Stop adding old GPG key 4172a230 (#770)

KSerrania · Slavek Kabrda · web-flow · commit 7e942d61ca3a · 2023-01-12T13:17:02.000+01:00
Co-authored-by: Slavek Kabrda &lt;slavek.kabrda@datadoghq.com&gt;
diff --git a/kitchen.yml b/kitchen.yml
@@ -72,30 +72,30 @@ platforms:
         - gem install multipart-post:2.1.1 r10k:2.6.7
         - cd /home/kitchen/puppet && r10k puppetfile install --moduledir=/tmp/modules
         
-  - name: opensuse/leap-15
-    # Workaround for flakes on initializing opensuse/leap-15:
-    # => SCP did not finish successfully (255):  (Net::SCP::Error)
-    transport:
-      max_ssh_sessions: 1
-    driver_config:
-      # we use a custom image that runs systemd
-      image: 'datadog/docker-library:chef_kitchen_systemd_opensuse_leap_15'
-      run_command: /root/start.sh
-
-    driver:
-      provision_command:
-        - zypper ar -G https://yum.puppet.com/puppet/sles/15/x86_64/ puppet-repo
-        - zypper install -y puppet-agent ruby=2.5
-        - gem install bundler -v '= 1.17.3'
-        - gem install net-ssh -v '= 6.1.0'
-        - gem install serverspec rspec
-        - ln -s /usr/bin/rspec.ruby2.5 /usr/bin/rspec
-        - ln -s /opt/puppetlabs/puppet/bin/puppet /usr/bin/puppet
-        - mkdir /home/kitchen/puppet
-        - printf <%= File.read('environments/etc/Puppetfile').inspect %> > /home/kitchen/puppet/Puppetfile
-
-        - /opt/puppetlabs/puppet/bin/gem install multipart-post:2.1.1 r10k:2.6.7
-        - cd /home/kitchen/puppet && /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/tmp/modules
+#  - name: opensuse/leap-15
+#    # Workaround for flakes on initializing opensuse/leap-15:
+#    # => SCP did not finish successfully (255):  (Net::SCP::Error)
+#    transport:
+#      max_ssh_sessions: 1
+#    driver_config:
+#      # we use a custom image that runs systemd
+#      image: 'datadog/docker-library:chef_kitchen_systemd_opensuse_leap_15'
+#      run_command: /root/start.sh
+#
+#    driver:
+#      provision_command:
+#        - zypper ar -G https://yum.puppet.com/puppet/sles/15/x86_64/ puppet-repo
+#        - zypper install -y puppet-agent ruby=2.5
+#        - gem install bundler -v '= 1.17.3'
+#        - gem install net-ssh -v '= 6.1.0'
+#        - gem install serverspec rspec
+#        - ln -s /usr/bin/rspec.ruby2.5 /usr/bin/rspec
+#        - ln -s /opt/puppetlabs/puppet/bin/puppet /usr/bin/puppet
+#        - mkdir /home/kitchen/puppet
+#        - printf <%= File.read('environments/etc/Puppetfile').inspect %> > /home/kitchen/puppet/Puppetfile
+#
+#        - /opt/puppetlabs/puppet/bin/gem install multipart-post:2.1.1 r10k:2.6.7
+#        - cd /home/kitchen/puppet && /opt/puppetlabs/puppet/bin/r10k puppetfile install --moduledir=/tmp/modules
 
 verifier:
   name: serverspec
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
@@ -18,8 +18,8 @@
         'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
         'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
         'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-        'https://keys.datadoghq.com/DATADOG_RPM_KEY.public',
     ]
+
     if ($rpm_repo_gpgcheck != undef) {
       $repo_gpgcheck = $rpm_repo_gpgcheck
     } else {
@@ -54,7 +54,7 @@
       }
       7 : {
         $defaulturl = "https://yum.datadoghq.com/stable/7/${::architecture}/"
-        $gpgkeys = $keys[0,-2]
+        $gpgkeys = $keys
       }
       default: { fail('invalid agent_major_version') }
     }
@@ -65,6 +65,11 @@
       $baseurl = $defaulturl
     }
 
+    exec { 'ensure key 4172A230 is removed from the RPM database':
+      command => '/bin/rpm --erase gpg-pubkey-4172a230-55dd14f6',
+      onlyif  => '/bin/rpm -q gpg-pubkey-4172a230-55dd14f6',
+    }
+
     yumrepo { 'datadog-beta':
       ensure => absent,
     }
diff --git a/manifests/suse.pp b/manifests/suse.pp
@@ -17,7 +17,6 @@
     $current_key,
     'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
     'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-    'https://keys.datadoghq.com/DATADOG_RPM_KEY.public',
   ]
 
   if ($rpm_repo_gpgcheck != undef) {
@@ -33,7 +32,7 @@
   case $agent_major_version {
       5 : { fail('Agent v5 package not available in SUSE') }
       6 : { $gpgkeys = $all_keys }
-      7 : { $gpgkeys = $all_keys[0,-2] }
+      7 : { $gpgkeys = $all_keys }
       default: { fail('invalid agent_major_version') }
   }
 
