diff --git a/manifests/init.pp b/manifests/init.pp
index 264ca41e..9804bf76 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -342,9 +342,11 @@
 Hash[String[1], Data] $agent_extra_options = {},
 Optional[String] $agent_repo_uri = undef,
 Optional[Boolean] $rpm_repo_gpgcheck = undef,
- Optional[Boolean] $use_apt_backup_keyserver = $datadog_agent::params::use_apt_backup_keyserver,
- String $apt_backup_keyserver = $datadog_agent::params::apt_backup_keyserver,
- String $apt_keyserver = $datadog_agent::params::apt_keyserver,
+ # TODO: $use_apt_backup_keyserver, $apt_backup_keyserver and $apt_keyserver can be
+ # removed in the next major version; they're kept now for backwards compatibility
+ Optional[Boolean] $use_apt_backup_keyserver = undef,
+ Optional[String] $apt_backup_keyserver = undef,
+ Optional[String] $apt_keyserver = undef,
 String $apt_release = $datadog_agent::params::apt_default_release,
 String $win_msi_location = 'C:/Windows/temp', # Temporary directory where the msi file is downloaded, must exist
 Enum['present', 'absent'] $win_ensure = 'present', #TODO: Implement uninstall also for apt and rpm install methods
@@ -424,10 +426,11 @@
 if $manage_install {
 case $::operatingsystem {
 'Ubuntu','Debian' : {
- if $use_apt_backup_keyserver {
- $_apt_keyserver = $apt_backup_keyserver
- } else {
- $_apt_keyserver = $apt_keyserver
+ if $use_apt_backup_keyserver != undef or $apt_backup_keyserver != undef or $apt_keyserver != undef {
+ notify { 'apt keyserver arguments deprecation':
+ message => '$use_apt_backup_keyserver, $apt_backup_keyserver and $apt_keyserver are deprecated since version 3.13.0',
+ loglevel => 'warning',
+ }
 }
 class { 'datadog_agent::ubuntu':
 agent_major_version => $_agent_major_version,
@@ -436,7 +439,6 @@
 agent_repo_uri => $agent_repo_uri,
 release => $apt_release,
 skip_apt_key_trusting => $skip_apt_key_trusting,
- apt_keyserver => $_apt_keyserver,
 }
 }
 'RedHat','CentOS','Fedora','Amazon','Scientific','OracleLinux' : {
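Review bot: The deprecation `notify` in the `'Ubuntu','Debian'` branch tells users only that the three keyserver parameters are deprecated, not that any value they pass is now ignored — the `apt_keyserver` pass-through to `datadog_agent::ubuntu` is dropped in the next hunk and nothing else reads them. A catalog `notify` resource also fires on every agent run; since the condition is known at compile time, `deprecation()` (or `warning()`) in the manifest is the usual form and keeps the catalog unchanged. Whichever form stays, the message should state the effect and the replacement, e.g. `'... are deprecated since version 3.13.0 and have no effect; keys are now fetched from the URLs in datadog_agent::ubuntu::apt_default_keys'`. The enclosing `if $manage_install` block continues outside the hunk.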
diff --git a/manifests/params.pp b/manifests/params.pp
index 0b7b9294..afe8d1e1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -19,9 +19,6 @@
 $logs_enabled = false
 $logs_open_files_limit = undef
 $container_collect_all = false
- $use_apt_backup_keyserver = false
- $apt_backup_keyserver = 'hkp://pool.sks-keyservers.net:80'
- $apt_keyserver = 'hkp://keyserver.ubuntu.com:80'
 $sysprobe_service_name = 'datadog-agent-sysprobe'
 $module_metadata = load_module_metadata($module_name)
diff --git a/manifests/ubuntu.pp b/manifests/ubuntu.pp
index 7f1b83b1..20e2b6c6 100644
--- a/manifests/ubuntu.pp
+++ b/manifests/ubuntu.pp
@@ -5,13 +5,18 @@
 class datadog_agent::ubuntu(
 Integer $agent_major_version = $datadog_agent::params::default_agent_major_version,
- Array[String] $apt_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE', 'D75CEA17048B9ACBF186794B32637D44F14F620E'],
 String $agent_version = $datadog_agent::params::agent_version,
 Optional[String] $agent_repo_uri = undef,
 String $release = $datadog_agent::params::apt_default_release,
 Boolean $skip_apt_key_trusting = false,
- String $apt_keyserver = $datadog_agent::params::apt_keyserver,
 String $agent_flavor = $datadog_agent::params::package_name,
+ Optional[String] $apt_trusted_d_keyring = '/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg',
+ Optional[String] $apt_usr_share_keyring = '/usr/share/keyrings/datadog-archive-keyring.gpg',
+ Optional[Hash[String, String]] $apt_default_keys = {
+ 'DATADOG_APT_KEY_CURRENT.public' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_CURRENT.public',
+ 'D75CEA17048B9ACBF186794B32637D44F14F620E' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_F14F620E.public',
+ 'A2923DFF56EDA6E76E55E492D3A80E30382E94DE' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_382E94DE.public',
+ },
 ) inherits datadog_agent::params {
 if $agent_version =~ /^[0-9]+\.[0-9]+\.[0-9]+((?:~|-)[^0-9\s-]+[^-\s]*)?$/ {
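Review bot: `$apt_trusted_d_keyring`, `$apt_usr_share_keyring` and `$apt_default_keys` are typed `Optional[...]` although the class body in the following hunks uses them unconditionally — as `file` titles, inside the `signed-by=` prefix of the apt source line and as the receiver of `.each` — so an explicit `undef` from a caller fails at resource evaluation instead of at parameter validation. `String[1]` for the two paths (or `Stdlib::Absolutepath`, since the module already appears to depend on stdlib via `load_module_metadata`) and `Hash[String[1], String[1]]` for the key map would reject that up front. The new parameters also carry no doc comment; a line each noting that the two paths are the keyring this class writes and its copy for releases without `signed-by` support, and that the keys of `$apt_default_keys` are identifiers used only for file and resource names, would help callers. The parameter list is complete in the hunk but the class body runs past it.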
@@ -29,10 +34,32 @@
 }
 if !$skip_apt_key_trusting {
- $apt_keys.each |String $apt_key| {
- apt::key { $apt_key:
- id => $apt_key,
- server => $apt_keyserver,
+ file { $apt_usr_share_keyring:
+ ensure => file,
+ mode => '0644',
+ }
+
+ $apt_default_keys.each |String $key_fingerprint, String $key_url| {
+ $key_path = "/tmp/${key_fingerprint}"
+
+ file { $key_path:
+ owner => root,
+ group => root,
+ mode => '0600',
+ source => $key_url,
+ }
+
+ exec { "ensure key ${key_fingerprint} is imported in APT keyring":
+ command => "/bin/cat /tmp/${key_fingerprint} | gpg --import --batch --no-default-keyring --keyring ${apt_usr_share_keyring}",
+ unless => "/bin/cat /tmp/${key_fingerprint} | gpg --dry-run --import --batch --no-default-keyring --keyring ${apt_usr_share_keyring} 2>&1 | grep 'unchanged: 1'",
+ }
+ }
+
+ if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16') == -1) or
+ ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') == -1) {
+ file { $apt_trusted_d_keyring:
+ mode => '0644',
+ source => "file://${apt_usr_share_keyring}",
 }
 }
 }
@@ -40,7 +67,7 @@
 if ($agent_repo_uri != undef) {
 $location = $agent_repo_uri
 } else {
- $location = 'https://apt.datadoghq.com/'
+ $location = "[signed-by=${apt_usr_share_keyring}] https://apt.datadoghq.com/"
 }
 apt::source { 'datadog-beta':
diff --git a/spec/classes/datadog_agent_spec.rb b/spec/classes/datadog_agent_spec.rb
index b5ce9713..c0ffa73c 100644
--- a/spec/classes/datadog_agent_spec.rb
+++ b/spec/classes/datadog_agent_spec.rb
@@ -34,7 +34,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+main})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+main})
 end
 end
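Review bot: The imported key is never checked against the identifier in `$apt_default_keys`: `$key_fingerprint` only names the `/tmp` file and the exec, so whatever `source => $key_url` delivers — or whatever already sits at the predictable path under the world-writable `/tmp` — is added to the keyring that the apt source trusts. A `checksum => 'sha256'` plus `checksum_value` on the `file` resource, or an `onlyif` that compares the `fpr:` line of `gpg --with-colons --with-fingerprint "${key_path}"` with `$key_fingerprint`, would pin what gets imported (the `DATADOG_APT_KEY_CURRENT.public` entry would need a real fingerprint or checksum for that), and staging the downloads in a root-owned directory instead of `/tmp` removes the shared-directory exposure. Two smaller points: `unless` greps the English `unchanged: 1`, so under another locale the import reruns on every agent run unless the exec sets `environment => ['LC_ALL=C']`; and the `$apt_trusted_d_keyring` copy has no relationship to the import execs, so on a first run it can be written before the keys are in `$apt_usr_share_keyring` and only converge on the next run.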
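Review bot: The `[signed-by=${apt_usr_share_keyring}]` option is now written into `$location` regardless of `$skip_apt_key_trusting`, but with that flag set the preceding hunk creates neither the keyring file nor the imports, so apt will refuse the repository's signatures unless the user has placed a keyring at exactly that path; before this change the flag simply left the system trusted keyring in charge, which makes this a behaviour change for those users that the commit does not document. Either make the prefix conditional, `$_signed_by = $skip_apt_key_trusting ? { true => '', default => "[signed-by=${apt_usr_share_keyring}] " }` and `$location = "${_signed_by}https://apt.datadoghq.com/"`, or state on the parameter that callers who skip key trusting must provide `$apt_usr_share_keyring` themselves. Embedding the option in the URI also sidesteps `apt::source`'s own handling; if the pinned puppetlabs-apt release offers a `keyring` parameter on `apt::source`, that is the cleaner route. The `$agent_repo_uri` branch does not get the prefix, which is presumably intended but worth a comment.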
@@ -53,7 +53,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
 end
 end
@@ -72,7 +72,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+7})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+7})
 end
 end
@@ -91,7 +91,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
 end
 end
@@ -110,7 +110,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
 end
 end
@@ -129,7 +129,7 @@
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
 end
 end
@@ -1606,25 +1606,7 @@
 end
 end
- if DEBIAN_OS.include?(operatingsystem)
- it do
- is_expected.to contain_class('datadog_agent::ubuntu')\
- .with_apt_keyserver('hkp://keyserver.ubuntu.com:80')
- end
- context 'use backup keyserver' do
- let(:params) do
- {
- use_apt_backup_keyserver: true,
- agent_major_version: 5,
- }
- end
-
- it do
- is_expected.to contain_class('datadog_agent::ubuntu')\
- .with_apt_keyserver('hkp://pool.sks-keyservers.net:80')
- end
- end
- elsif REDHAT_OS.include?(operatingsystem)
+ if REDHAT_OS.include?(operatingsystem)
 it { is_expected.to contain_class('datadog_agent::redhat') }
 end
 end
diff --git a/spec/classes/datadog_agent_ubuntu_spec.rb b/spec/classes/datadog_agent_ubuntu_spec.rb
index 3676ba25..c3a498c6 100644
--- a/spec/classes/datadog_agent_ubuntu_spec.rb
+++ b/spec/classes/datadog_agent_ubuntu_spec.rb
@@ -1,5 +1,25 @@
 require 'spec_helper'
+shared_examples 'old debianoid' do
+ it do
+ is_expected.to contain_file('/usr/share/keyrings/datadog-archive-keyring.gpg')
+ is_expected.to contain_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg')
+ is_expected.to contain_exec('ensure key DATADOG_APT_KEY_CURRENT.public is imported in APT keyring')
+ is_expected.to contain_exec('ensure key D75CEA17048B9ACBF186794B32637D44F14F620E is imported in APT keyring')
+ is_expected.to contain_exec('ensure key A2923DFF56EDA6E76E55E492D3A80E30382E94DE is imported in APT keyring')
+ end
+end
+
+shared_examples 'new debianoid' do
+ it do
+ is_expected.to contain_file('/usr/share/keyrings/datadog-archive-keyring.gpg')
+ is_expected.not_to contain_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg')
+ is_expected.to contain_exec('ensure key DATADOG_APT_KEY_CURRENT.public is imported in APT keyring')
+ is_expected.to contain_exec('ensure key D75CEA17048B9ACBF186794B32637D44F14F620E is imported in APT keyring')
+ is_expected.to contain_exec('ensure key A2923DFF56EDA6E76E55E492D3A80E30382E94DE is imported in APT keyring')
+ end
+end
+
 describe 'datadog_agent::ubuntu' do
 context 'agent 5' do
 if RSpec::Support::OS.windows?
@@ -23,30 +43,11 @@
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list') .with_ensure('absent')
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+main})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+main})
 end
 # it should install the mirror
 it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
- it do
- is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
- is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')
- end
-
- context 'overriding keyserver' do
- let(:params) do
- {
- apt_keyserver: 'hkp://pool.sks-keyservers.net:80',
- }
- end
-
- it do
- is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')\
- .with_server('hkp://pool.sks-keyservers.net:80')
- is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')\
- .with_server('hkp://pool.sks-keyservers.net:80')
- end
- end
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
@@ -87,15 +88,11 @@
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list') .with_ensure('absent')
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
 end
 # it should install the mirror
 it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
- it do
- is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
- is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')
- end
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')\
@@ -136,13 +133,9 @@
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list') .with_ensure('absent')
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
- .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+7})
+ .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+7})
 end
- # it should install the mirror
- it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
- it { is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE') }
-
 it do
 is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')\
 .that_notifies('exec[apt_update]')
@@ -161,4 +154,76 @@
 .that_requires('exec[apt_update]')
 end
 end
+
+ context 'ubuntu < 16' do
+ let(:params) do
+ {
+ agent_major_version: 7,
+ }
+ end
+
+ let(:facts) do
+ {
+ osfamily: 'debian',
+ operatingsystem: 'Ubuntu',
+ operatingsystemrelease: '14.04',
+ }
+ end
+
+ include_examples 'old debianoid'
+ end
+
+ context 'ubuntu >= 16' do
+ let(:params) do
+ {
+ agent_major_version: 7,
+ }
+ end
+
+ let(:facts) do
+ {
+ osfamily: 'debian',
+ operatingsystem: 'Ubuntu',
+ operatingsystemrelease: '16.04',
+ }
+ end
+
+ include_examples 'new debianoid'
+ end
+
+ context 'debian < 9' do
+ let(:params) do
+ {
+ agent_major_version: 7,
+ }
+ end
+
+ let(:facts) do
+ {
+ osfamily: 'debian',
+ operatingsystem: 'Debian',
+ operatingsystemrelease: '8.0',
+ }
+ end
+
+ include_examples 'old debianoid'
+ end
+
+ context 'debian >= 9' do
+ let(:params) do
+ {
+ agent_major_version: 7,
+ }
+ end
+
+ let(:facts) do
+ {
+ osfamily: 'debian',
+ operatingsystem: 'Debian',
+ operatingsystemrelease: '9.0',
+ }
+ end
+
+ include_examples 'new debianoid'
+ end
 end