Merge pull request #242 from DataDog/jaime/keys

truthbk · web-flow · commit cb45891980f3 · 2016-11-07T10:21:34.000-05:00
[keys][rpm+deb] rotate repo keys.
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -1,6 +1,9 @@
 fixtures:
   repositories:
-    stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+    stdlib:
+      repo: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+      ref: "4.12.0"
     ruby: "git://github.com/puppetlabs/puppetlabs-ruby.git"
+    remote_file: "git://github.com/lwf/puppet-remote_file.git"
   symlinks:
     datadog_agent: "#{source_dir}"
diff --git a/Gemfile b/Gemfile
@@ -9,11 +9,11 @@ group :test do
   gem "puppet-syntax"
   gem "puppetlabs_spec_helper"
   gem "rake"
-  gem "rspec-puppet", '2.2.0'
+  gem "rspec-puppet", '2.3.2'
 end
 
 group :development do
-  gem "beaker"
+  gem "beaker", '2.51.0'
   gem "beaker-rspec"
   gem "puppet-blacksmith"
   gem "guard-rake"
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
@@ -13,23 +13,48 @@
 #
 # Sample Usage:
 #
+#
 class datadog_agent::redhat(
   $baseurl = "https://yum.datadoghq.com/rpm/${::architecture}/",
-  $gpgkey = 'https://yum.datadoghq.com/DATADOG_RPM_KEY.public',
+  $gpgkey = 'https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
   $manage_repo = true,
   $agent_version = 'latest'
 ) {
 
   validate_bool($manage_repo)
   if $manage_repo {
+    $public_key_local = '/tmp/DATADOG_RPM_KEY.public'
+
     validate_string($baseurl)
 
+    remote_file { 'DATADOG_RPM_KEY.public':
+        owner  => root,
+        group  => root,
+        mode   => '600',
+        path   => $public_key_local,
+        source => $gpgkey
+    }
+
+    exec { 'install-gpg-key':
+        command => "/bin/rpm --import ${public_key_local}",
+        onlyif  => "/bin/gpg --quiet --with-fingerprint -n ${public_key_local} | grep \'A4C0 B90D 7443 CF6E 4E8A  A341 F106 8E14 E094 22B3\'",
+        unless  => '/bin/rpm -q gpg-pubkey-e09422b3',
+        require => Remote_file['DATADOG_RPM_KEY.public'],
+        notify  => Exec['cleanup-gpg-key'],
+    }
+
+    exec { 'cleanup-gpg-key':
+        command => "/bin/rm ${public_key_local}",
+        onlyif  => "/bin/test -f ${public_key_local}",
+    }
+
     yumrepo {'datadog':
       enabled  => 1,
       gpgcheck => 1,
       gpgkey   => $gpgkey,
       descr    => 'Datadog, Inc.',
       baseurl  => $baseurl,
+      require  => Exec['install-gpg-key'],
     }
 
     Package { require => Yumrepo['datadog']}
diff --git a/manifests/ubuntu.pp b/manifests/ubuntu.pp
@@ -10,19 +10,24 @@
 #
 # Sample Usage:
 #
+#
+
 class datadog_agent::ubuntu(
-  $apt_key = 'C7A7DA52',
-  $agent_version = 'latest'
+  $apt_key = '382E94DE',
+  $agent_version = 'latest',
+  $other_keys = ['C7A7DA52']
 ) {
 
   ensure_packages(['apt-transport-https'])
+  validate_array($other_keys)
 
   if !$::datadog_agent::skip_apt_key_trusting {
-    exec { 'datadog_key':
-      command => "/usr/bin/apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ${apt_key}",
-      unless  => "/usr/bin/apt-key list | grep ${apt_key} | grep expires",
+    $mykeys = concat($other_keys, [$apt_key])
+
+    ::datadog_agent::ubuntu::install_key { $mykeys:
       before  => File['/etc/apt/sources.list.d/datadog.list'],
     }
+
   }
 
   file { '/etc/apt/sources.list.d/datadog.list':
diff --git a/manifests/ubuntu/install_key.pp b/manifests/ubuntu/install_key.pp
@@ -0,0 +1,20 @@
+# Resource type: datadog_agent::ubuntu::install_key
+#
+# This resource type install repository keys in Ubuntu
+#
+# Parameters:
+#
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#
+#
+#
+define datadog_agent::ubuntu::install_key() {
+  exec { "key ${name}":
+    command => "/usr/bin/apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ${name}",
+    unless  => "/usr/bin/apt-key list | grep ${name} | grep expires",
+  }
+}
diff --git a/metadata.json b/metadata.json
@@ -71,6 +71,10 @@
     {
       "name": "puppetlabs/ruby",
       "version_requirement": ">=0.2.0 <1.0.0"
+    },
+    {
+      "name": "lwf/remote_file",
+      "version_requirement": ">=1.1.3"
     }
   ]
 }
diff --git a/spec/classes/datadog_agent_redhat_spec.rb b/spec/classes/datadog_agent_redhat_spec.rb
@@ -16,7 +16,7 @@
       should contain_yumrepo('datadog')
         .with_enabled(1)\
         .with_gpgcheck(1)\
-        .with_gpgkey('https://yum.datadoghq.com/DATADOG_RPM_KEY.public')\
+          .with_gpgkey('https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public')\
         .with_baseurl('https://yum.datadoghq.com/rpm/x86_64/')
     end
   end
diff --git a/spec/classes/datadog_agent_ubuntu_spec.rb b/spec/classes/datadog_agent_ubuntu_spec.rb
@@ -14,7 +14,8 @@
   end
 
   # it should install the mirror
-  it { should contain_exec('datadog_key') }
+  it { should contain_datadog_agent__ubuntu__install_key('C7A7DA52') }
+  it { should contain_datadog_agent__ubuntu__install_key('382E94DE') }
   it do
     should contain_file('/etc/apt/sources.list.d/datadog.list')\
       .that_notifies('Exec[datadog_apt-get_update]')

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,10 @@`
`71`	`71`	`{`
`72`	`72`	`"name": "puppetlabs/ruby",`
`73`	`73`	`"version_requirement": ">=0.2.0 <1.0.0"`
	`74`	`+ },`
	`75`	`+ {`
	`76`	`+ "name": "lwf/remote_file",`
	`77`	`+ "version_requirement": ">=1.1.3"`
`74`	`78`	`}`
`75`	`79`	`]`
`76`	`80`	`}`