Stop adding old RPM GPG key 4172A230 (#466)

README.md

@@ -53,14 +53,14 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y
 | `datadog_yum_repo`                         | Override the default Datadog `yum` repository.                                                                                                                                                                                                                                                                                                                     |
 | `datadog_yum_repo_gpgcheck`                | Override the default `repo_gpgcheck` value (empty). If empty, value is dynamically set to `yes` when custom `datadog_yum_repo` is not used and system is not RHEL/CentOS 8.1 (due to [a bug](https://bugzilla.redhat.com/show_bug.cgi?id=1792506) in dnf), otherwise it's set to `no`. **Note**: repodata signature verification is always turned off for Agent 5. |
 | `datadog_yum_gpgcheck`                     | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification.                                                                                                                                                                                                                                                           |
-| `datadog_yum_gpgkey`                       | Override the default URL to the Datadog `yum` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`).                                                                                                                                                                                                                                        |
+| `datadog_yum_gpgkey`                       | **Removed in version 4.18.0** Override the default URL to the Datadog `yum` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`).                                                                                                                                                                                                                                        |
 | `datadog_yum_gpgkey_e09422b3`              | Override the default URL to the Datadog `yum` key used to verify Agent v6.14+ packages (key ID `E09422B3`).                                                                                                                                                                                                                                                        |
 | `datadog_yum_gpgkey_e09422b3_sha256sum`    | Override the default checksum of the `datadog_yum_gpgkey_e09422b3` key.                                                                                                                                                                                                                                                                                            |
 | `datadog_zypper_repo`                      | Override the default Datadog `zypper` repository.                                                                                                                                                                                                                                                                                                                  |
 | `datadog_zypper_repo_gpgcheck`             | Override the default `repo_gpgcheck` value (empty). If empty, value is dynamically set to `yes` when custom `datadog_zypper_repo` is not used, otherwise it's set to `no`. **Note**: repodata signature verification is always turned off for Agent 5.                                                                                                             |
 | `datadog_zypper_gpgcheck`                  | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification.                                                                                                                                                                                                                                                           |
-| `datadog_zypper_gpgkey`                    | Override the default URL to the Datadog `zypper` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`).                                                                                                                                                                                                                                     |
-| `datadog_zypper_gpgkey_sha256sum`          | Override the default checksum of the `datadog_zypper_gpgkey` key.                                                                                                                                                                                                                                                                                                  |
+| `datadog_zypper_gpgkey`                    | **Removed in version 4.18.0** Override the default URL to the Datadog `zypper` key used to verify Agent v5 and v6 (up to 6.13) packages (key ID `4172A230`).                                                                                                                                                                                                                                     |
+| `datadog_zypper_gpgkey_sha256sum`          | **Removed in version 4.18.0** Override the default checksum of the `datadog_zypper_gpgkey` key.                                                                                                                                                                                                                                                                                                  |
 | `datadog_zypper_gpgkey_e09422b3`           | Override the default URL to the Datadog `zypper` key used to verify Agent v6.14+ packages (key ID `E09422B3`).                                                                                                                                                                                                                                                     |
 | `datadog_zypper_gpgkey_e09422b3_sha256sum` | Override the default checksum of the `datadog_zypper_gpgkey_e09422b3` key.                                                                                                                                                                                                                                                                                         |
 | `datadog_agent_allow_downgrade`            | Set to `yes` to allow Agent downgrades on apt-based platforms (use with caution, see `defaults/main.yml` for details). **Note**: On Centos this only works with Ansible 2.4+.                                                                                                                                                                                      |

defaults/main.yml

@@ -69,6 +69,10 @@ datadog_apt_repo: ""
 datadog_apt_cache_valid_time: 3600
 datadog_apt_key_retries: 5
 
+# DATADOG_RPM_KEY.public (4172A230) is only useful to install old (< 6.14) Agent packages.
+# We no longer add it and we explicitly remove it.
+datadog_rpm_remove_keys: [4172A230]
+
 # Default yum repo and keys
 
 # By default, the role uses the official yum Datadog repository for the chosen major version
@@ -79,7 +83,7 @@ datadog_yum_repo_gpgcheck: ""
 datadog_yum_gpgcheck: yes
 # NOTE: we don't use URLs starting with https://keys.datadoghq.com/, as Python
 # on older CentOS/RHEL/SUSE doesn't support SNI and get_url would fail on them
-datadog_yum_gpgkey: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY.public"
+
 # the CURRENT key always contains the key that is used to sign repodata and latest packages
 datadog_yum_gpgkey_current: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_CURRENT.public"
 # this key expires in 2022
@@ -106,8 +110,6 @@ datadog_manage_zypper_repofile: yes
 
