diff --git a/defaults/main.yml b/defaults/main.yml
index d31f9ddb..12400ae3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -39,7 +39,7 @@ datadog_agent_version: ""
 # Default apt repo and keyserver
-# By default, the roll uses the official apt Datadog repository for the chosen major version
+# By default, the role uses the official apt Datadog repository for the chosen major version
 # Use the datadog_apt_repo variable to override the repository used.
 datadog_apt_repo: ""
@@ -52,17 +52,20 @@ datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80
 # Default yum repo and keys
-# By default, the roll uses the official yum Datadog repository for the chosen major version
+# By default, the role uses the official yum Datadog repository for the chosen major version
 # Use the datadog_yum_repo variable to override the repository used.
 datadog_yum_repo: ""
 datadog_yum_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
+# this key expires in 2022
 datadog_yum_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 datadog_yum_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
-
+# this key expires in 2024
+datadog_yum_gpgkey_20200908: "http://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
+datadog_yum_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
 # Default zypper repo and keys
-# By default, the roll uses the official zypper Datadog repository for the chosen major version
+# By default, the role uses the official zypper Datadog repository for the chosen major version
 # Use the datadog_zypper_repo variable to override the repository used.
 datadog_zypper_repo: ""
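Review bot: The new `datadog_yum_gpgkey_20200908` URL uses `http://` while the sibling keys on the same host (`datadog_yum_gpgkey`, `datadog_yum_gpgkey_e09422b3`) use `https://`, and in pkg-redhat the same variable is passed straight into the repo's `gpgkey`, where no sha256 check applies. A signing key fetched over plain HTTP is only as trustworthy as the checksum applied afterwards, so unless plain HTTP is a deliberate requirement the line should read `datadog_yum_gpgkey_20200908: "https://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"`; if it is deliberate (the SLES11 SNI workaround in pkg-suse hints it might be), say so in the comment above it. The zypper copy in the next hunk, `datadog_zypper_gpgkey_20200908`, has the same scheme. The `# this key expires in 2022` / `# this key expires in 2024` comments would be more useful as `# E09422B3 key, expires in 2022 (superseded by the 20200908 key below)` and `# 20200908 key, expires in 2024`.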
@@ -70,6 +73,8 @@ datadog_zypper_gpgkey: "https://yum.datadoghq.com/DATADOG_RPM_KEY.public"
 datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
 datadog_zypper_gpgkey_e09422b3: "https://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
 datadog_zypper_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
+datadog_zypper_gpgkey_20200908: "http://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"
+datadog_zypper_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
 # Avoid checking if the agent is running or not. This can be useful if you're
 # using sysvinit and providing your own init script.
diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml
index c4cf14e7..7f7c6c98 100644
--- a/tasks/pkg-debian.yml
+++ b/tasks/pkg-debian.yml
@@ -6,7 +6,7 @@
 state: present
 when: not ansible_check_mode
-- name: Install ubuntu apt-key server
+- name: Install apt-key from keyserver (Expires 2022)
 apt_key:
 id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
 keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}"
@@ -17,13 +17,31 @@
 retries: "{{ datadog_apt_key_retries }}"
 when: datadog_apt_key_url_new is not defined
-- name: Install Datadog apt-key
+- name: Install Datadog apt-key from url (Expires 2022)
 apt_key:
 id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
 url: "{{ datadog_apt_key_url_new }}"
 state: present
 when: datadog_apt_key_url_new is defined
+- name: Install apt-key from keyserver (Expires 2032)
+ apt_key:
+ id: D75CEA17048B9ACBF186794B32637D44F14F620E
+ keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}"
+ state: present
+ # keyserver.ubuntu.com is a pool of server, we should retry if one of them is down
+ register: result_2032
+ until: not result_2032.failed is defined or not result_2032.failed
+ retries: "{{ datadog_apt_key_retries }}"
+ when: datadog_apt_key_url_new is not defined
+
+- name: Install Datadog apt-key from url (Expires 2032)
+ apt_key:
+ id: D75CEA17048B9ACBF186794B32637D44F14F620E
+ url: "{{ datadog_apt_key_url_new }}"
+ state: present
+ when: datadog_apt_key_url_new is defined
+
 - name: Ensure Datadog non-https repositories are deprecated
 apt_repository:
 repo: "{{ item }}"
diff --git a/tasks/pkg-redhat.yml b/tasks/pkg-redhat.yml
index a5c29f3a..a902e099 100644
--- a/tasks/pkg-redhat.yml
+++ b/tasks/pkg-redhat.yml
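Review bot: The new url-based task reuses `datadog_apt_key_url_new` for a second, different key id (D75CEA17048B9ACBF186794B32637D44F14F620E) while the task above uses the same variable for A2923DFF56EDA6E76E55E492D3A80E30382E94DE. As far as I can tell apt_key imports whatever that URL serves and then checks that `id` is present in the keyring, so a user whose override points at a file holding only one of the two keys will see one of the tasks fail — either introduce a second override (for example a constructed name such as `datadog_apt_key_url_new_2032`) or document next to the variable that the URL must serve both keys. The copied comment `# keyserver.ubuntu.com is a pool of server, we should retry if one of them is down` should read `# keyserver.ubuntu.com is a pool of servers; retry if one of them is down`.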
@@ -1,16 +1,28 @@
 ---
-- name: Download new RPM key
+- name: Download new RPM key (Expires in 2022)
 get_url:
 url: "{{ datadog_yum_gpgkey_e09422b3 }}"
 dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
 checksum: "sha256:{{ datadog_yum_gpgkey_e09422b3_sha256sum }}"
-- name: Import new RPM key
+- name: Import new RPM key (Expires in 2022)
 rpm_key:
 key: /tmp/DATADOG_RPM_KEY_E09422B3.public
 state: present
 when: not ansible_check_mode
+- name: Download new RPM key (Expires in 2024)
+ get_url:
+ url: "{{ datadog_yum_gpgkey_20200908 }}"
+ dest: /tmp/DATADOG_RPM_KEY_20200908.public
+ checksum: "sha256:{{ datadog_yum_gpgkey_20200908_sha256sum }}"
+
+- name: Import new RPM key (Expires in 2024)
+ rpm_key:
+ key: /tmp/DATADOG_RPM_KEY_20200908.public
+ state: present
+ when: not ansible_check_mode
+
 - name: Install Datadog yum repo
 yum_repository:
 name: "ansible_datadog_{{ item.key }}"
@@ -18,7 +30,7 @@
 baseurl: "{{ item.value }}"
 enabled: yes
 gpgcheck: yes
- gpgkey: "{% if datadog_agent_major_version|int == 7 %}{{ datadog_yum_gpgkey_e09422b3 }}{% else %}{{ datadog_yum_gpgkey }}{% endif %}"
+ gpgkey: "{% if datadog_agent_major_version|int == 7 %}{{ datadog_yum_gpgkey_20200908 }}{% else %}{{ datadog_yum_gpgkey }}{% endif %}"
 state: "{% if item.key == datadog_agent_major_version|int and datadog_yum_repo | length == 0 %}present{% else %}absent{% endif %}"
 when: (not ansible_check_mode)
 with_dict:
diff --git a/tasks/pkg-suse.yml b/tasks/pkg-suse.yml
index 50294127..c1012e54 100644
--- a/tasks/pkg-suse.yml
+++ b/tasks/pkg-suse.yml
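Review bot: The new download/import pair writes the key to the fixed, world-writable path `/tmp/DATADOG_RPM_KEY_20200908.public` and imports it as a trust anchor in a separate task; the sha256 checksum on get_url protects the download itself, but nothing ties the file rpm_key reads to the file get_url verified, so any other local user able to write in /tmp could replace it between the two tasks. This repeats the E09422B3 pair above it and the pkg-suse tasks, so the fix belongs to all of them: download into a directory only root can write (one created by the role with mode `"0700"`, or a `tempfile` task registered and reused as `dest`/`key`). Also, the task names encode an expiry year that already lives in the defaults comments and will drift; a name such as `Download 20200908 RPM key` keeps the stable identifier instead.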
@@ -27,30 +27,55 @@
 when: datadog_agent_major_version|int < 7 and not ansible_check_mode
 - block: # Work around due to SNI check for SLES11
- - name: Stat if new RPM key already exists
+ - name: Stat if E09422B3 key (Expires 2022) RPM key already exists
 stat:
 path: /tmp/DATADOG_RPM_KEY_E09422B3.public
 register: ddnewkey
- - name: Download new RPM key (SLES11)
+ - name: Download E09422B3 key (Expires 2022) RPM key (SLES11)
 get_url:
 url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
 dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
 when: not ddnewkey.stat.exists
 when: ansible_distribution_version|int == 11
-- name: Download new RPM key
+- name: Download E09422B3 key (Expires 2022) RPM key
 get_url:
 url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
 dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
 checksum: "sha256:{{ datadog_zypper_gpgkey_e09422b3_sha256sum }}"
 when: ansible_distribution_version|int >= 12
-- name: Import new RPM key
+- name: Import E09422B3 key (Expires 2022) RPM key
 rpm_key:
 key: /tmp/DATADOG_RPM_KEY_E09422B3.public
 state: present
 when: not ansible_check_mode
+- block: # Work around due to SNI check for SLES11
+ - name: Stat if 20200908 key (Expires 2024) RPM key already exists
+ stat:
+ path: /tmp/DATADOG_RPM_KEY_20200908.public
+ register: ddnewkey_20200908
+ - name: Download 20200908 key (Expires 2024) RPM key (SLES11)
+ get_url:
+ url: "{{ datadog_zypper_gpgkey_20200908 }}"
+ dest: /tmp/DATADOG_RPM_KEY_20200908.public
+ when: not ddnewkey_20200908.stat.exists
+ when: ansible_distribution_version|int == 11
+
+- name: Download 20200908 key (Expires 2024) RPM key
+ get_url:
+ url: "{{ datadog_zypper_gpgkey_20200908 }}"
+ dest: /tmp/DATADOG_RPM_KEY_20200908.public
+ checksum: "sha256:{{ datadog_zypper_gpgkey_20200908_sha256sum }}"
+ when: ansible_distribution_version|int >= 12
+
+- name: Import 20200908 key (Expires 2024) RPM key
+ rpm_key:
+ key: /tmp/DATADOG_RPM_KEY_20200908.public
+ state: present
+ when: not ansible_check_mode
+
 # ansible don't allow repo_gpgcheck to be set, we have to create the repo file manually
 - name: Install DataDog zypper repo
 template:
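Review bot: The SLES11 block's `get_url` for the 20200908 key has no `checksum:`, unlike the `>= 12` task below it, so on SLES11 the key is fetched from the plain-`http://` default URL with no integrity check at all before `rpm_key` imports it as a trust anchor for every package that follows. The E09422B3 block it was copied from has the same gap, but this is the key that will be in use for the next years, so add `checksum: "sha256:{{ datadog_zypper_gpgkey_20200908_sha256sum }}"` to the SLES11 download — a local checksum does not depend on TLS or SNI, so the workaround comment does not argue against it. With the checksum in place the `stat` task and its `when: not ddnewkey_20200908.stat.exists` guard become unnecessary, since get_url already skips a download whose destination matches; as written, a wrong file already at that path is never replaced.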