Allow non-url Elastic gpg key specification

It is currently the case that the elastic GPG key must be specified
as a remote URL within the elastic_repositories role. This causes
issues in the case that remote URLs specifying the GPG key are
inaccessible due to e.g. firewalls at deploy time.

In analogy to Change-ID I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528,
this commit allows the GPG key to be provided not only via a remote
URL, but also in-data or through a file by allowing the full range
of apt_key input types (url, file, data etc) to be provided. The
default behaviour is changed to use the vendor key in the role
files.

Change-Id: Ic48db01029c4b94845ccacfba7440b13a59ab873
Duncan Martin Walker 2020-02-25 14:12:32 +00:00
parent 80e8bedcf0
commit b875cc30b1
4 changed files with 56 additions and 9 deletions


@ -23,4 +23,9 @@ elastic_repo_distro_packages: []
# elastic_apt_repo: # elastic_apt_repo:
# repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' # repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
# state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}" # state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}"
# key_url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
# This should be a list of dicts, with each dict
# giving a set of arguments to the applicable
# package module. Defaults to the remote url
# https://artifacts.elastic.co/GPG-KEY-elasticsearch
elastic_gpg_keys: "{{ _elastic_gpg_keys | default([]) }}"
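Review bot: The new comment says the default is the remote URL `https://artifacts.elastic.co/GPG-KEY-elasticsearch`, but the commit description and the `_elastic_gpg_keys` vars in this change make the default the vendored key file, so it should read something like `# Defaults to the vendored Elastic key shipped in the role files.` The commented `key_url` example above it appears to be left in place although the key task no longer reads `elastic_repo.key_url`; an operator who overrides it would still get the vendored key, so it is worth dropping or marking as unused. Note also that `default([])` installs no key at all when `_elastic_gpg_keys` is undefined, which would presumably only surface later as an apt signature failure.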


@ -0,0 +1,31 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)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=92oX
-----END PGP PUBLIC KEY BLOCK-----


@ -13,13 +13,21 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: add Elastic search public GPG key - name: If a keyfile is provided, copy the gpg keyfile to the key location
apt_key: copy:
url: "{{ elastic_repo.key_url }}" src: "gpg/{{ item.id }}"
state: "present" dest: "{{ item.file }}"
register: _apt_task mode: '0644'
until: _apt_task is success with_items: "{{ elastic_gpg_keys | selectattr('file','defined') | list }}"
retries: 3
- name: Install Elastic gpg keys
apt_key: "{{ key }}"
with_items: "{{ elastic_gpg_keys }}"
loop_control:
loop_var: key
register: _add_apt_keys
until: _add_apt_keys is success
retries: 5
delay: 2 delay: 2
tags: tags:
- package_install - package_install
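Review bot: The copy task selects every entry that defines `file` but builds its source from `item.id`, so an entry that only points at a key already on the host (`file:` without `id:`) fails on an undefined variable before `apt_key` runs; filtering on both, `selectattr('file','defined') | selectattr('id','defined')`, keeps the file input usable on its own. The copy task also appears to carry no `tags:` while the install task keeps `package_install` (indentation is lost on this page, so this is inferred), which would make a tagged run skip the copy and then fail to find the key file. Because `apt_key: "{{ key }}"` forwards each dict unchanged to the module, a short comment asking that every entry carry the full fingerprint as `id` would help keep overrides tied to a known key.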


@ -20,6 +20,9 @@ elastic_repo_distro_packages:
_elastic_repo: _elastic_repo:
repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}" state: "{{ ((elk_package_state | default('present')) == 'absent') | ternary('absent', 'present') }}"
key_url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
elastic_repo: "{{ elastic_apt_repo | default(_elastic_repo) }}" elastic_repo: "{{ elastic_apt_repo | default(_elastic_repo) }}"
_elastic_gpg_keys:
- id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
file: /etc/ssl/elastic-key
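Review bot: The fingerprint under `_elastic_gpg_keys` is written as a plain scalar although it is used both as the `apt_key` id and as the source filename `gpg/{{ item.id }}`; quoting it, `id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'`, guards against a future key whose fingerprint YAML would read as a number. A one-line comment recording where the vendored key was obtained and that its fingerprint matches this id would let a later reviewer re-verify the trust anchor.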