Add roles to add/remove a GPG key

Current usage of gpg keys involves a single role that adds, signs, and removes the key all in one. Some jobs may need the GPG key installed normally onto the remote host, then left in place, and later removed. This change facilitates that. Change-Id: I2f13f0c4de91808ba1bbdcc0fd20a547e43d602b
2017-10-19 13:26:16 -07:00 · 2017-10-19 13:26:16 -07:00 · 5f75a2d004
parent 361b11f3e3
commit 5f75a2d004
4 changed files with 33 additions and 0 deletions
--- a/roles/add-gpgkey/README.rst
+++ b/roles/add-gpgkey/README.rst
@ -0,0 +1,12 @@
+Install a GPG private key onto a host.
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+   Complex argument which contains the GPG private key.  It is
+   expected that this argument comes from a `Secret`.
+
+  .. zuul:rolevar:: private
+
+     The ascii-armored contents of the GPG private key.
--- a/roles/add-gpgkey/tasks/main.yaml
+++ b/roles/add-gpgkey/tasks/main.yaml
@ -0,0 +1,18 @@
+- name: Create GPG private key tempfile
+  tempfile:
+    state: file
+  register: gpg_private_key_tmp
+
+- name: Stage GPG private key for importing
+  copy:
+    content: "{{ gpg_key.private }}"
+    dest: "{{ gpg_private_key_tmp.path }}"
+    mode: 0400
+
+- name: Import GPG private key
+  command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
+
+- name: Delete staged GPG private key
+  file:
+    path: "{{ gpg_private_key_tmp.path }}"
+    state: absent
--- a/roles/remove-gpgkey/README.rst
+++ b/roles/remove-gpgkey/README.rst
@ -0,0 +1 @@
+Remove an added GPG key from the host.
--- a/roles/remove-gpgkey/tasks/main.yaml
+++ b/roles/remove-gpgkey/tasks/main.yaml
@ -0,0 +1,2 @@
+- name: Remove GPG key
+  command: "sh -c 'shred -u ~/.gnupg/*'"