This change allows deployers to specify locally sourced apt keys
on the ansible host rather than requiring all apt keys to be
downloaded from upstream keyservers.
The current implementation requires that all containers and hosts
we deploy to have an internet connection to download apt keys for
the various repos. This change allows the user to source apt keys
from the deployment host, for example:
ceph_gpg_keys:
- key_name: 'ceph'
data: "{{ lookup('file', '/etc/openstack_deploy/keys/ceph.gpg') }}"
hash_id: '0xe84ac2c0460f3994'
Note: Deployers can already set the repo URLs to use local sources,
so this enables fully offline package installation.
Change-Id: I1607c7a5c9bb4d5e06dedbc76c84a77014305df2
---
# Copyright 2015, Serge van Ginderachter <serge@vanginderachter.be>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Drop every key listed in ceph_revoked_gpg_keys from the apt keyring; each
# item is handed to apt_key as the key id. The result is registered as
# revoke_keys so the apt cache refresh later in this file can react to it.
- name: Remove revoked ceph apt-keys
  apt_key:
    state: absent
    id: "{{ item }}"
  with_items: ceph_revoked_gpg_keys
  register: revoke_keys
  tags:
    - ceph-apt-keys
# Import each entry of ceph_gpg_keys into the apt keyring. An entry supplies
# its key either via `keyserver` or via `data` (key material read on the
# deployment host, e.g. with a file lookup); whichever one is unset is
# omitted from the module call.
# NOTE(review): apt_key presumably rejects an entry that sets both sources;
# confirm, since that error would be hidden by ignore_errors below.
# NOTE(review): hash_id is the only thing tying a keyserver download to the
# intended key. A full fingerprint is a stronger identifier than a 64-bit
# key id; confirm what the role defaults and deployer overrides use.
- name: Add ceph apt-keys
  apt_key:
    state: present
    id: "{{ item.hash_id }}"
    data: "{{ item.data | default(omit) }}"
    keyserver: "{{ item.keyserver | default(omit) }}"
  with_items: ceph_gpg_keys
  register: add_keys
  until: add_keys|success
  retries: 5
  delay: 2
  # Failures are tolerated here so the fallback-keyserver task can run.
  # NOTE(review): an entry without fallback_keyserver that fails is not
  # retried anywhere in this file, so a missing key goes unreported here.
  ignore_errors: true
  tags:
    - ceph-apt-keys
# Second attempt for keyserver-sourced keys: runs only when the primary add
# reported failure and the entry names a fallback_keyserver. There is no
# ignore_errors on this task, so a failure after the retries is not
# suppressed.
# NOTE(review): add_keys is the registered result of the whole loop, so this
# condition presumably holds for every entry with a fallback once any one
# primary add failed; confirm.
- name: Add ceph apt-keys using fallback keyserver
  apt_key:
    state: present
    id: "{{ item.hash_id }}"
    keyserver: "{{ item.fallback_keyserver }}"
  with_items: ceph_gpg_keys
  when: add_keys|failed and item.fallback_keyserver is defined
  register: add_keys_fallback
  until: add_keys_fallback|success
  retries: 5
  delay: 2
  tags:
    - ceph-apt-keys
# Apply the apt source described by ceph_apt_repo (its repo line and desired
# state), retrying up to 5 times with a 2 second delay. The result is
# registered as add_repos for the apt cache refresh later in this file.
- name: Add ceph repo(s)
  apt_repository:
    state: "{{ ceph_apt_repo.state }}"
    repo: "{{ ceph_apt_repo.repo }}"
  register: add_repos
  until: add_repos|success
  retries: 5
  delay: 2
  tags:
    - ceph-repos
# Added for the revoked-key case, but it applies to the other tasks too:
# the apt cache has to be refreshed after keys change, and ceph_install.yml
# (where packages get installed) only does so when the cache is more than
# 600 seconds old. Runs when any of the key or repo tasks reported a change.
- name: Update apt cache
  apt:
    update_cache: true
  when: >-
    revoke_keys|changed or add_keys|changed or
    add_keys_fallback|changed or add_repos|changed
  tags:
    - ceph-apt-keys
    - ceph-repos