Normalise in-repo GPG key implementation

To ensure that we have a consistent implementation between the galera_client and galera_server roles, we change the galera_server role to match galera_client as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83 This updates it to a mechanism which will be easier to maintain. Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
2018-12-17 18:21:37 +00:00 · 2018-12-17 18:21:37 +00:00 · c2b73bff52
commit c2b73bff52
parent 30bdc809bb
10 changed files with 40 additions and 38 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -51,6 +51,14 @@ galera_repo_url: "{{ _galera_repo_url }}"
 galera_repo: "{{ _galera_repo }}"

 # Set the gpg keys needed to be imported
+# This should be a list of dicts, with each dict
+# giving a set of arguments to the applicable
+# package module. The following is an example for
+# systems using the apt package manager.
+# galera_gpg_keys:
+#   - id: '0xF1656F24C74CD1D8'
+#     keyserver: 'hkp://keyserver.ubuntu.com:80'
+#     validate_certs: no
 galera_gpg_keys: "{{ _galera_gpg_keys | default([]) }}"

 # Set the rpo information for the Percona Xtrabackup repository
--- a/files/gpg/RPM-GPG-KEY-MariaDB
+++ b/files/gpg/RPM-GPG-KEY-MariaDB
--- a/files/gpg/RPM-GPG-KEY-percona
+++ b/files/gpg/RPM-GPG-KEY-percona
--- a/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
+++ b/releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml
@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``galera_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``galera_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.
--- a/tasks/galera_install_apt.yml
+++ b/tasks/galera_install_apt.yml
@ -20,16 +20,13 @@

 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
-    dest: "{{ item.key }}"
+    src: "gpg/{{ item.id }}"
+    dest: "{{ item.file }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}"

 - name: Install gpg keys
-  apt_key:
-    id: "{{ key.id }}"
-    file: "{{ key.key | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  apt_key: "{{ key }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
--- a/tasks/galera_install_yum.yml
+++ b/tasks/galera_install_yum.yml
@ -51,16 +51,13 @@

 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
    dest: "{{ item.key }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"

 - name: Install gpg keys
-  rpm_key:
-    key: "{{ key.key }}"
-    validate_certs: "{{ key.validate_certs | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  rpm_key: "{{ key }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
--- a/tasks/galera_install_zypper.yml
+++ b/tasks/galera_install_zypper.yml
@ -32,21 +32,18 @@

 - name: If a keyfile is provided, copy the gpg keyfile to the key location
  copy:
-    src: "{{ item.keyfile }}"
+    src: "gpg/{{ item.key | basename }}"
    dest: "{{ item.key }}"
    mode: '0644'
-  with_items: "{{ galera_gpg_keys | selectattr('keyfile','defined') | list }}"
+  with_items: "{{ galera_gpg_keys }}"

 - name: Install gpg keys
-  rpm_key:
-    key: "{{ key.key }}"
-    validate_certs: "{{ key.validate_certs | default(omit) }}"
-    state: "{{ key.state | default('present') }}"
+  rpm_key: "{{ key }}"
  with_items: "{{ galera_gpg_keys }}"
  loop_control:
    loop_var: key
-  register: _add_yum_keys
-  until: _add_yum_keys is success
+  register: _add_zypper_keys
+  until: _add_zypper_keys is success
  retries: 5
  delay: 2

--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -16,13 +16,9 @@
 # Galera GPG Keys
 _galera_gpg_keys:
  # MariaDB Package Signing Key <package-signing-key@mariadb.org>
-  - name: mariadb
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
-    keyfile: 'gpg/1BB943DB'
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-MariaDB
  # Percona MySQL Development Team <mysql-dev@percona.com>
-  - key_name: percona
-    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona
-    keyfile: 'gpg/CD2EFD2A'
+  - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-percona

 # Default private device setting
 # This provides some additional security, but it causes problems with creating
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -15,9 +15,8 @@

 # Galera GPG Keys
 _galera_gpg_keys:
-  - name: mariadb
-    key: /etc/pki/RPM-GPG-KEY-MariaDB
-    keyfile: 'gpg/1BB943DB'
+  # MariaDB Package Signing Key <package-signing-key@mariadb.org>
+  - key: /etc/pki/RPM-GPG-KEY-MariaDB

 # Default private device setting
 _galera_disable_privatedevices: yes
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -22,15 +22,11 @@ _galera_disable_privatedevices: yes
 # Galera GPG Keys
 _galera_gpg_keys:
  # MariaDB Signing Key <signing-key@mariadb.org>
-  - name: mariadb
-    id: C74CD1D8
-    key: /etc/ssl/mariadb-key
-    keyfile: 'gpg/C74CD1D8'
+  - id: C74CD1D8
+    file: /etc/ssl/mariadb-key
  # Percona MySQL Development Team (Packaging key) <mysql-dev@percona.com>
-  - key_name: percona
-    id: 8507EFA5
-    key: /etc/ssl/percona-pkg-key
-    keyfile: 'gpg/8507EFA5'
+  - id: 8507EFA5
+    file: /etc/ssl/percona-pkg-key

 galera_server_required_distro_packages:
  - apt-transport-https