Debian: use extrepo for setting-up the repositories

The old method used in manifests/repo/debian/debian.pp that was using apt-key is currently deprecated. apt-key itself is going to be removed in 2021. Also, downloading a random repository key from the internet is questionable at least. So I'm switching to use extrepo by default for setting-up the Debian repositories. It's nice, it's official, and it's in Bullseye already. It also is authenticated by default, and supports additional repositories (so it's prepared for the future). Change-Id: I7686a1cf541c81a9a14ef05542e31053c47e3f51
2021-04-15 22:41:55 +02:00 · 2021-04-15 22:41:55 +02:00 · c8fabb628c
parent 7e74f6914e
commit c8fabb628c
3 changed files with 117 additions and 45 deletions
--- a/manifests/repo/debian/debian.pp
+++ b/manifests/repo/debian/debian.pp
@ -15,6 +15,17 @@
 #   Debian APT source
 #   Defaults to true
 #
+# [*package_require*]
+#   (optional) Whether or not to run 'apt-get update' before
+#   installing any packages.
+#   Defaults to false
+#
+# [*use_extrepo*]
+#   (optional) Should this module use extrepo to
+#   setup the Debian apt sources.list. If true, the
+#   below parameters aren't in use.
+#   Defaults to true.
+#
 # [*source_hash*]
 #   (optional) A hash of apt::source resources to
 #   create and manage
@ -25,11 +36,6 @@
 #   resources created by this class
 #   Defaults to {}
 #
-# [*package_require*]
-#   (optional) Whether or not to run 'apt-get update' before
-#   installing any packages.
-#   Defaults to false
-#
 # [*deb_location*]
 #   (optional) Debian package repository location.
 #   Defaults to "http://${::lsbdistcodename}-${release}.debian.net/debian"
@ -43,41 +49,68 @@
 class openstack_extras::repo::debian::debian(
  $release         = $::openstack_extras::repo::debian::params::release,
  $manage_deb      = true,
+  $package_require = false,
+  $use_extrepo     = true,
+  # Below params only used if $use_extrepo is set to false
  $source_hash     = {},
  $source_defaults = {},
-  $package_require = false,
  $deb_location    = "http://${::lsbdistcodename}-${release}.debian.net/debian",
  # DEPRECATED
  $manage_whz      = undef,
 ) inherits openstack_extras::repo::debian::params {
  # handle deprecation
  $deb_manage = pick($manage_whz, $manage_deb)
-  if $deb_manage {
-    exec { 'installing openstack-backports-archive-keyring':
-      command     => "/usr/bin/apt-get update ; \
-                   wget ${deb_location}/dists/pubkey.gpg ; \
-                   apt-key add pubkey.gpg ; \
-                   rm pubkey.gpg",
-      logoutput   => 'on_failure',
-      tries       => 3,
-      try_sleep   => 1,
-      refreshonly => true,
-      subscribe   => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"],
-      notify      => Exec['apt_update'],
-    }
-    apt::source { $::openstack_extras::repo::debian::params::deb_name:
-      location => $deb_location,
-      release  => "${::lsbdistcodename}-${release}-backports",
-      repos    => $::openstack_extras::repo::debian::params::deb_repos,
-    }
-    -> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange":
-      location => $deb_location,
-      release  => "${::lsbdistcodename}-${release}-backports-nochange",
-      repos    => $::openstack_extras::repo::debian::params::deb_repos,
-    }
-  }

-  create_resources('apt::source', $source_hash, $source_defaults)
+  $lowercase_release = downcase($release)
+
+
+  if $deb_manage {
+
+    if $use_extrepo {
+      # Extrepo is much nicer than what's below, because
+      # the repositories are authenticated by extrepo itself.
+      # Also, using apt-key is now deprecated (to be removed in 2021).
+      # We use ensure_packages to avoid conflict with any other class
+      # external to this module that may also install extrepo.
+      ensure_packages(['extrepo',], {'ensure' => 'present'})
+
+      exec { "extrepo enable openstack_${lowercase_release}":
+        command     => "extrepo enable openstack_${lowercase_release}",
+        logoutput   => 'on_failure',
+        tries       => 3,
+        try_sleep   => 1,
+        refreshonly => true,
+        require     => Package['extrepo'],
+      }
+      if $package_require {
+        Exec["extrepo enable openstack_${lowercase_release}"] -> Exec['apt_update']
+      }
+    }else{
+      exec { 'installing openstack-backports-archive-keyring':
+        command     => "/usr/bin/apt-get update ; \
+                     wget ${deb_location}/dists/pubkey.gpg ; \
+                     apt-key add pubkey.gpg ; \
+                     rm pubkey.gpg",
+        logoutput   => 'on_failure',
+        tries       => 3,
+        try_sleep   => 1,
+        refreshonly => true,
+        subscribe   => File["/etc/apt/sources.list.d/${::openstack_extras::repo::debian::params::deb_name}.list"],
+        notify      => Exec['apt_update'],
+      }
+      apt::source { $::openstack_extras::repo::debian::params::deb_name:
+        location => $deb_location,
+        release  => "${::lsbdistcodename}-${lowercase_release}-backports",
+        repos    => $::openstack_extras::repo::debian::params::deb_repos,
+      }
+      -> apt::source { "${::openstack_extras::repo::debian::params::deb_name}-nochange":
+        location => $deb_location,
+        release  => "${::lsbdistcodename}-${lowercase_release}-backports-nochange",
+        repos    => $::openstack_extras::repo::debian::params::deb_repos,
+      }
+    }
+    create_resources('apt::source', $source_hash, $source_defaults)
+  }

