Don't set repo_gpgcheck=1 by default on RHEL/CentOS 8.1 and on custom repos #352

Merged (2 commits), Apr 29, 2021
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -51,13 +51,13 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y
| `datadog_apt_cache_valid_time` | Override the default apt cache expiration time (defaults to 1 hour). |
| `datadog_apt_key_url_new` | Override the default URL to Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). |
| `datadog_yum_repo` | Override the default Datadog `yum` repository. |
| `datadog_yum_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. |
| `datadog_yum_repo_gpgcheck` | Override the default `repo_gpgcheck` value (empty). If empty, value is dynamically set to `yes` when custom `datadog_yum_repo` is not used and system is not RHEL/CentOS 8.1 (due to [a bug](https://bugzilla.redhat.com/show_bug.cgi?id=1792506) in dnf), otherwise it's set to `no`. Note that repodata signature verification is always turned off for Agent 5. |
| `datadog_yum_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. |
| `datadog_yum_gpgkey` | Override the default URL to the Datadog `yum` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`). |
| `datadog_yum_gpgkey_e09422b3` | Override the default URL to the Datadog `yum` key used to verify Agent v6.14+ packages (key ID `E09422B3`). |
| `datadog_yum_gpgkey_e09422b3_sha256sum` | Override the default checksum of the `datadog_yum_gpgkey_e09422b3` key. |
| `datadog_zypper_repo` | Override the default Datadog `zypper` repository. |
| `datadog_zypper_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. |
| `datadog_zypper_repo_gpgcheck` | Override the default `repo_gpgcheck` value (empty). If empty, value is dynamically set to `yes` when custom `datadog_zypper_repo` is not used, otherwise it's set to `no`. Note that repodata signature verification is always turned off for Agent 5. |
| `datadog_zypper_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. |
| `datadog_zypper_gpgkey` | Override the default URL to the Datadog `zypper` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`). |
| `datadog_zypper_gpgkey_sha256sum` | Override the default checksum of the `datadog_zypper_gpgkey` key. |
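Review bot: the new `datadog_yum_repo_gpgcheck` row states that the value "is set to `no`" when a custom `datadog_yum_repo` is used, but it does not say what the operator loses or how to get it back; a mirror that serves signed repomd.xml gets no repodata verification unless `datadog_yum_repo_gpgcheck: yes` is set explicitly, and that sentence belongs in the row (the same applies to the `datadog_zypper_repo_gpgcheck` row). Two smaller points: the yum row keeps "always turned off for Agent 5" while the new `set_fact` in tasks/pkg-redhat.yml does not mention the Agent version at all (the zypper one does), so confirm the Agent 5 yum repository task, which is not in this diff, still forces `repo_gpgcheck: no`; and the 8.1 exception is keyed on the OS version, so it is worth saying that hosts on 8.1 with a fixed dnf are also excluded.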
4 changes: 2 additions & 2 deletions defaults/main.yml
Expand Up @@ -72,7 +72,7 @@ datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80
# Use the datadog_yum_repo variable to override the repository used.
datadog_yum_repo: ""

datadog_yum_repo_gpgcheck: yes
datadog_yum_repo_gpgcheck: ""
datadog_yum_gpgcheck: yes
datadog_yum_gpgkey: "https://keys.datadoghq.com/DATADOG_RPM_KEY.public"
# the CURRENT key always contains the key that is used to sign repodata and latest packages
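Review bot: the empty-string default at `datadog_yum_repo_gpgcheck: ""` is a sentinel with non-obvious semantics, yet it carries no comment while the `datadog_yum_repo` line just above does; add a comment stating that empty means "auto: `yes` unless a custom repo is used or the host is RHEL/CentOS 8.1 (dnf bug 1792506)" and that `yes`/`no` force the value. The same applies to `datadog_zypper_repo_gpgcheck: ""` further down, minus the 8.1 clause.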
Expand All @@ -96,7 +96,7 @@ datadog_ignore_old_centos_python3_error: false
# Use the datadog_zypper_repo variable to override the repository used.
datadog_zypper_repo: ""

datadog_zypper_repo_gpgcheck: yes
datadog_zypper_repo_gpgcheck: ""
datadog_zypper_gpgcheck: yes
datadog_zypper_gpgkey: "https://keys.datadoghq.com/DATADOG_RPM_KEY.public"
datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
18 changes: 15 additions & 3 deletions tasks/pkg-redhat.yml
Expand Up @@ -7,6 +7,18 @@
and (ansible_facts.distribution_major_version | int <= 7)
and (ansible_facts.python.version.major | int >= 3)

- name: Find out whether to set repo_gpgcheck or not
# We turn off repo_gpgcheck on custom repos and on RHEL/CentOS 8.1 because
# of https://bugzilla.redhat.com/show_bug.cgi?id=1792506
set_fact:
do_yum_repo_gpgcheck: >-
{{ datadog_yum_repo_gpgcheck if datadog_yum_repo_gpgcheck != '' else (
'no' if (
ansible_facts.distribution_version.startswith('8.1.') or ansible_facts.distribution_version == '8.1' or
datadog_yum_repo != ''
) else 'yes'
) }}

- name: Download current RPM key
get_url:
url: "{{ datadog_yum_gpgkey_current }}"
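Review bot: the `do_yum_repo_gpgcheck` expression downgrades verification for every custom `datadog_yum_repo`, not only for the dnf bug the comment cites; a mirror that does serve signed repodata gets `repo_gpgcheck: no` unless the operator knows to set `datadog_yum_repo_gpgcheck: yes`. If disabling on custom repos is intended (the PR title says so), at least add a `debug` task that prints a warning when the fact resolves to `'no'`, so the downgrade is visible in play output rather than silent. Two further points: the check keys off `ansible_facts.distribution_version` rather than the installed dnf version, so an 8.1 host with a patched dnf also loses verification; and, unlike the counterpart in tasks/pkg-suse.yml, this expression does not special-case Agent 5, so confirm the Agent 5 repository task (not in this diff) still hardcodes `repo_gpgcheck: no`.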
Expand Down Expand Up @@ -66,7 +78,7 @@
description: Datadog, Inc.
baseurl: "{{ datadog_agent6_yum_repo }}"
enabled: yes
repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
gpgcheck: "{{ datadog_yum_gpgcheck }}"
gpgkey: [
"{{ datadog_yum_gpgkey_current }}",
Expand All @@ -83,7 +95,7 @@
description: Datadog, Inc.
baseurl: "{{ datadog_agent7_yum_repo }}"
enabled: yes
repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
gpgcheck: "{{ datadog_yum_gpgcheck }}"
gpgkey: [
"{{ datadog_yum_gpgkey_current }}",
Expand All @@ -99,7 +111,7 @@
description: Datadog, Inc.
baseurl: "{{ datadog_yum_repo }}"
enabled: yes
repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
gpgcheck: "{{ datadog_yum_gpgcheck }}"
gpgkey: [
"{{ datadog_yum_gpgkey_current }}",
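Review bot: in this custom-repository block `do_yum_repo_gpgcheck` resolves to `no` by default, since `datadog_yum_repo` is always set when it runs, so the `gpgkey` list here protects package signatures only, not repodata; a one-line comment above `repo_gpgcheck:` saying so would stop the next reader from assuming metadata is verified for custom repos.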
7 changes: 7 additions & 0 deletions tasks/pkg-suse.yml
@@ -1,4 +1,11 @@
---
- name: Find out whether to set repo_gpgcheck or not
set_fact:
do_zypper_repo_gpgcheck: >-
{{ datadog_zypper_repo_gpgcheck if datadog_zypper_repo_gpgcheck != '' else (
'yes' if datadog_zypper_repo == '' and datadog_agent_major_version|int != 5 else 'no'
) }}

- block: # Work around due to SNI check for SLES11
- name: Stat if current RPM key already exists
stat:
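Review bot: the `do_zypper_repo_gpgcheck` expression has no comment explaining why a custom `datadog_zypper_repo` turns repodata verification off, whereas the RedHat counterpart cites its reason; the 8.1 dnf bug does not apply to zypper, so the remaining rationale ("custom repos may not sign repodata") should be written down here, together with the "we don't sign Agent 5 repodata" note that this PR drops from templates/zypper.repo.j2. Note also that this `set_fact` yields the strings `'yes'`/`'no'` (unless Ansible's string-to-boolean conversion of `set_fact` values kicks in), not the YAML boolean the old `datadog_zypper_repo_gpgcheck: yes` default produced, which matters for the `|int` filter in the template.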
5 changes: 1 addition & 4 deletions templates/zypper.repo.j2
@@ -1,9 +1,6 @@
{% set repo_gpgcheck = datadog_zypper_repo_gpgcheck|int %}

{% if datadog_zypper_repo | length > 0 %}
{% set baseurl = datadog_zypper_repo %}
{% elif datadog_agent_major_version|int == 5 %}
{% set repo_gpgcheck = 0 %}{# we don't sign Agent 5 repodata #}
{% set baseurl = datadog_agent5_zypper_repo %}
{% elif datadog_agent_major_version|int == 6 %}
{% set baseurl = datadog_agent6_zypper_repo %}
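Review bot: removing the `{% set repo_gpgcheck = 0 %}` override for Agent 5 is fine only because the rule now lives in the `set_fact` in tasks/pkg-suse.yml, but the explanatory comment `we don't sign Agent 5 repodata` is deleted with it and does not reappear anywhere in this diff; keep it next to the `datadog_agent_major_version|int != 5` test so the reason survives.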
Expand All @@ -19,7 +16,7 @@ baseurl={{ baseurl }}

type=rpm-md
gpgcheck={{ datadog_zypper_gpgcheck|int }}
repo_gpgcheck={{ repo_gpgcheck }}
repo_gpgcheck={{ do_zypper_repo_gpgcheck|int }}
{# zypper in SUSE < 15 will not parse (SUSE 11) or respect (SUSE 12 - 14) mutliple entries in gpgkey #}
{% if ansible_distribution_version|int < 15 %}
gpgkey={{ datadog_zypper_gpgkey_current }}
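Review bot: `do_zypper_repo_gpgcheck|int` is fragile: Jinja's `int` filter returns its default of 0 for any value it cannot parse, so if `do_zypper_repo_gpgcheck` arrives as the string `'yes'` (what the `set_fact` expression produces before any boolean conversion), this line renders `repo_gpgcheck=0` and silently disables repodata verification in exactly the case where it was meant to be on. The old `datadog_zypper_repo_gpgcheck|int` was safe only because the default was a YAML boolean. Use `repo_gpgcheck={{ do_zypper_repo_gpgcheck|bool|int }}` and add a test that the rendered repo file contains `repo_gpgcheck=1` on a default SUSE host.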