From 83affc627fd2132bb5a65c4b1f5a07a9f95a7998 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Fri, 14 Dec 2018 16:53:17 +0000
Subject: [PATCH] Use in-repo GPG keys

We make remote network hits to get the GPG keys which are quite unreliable, and apt_key does not support using a proxy properly [1] so let's store them inside the role and use them. The implementation here matches that which was done in the galera_client role in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83
[1] https://github.com/ansible/ansible/issues/31691
Change-Id: I2715c904975b7940af72bd422904e748d3bae953
---
 defaults/main.yml | 9 +++
 files/gpg/4D206F89 | 65 +++++++++++++++++++
 files/gpg/A14F4FCA | 52 +++++++++++++++
 .../rabbitmq-gpg-keys-042a47164265ea40.yaml | 12 ++++
 tasks/install_apt.yml | 50 ++++++--------
 vars/ubuntu.yml | 11 ++--
 6 files changed, 161 insertions(+), 38 deletions(-)
 create mode 100644 files/gpg/4D206F89
 create mode 100644 files/gpg/A14F4FCA
 create mode 100644 releasenotes/notes/rabbitmq-gpg-keys-042a47164265ea40.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 7deb8d1a..7d364157 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -51,6 +51,15 @@ rabbitmq_release_version: "{{ _rabbitmq_release_version }}"
 rabbitmq_package_sha256: "{{ _rabbitmq_package_sha256 }}"
 rabbitmq_package_path: "{{ _rabbitmq_package_path }}"
 
+# Set the gpg keys needed to be imported
+# This should be a list of dicts, with each dict
+# giving a set of arguments to the applicable
+# package module. The following is an example for
+# systems using the apt package manager.
+# rabbitmq_gpg_keys:
+#   - id: '0xC2E73424D59097AB'
+#     keyserver: 'hkp://keyserver.ubuntu.com:80'
+#     validate_certs: no
 rabbitmq_gpg_keys: "{{ _rabbitmq_gpg_keys | default([]) }}"
 
 # Set the URL for the RabbitMQ repository
diff --git a/files/gpg/4D206F89 b/files/gpg/4D206F89
new file mode 100644
index 00000000..6825e955
--- /dev/null
+++ b/files/gpg/4D206F89
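Review bot: The usage example added above `rabbitmq_gpg_keys` ends with `#     validate_certs: no`, which teaches operators to switch off certificate checking on a keyserver or URL fetch — the one thing this commit's vendored-key approach avoids. Since the role's own defaults now use the file form, the example should show that form (`#   - id: '4D206F89'` / `#     file: /etc/ssl/packagecloud-key`) and drop the `validate_certs` line; if a keyserver example is kept, spell the boolean as `false` rather than `no`. The phrase "the applicable package module" could name `apt_key`/`rpm_key` as the release note does, so readers know which argument set the dict must match.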
@@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFu7jVkBEADBO7bMOw3KxZG5rJGpyZ/eUegI3qSvt1NtPqTp91oiCOAU4w3C +PorCUnMQt/GMMZImlUSlvcd9aIfBaNFXSYWOiKNoKNsJSs790dpXeEScg82M8r+i +VZUYh9lrwePtV9mU8jiVLwX0DzEfpuazPdAZY7UaKG/tJGErDYclNs+i7TcbQAca +TT39uCM811L488OngXn2lepKUFgbEJ94dWDF8KuO8us0zP2ylTBGavDPo8m5DpaT +ZU9t0Emwc8nsr+DAUA9E3/fY77jXITDJdhw3LK9CvLkXwlxLccMuZhaaj1L7izhZ +1tH+kusFG0QVaZveG+MrIFPy9kgLIZ8/2HI83ZSjevu4h6Sq2qtl8hMWtPZuw8MN +GrzgWRkuRxzZ0LMQG6uvXR1y/yy2eMcIthvyMAoUs1luuUqQKKzNkX+8FaSXikcb +oRyjXUWLbE2MdWewsb+YO9i4dqO2KZcF4ryUIA85suHVqRYlRy1/HCB1jyMTGZC7 +LEnW+S8YRMiMifP2xTXduyrBQil4r8NqRT+G8GsE3p6RbVormIlwB3Kx6TIcPYP/ +ErOnL23TdMtYeIQnkctV67o6zxTz/9JNW1DL+YVbx2B4YOrDbiW+OvU74BKNU9lD +zeBUdGa31SBL7nF9iEQ1FBVc+/HEbxKA7Zd/6tDBS+/iU+USbTrSgrN+RQARAQAB +tHVodHRwczovL3BhY2thZ2VjbG91ZC5pby9yYWJiaXRtcS9yYWJiaXRtcS1zZXJ2 +ZXIgKGh0dHBzOi8vcGFja2FnZWNsb3VkLmlvL2RvY3MjZ3BnX3NpZ25pbmcpIDxz +dXBwb3J0QHBhY2thZ2VjbG91ZC5pbz6JAjgEEwECACIFAlu7jVkCGy8GCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAAAoJEPTniSBNIG+JASgP/3Rc3A1OWDvbcAt1TRfT +fHT7kniepAc76o/kBd2WJ5aT3wp634SWXS6+/fl8u/mz6FIYE14k6tmMlFW7i7IO +8WY1BADBKUDvcbZ8eAVa5hx2wQesMrKrhnO/c+YRkqM4/008Pa2QkACzUDh4c0qD +f/ZLD/BuBnfVDwGcYQbZwzKiCwRIxLXHyhD4KriQCdrDce/SlJhVoCnngIc+sEeY +/R9VmORo3Lh5TRs5ivTZCB8eWXezudXTQq5oyXsu2gs4EyNsRnUD0bFx7aRsuFZS +vu56wUgvlSo7C+ZJ8wYIcjYzap7ezOPbGbMH2E7IZ9BXEMV/85sQjK875VWeoLAr +okzy9ydDzChgaBn92/0k1bbQyLIVCxIStGPQHCM8XbBhciSwlzXrH70QB4KlEbQN +Kt0CpNznF50gR3gWzenO+j6NEENmMcyvKrZwjbdOKJ5sjeLBoLZTIpGqrwctz97r +6BhCd5SZ5uqUo1twO+cwkDK/z5k5S8GNoHbejuidiFbd+FNSRx6CNDdoYI8DsyDj +1cTGFdPHYTNPraIIYV2f1mYFXUWG28OSwkxH2vVqZhyMKtFDv23Qwng+sQaTPkSd +KyolYNxH6HW+rynJkZDZ+Mr0zNSjQu7+WYT2d98E/JIZKW6Wonr6TPYhjrIUHOVq +hiqfhAf2EmsI539P9SJneiSvuQINBFu7jVkBEADIrsPaPST3/NGiwCss6pducMmk +FiC9R8O+vRTpBz1gJkEzEhHani28fJNWuhYHWCDAIoUuprvgbnM3+EtrzVATPy7u +FD1fB0bxEVy2Bvsa2PQ5Z0Wz24OftzXCYUAp2IhOjdK3wNzTLd4o14vnQCcplGD7 
+/5uVvY0bQ4Ejpo/pYxQQhQqHrLZzP2t/O6nxtOVkosxGE9ozsjIuNAttNYhBSvS6 +C4Skp0ycIPjAybvxRCOFshiAjiwwSslZOCNiPpuXjfRqndlhDyZGpRyzH02x7myj +/gga551qym3j+LswUYId/ayVZZn7ZqtCQPQkU2tMpjxatFbqT6469UdbEqjbq5hH +MylQVXp1gf7VHmgYa+wzjO+ZZC/Bdp3SPc3NmHJXGDIzUrp8e2tc7oF1E4BBCxX0 +Lu+GbgARsQIsbaY3BSJTIJErtltzK8YIcALbSiVR9GKRqPDQY8EQIs9eXgQh5O8u +NjCNswFqbf1U7Kbe99zvrWoZZpl/il3sOSCLbukVa9dZhpvfATBdbpZnn4XFrzes +5nssy4VbuLDpF1r2q6T4tdJIjYweTs4acf2sAsaVZJugM6qb5Nlrv5hOvmWnlqmC +TYPICrFcBQYvYleu1lcr/tHMOC18iplRiUQ0jIZP/gxrDDyBnKnhPGP0hEeOtTsc +vFxC3ddEKLLwaFvSGQARAQABiQQ+BBgBAgAJBQJbu41ZAhsuAikJEPTniSBNIG+J +wV0gBBkBAgAGBQJbu41ZAAoJEPZgnmDcYoFOaM8P/3CyZAaPE1C06S3p2DE8L7u/ +GOOTxn7XCqApReBwo5hdw9cGMWPe/gJzrWs+ZulIsGqJeGeKeaHtyGp1m6n/P/4T +6CDHLmCNsAPySu8s6JOhjQ01IuMn9Z/wRtISpAbNTbT6n2A/p12CCJhi+G6dywYh +BbBN6YkDxd0VkY6gLb42rxgtLQlXOCLJ9GWxAHoBz1bi7e4/ErhIqPJKxDiqyNzS +8EFlLQWSkWFNzyyBYTA1FD26s2hWFPqqKW4D92qLd393S8wvmRbDgBS2+rikqQri +8Co/2cSs4k+vmkghyd9IrNMa1XERbYZz4XPpheKFMXibdRR+opL6oUG2lc5M6kAw +v94ObWZJxYdyJ61NyZiUaeg6K/6x/6oRDTudVNe1StRANbtxcfCp3MvCRMN62Epk +HnwnXJA11G12Zm6RhurWrYww+v3GQ7HKP11ABWkekds/FUQ6DaGTYHwvnO1ZBCOq +HANM636X8a2EJnoR3dUHMdB6xuo7gyv47JPpunPLt00N6gI/Oblpo9vKFvSXiKc3 +MfQhj7SjtwJkd/NC7JU5e1juy5hvFBSG7ZxLUwm18Xh4kJ1Czxi2BkP3sw9DXk+7 +5nWVnfQ4hYQ9VhYwtru1RTJUirO9fGi8/1b6JWG7+blifGqjNBTX5lVSE1Vgp7QD +/Jl1/RyoFw5s2uZjA+1+oCgP+QFvBiTKRPMKS7N5qNZ4pHPXbI8vBGQP3tPNTgFz +no8yfdx97hhoVSPcRgZta6n1S1DC/qd6lGuabGwHBzhI2InNY/AeFMpQnyoltS6c +w23lJUVhb0937KDb9/cDfGE6tqwqJM605VPU+5tKTWBgIN3s9LdcpkWAd02qVdhb +tQ98+s5BI1nxNzYr8uexuFMDaJjB/Yk0YPo14Q8oee50dZv1PryXNt3BSfUdoW/e +gcUshx0r35gzQhMqucqXjo4xaG4gNTH7e0WBVTzsSHC03huZytHxZkTIyhnpuIgX +hy+z2LpaP5xqJUfcrnhr2+O/j67g+Ha+O0605TgKsm0NBbPVbr6411/BNekQt6gk +qorHnOwFofysX2yI500i+XU7q0lqgc0ajg1laiILSAoK4q/NLTsvrqVHEd5Sbods +1bfYxeBJnihHkZm/GDDE8T4hdldVSgugifsz601WfStl3QB/Iz3R4ea+OYJ4ccER +w0mMCSZe5beBd65M6vufBsfOaVxFnCLhuXyTOs8d4Su0LvIZnzdknmWiTBnAYme+ +8pW2QDeOJE3UgpLD0V3fg8fREQ+7VvoHSwCrm5Iv71Cl6gndNaK5EjviSjxUzovl 
+b2YnngicVK1goXboBQeRmP5qAd8sO32sSejyfaBq1Dalh8D+85z2I8SsU1JU+D0B +PF1z +=AD8w +-----END PGP PUBLIC KEY BLOCK----- diff --git a/files/gpg/A14F4FCA b/files/gpg/A14F4FCA new file mode 100644 index 00000000..074efae5 --- /dev/null +++ b/files/gpg/A14F4FCA 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBE8v+uABEACgAlBUDDjc6PF7uI6mlTGnkemHF4trRINtocZKzvyKBmN+pPiV +CjJ3o6NwGmN/McHHyN1sB40n5IZbPtECi5hm+GmHWTkPG0jNQ0f9VDxoIb2eK/Xn +un2KmwJy7W0gth0++Eja5qE4G37o7AUr6hnwSUhFoQ8scahBxiAtya1M4FEeitsY +qY0azafah1Pl6c9I/sdyoH2T3casDByI6aiLK5iP+B5x2j1HKzGGkuTbOdMM0Jos +/pV8HbPBMCQdDhPOKSSEktKr3qgSD/fMzleusCQ5BYzlhAhr5OscCDny/LMiDBOF +8Au92q5DCkjsAlKz49DdpLjep4FwvBLq4DDGj9d8Bz28uUkKnYU8b+c8oPtf9E7D +Uc93i9Ddl6EmZ4QdaTZzR37oUIovKIChYNUh0FLNExhY6VsB3E/BJncaT5D2HkRQ +chUPl2lHVikeJhuHFGY3EkROXMYOxf6FrdVOJa13DflOBssDVwoul45ec9rxW/aA +UG7KCh4ySZ7C1ywSZSr6GXOfVdHjIaYgJpzee86TPnYxF81QpoXsH45tDOxMqMC2 +C1keWbzxvv3qxSGFAsCXSeKWNirCRPqsmEW1NpmLNIb2fm8LOru1hl/UknKu3Y1G +gJ/n6pJOB5cRLpconnssQ2iULSJeyrbVVNyXjQbHjj1DOhtrdDmmIEB/IQARAQAB +tDVFcmxhbmcgU29sdXRpb25zIEx0ZC4gPHBhY2thZ2VzQGVybGFuZy1zb2x1dGlv +bnMuY29tPokCOAQTAQIAIgUCTy/64AIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0ghQfKFPT8qeaQ//YAdT+Q206nwe9CauCKFzKfZVizWSXRa9n1pWyPWh +Cimag9gwCZisBasqVoQDP4qVgH6rJf97Z2/2//hK06hmnrtAodLWH2BgTE5nrDaa +XgAxIKDQJvJGKf+SMkZjL22ustpS1rHQ8R/vT9+XodGFVb/tzimN5mfWTlmAAl0/ +eRBbm7eEU41vij5P4NEE9hWFTclkxVws5m6iOLvJ+M8vQxt68ZaY6WBUgHxZXKHt +Mn/2OCnX2vg3mYzKWkhMUqgBzOWIBw6oH0kLOo34VqKyeqCubWO7Uu5JekrNrXT7 +K03wT+MAgIbmaYkVirTEF4JAqA8s37YFErOoM807pOTyE8Biao42v98F6h/l63qB +s1HBOG7LfuVXyG/reOlgGAlDFD8ShE2HP+UZ3/A/+LchKFAYt4bQG22KJtgWHgSk +ZNNaU7GPb2ai5TbjdvesZu9Wqq10T1dZC1txsZxl0uTDJh2HzzOshUCFxF7Yc2uq ++QBuX0aa9Z4x5Ls/UxTSV8a/XclOcTSIsSttUK5RIZNb2vaqF0Lh0kXaTErQiSq/ +SktmzFB09JqiYwXwiIYlYHpHBtWD9eiYtOuiRCf7qmV6g046n6QBq1j2d07SuqZM +AMpiDVY9zueUUpLWZvv77IBVE2TQ4kG7qSFPxSh+pPKoIwaDlo464WRrKqhijFl4 +m5y5Ag0ETy/64AEQAK1kcuQd5/vkEnionds1dGti5WPXKgmxYJEOE0K5ERYeZOZz +jHKKyn1sONY5BlZiHC97ISGSv8zuV2ER4GdJI8jH1OV7tx8dhy3ju2Uky5GiLwkJ +snfRLBFSBDD95Js4soZogIqsS9DxomfHD0nfet9ggR5ZYur/053xrY97ylPPvd96 +TYRXgNWz5qJX9YzExkAPhNUb6Qcw+Wr54n8lMBQQGl8rKZzVILRtiAo/XzhVWNAg +Ns4tSJlrcsS2qgn9vThtfkiFCwkPuTng+vUoRNSVvuHg1BcG/E5hhc/Gitmrynec 
+u1Exr2+FeuaG/1j2tQqBS7uwGgtJlDo0Ag1wKMoy790LX9uHS+0xx1x//wnkSQfY +Ob8cJWhWMsxZVngt9Pjs3ZL+bW2xxu/IOQ9OjXQMhJEwyf8/nMrcWnB0arIhqz+M +MX/XAfy/JwKD04LDdxngQD3NUOuuLIZWKuvx5WZr8+lSuc3gtthPFt43olIjY2Yi +HQhlcVKnV3xnXbaqaXptjXEkqi/K7jHtVn9Fpb3JAWNnIf5gaYTbdE2qQFiqPfWs +CQ1w5CHj2KPV3m/ckHiKu1oSvWFamocsEF0C3zYLdoDHKiuHesF0ZqCqIE9c0qkJ +gH+dxcbPhByCDIQbiyiHvXbs1SBM3VwTGhjvzlpLSCquBG5cAGMAnzNaMHr9ABEB +AAGJAh8EGAECAAkFAk8v+uACGwwACgkQ0ghQfKFPT8rwlw/+IGJTucS2T7+0FLDp +TKsdsBidPEOFEa19QBrIFM9sXdJXGyVRw/u/sVYOJYBYCZmGuqA/EB3mPNZHbsHX +pBRTIMGecH9qg55fm5t4WT93TbfbOjJCbbtsVONpig/NOYhVA63UUGasaLzVQ/6E +Ip4bmqSH4XhLrOT1J0yFe13MdfkJ6fxHJML1YeLrZhoVWApLQ9B70/CVfxqX5+oQ +Uwlxiiu6x2tExWCMrY2y9qXQOfk6bYZsNceoHrhXD876nn4pdMrJJoefD02OhT7L +/heeGCRolEzT5JsbTOr/HqyDoz6XP0Na30I4rJYRZKVUEDGT/XJaxhwX93QI2Kr/ +TvhgLtPDDngclxBuwfZ/gJMb8T83vN+fuhgjL8pHKaiQeneVuOMNpm5yxyAFr2ep +ux6ipe2UL9kUn7ZnfeiJc385cMTY9cZ30GjgdQr1o1EDwHiYm+ly4Licg5w5mYYx +Vx2bzOJLsGm9xAKp6G4xJHY89PE8y3bksO8pctGkkWmBPCCeH5PPFWrPhLcyiS9P +lvijXzabGtFaVDmxV5oGHW8orpirR3CMgn0DKE5QcH8412d9ByvjK3UcmBTwEnQk +Og0Ce4+ypBIERtufK1osg9lALv/abGtow2S6pdzfdFlISyiLA3HOUQ/spkuPvAe8 +ctmKvzuuerI6mVQjg/80PJ4fEV0= +=VAR1 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/releasenotes/notes/rabbitmq-gpg-keys-042a47164265ea40.yaml b/releasenotes/notes/rabbitmq-gpg-keys-042a47164265ea40.yaml new file mode 100644 index 00000000..5ac326ed --- /dev/null +++ b/releasenotes/notes/rabbitmq-gpg-keys-042a47164265ea40.yaml 
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``rabbitmq_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``rabbitmq_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.
diff --git a/tasks/install_apt.yml b/tasks/install_apt.yml
index 15dd4415..0a2515bd 100644
--- a/tasks/install_apt.yml
+++ b/tasks/install_apt.yml
@@ -27,38 +27,26 @@
     version: "{{ rabbitmq_erlang_version_spec }}"
     priority: 1000
 
-- block:
-  - name: Add rabbitmq apt-keys
-    apt_key:
-      id: "{{ item.hash_id }}"
-      keyserver: "{{ item.keyserver | default(omit) }}"
-      data: "{{ item.data | default(omit) }}"
-      url: "{{ item.url | default(omit) }}"
-      state: "present"
-    register: add_keys
-    until: add_keys is success
-    retries: 5
-    delay: 2
-    with_items: "{{ rabbitmq_gpg_keys }}"
-    tags:
-      - rabbitmq-apt-keys
+- name: If a keyfile is provided, copy the gpg keyfile to the key location
+  copy:
+    src: "gpg/{{ item.id }}"
+    dest: "{{ item.file }}"
+    mode: '0644'
+  with_items: "{{ rabbitmq_gpg_keys | selectattr('file','defined') | list }}"
+  tags:
+    - rabbitmq-apt-keys
 
-  rescue:
-    - name: Add rabbitmq apt-keys using fallback keyserver
-      apt_key:
-        id: "{{ item.hash_id }}"
-        keyserver: "{{ item.fallback_keyserver | default(omit) }}"
-        url: "{{ item.fallback_url | default(omit) }}"
-        state: "present"
-      register: add_keys_fallback
-      until: add_keys_fallback is success
-      retries: 5
-      delay: 2
-      with_items: "{{ rabbitmq_gpg_keys }}"
-      when:
-        - (item.fallback_keyserver is defined or item.fallback_url is defined)
-      tags:
-        - rabbitmq-apt-keys
+- name: Install gpg keys
+  apt_key: "{{ key }}"
+  with_items: "{{ rabbitmq_gpg_keys }}"
+  loop_control:
+    loop_var: key
+  register: _add_apt_keys
+  until: _add_apt_keys is success
+  retries: 5
+  delay: 2
+  tags:
+    - rabbitmq-apt-keys
 
 # When updating the cache in the apt_repository
 # task, and the update fails, a retry does not
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 785c9fb4..6156f9c6 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
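Review bot: The copy task requires a `files/gpg/<id>` to exist in the role for every entry that has `file` defined, so an operator override that points `file` at a key they provision by other means fails on a missing source instead of being skipped; either document that `file` implies a role-shipped key or gate the copy on a separate flag. `apt_key: "{{ key }}"` hands the whole entry to the module as its arguments, so any leftover key from the old schema (`hash_id`, `key_name`, `fallback_keyserver`) aborts the play — a one-line comment above the task, `# Each entry is passed verbatim to apt_key; only apt_key arguments are valid here`, would save the next reader a trip to the release note. The two tasks loop with different variables (`item` in the copy, `key` via `loop_control`) without visible need; using `item` in both would read consistently. The hunk's leading context (`version:`/`priority:`) belongs to a task that starts outside it.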
@@ -21,13 +21,10 @@ _rabbitmq_package_sha256: "11f70dd68e098e4dc32e3eda49ab68c795e599f3ac0b8b858014c
 _rabbitmq_package_path: "/opt/rabbitmq-server.deb"
 
 _rabbitmq_gpg_keys:
-  - key_name: 'packagecloud-rabbitmq'
-    url: 'https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey'
-    hash_id: '0xC2E73424D59097AB'
-  - key_name: 'erlang_solutions'
-    keyserver: 'hkp://keyserver.ubuntu.com:80'
-    fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
-    hash_id: '0xd208507ca14f4fca'
+  - id: 4D206F89
+    file: /etc/ssl/packagecloud-key
+  - id: A14F4FCA
+    file: /etc/ssl/erlang-key
 
 _rabbitmq_repo_url: "https://packagecloud.io/rabbitmq/rabbitmq-server/{{ ansible_distribution | lower }}"
 _rabbitmq_repo:
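Review bot: The new packagecloud entry `id: 4D206F89` does not match the key this hunk removes — `hash_id: '0xC2E73424D59097AB'` would have short id `D59097AB` — while `A14F4FCA` does match the removed `0xd208507ca14f4fca`; unless 4D206F89 is a subkey of the same key, this swaps the packagecloud trust anchor rather than only vendoring it, and the commit message and release note should say so. A comment per entry recording the full fingerprint and the location the blob was fetched from (for packagecloud, the removed `url: 'https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey'`) would let a later reviewer re-verify `files/gpg/<id>` against upstream. Quote the ids as the removed lines did (`- id: '4D206F89'`): an all-hex id is a plain string here, but one with an `E` between digits may be read as a float by YAML 1.2 parsers. Because each dict is passed verbatim to apt_key, adding a `keyring:` argument (for example `/etc/apt/trusted.gpg.d/rabbitmq.gpg`) would scope these keys to a dedicated keyring instead of the global trusted set.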