@@ -66,6 +65,11 @@
     }
   }
 
+  exec { 'ensure key 4172A230 is removed from the RPM database':
+    command => '/bin/rpm --erase gpg-pubkey-4172a230-55dd14f6',
+    onlyif  => '/bin/rpm -q gpg-pubkey-4172a230-55dd14f6',
+  }
+
   zypprepo { 'datadog':
     baseurl      => $baseurl,
     enabled      => 1,
diff --git a/spec/classes/datadog_agent_redhat_spec.rb b/spec/classes/datadog_agent_redhat_spec.rb
@@ -29,8 +29,7 @@
           .with_gpgcheck(1)\
           .with_gpgkey('https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public
        https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY.public')\
+       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public')\
           .with_baseurl('https://yum.datadoghq.com/rpm/x86_64/')\
           .with_repo_gpgcheck(false)
       end
@@ -78,8 +77,7 @@
           .with_gpgcheck(1)\
           .with_gpgkey('https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public
        https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY.public')\
+       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public')\
           .with_baseurl('https://yum.datadoghq.com/stable/6/x86_64/')\
           .with_repo_gpgcheck(true)
       end
diff --git a/spec/classes/datadog_agent_suse_spec.rb b/spec/classes/datadog_agent_suse_spec.rb
@@ -32,8 +32,7 @@
           .with_gpgcheck(1)\
           .with_gpgkey('https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public
        https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public
-       https://keys.datadoghq.com/DATADOG_RPM_KEY.public')\
+       https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public')\
           .with_baseurl('https://yum.datadoghq.com/suse/stable/6/x86_64')
         # .with_repo_gpgcheck(true)
       end
diff --git a/test/integration/dd-agent/serverspec/default_spec.rb b/test/integration/dd-agent/serverspec/default_spec.rb
@@ -9,4 +9,14 @@
     it { is_expected.to be_enabled }
     it { is_expected.to be_running }
   end
+
+  describe command('rpm -q gpg-pubkey-4172a230-55dd14f6'), if: os[:family] == 'redhat' do
+    its(:stdout) { is_expected.to match 'package gpg-pubkey-4172a230-55dd14f6 is not installed' }
+    its(:exit_status) { is_expected.to eq 1 }
+  end
+
+  describe command('rpm -q gpg-pubkey-4172a230-55dd14f6'), if: os[:family] == 'opensuse' do
+    its(:stdout) { is_expected.to match 'package gpg-pubkey-4172a230-55dd14f6 is not installed' }
+    its(:exit_status) { is_expected.to eq 1 }
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,8 @@`
`18`	`18`	`'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',`
`19`	`19`	`'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',`
`20`	`20`	`'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',`
`21`		`- 'https://keys.datadoghq.com/DATADOG_RPM_KEY.public',`
`22`	`21`	`]`
	`22`	`+`
`23`	`23`	`if ($rpm_repo_gpgcheck != undef) {`
`24`	`24`	`$repo_gpgcheck = $rpm_repo_gpgcheck`
`25`	`25`	`} else {`
`@@ -54,7 +54,7 @@`
`54`	`54`	`}`
`55`	`55`	`7 : {`
`56`	`56`	`$defaulturl = "https://yum.datadoghq.com/stable/7/${::architecture}/"`
`57`		`- $gpgkeys = $keys[0,-2]`
	`57`	`+ $gpgkeys = $keys`
`58`	`58`	`}`
`59`	`59`	`default: { fail('invalid agent_major_version') }`
`60`	`60`	`}`
`@@ -65,6 +65,11 @@`
`65`	`65`	`$baseurl = $defaulturl`
`66`	`66`	`}`
`67`	`67`
	`68`	`+ exec { 'ensure key 4172A230 is removed from the RPM database':`
	`69`	`+ command => '/bin/rpm --erase gpg-pubkey-4172a230-55dd14f6',`
	`70`	`+ onlyif => '/bin/rpm -q gpg-pubkey-4172a230-55dd14f6',`
	`71`	`+ }`
	`72`	`+`
`68`	`73`	`yumrepo { 'datadog-beta':`
`69`	`74`	`ensure => absent,`
`70`	`75`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,6 @@`
`17`	`17`	`$current_key,`
`18`	`18`	`'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',`
`19`	`19`	`'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',`
`20`		`- 'https://keys.datadoghq.com/DATADOG_RPM_KEY.public',`
`21`	`20`	`]`
`22`	`21`
`23`	`22`	`if ($rpm_repo_gpgcheck != undef) {`
`@@ -33,7 +32,7 @@`
`33`	`32`	`case $agent_major_version {`
`34`	`33`	`5 : { fail('Agent v5 package not available in SUSE') }`
`35`	`34`	`6 : { $gpgkeys = $all_keys }`
`36`		`- 7 : { $gpgkeys = $all_keys[0,-2] }`
	`35`	`+ 7 : { $gpgkeys = $all_keys }`
`37`	`36`	`default: { fail('invalid agent_major_version') }`
`38`	`37`	`}`
`39`	`38`
`@@ -66,6 +65,11 @@`
`66`	`65`	`}`
`67`	`66`	`}`
`68`	`67`
	`68`	`+ exec { 'ensure key 4172A230 is removed from the RPM database':`
	`69`	`+ command => '/bin/rpm --erase gpg-pubkey-4172a230-55dd14f6',`
	`70`	`+ onlyif => '/bin/rpm -q gpg-pubkey-4172a230-55dd14f6',`
	`71`	`+ }`
	`72`	`+`
`69`	`73`	`zypprepo { 'datadog':`
`70`	`74`	`baseurl => $baseurl,`
`71`	`75`	`enabled => 1,`