From 267317234e4c41cd55e2369451de483fcbd5b99d Mon Sep 17 00:00:00 2001
From: Kylian Serrania
Date: Mon, 22 Jul 2019 13:45:21 +0200
Subject: [PATCH 1/4] [suse] Import the new GPG key
In the near future, we're going to sign our RPM packages with our newer GPG key. The RHEL task already imports the new key, but not the SUSE task, so the new key import step has been added to it.
---
 defaults/main.yml | 2 ++
 tasks/pkg-suse.yml | 33 +++++++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 05cff79c..ee2a4e83 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -31,6 +31,8 @@ datadog_yum_gpgkey_new: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.publ
 datadog_zypper_repo: "https://yum.datadoghq.com/suse/stable/6/{{ ansible_userspace_architecture }}"
 datadog_zypper_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
 datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
+datadog_zypper_gpgkey_new: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+datadog_zypper_gpgkey_new_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
 
 # Pin agent to a version. Highly recommended.
 datadog_agent_version: ""
diff --git a/tasks/pkg-suse.yml b/tasks/pkg-suse.yml
index 32a70f09..ea044509 100644
--- a/tasks/pkg-suse.yml
+++ b/tasks/pkg-suse.yml
@@ -1,29 +1,54 @@ --- - block: # Work around due to SNI check for SLES11 - - name: Stat if RPM key already exist + - name: Stat if RPM key already exists stat: path: /tmp/DATADOG_RPM_KEY.public register: ddkey - - name: Download new RPM key (SLES11) + - name: Download RPM key (SLES11) shell: "curl {{ datadog_zypper_gpgkey }} -o /tmp/DATADOG_RPM_KEY.public" args: warn: no when: not ddkey.stat.exists when: ansible_distribution_version|int == 11 -- name: Download new RPM key +- name: Download RPM key get_url: url: "{{ datadog_zypper_gpgkey }}" dest: /tmp/DATADOG_RPM_KEY.public checksum: "sha256:{{ datadog_zypper_gpgkey_sha256sum }}" when: ansible_distribution_version|int >= 12 -- name: Import new RPM key +- name: Import RPM key rpm_key: key: /tmp/DATADOG_RPM_KEY.public state: present when: not ansible_check_mode +- block: # Work around due to SNI check for SLES11 + - name: Stat if new RPM key already exists + stat: + path: /tmp/DATADOG_RPM_KEY_E09422B3.public + register: ddnewkey + - name: Download new RPM key (SLES11) + shell: "curl {{ datadog_zypper_gpgkey_new }} -o /tmp/DATADOG_RPM_KEY_E09422B3.public" + args: + warn: no + when: not ddnewkey.stat.exists + when: ansible_distribution_version|int == 11 + +- name: Download new RPM key + get_url: + url: "{{ datadog_zypper_gpgkey_new }}" + dest: /tmp/DATADOG_RPM_KEY_E09422B3.public + checksum: "sha256:{{ datadog_zypper_gpgkey_new_sha256sum }}" + when: ansible_distribution_version|int >= 12 + +- name: Import new RPM key + rpm_key: + key: /tmp/DATADOG_RPM_KEY_E09422B3.public + state: present + when: not ansible_check_mode + # ansible don't allow repo_gpgcheck to be set, we have to create the repo file manually - name: Install DataDog zypper repo template:
From efc59556bccd3e3c1978f30753247e9e496b6e05 Mon Sep 17 00:00:00 2001
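Review bot: On the SLES11 branch the new key is fetched with `shell: "curl {{ datadog_zypper_gpgkey_new }} -o /tmp/DATADOG_RPM_KEY_E09422B3.public"` and then handed straight to `rpm_key`, so `datadog_zypper_gpgkey_new_sha256sum` is only ever checked on the SLES 12+ `get_url` path and an altered download would be imported into the RPM trust store on SLES11 unverified. The same gap exists in the pre-existing block for the older key, and because the download is skipped whenever `stat` finds a file already at that predictable, world-writable `/tmp` path, whatever is sitting there is imported as-is. A checksum verification task placed between the download and the `rpm_key` import, and run on both version branches, closes this for the new key; the lines below add it (the `rpm_key` task itself and the older-key block are unchanged, and the check is skipped in check mode where no download happens). Consider the same guard for the older-key tasks at the top of this file.
```yaml
# … unchanged: SLES11 curl block and SLES 12+ get_url download of the new key …

- name: Verify new RPM key checksum
  stat:
    path: /tmp/DATADOG_RPM_KEY_E09422B3.public
    checksum_algorithm: sha256
  register: ddnewkey_file

- name: Refuse to import an unverified new RPM key
  fail:
    msg: "Checksum mismatch for /tmp/DATADOG_RPM_KEY_E09422B3.public"
  when: not ansible_check_mode and ddnewkey_file.stat.checksum != datadog_zypper_gpgkey_new_sha256sum

- name: Import new RPM key
# … unchanged: rpm_key import with its check-mode guard …
```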
From: Kylian Serrania
Date: Fri, 9 Aug 2019 10:51:17 +0200
Subject: [PATCH 2/4] Change 'new' to the ID of the key to be more explicit
---
 defaults/main.yml | 7 ++++---
 tasks/pkg-redhat.yml | 4 ++--
 tasks/pkg-suse.yml | 6 +++---
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index ee2a4e83..9c10355c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -25,14 +25,15 @@ datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80
 # default yum repo and keys
 datadog_yum_repo: "https://yum.datadoghq.com/stable/6/{{ ansible_userspace_architecture }}/"
 datadog_yum_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
-datadog_yum_gpgkey_new: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+datadog_yum_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+datadog_yum_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
 
 # default zypper repo and keys
 datadog_zypper_repo: "https://yum.datadoghq.com/suse/stable/6/{{ ansible_userspace_architecture }}"
 datadog_zypper_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
 datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
-datadog_zypper_gpgkey_new: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
-datadog_zypper_gpgkey_new_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
+datadog_zypper_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
+datadog_zypper_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
 
 # Pin agent to a version. Highly recommended.
 datadog_agent_version: ""
diff --git a/tasks/pkg-redhat.yml b/tasks/pkg-redhat.yml
index 47a0fafa..ca44512d 100644
--- a/tasks/pkg-redhat.yml
+++ b/tasks/pkg-redhat.yml
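Review bot: `datadog_yum_gpgkey_e09422b3_sha256sum` and `datadog_zypper_gpgkey_e09422b3_sha256sum` pin the digest of the same key file as two independent literals (the two URL variables duplicate each other the same way), so the next key rotation has to be edited in two places and a partial edit would leave one platform verifying the download against a stale digest. Deriving the zypper values from the yum ones, e.g. `datadog_zypper_gpgkey_e09422b3_sha256sum: "{{ datadog_yum_gpgkey_e09422b3_sha256sum }}"`, keeps the two trust anchors in lock-step while a per-platform override of the zypper variable still takes effect. A short comment above the pair stating that both refer to key `E09422B3` would also save the reader from comparing the hex strings by eye.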
@@ -1,9 +1,9 @@ --- - name: Download new RPM key get_url: - url: "{{ datadog_yum_gpgkey_new }}" + url: "{{ datadog_yum_gpgkey_e09422b3 }}" dest: /tmp/DATADOG_RPM_KEY_E09422B3.public - checksum: "sha256:694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085" + checksum: "sha256:{{ datadog_yum_gpgkey_e09422b3_sha256sum }}" - name: Import new RPM key rpm_key:
diff --git a/tasks/pkg-suse.yml b/tasks/pkg-suse.yml
index ea044509..384d3bcd 100644
--- a/tasks/pkg-suse.yml
+++ b/tasks/pkg-suse.yml
@@ -30,7 +30,7 @@ path: /tmp/DATADOG_RPM_KEY_E09422B3.public register: ddnewkey - name: Download new RPM key (SLES11) - shell: "curl {{ datadog_zypper_gpgkey_new }} -o /tmp/DATADOG_RPM_KEY_E09422B3.public" + shell: "curl {{ datadog_zypper_gpgkey_e09422b3 }} -o /tmp/DATADOG_RPM_KEY_E09422B3.public" args: warn: no when: not ddnewkey.stat.exists
@@ -38,9 +38,9 @@ - name: Download new RPM key get_url: - url: "{{ datadog_zypper_gpgkey_new }}" + url: "{{ datadog_zypper_gpgkey_e09422b3 }}" dest: /tmp/DATADOG_RPM_KEY_E09422B3.public - checksum: "sha256:{{ datadog_zypper_gpgkey_new_sha256sum }}" + checksum: "sha256:{{ datadog_zypper_gpgkey_e09422b3_sha256sum }}" when: ansible_distribution_version|int >= 12 - name: Import new RPM key
From f0f91b0701e5c3e386bec0e24b6949db4dbf35d4 Mon Sep 17 00:00:00 2001
From: Kylian Serrania
Date: Fri, 9 Aug 2019 10:51:47 +0200
Subject: [PATCH 3/4] List yum and zypper options in README
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/README.md b/README.md
index dd400b62..6e646f84 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,15 @@ Role Variables
 - `datadog_apt_repo` - Override default Datadog `apt` repository
 - `datadog_apt_cache_valid_time` - Override the default apt cache expiration time (default 1 hour)
 - `datadog_apt_key_url_new` - Override default url to Datadog `apt` key (key ID `382E94DE` ; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role)
+- `datadog_yum_repo` - Override default Datadog `yum` repository
+- `datadog_yum_gpgkey` - Override default url to Datadog `yum` key used to verify Agent 5 and Agent 6 (up to 6.13) packages (key ID `4172A230`)
+- `datadog_yum_gpgkey_e09422b3` - Override default url to Datadog `yum` key used to verify Agent 6 (from 6.14 upwards) packages (key ID `E09422B3`)
+- `datadog_yum_gpgkey_e09422b3_sha256sum` - Override default checksum of the `datadog_yum_gpgkey_e09422b3` key
+- `datadog_zypper_repo` - Override default Datadog `zypper` repository
+- `datadog_zypper_gpgkey` - Override default url to Datadog `zypper` key used to verify Agent 5 and Agent 6 (up to 6.13) packages (key ID `4172A230`)
+- `datadog_zypper_gpgkey_sha256sum` - Override default checksum of the `datadog_zypper_gpgkey` key
+- `datadog_zypper_gpgkey_e09422b3` - Override default url to Datadog `zypper` key used to verify Agent 6 (from 6.14 upwards) packages (key ID `E09422B3`)
+- `datadog_zypper_gpgkey_e09422b3_sha256sum` - Override default checksum of the `datadog_zypper_gpgkey_e09422b3` key
 - `datadog_agent_allow_downgrade` - Set to `yes` to allow agent downgrades on apt-based platforms (use with caution, see `defaults/main.yml` for details). **On centos this will only work with ansible 2.4 and up**.
 - `use_apt_backup_keyserver` - Set `true` to use the backup keyserver instead of the default one
 - `datadog_enabled` - Set to `false` to prevent `datadog-agent` service from starting. Defaults to `true`
From 4dce2f43356edacb5568c4e6b205b7c30b04702f Mon Sep 17 00:00:00 2001
From: Kylian Serrania
Date: Fri, 9 Aug 2019 19:12:21 +0200
Subject: [PATCH 4/4] Add changelog entry
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eba1656c..3aded057 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+# 3.1.0
+
+- [FEATURE] Trust new RPM key on SUSE. See [#203][]
+
 # 3.0.0 / 2019-05-17
 
 - [FEATURE] On Linux: you can now add the Agent's user to additionnal groups.