  if $package_require {
    Exec['apt_update'] -> Package<||>
--- a/releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml
+++ b/releasenotes/notes/debian-uses-extrepo-a77c672920581e4e.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The class openstack_extras::repo::debian::debian has now a new parameter
+    use_extrepo, which is true by default. If true, extrepo will be used for
+    setting-up the OpenStack apt sources.list, and the parameters source_hash,
+    source_defaults and deb_location are ignored. Beware that this is now
+    the new default!
--- a/spec/classes/openstack_extras_repo_debian_debian_spec.rb
+++ b/spec/classes/openstack_extras_repo_debian_debian_spec.rb
@ -7,7 +7,8 @@ describe 'openstack_extras::repo::debian::debian' do
        :manage_deb      => true,
        :source_hash     => {},
        :source_defaults => {},
-        :package_require => false
+        :package_require => false,
+        :use_extrepo     => false,
      }
    end

@ -21,9 +22,37 @@ describe 'openstack_extras::repo::debian::debian' do
      class_params.merge!(paramclass_defaults)
    end

-    context 'with default parameters' do
+    context 'with default params' do
+      it { should contain_exec('extrepo enable openstack_victoria').with(
+        :command => 'extrepo enable openstack_victoria',
+      )}
+      it { should contain_package('extrepo').with(
+        :ensure => 'present',
+        :name   => 'extrepo',
+      )}
+    end
+
+    context 'wallaby with extrepo' do
      let :params do
-        {}
+        {
+          :release     => 'wallaby',
+          :use_extrepo => true,
+        }
+      end
+      it { should contain_exec('extrepo enable openstack_wallaby').with(
+        :command => 'extrepo enable openstack_wallaby',
+      )}
+      it { should contain_package('extrepo').with(
+        :ensure => 'present',
+        :name   => 'extrepo',
+      )}
+    end
+
+    context 'with extrepo set to false' do
+      let :params do
+        {
+          :use_extrepo => false,
+        }
      end

      it { should contain_apt__source('debian-openstack-backports').with(
@ -87,19 +116,20 @@ describe 'openstack_extras::repo::debian::debian' do
                                   }
                                }
                              })
+        default_params.merge!({ :use_extrepo => false })
      end

      it { should contain_apt__source('debian_unstable').with(
-        :location => 'http://mymirror/debian/',
-        :release  => 'unstable',
-        :repos    => 'main'
+        :location    => 'http://mymirror/debian/',
+        :release     => 'unstable',
+        :repos       => 'main',
      )}

      it { should contain_apt__source('puppetlabs').with(
-        :location => 'http://apt.puppetlabs.com',
-        :repos    => 'main',
-        :release  => 'stretch',
-        :key      => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' }
+        :location    => 'http://apt.puppetlabs.com',
+        :repos       => 'main',
+        :release     => 'stretch',
+        :key         => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' },
      )}

      it { should contain_exec('installing openstack-backports-archive-keyring') }
@ -119,13 +149,14 @@ describe 'openstack_extras::repo::debian::debian' do
                                   'include' => { 'src' => true }
                                }
                              })
+        default_params.merge!({ :use_extrepo => false })
      end

      it { should contain_apt__source('debian_unstable').with(
-        :include  => { 'src' => true },
-        :location => 'http://mymirror/debian/',
-        :release  => 'unstable',
-        :repos    => 'main',
+        :include     => { 'src' => true },
+        :location    => 'http://mymirror/debian/',
+        :release     => 'unstable',
+        :repos       => 'main',
      )}

      it { should contain_exec('installing openstack-backports-archive-keyring') }