From 3ce9cb43c585cfb521dc14bb5540760a930d09ed Mon Sep 17 00:00:00 2001
From: Alin Cociorvan
Date: Sat, 28 Jun 2025 00:57:35 +0300
Subject: [PATCH] manage gpg key with apt::keyring

---
 REFERENCE.md | 9 +++++++++
 manifests/repo.pp | 32 +++++++++++++++++++-------------
 spec/classes/repo_spec.rb | 2 ++
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index a724c27..47faabe 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -34,6 +34,7 @@ The following parameters are available in the `elastic_stack::repo` class:
 * [`base_repo_url`](#-elastic_stack--repo--base_repo_url)
 * [`gpg_key_source`](#-elastic_stack--repo--gpg_key_source)
 * [`apt_keyring_name`](#-elastic_stack--repo--apt_keyring_name)
+* [`gpg_key_path`](#-elastic_stack--repo--gpg_key_path)

 ##### `oss`

@@ -101,3 +102,11 @@ Use `.asc` if the key is armored and `.gpg` if it's unarmored

 Default value: `'elastic-keyring.asc'`

+##### `gpg_key_path`
+
+Data type: `Stdlib::Absolutepath`
+
+The path where the GPG key should be stored (APT only)
+
+Default value: `'/usr/share/keyrings'`
+
diff --git a/manifests/repo.pp b/manifests/repo.pp
index ddaa31f..57bd922 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -14,16 +14,18 @@
 # @param gpg_key_source The gpg key for the repo
 # @param apt_keyring_name The keyring filename to create (APT only)
 # The filename extention is important here.
-# Use `.asc` if the key is armored and `.gpg` if it's unarmored
+# Use `.asc` if the key is armored and `.gpg` if it's unarmored
+# @param gpg_key_path The path where the GPG key should be stored (APT only)
 class elastic_stack::repo (
- Boolean $oss = false,
- Boolean $prerelease = false,
- Optional[Integer] $priority = undef,
- String $proxy = 'absent',
- Integer $version = 7,
- Stdlib::Filesource $gpg_key_source = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
- String[1] $apt_keyring_name = 'elastic-keyring.asc',
- Optional[String] $base_repo_url = undef,
+ Boolean $oss = false,
+ Boolean $prerelease = false,
+ Optional[Integer] $priority = undef,
+ String $proxy = 'absent',
+ Integer $version = 7,
+ Stdlib::Filesource $gpg_key_source = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
+ String[1] $apt_keyring_name = 'elastic-keyring.asc',
+ Stdlib::Absolutepath $gpg_key_path = '/usr/share/keyrings',
+ Optional[String] $base_repo_url = undef,
 ) {
 if $prerelease {
 $version_suffix = '.x-prerelease'
@@ -72,16 +74,20 @@
 'Debian': {
 include apt

+ apt::keyring { $apt_keyring_name:
+ ensure => present,
+ source => $gpg_key_source,
+ dir => $gpg_key_path,
+ }
+
 apt::source { 'elastic':
 comment => $description,
 location => $base_url,
 release => 'stable',
 repos => 'main',
- key => {
- 'name' => $apt_keyring_name,
- 'source' => $gpg_key_source,
- },
 pin => $priority,
+ keyring => "${gpg_key_path}/${apt_keyring_name}",
+ require => Apt::Keyring[$apt_keyring_name],
 }
 }
 'RedHat', 'Linux': {
diff --git a/spec/classes/repo_spec.rb b/spec/classes/repo_spec.rb
index 3ab8c76..e59e9c3 100644
--- a/spec/classes/repo_spec.rb
+++ b/spec/classes/repo_spec.rb
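Review bot: `apt_keyring_name` is still typed `String[1]` in the parameter list, yet the second hunk of this file now joins it into `"${gpg_key_path}/${apt_keyring_name}"`, so a value containing `/` or `..` resolves outside `gpg_key_path`, and the `.asc`/`.gpg` rule from the doc comment is not enforced. A type such as `Pattern[/\A[\w.-]+\.(asc|gpg)\z/] $apt_keyring_name` would pin both, though whether any existing caller passes a different extension is not visible here. The new `@param` line could also say that the value is a directory, e.g. `# @param gpg_key_path Directory in which the keyring file is created (APT only)`. The class body continues outside the hunk.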
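Review bot: The new `apt::keyring` resource installs whatever `$gpg_key_source` returns, and `keyring =>` then makes that file the signing trust anchor for the `elastic` source, with nothing checking that it is the expected key; `Stdlib::Filesource` also admits plain `http://` URLs. I would add a comment above the resource such as `# Trust anchor for the elastic repo: keep gpg_key_source on https://, puppet:/// or a local file`, and consider narrowing the parameter type in a follow-up. Separately, nodes converged with the removed `key => {...}` form presumably keep a keyring file in the apt module's default keyring directory now that the default moves to `/usr/share/keyrings`; if so, an `ensure => absent` for the old file would avoid leaving stale key material behind. The surrounding `case` block starts and ends outside the hunk.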
@@ -38,8 +38,10 @@ def declare_zypper(version: '7.x', **params)
 case facts[:os]['family']
 when 'Debian'
 it { is_expected.to declare_apt }
+ it { is_expected.to contain_apt__keyring('elastic-keyring.asc') }
 when 'RedHat'
 it { is_expected.to declare_yum }
+ it { is_expected.to contain_exec('elastic_yumrepo_yum_clean') }
 when 'Suse'
 it { is_expected.to declare_zypper }
 it { is_expected.to contain_exec('elastic_suse_import_gpg').with(command: rpm_key_cmd) }
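Review bot: The added Debian expectation only checks that an `apt::keyring` named `elastic-keyring.asc` is in the catalogue; it does not pin where the key comes from or where it is written, so a regression in `source` or `dir` would pass. Something like `it { is_expected.to contain_apt__keyring('elastic-keyring.asc').with(source: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch', dir: '/usr/share/keyrings') }` would cover the defaults, and a context that overrides `gpg_key_path` would cover the new parameter. Whether `declare_apt` asserts the matching `keyring` path on `apt::source` cannot be seen here, since that helper is defined outside the hunk. The `contain_exec('elastic_yumrepo_yum_clean')` line looks unrelated to the keyring change and may belong in its own commit.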