 datadog_zypper_repo_gpgcheck: ""
 datadog_zypper_gpgcheck: yes
-datadog_zypper_gpgkey: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY.public"
-datadog_zypper_gpgkey_sha256sum: "00d6505c33fd95b56e54e7d91ad9bfb22d2af17e5480db25cba8fee500c80c46"
 datadog_zypper_gpgkey_current: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_CURRENT.public"
 datadog_zypper_gpgkey_e09422b3: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_E09422B3.public"
 datadog_zypper_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"

tasks/_remove_rpm_keys.yml

@@ -0,0 +1,5 @@
+- name: "Ensure GPG key {{ item }} is not present in the RPM db"
+  rpm_key:
+    state: absent
+    key: "{{ item }}"
+  when: not ansible_check_mode

tasks/check-removed-config.yml

@@ -0,0 +1,9 @@
+- name: Ensure datadog_yum_gpgkey is not used
+  fail:
+    msg: datadog_yum_gpgkey configuration value was removed.
+  when: datadog_yum_gpgkey is defined and datadog_yum_gpgkey|length > 0
+
+- name: Ensure datadog_zypper_gpgkey is not used
+  fail:
+    msg: datadog_zypper_gpgkey configuration value was removed.
+  when: datadog_zypper_gpgkey is defined and datadog_zypper_gpgkey|length > 0

tasks/main.yml

@@ -21,6 +21,14 @@
   include_tasks: pkg-debian.yml
   when: ansible_facts.os_family == "Debian" and not datadog_skip_install
 
+- name: Include tasks to remove old GPG keys
+  include_tasks: "_remove_rpm_keys.yml"
+  when: ansible_facts.os_family in ["RedHat", "Rocky", "AlmaLinux", "Suse"]
+  loop: "{{ datadog_rpm_remove_keys }}"
+
+- name: Include tasks to check removed configuration value usage
+  include_tasks: check-removed-config.yml
+
 # Only Ansible >= 3.0 knows that AlmaLinux belongs to "RedHat" family
 # (and latest bugfix releases of some 2.X)
 # For Rocky it is some 4.X and >= 5.0

tasks/pkg-redhat.yml

@@ -84,7 +84,6 @@
       "{{ datadog_yum_gpgkey_current }}",
       "{{ datadog_yum_gpgkey_20200908 }}",
       "{{ datadog_yum_gpgkey_e09422b3 }}",
-      "{{ datadog_yum_gpgkey }}",
     ]
   register: repofile5
   when: (datadog_agent_major_version|int == 5) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
@@ -102,7 +101,6 @@
       "{{ datadog_yum_gpgkey_current }}",
       "{{ datadog_yum_gpgkey_20200908 }}",
       "{{ datadog_yum_gpgkey_e09422b3 }}",
-      "{{ datadog_yum_gpgkey }}",
     ]
   register: repofile6
   when: (datadog_agent_major_version|int == 6) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
@@ -137,7 +135,6 @@
       "{{ datadog_yum_gpgkey_current }}",
       "{{ datadog_yum_gpgkey_20200908 }}",
       "{{ datadog_yum_gpgkey_e09422b3 }}",
-      "{{ datadog_yum_gpgkey }}",
     ]
   register: repofilecustom
   when: (datadog_yum_repo | length > 0) and (not ansible_check_mode)

tasks/pkg-suse.yml

@@ -32,33 +32,6 @@
     state: present
   when: not ansible_check_mode
 
-# Do not import old key if installing Agent 7, as all Agent 7 packages are signed with the new key
-- block:  # Work around due to SNI check for SLES11
-  - name: Stat if RPM key already exists
-    stat:
-      path: /tmp/DATADOG_RPM_KEY.public
-    register: ddkey
-  - name: Download RPM key (SLES11)
-    get_url:
-      url: "{{ datadog_zypper_gpgkey }}"
-      dest: /tmp/DATADOG_RPM_KEY.public
-    when: not ddkey.stat.exists
-  when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int == 11
-
-# Do not import old key if installing Agent 7, as all Agent 7 packages are signed with the new key
-- name: Download RPM key
-  get_url:
-    url: "{{ datadog_zypper_gpgkey }}"
-    dest: /tmp/DATADOG_RPM_KEY.public
-    checksum: "sha256:{{ datadog_zypper_gpgkey_sha256sum }}"
-  when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int >= 12
-
-- name: Import RPM key
-  rpm_key:
-    key: /tmp/DATADOG_RPM_KEY.public
-    state: present
-  when: datadog_agent_major_version|int < 7 and not ansible_check_mode
-
 - block:  # Work around due to SNI check for SLES11
   - name: Stat if E09422B3 key (Expires 2022) RPM key already exists
     stat: