From 1d5c7f637f1519701b8232ef1f5d03b03320e8d6 Mon Sep 17 00:00:00 2001 From: Matt Thompson Date: Tue, 29 Sep 2015 14:22:25 +0100 Subject: [PATCH] Update ceph key hash Ceph packages are currently failing to install due to [1]. This commit updates ceph_client/defaults/main.yml to use the latest Ceph signing key. Additionally, we add a new variable ceph_revoked_gpg_keys and task to ensure revoked keys get removed. [1] http://ceph.com/releases/important-security-notice-regarding-signing-key-and-binary-downloads-of-ceph/ Change-Id: I3c3f69c0eb471982c314816ae90a69458e48ded6 --- playbooks/roles/ceph_client/defaults/main.yml | 6 +++++- .../ceph_client/tasks/ceph_preinstall.yml | 20 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/playbooks/roles/ceph_client/defaults/main.yml b/playbooks/roles/ceph_client/defaults/main.yml index be58c77bc6..ee20661b58 100644 --- a/playbooks/roles/ceph_client/defaults/main.yml +++ b/playbooks/roles/ceph_client/defaults/main.yml @@ -29,8 +29,12 @@ ceph_gpg_keys: - key_name: 'ceph' keyserver: 'hkp://keyserver.ubuntu.com:80' fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80' - hash_id: '0x7ebfdd5d17ed316d' + hash_id: '0xe84ac2c0460f3994' +# The apt-key command won't del a key when you give it the hash_id, so we have +# to use the short key ID here instead. +ceph_revoked_gpg_keys: + - '17ED316D' # Ceph Repositories ceph_apt_repo_url_region: "www" # or "eu" for Netherlands based mirror diff --git a/playbooks/roles/ceph_client/tasks/ceph_preinstall.yml b/playbooks/roles/ceph_client/tasks/ceph_preinstall.yml index 6994398317..32d3c14532 100644 --- a/playbooks/roles/ceph_client/tasks/ceph_preinstall.yml +++ b/playbooks/roles/ceph_client/tasks/ceph_preinstall.yml 
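Review bot: The replacement `hash_id: '0xe84ac2c0460f3994'` in the defaults hunk is still only a 64-bit key ID that the add task fetches from an HKP keyserver over plain port 80 (`keyserver: 'hkp://keyserver.ubuntu.com:80'`), so the new key is selected by ID rather than checked against a full fingerprint; since this commit is the response to a signing-key compromise, it is worth recording the full 40-hex fingerprint next to it, e.g. `# fingerprint: <FULL_FINGERPRINT, verify against the Ceph security notice in [1]>`, or passing the fingerprint as the id if the apt_key module version in use accepts one, so that a key merely sharing the short ID is not trusted. The new `ceph_revoked_gpg_keys` entry `'17ED316D'` is the last eight hex digits of the `hash_id` being removed, and nothing in the file says so; a comment such as `# Short key ID of the previous hash_id (0x7ebfdd5d17ed316d); keep in sync when rotating keys.` would stop the two lists from drifting apart on the next rotation. Quoting the short ID is correct, since an all-digit ID would otherwise be parsed as a number.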
@@ -13,6 +13,15 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Remove revoked ceph apt-keys + apt_key: + id: "{{ item }}" + state: "absent" + register: revoke_keys + with_items: ceph_revoked_gpg_keys + tags: + - ceph-apt-keys + - name: Add ceph apt-keys apt_key: id: "{{ item.hash_id }}" @@ -52,3 +61,14 @@ tags: - ceph-repos +# This is being added specifically for when a key is revoked, but should apply +# to other tasks also. The cache needs updating after changing keys but +# ceph_install.yml (where packages get installed) only does so if cache > 600 +# seconds. +- name: Update apt cache + apt: + update_cache: yes + when: revoke_keys|changed or add_keys|changed or add_keys_fallback|changed or add_repos|changed + tags: + - ceph-apt-keys + - ceph-repos
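Review bot: `with_items: ceph_revoked_gpg_keys` in the new "Remove revoked ceph apt-keys" task passes the list as a bare variable name; bare variables in loops are deprecated from Ansible 2.0 onward, so `with_items: "{{ ceph_revoked_gpg_keys }}"` is the forward-compatible spelling (the neighbouring "Add ceph apt-keys" task may use the same bare form, but its body continues past the end of this hunk). The removal task itself is idempotent via `state: "absent"`, and a short comment above it, e.g. `# Keys listed here are short IDs because apt-key del does not accept the long hash_id.`, would save a reader a trip to defaults/main.yml to learn why the two lists use different ID lengths.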
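Review bot: The `when:` on the new "Update apt cache" task dereferences `add_keys`, `add_keys_fallback` and `add_repos`, which are registered by tasks outside this hunk under other tags, so a run restricted with `--tags ceph-apt-keys` (a tag this task carries) would reach the condition with `add_repos` undefined and the `changed` filter would most likely error rather than evaluate to false; guarding each term, `when: (revoke_keys is defined and revoke_keys|changed) or (add_keys is defined and add_keys|changed) or (add_keys_fallback is defined and add_keys_fallback|changed) or (add_repos is defined and add_repos|changed)`, makes the task safe under any tag selection. Whether `add_keys_fallback` is registered on every full run depends on the fallback task's own condition, which is not visible here. Separately, `update_cache: yes` is a YAML 1.1 truthy spelling; `update_cache: true` is the canonical boolean and avoids the yamllint truthy warning.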