Use in-repo GPG keys

Fetching the GPG keys over the network is quite unreliable, and
apt_key does not support using a proxy properly [1], so let's store
the keys inside the role and use them from there.

The implementation here matches that which was done in the
galera_client role in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83

[1] https://github.com/ansible/ansible/issues/31691

Change-Id: I2715c904975b7940af72bd422904e748d3bae953
Jesse Pretorius 2018-12-14 16:53:17 +00:00 committed by Jesse Pretorius (odyssey4me)
parent 54a54babf2
commit 83affc627f
6 changed files with 161 additions and 38 deletions


@ -51,6 +51,15 @@ rabbitmq_release_version: "{{ _rabbitmq_release_version }}"
rabbitmq_package_sha256: "{{ _rabbitmq_package_sha256 }}"
rabbitmq_package_path: "{{ _rabbitmq_package_path }}"
# Set the gpg keys needed to be imported
# This should be a list of dicts, with each dict
# giving a set of arguments to the applicable
# package module. The following is an example for
# systems using the apt package manager.
# rabbitmq_gpg_keys:
# - id: '0xC2E73424D59097AB'
# keyserver: 'hkp://keyserver.ubuntu.com:80'
# validate_certs: no
rabbitmq_gpg_keys: "{{ _rabbitmq_gpg_keys | default([]) }}"
# Set the URL for the RabbitMQ repository
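Review bot: The commented example for `rabbitmq_gpg_keys` shows a key fetched by id over plain `hkp://` with `validate_certs: no`, which is the pattern this commit moves away from and the one operators are most likely to copy into an override. An example that mirrors the vendored defaults would be safer, for instance `# - id: '<KEY_ID>'` followed by `#   file: '/path/to/key-file'`, plus a sentence saying that each dict is passed unchanged to the key module. If a boolean stays in the example, write it as `false` rather than `no`. The page does not mark which of these lines are new, so this applies to the comment block as it reads after the change.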

65
files/gpg/4D206F89 Normal file

@ -0,0 +1,65 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)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=AD8w
-----END PGP PUBLIC KEY BLOCK-----

52
files/gpg/A14F4FCA Normal file

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=VAR1
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,12 @@
---
upgrade:
- |
The data structure for ``rabbitmq_gpg_keys`` has been changed to be
a dict passed directly to the applicable apt_key/rpm_key module. As such
any overrides would need to be reviewed to ensure that they do not pass
any key/value pairs which would cause the module to fail.
- |
The default values for ``rabbitmq_gpg_keys`` have been changed for
all supported platforms will use vendored keys. This means that the task
execution will no longer reach out to the internet to add the keys,
making offline or proxy-based installations easier and more reliable.


@ -27,38 +27,26 @@
version: "{{ rabbitmq_erlang_version_spec }}"
priority: 1000
- block:
- name: Add rabbitmq apt-keys
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.keyserver | default(omit) }}"
data: "{{ item.data | default(omit) }}"
url: "{{ item.url | default(omit) }}"
state: "present"
register: add_keys
until: add_keys is success
retries: 5
delay: 2
with_items: "{{ rabbitmq_gpg_keys }}"
tags:
- rabbitmq-apt-keys
- name: If a keyfile is provided, copy the gpg keyfile to the key location
copy:
src: "gpg/{{ item.id }}"
dest: "{{ item.file }}"
mode: '0644'
with_items: "{{ rabbitmq_gpg_keys | selectattr('file','defined') | list }}"
tags:
- rabbitmq-apt-keys
rescue:
- name: Add rabbitmq apt-keys using fallback keyserver
apt_key:
id: "{{ item.hash_id }}"
keyserver: "{{ item.fallback_keyserver | default(omit) }}"
url: "{{ item.fallback_url | default(omit) }}"
state: "present"
register: add_keys_fallback
until: add_keys_fallback is success
retries: 5
delay: 2
with_items: "{{ rabbitmq_gpg_keys }}"
when:
- (item.fallback_keyserver is defined or item.fallback_url is defined)
tags:
- rabbitmq-apt-keys
- name: Install gpg keys
apt_key: "{{ key }}"
with_items: "{{ rabbitmq_gpg_keys }}"
loop_control:
loop_var: key
register: _add_apt_keys
until: _add_apt_keys is success
retries: 5
delay: 2
tags:
- rabbitmq-apt-keys
# When updating the cache in the apt_repository
# task, and the update fails, a retry does not
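Review bot: `apt_key: "{{ key }}"` in the "Install gpg keys" task hands every key/value pair of each `rabbitmq_gpg_keys` entry to the module, so an override, or any less-trusted source that ends up feeding that variable, can set arguments such as `validate_certs`, `keyserver` or `state` that the role never intended. Ansible itself flags templating a task's whole argument set from a variable as unsafe. Listing the accepted arguments explicitly, each with `default(omit)`, and pinning `state` keeps the flexibility the release note describes while bounding what an entry can do. The page does not mark the old/new side of each line, and the task list continues beyond this hunk.

```yaml
- name: Install gpg keys
  apt_key:
    id: "{{ key.id | default(omit) }}"
    file: "{{ key.file | default(omit) }}"
    data: "{{ key.data | default(omit) }}"
    url: "{{ key.url | default(omit) }}"
    keyserver: "{{ key.keyserver | default(omit) }}"
    state: "present"
  # … unchanged: with_items, loop_control, register/until/retries/delay, tags …
```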


@ -21,13 +21,10 @@ _rabbitmq_package_sha256: "11f70dd68e098e4dc32e3eda49ab68c795e599f3ac0b8b858014c
_rabbitmq_package_path: "/opt/rabbitmq-server.deb"
_rabbitmq_gpg_keys:
- key_name: 'packagecloud-rabbitmq'
url: 'https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey'
hash_id: '0xC2E73424D59097AB'
- key_name: 'erlang_solutions'
keyserver: 'hkp://keyserver.ubuntu.com:80'
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
hash_id: '0xd208507ca14f4fca'
- id: 4D206F89
file: /etc/ssl/packagecloud-key
- id: A14F4FCA
file: /etc/ssl/erlang-key
_rabbitmq_repo_url: "https://packagecloud.io/rabbitmq/rabbitmq-server/{{ ansible_distribution | lower }}"
_rabbitmq_repo:
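Review bot: The new `_rabbitmq_gpg_keys` entries identify the keys by 32-bit short ids (`4D206F89`, `A14F4FCA`), which are not collision-resistant and are what the key module uses to decide whether a key is already installed. `A14F4FCA` is the tail of the earlier `0xd208507ca14f4fca`, but `4D206F89` is not the tail of the earlier `0xC2E73424D59097AB`, so it is worth confirming against the publisher's fingerprint that `files/gpg/4D206F89` is the key that signs the packagecloud repository. Using the full fingerprint as a quoted `id`, e.g. `id: '<FULL_FINGERPRINT>'`, would bind the presence check to the intended key. Because the copy task builds its source path from `gpg/{{ item.id }}`, the vendored files would have to be renamed to match.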