diff --git a/README.md b/README.md
index f4165f9e..4878c177 100644
--- a/README.md
+++ b/README.md
@@ -51,11 +51,13 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y
 | `datadog_apt_cache_valid_time` | Override the default apt cache expiration time (defaults to 1 hour). |
 | `datadog_apt_key_url_new` | Override the default URL to Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). |
 | `datadog_yum_repo` | Override the default Datadog `yum` repository. |
+| `datadog_yum_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. |
 | `datadog_yum_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. |
 | `datadog_yum_gpgkey` | Override the default URL to the Datadog `yum` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`). |
 | `datadog_yum_gpgkey_e09422b3` | Override the default URL to the Datadog `yum` key used to verify Agent v6.14+ packages (key ID `E09422B3`). |
 | `datadog_yum_gpgkey_e09422b3_sha256sum` | Override the default checksum of the `datadog_yum_gpgkey_e09422b3` key. |
 | `datadog_zypper_repo` | Override the default Datadog `zypper` repository. |
+| `datadog_zypper_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. |
 | `datadog_zypper_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. |
 | `datadog_zypper_gpgkey` | Override the default URL to the Datadog `zypper` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`). |
 | `datadog_zypper_gpgkey_sha256sum` | Override the default checksum of the `datadog_zypper_gpgkey` key. |
diff --git a/defaults/main.yml b/defaults/main.yml
index 327c35ef..39b23c6b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -75,6 +75,7 @@ datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80
 # Use the datadog_yum_repo variable to override the repository used.
 datadog_yum_repo: ""
+datadog_yum_repo_gpgcheck: yes
 datadog_yum_gpgcheck: yes
 datadog_yum_gpgkey: "https://keys.datadoghq.com/DATADOG_RPM_KEY.public"
 # the CURRENT key always contains the key that is used to sign repodata and latest packages
@@ -98,6 +99,7 @@ datadog_ignore_old_centos_python3_error: false
 # Use the datadog_zypper_repo variable to override the repository used.
 datadog_zypper_repo: ""
+datadog_zypper_repo_gpgcheck: yes
 datadog_zypper_gpgcheck: yes
 datadog_zypper_gpgkey: "https://keys.datadoghq.com/DATADOG_RPM_KEY.public"
 datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
diff --git a/tasks/pkg-redhat.yml b/tasks/pkg-redhat.yml
index ff10b376..e638afce 100644
--- a/tasks/pkg-redhat.yml
+++ b/tasks/pkg-redhat.yml
@@ -49,6 +49,7 @@
 description: Datadog, Inc.
 baseurl: "{{ datadog_agent5_yum_repo }}"
 enabled: yes
+ repo_gpgcheck: no # we don't sign Agent 5 repodata
 gpgcheck: "{{ datadog_yum_gpgcheck }}"
 gpgkey: [
 "{{ datadog_yum_gpgkey_current }}",
@@ -65,6 +66,7 @@
 description: Datadog, Inc.
 baseurl: "{{ datadog_agent6_yum_repo }}"
 enabled: yes
+ repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
 gpgcheck: "{{ datadog_yum_gpgcheck }}"
 gpgkey: [
 "{{ datadog_yum_gpgkey_current }}",
@@ -81,6 +83,7 @@
 description: Datadog, Inc.
 baseurl: "{{ datadog_agent7_yum_repo }}"
 enabled: yes
+ repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
 gpgcheck: "{{ datadog_yum_gpgcheck }}"
 gpgkey: [
 "{{ datadog_yum_gpgkey_current }}",
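Review bot: The new `datadog_yum_repo_gpgcheck: yes` default carries no comment, while the neighbouring `datadog_yum_repo` line explains its purpose, and the two things an operator needs to know — that the Agent 5 task hard-codes `repo_gpgcheck: no`, and that the value is also applied to a custom `datadog_yum_repo` — live only in the README. Suggest adding above it `# Verify repodata signatures for the Agent 6/7 repos and a custom datadog_yum_repo; ignored for Agent 5, whose repodata is not signed.`. The same applies to `datadog_zypper_repo_gpgcheck` in the next hunk of this file.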
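Review bot: The inline comment on the added `repo_gpgcheck: no # we don't sign Agent 5 repodata` line in the Agent 5 task is separated from the value by a single space; yamllint's `comments` rule expects at least two, so `repo_gpgcheck: no  # we don't sign Agent 5 repodata`. The value itself is correct — the Agent 5 repo has no signed repodata to verify — and the Agent 6 and 7 hunks that follow only pass the variable through. Each `yum_repository` task continues past its hunk (the `gpgkey` list is cut off).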
@@ -96,6 +99,7 @@
 description: Datadog, Inc.
 baseurl: "{{ datadog_yum_repo }}"
 enabled: yes
+ repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"
 gpgcheck: "{{ datadog_yum_gpgcheck }}"
 gpgkey: [
 "{{ datadog_yum_gpgkey_current }}",
diff --git a/templates/zypper.repo.j2 b/templates/zypper.repo.j2
index 99d3d39e..f1f8e317 100644
--- a/templates/zypper.repo.j2
+++ b/templates/zypper.repo.j2
@@ -1,6 +1,9 @@
+{% set repo_gpgcheck = datadog_zypper_repo_gpgcheck|int %}
+
 {% if datadog_zypper_repo | length > 0 %}
 {% set baseurl = datadog_zypper_repo %}
 {% elif datadog_agent_major_version|int == 5 %}
+ {% set repo_gpgcheck = 0 %}{# we don't sign Agent 5 repodata #}
 {% set baseurl = datadog_agent5_zypper_repo %}
 {% elif datadog_agent_major_version|int == 6 %}
 {% set baseurl = datadog_agent6_zypper_repo %}
@@ -16,7 +19,7 @@ baseurl={{ baseurl }}
 type=rpm-md
 gpgcheck={{ datadog_zypper_gpgcheck|int }}
-repo_gpgcheck=0
+repo_gpgcheck={{ repo_gpgcheck }}
 {# zypper in SUSE < 15 will not parse (SUSE 11) or respect (SUSE 12 - 14) mutliple entries in gpgkey #}
 {% if ansible_distribution_version|int < 15 %}
 gpgkey={{ datadog_zypper_gpgkey_current }}
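Review bot: Applying `repo_gpgcheck: "{{ datadog_yum_repo_gpgcheck }}"` to the operator-supplied `datadog_yum_repo` is a behaviour change for existing users: with the new default of `yes`, yum should now refuse a private mirror whose repodata is unsigned or signed by a key outside the `gpgkey` list below, where the previous version installed from it. That is the right default, but it deserves a sentence in the README row and a changelog entry telling mirror operators to either sign their repodata with a listed key or set `datadog_yum_repo_gpgcheck: no` explicitly, so the failure is expected rather than debugged in the field. The task's `gpgkey` list continues past the hunk.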
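Review bot: `{% set repo_gpgcheck = datadog_zypper_repo_gpgcheck|int %}` silently disables verification when the variable arrives as a string such as `yes` (for example from `-e key=value`): Jinja's `int` filter falls back to its default of 0 for a non-numeric string, so the rendered file gets `repo_gpgcheck=0` with no error. Coercing through Ansible's `bool` filter first, `{% set repo_gpgcheck = datadog_zypper_repo_gpgcheck|bool|int %}`, maps `yes`/`no`/`true`/`false` strings and real booleans alike to 1/0, which is what the `yum_repository` module already does for its boolean parameter on the RedHat side. Separately, the added `{% set repo_gpgcheck = 0 %}` line in the Agent 5 branch appears to be indented unlike its siblings; Ansible's template module does not enable `lstrip_blocks` by default, so that leading whitespace would leak into the rendered repo file, and the tag should sit at column 0 like the other `{% set %}` lines.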