
Unverified Commit 1d2bd9b6 authored by Slavek Kabrda's avatar Slavek Kabrda

Improvements for APT keys management

* By default, get keys from keys.datadoghq.com, not Ubuntu keyserver
* Always add the DATADOG_APT_KEY_CURRENT.public key (contains key used to sign current repodata)
* Add 'signed-by' option to all sources list lines
* On Debian >= 9 and Ubuntu >= 16, only add keys to /usr/share/keyrings/datadog-archive-keyring.gpg
* On older systems, also add the same keyring to /etc/apt/trusted.gpg.d
parent bdcfb520
......@@ -140,7 +140,7 @@ default['datadog']['handler_extra_config'] = {}
# If you're installing a pre-release version of the Agent (beta or RC), you need to:
# * on debian: set node['datadog']['aptrepo_dist'] to 'beta' instead of 'stable'
# * on RHEL: set node['datadog']['yumrepo'] to 'https://yum.datadoghq.com/beta/x86_64/'
default['datadog']['aptrepo'] = 'http://apt.datadoghq.com'
default['datadog']['aptrepo'] = nil # uses Datadog stable repos by default
default['datadog']['aptrepo_dist'] = 'stable'
default['datadog']['yumrepo'] = nil # uses Datadog stable repos by default
default['datadog']['yumrepo_suse'] = nil # uses Datadog stable repos by default
......@@ -157,9 +157,6 @@ yum_protocol =
# to pin the version you're installing with node['datadog']['agent_version']
default['datadog']['installrepo'] = true
default['datadog']['aptrepo_retries'] = 4
default['datadog']['aptrepo_use_backup_keyserver'] = false
default['datadog']['aptrepo_keyserver'] = 'hkp://keyserver.ubuntu.com:80'
default['datadog']['aptrepo_backup_keyserver'] = 'hkp://pool.sks-keyservers.net:80'
# When repo_gpgcheck set to nil, it will get turned on in the code when
# not running on RHEL/CentOS <= 5 and not providing custom yumrepo.
# You can set it to true/false explicitly to override this behaviour.
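Review bot: The new comment on `default['datadog']['aptrepo'] = nil` says the Datadog stable repos are used by default but does not tell operators what a custom value implies: the recipe writes a non-nil `aptrepo` into the sources list verbatim, so the `[signed-by=...]` option that the default path adds is not applied, and on Debian >= 9 / Ubuntu >= 16 the Datadog key is only placed in `/usr/share/keyrings`, so a custom mirror pointing at Datadog-signed repodata would likely fail signature verification unless the operator supplies the option themselves. I would extend the comment to `# nil uses Datadog stable repos with signed-by=<keyring>; a custom value is written to the sources list verbatim, so include your own [signed-by=...] option if the mirror is Datadog-signed`. Dropping the `aptrepo_keyserver`, `aptrepo_backup_keyserver` and `aptrepo_use_backup_keyserver` defaults in the second hunk is consistent with the deprecation warning the recipe now emits for them.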
......
......@@ -26,10 +26,18 @@ yum_a5_architecture_map.default = 'x86_64'
agent_major_version = Chef::Datadog.agent_major_version(node)
# DATADOG_APT_KEY_CURRENT always contains the key that is used to sing repodata and latest packages
# A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
# D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
apt_gpg_key = 'D75CEA17048B9ACBF186794B32637D44F14F620E'
other_apt_gpg_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE']
apt_gpg_keys = {
'DATADOG_APT_KEY_CURRENT.public' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_CURRENT.public',
'D75CEA17048B9ACBF186794B32637D44F14F620E' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_F14F620E.public',
'A2923DFF56EDA6E76E55E492D3A80E30382E94DE' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_382E94DE.public',
}
apt_trusted_d_keyring = '/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg'
apt_usr_share_keyring = '/usr/share/keyrings/datadog-archive-keyring.gpg'
apt_sources_list_file = '/etc/apt/sources.list.d/datadog.list'
apt_repo_uri = 'https://apt.datadoghq.com'
# DATADOG_RPM_KEY_CURRENT always contains the key that is used to sign repodata and latest packages
# DATADOG_RPM_KEY_E09422B3.public expires in 2022
......@@ -47,6 +55,14 @@ rpm_gpg_keys_full_fingerprint = 2
case node['platform_family']
when 'debian'
log 'apt deprecated parameters warning' do
level :warn
message 'Attributes "aptrepo_use_backup_keyserver", "aptrepo_keyserver" and "aptrepo_backup_keyserver" are deprecated since version 4.11.0'
only_if {
!node['datadog']['aptrepo_use_backup_keyserver'].nil? || !node['datadog']['aptrepo_keyserver'].nil? || !node['datadog']['aptrepo_backup_keyserver'].nil?
}
end
apt_update 'update'
package 'install-apt-transport-https' do
......@@ -54,6 +70,38 @@ when 'debian'
action :install
end
file apt_usr_share_keyring do
action :create_if_missing
content ''
mode '0644'
end
apt_gpg_keys.each do |key_fingerprint, key_url|
# Download the APT key
key_local_path = ::File.join(Chef::Config[:file_cache_path], key_fingerprint)
# By default, remote_file will use `If-Modified-Since` header to see if the file
# was modified remotely, so this works fine for the "current" key
remote_file "remote_file_#{key_fingerprint}" do
path key_local_path
source key_url
notifies :run, "execute[import apt datadog key #{key_fingerprint}]", :immediately
end
# Import the APT key
execute "import apt datadog key #{key_fingerprint}" do
command "/bin/cat #{key_local_path} | gpg --import --batch --no-default-keyring --keyring #{apt_usr_share_keyring}"
not_if "/bin/cat #{key_local_path} | gpg --dry-run --import --batch --no-default-keyring --keyring #{apt_usr_share_keyring} 2>&1 | grep 'unchanged: 1'"
action :nothing
end
end
remote_file apt_trusted_d_keyring do
action :create
mode '0644'
source "file://#{apt_usr_share_keyring}"
only_if { (platform?('ubuntu') && node['platform_version'].to_i < 16) || (platform?('debian') && node['platform_version'].to_i < 9) }
end
case agent_major_version
when 7
components = ['7']
......@@ -65,25 +113,30 @@ when 'debian'
Chef::Log.error("agent_major_version '#{agent_major_version}' not supported.")
end
other_apt_gpg_keys.each do |key|
key_short = key[-8..-1] # last 8 chars, since some versions of apt-key add dashes between key sections
execute "apt-key import key #{key_short}" do
command "apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 #{key}"
not_if "apt-key adv --list-public-keys --with-fingerprint --with-colons | grep #{key_short} | grep pub"
end
end
retries = node['datadog']['aptrepo_retries']
keyserver = node['datadog']['aptrepo_use_backup_keyserver'] ? node['datadog']['aptrepo_backup_keyserver'] : node['datadog']['aptrepo_keyserver']
# Add APT repositories
apt_repository 'datadog' do
keyserver keyserver
key apt_gpg_key
uri node['datadog']['aptrepo']
distribution node['datadog']['aptrepo_dist']
components components
action :add
# Chef's apt_repository resource doesn't allow specifying the signed-by option and we can't pass
# it in uri, as that would make it fail parsing, hence we use the file and apt_update resources.
apt_update 'datadog' do
retries retries
ignore_failure true # this is exactly what apt_repository does
action :nothing
end
deb_repo_with_options = if node['datadog']['aptrepo'].nil?
"[signed-by=#{apt_usr_share_keyring}] #{apt_repo_uri}"
else
node['datadog']['aptrepo']
end
file apt_sources_list_file do
action :create
owner 'root'
group 'root'
mode '0644'
content "deb #{deb_repo_with_options} #{node['datadog']['aptrepo_dist']} #{components.compact.join(' ')}"
notifies :update, 'apt_update[datadog]', :immediately
end
# Previous versions of the cookbook could create these repo files, make sure we remove it now
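Review bot: In the `apt_gpg_keys.each` loop the downloaded key files are imported into the trusted keyring without checking that their contents match the fingerprint they are named after, so the only integrity control between keys.datadoghq.com and `/usr/share/keyrings/datadog-archive-keyring.gpg` is TLS on the `remote_file` fetch. For the two fingerprint-named entries the import could be gated on the key's actual fingerprint, e.g. `only_if("gpg --with-colons --with-fingerprint #{key_local_path} | grep -q '^fpr:::::::::#{key_fingerprint}:'") if key_fingerprint =~ /\A[0-9A-F]{40}\z/` on the execute resource; the CURRENT file has no fixed fingerprint and cannot be pinned this way. The `not_if` guard matches the literal `unchanged: 1`, so if a downloaded file ever carries more than one key the dry-run summary would presumably report a different count and the import would re-run on every converge — harmless, but worth a comment or a looser match such as `grep -q 'unchanged:'`. The `/bin/cat #{key_local_path} |` prefix on both commands is redundant, since gpg accepts the file path as its argument. The comment added in the first hunk of this file also has a typo (`sing` for `sign`).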
......
shared_examples 'old debianoid' do
it 'properly creates both keyring files and imports all keys' do
expect(chef_run).to create_file_if_missing('/usr/share/keyrings/datadog-archive-keyring.gpg')
expect(chef_run).to create_remote_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg').with(
source: 'file:///usr/share/keyrings/datadog-archive-keyring.gpg')
expect(chef_run).to create_file('/etc/apt/sources.list.d/datadog.list').with(
content: 'deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com stable 7'
)
# NOTE: there is no way in chefspec to actually test the notified action,
# see https://github.com/chefspec/chefspec/issues/541
expect(chef_run.remote_file('remote_file_DATADOG_APT_KEY_CURRENT.public')).to notify(
'execute[import apt datadog key DATADOG_APT_KEY_CURRENT.public]').to(:run).immediately
expect(chef_run.remote_file('remote_file_D75CEA17048B9ACBF186794B32637D44F14F620E')).to notify(
'execute[import apt datadog key D75CEA17048B9ACBF186794B32637D44F14F620E]').to(:run).immediately
expect(chef_run.remote_file('remote_file_A2923DFF56EDA6E76E55E492D3A80E30382E94DE')).to notify(
'execute[import apt datadog key A2923DFF56EDA6E76E55E492D3A80E30382E94DE]').to(:run).immediately
end
end
shared_examples 'new debianoid' do
it 'properly creates the keyring file and imports all keys' do
expect(chef_run).to create_file_if_missing('/usr/share/keyrings/datadog-archive-keyring.gpg')
expect(chef_run).to_not create_remote_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg')
expect(chef_run).to create_file('/etc/apt/sources.list.d/datadog.list').with(
content: 'deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com stable 7'
)
expect(chef_run.remote_file('remote_file_DATADOG_APT_KEY_CURRENT.public')).to notify(
'execute[import apt datadog key DATADOG_APT_KEY_CURRENT.public]').to(:run).immediately
expect(chef_run.remote_file('remote_file_D75CEA17048B9ACBF186794B32637D44F14F620E')).to notify(
'execute[import apt datadog key D75CEA17048B9ACBF186794B32637D44F14F620E]').to(:run).immediately
expect(chef_run.remote_file('remote_file_A2923DFF56EDA6E76E55E492D3A80E30382E94DE')).to notify(
'execute[import apt datadog key A2923DFF56EDA6E76E55E492D3A80E30382E94DE]').to(:run).immediately
end
end
describe 'datadog::repository' do
context 'on debianoids' do
cached(:chef_run) do
......@@ -14,12 +51,7 @@ describe 'datadog::repository' do
expect(chef_run).to install_package('install-apt-transport-https')
end
it 'sets up an apt repo with fingerprint A2923DFF56EDA6E76E55E492D3A80E30382E94DE and D75CEA17048B9ACBF186794B32637D44F14F620E' do
expect(chef_run).to add_apt_repository('datadog').with(
key: ['D75CEA17048B9ACBF186794B32637D44F14F620E']
)
expect(chef_run).to run_execute('apt-key import key 382E94DE')
end
# testing of creation of the source file + keyrings is done for various cases in different methods
it 'removes the datadog-beta repo' do
expect(chef_run).to remove_apt_repository('datadog-beta')
......@@ -34,6 +66,50 @@ describe 'datadog::repository' do
end
end
context 'debian < 9' do
cached(:chef_run) do
ChefSpec::SoloRunner.new(
# Fauxhai doesn't have definition for Debian < 9, but we can
# workaround that by setting platform_version below
platform: 'debian', version: '9.11'
) do |node|
node.automatic['platform_version'] = '8.0'
end.converge(described_recipe)
end
it_behaves_like 'old debianoid'
end
context 'ubuntu < 16' do
cached(:chef_run) do
ChefSpec::SoloRunner.new(
platform: 'ubuntu', version: '14.04'
).converge(described_recipe)
end
it_behaves_like 'old debianoid'
end
context 'debian >= 9' do
cached(:chef_run) do
ChefSpec::SoloRunner.new(
platform: 'debian', version: '9.11'
).converge(described_recipe)
end
it_behaves_like 'new debianoid'
end
context 'ubuntu >= 16' do
cached(:chef_run) do
ChefSpec::SoloRunner.new(
platform: 'ubuntu', version: '16.04'
).converge(described_recipe)
end
it_behaves_like 'new debianoid'
end
context 'rhellions' do
context 'centos 6, agent 7' do
cached(:chef_run) do
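Review bot: The new contexts cover the default `aptrepo` path on old and new debianoids, but nothing exercises the `else` branch of `deb_repo_with_options` where a custom `node['datadog']['aptrepo']` is written to the sources list verbatim without `signed-by`; since that is the one path where the new keyring handling is silently bypassed, it deserves a spec so a future change to the line format is caught. The `cached(:chef_run)` block at the end of this hunk continues outside the view, so the context below is meant as an addition alongside the existing debianoid contexts rather than a replacement. The repo URI used is a constructed sample value.

```ruby
context 'custom aptrepo' do
  cached(:chef_run) do
    ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '16.04') do |node|
      node.normal['datadog']['aptrepo'] = 'https://apt.example.invalid' # constructed sample value
    end.converge(described_recipe)
  end

  it 'writes the custom repo line verbatim, without signed-by' do
    expect(chef_run).to create_file('/etc/apt/sources.list.d/datadog.list').with(
      content: 'deb https://apt.example.invalid stable 7'
    )
  end
end
```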
......