Merge pull request #322 from netmanagers/debian-family-apt-keyrings
feat(debian): use repository keyring instead of key_id
myii authored Feb 7, 2022
2 parents 126d2cd + 43b4329 commit c9aea57
Showing 5 changed files with 87 additions and 3 deletions.
2 changes: 1 addition & 1 deletion postgres/codenamemap.yaml
@@ -29,7 +29,7 @@
data_dir: {{ data_dir }}
fromrepo: {{ fromrepo }}
pkg_repo:
name: 'deb http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
name: 'deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
pkg: postgresql-{{ version }}
pkg_client: postgresql-client-{{ version }}
prepare_cluster:
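Review bot: The rewritten `name:` entry still fetches the repository over plain `http://`, so the new `signed-by` keyring protects package integrity but not the transport. An on-path party can still see which packages a host pulls and can serve it older, validly signed metadata. apt.postgresql.org also serves this path over TLS, so I would change the line to `name: 'deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] https://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'` and update the expected string in test/integration/repo/controls/repository.rb to match. Older releases in the test matrix such as Debian 9 probably need `apt-transport-https` installed first, which should be confirmed before switching.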
4 changes: 2 additions & 2 deletions postgres/osfamilymap.yaml
@@ -16,8 +16,8 @@ Debian:
pkgs_deps: ['python3-apt']
pkg_repo:
humanname: PostgreSQL Official Repository
key_url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
file: /etc/apt/sources.list.d/pgdg.list
pkg_repo_keyring: 'https://download.postgresql.org/pub/repos/apt/pool/main/p/pgdg-keyring/pgdg-keyring_2018.2_all.deb'
pkg_repo_keyid: ACCC4CF8
{% if repo.use_upstream_repo == true %}
pkg_dev: ''
@@ -145,7 +145,7 @@ Suse:
humanname: PostgreSQL {{ repo.version }} $releasever - $basearch
# works for postgres 11 onwards
baseurl: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch'
key_url: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch/repodata/repomd.xml.key'
gpgkey: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch/repodata/repomd.xml.key'
gpgcheck: 1
gpgautoimport: True

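Review bot: In the Debian hunk, `pkg_repo_keyring` pins one specific pool file, `pgdg-keyring_2018.2_all.deb`, and nothing beside it records why that build was chosen or how to move off it. A versioned pool path may stop resolving once upstream publishes a newer keyring, and a keyring from 2018 will not carry any key added or rotated since. I would add a comment above the line such as `# pinned to the reviewed pgdg-keyring build; bump this URL when upstream rotates the signing key` and document that the value can be overridden from pillar. The retained `pkg_repo_keyid: ACCC4CF8` is an 8-hex short ID, so the full fingerprint (`<full 40-hex fingerprint>`) would be the safer value wherever the formula still matches on it.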
6 changes: 6 additions & 0 deletions postgres/server/remove.sls
@@ -12,6 +12,12 @@ postgresql-repo-removed:
- keyid: {{ postgres.pkg_repo_keyid }}
{%- endif %}
{% if grains.os_family == 'Debian' %}
postgresql-repo-keyring-removed:
pkg.removed:
- name: pgdg-keyring
{%- endif -%}
#remove release installed by formula
postgresql-server-removed:
pkg.removed:
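Review bot: The closing tag of the new Debian block is written `{%- endif -%}`, and the trailing `-` strips all whitespace up to the next text, which in this hunk is the YAML comment `#remove release installed by formula`. As rendered that would put the comment on the same line as `- name: pgdg-keyring` with no space before `#`, so YAML reads it as part of the package name. `pkg.removed` would then report success for a package that was never installed and leave the keyring in place. This page has lost the original blank lines, so please confirm against the file, but I would close the block with `{%- endif %}` as the block just above it does.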
15 changes: 15 additions & 0 deletions postgres/upstream.sls
@@ -23,6 +23,15 @@ postgresql-pkg-deps:
- pkgs: {{ postgres.pkgs_deps | json }}
# Add upstream repository for your distro
{% if grains.os_family == 'Debian' %}
postgresql-repo-keyring:
pkg.installed:
- sources:
- pgdg-keyring: {{ postgres.pkg_repo_keyring }}
- require_in:
- pkgrepo: postgresql-repo
{%- endif %}
postgresql-repo:
pkgrepo.managed:
{{- format_kwargs(postgres.pkg_repo) }}
@@ -39,6 +48,12 @@ postgresql-repo:
- keyid: {{ postgres.pkg_repo_keyid }}
{%- endif %}
{% if grains.os_family == 'Debian' %}
postgresql-repo-keyring:
pkg.removed:
- name: pgdg-keyring
{%- endif -%}
{%- endif -%}
{%- elif grains.os not in ('Windows', 'MacOS',) %}
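Review bot: In the first hunk, `postgresql-repo-keyring` installs the .deb named by `postgres.pkg_repo_keyring` straight from its URL through `sources:`, so the package that becomes the trust anchor for the repository is accepted on the strength of the HTTPS download alone. As far as I know Salt hands a `sources:` package to dpkg without a signature or checksum step, and its maintainer scripts run as root. I would download it with `file.managed` and a pinned `source_hash`, then install from the local copy, as sketched below; the hash key and the cache path are proposed names, not existing ones. Separately, hosts configured by the earlier `key_url` version presumably still hold the PGDG key in apt's global keyring, which `signed-by` does not undo.

```yaml
postgresql-repo-keyring-deb:
  file.managed:
    - name: /var/cache/pgdg-keyring.deb                    # constructed path
    - source: {{ postgres.pkg_repo_keyring }}
    - source_hash: {{ postgres.pkg_repo_keyring_hash }}    # proposed key: sha256 of the reviewed .deb

postgresql-repo-keyring:
  pkg.installed:
    - sources:
      - pgdg-keyring: /var/cache/pgdg-keyring.deb
    - require:
      - file: postgresql-repo-keyring-deb
    # … unchanged: require_in on pkgrepo postgresql-repo …
```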
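--- a/test/integration/repo/controls/repository.rb
+++ b/test/integration/repo/controls/repository.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat', 'fedora', 'suse'
+os_name_repo_file = {
+'opensuse' => '/etc/zypp/repos.d/pgdg-sles-13.repo'
+}
+os_name_repo_file.default = '/etc/yum.repos.d/pgdg13.repo'
+
+os_name_repo_url = {
+'amazon' => 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-7-$basearch',
+'fedora' => 'https://download.postgresql.org/pub/repos/yum/13/fedora/fedora-$releasever-$basearch',
+'opensuse' => 'https://download.postgresql.org/pub/repos/zypp/13/suse/sles-$releasever-$basearch'
+}
+os_name_repo_url.default = 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch'
+
+repo_url = os_name_repo_url[platform.name]
+repo_file = os_name_repo_file[platform.name]
+
+when 'debian'
+# Inspec does not provide a `codename` matcher, so we add ours
+finger_codename = {
+'ubuntu-18.04' => 'bionic',
+'ubuntu-20.04' => 'focal',
+'debian-9' => 'stretch',
+'debian-10' => 'buster',
+'debian-11' => 'bullseye'
+}
+codename = finger_codename[system.platform[:finger]]
+
+repo_keyring = '/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg'
+repo_file = '/etc/apt/sources.list.d/pgdg.list'
+# rubocop:disable Metrics/LineLength
+repo_url = "deb [signed-by=#{repo_keyring}] http://apt.postgresql.org/pub/repos/apt #{codename}-pgdg main"
+# rubocop:enable Metrics/LineLength
+end
+
+control 'Postgresql repository keyring' do
+title 'should be installed'
+
+only_if('Requirement for Debian family') do
+os.debian?
+end
+
+describe package('pgdg-keyring') do
+it { should be_installed }
+end
+
+describe file(repo_keyring) do
+it { should exist }
+it { should be_owned_by 'root' }
+it { should be_grouped_into 'root' }
+its('mode') { should cmp '0644' }
+end
+end
+
+control 'Postgresql repository' do
+impact 1
+title 'should be configured'
+describe file(repo_file) do
+its('content') { should include repo_url }
+end
+end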
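Review bot: `codename = finger_codename[system.platform[:finger]]` returns nil for any Debian-family image not listed in the hash, and the interpolation then builds `... apt -pgdg main`, so the control fails on a content mismatch instead of saying the platform is unmapped. Using `codename = finger_codename.fetch(system.platform[:finger])` makes the gap explicit at load time. The same kind of silent nil applies to families outside the two `when` branches, where `repo_file` and `repo_url` are never assigned before `file(repo_file)` is built. A short comment above the hash saying it must be extended with each new test platform would also help.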
