
Release 4.7.2 (#757)
- Undo revert of #754, seems to be working fine.
- Update metadata and changelog.
albertvaka authored Nov 25, 2020
1 parent 063c29e commit 3559eb5
Showing 11 changed files with 219 additions and 64 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,9 @@
Changes
=======

# 4.7.2 / 2020-11-25
* [FEATURE] Trust new signing key [#754][] [@mikezhu-dd][]

# 4.7.1 / 2020-11-25
* [BUGFIX] Revert [#754][]

5 changes: 3 additions & 2 deletions attributes/default.rb
Expand Up @@ -167,9 +167,10 @@
# Only applies if specific version specified
default['datadog']['windows_agent_installer_prefix'] = nil

# Location of additional rpm gpgkey to import (with signature `e09422b3`). In the future the rpm packages
# Location of additional rpm gpg keys to import. In the future the rpm packages
# of the Agent will be signed with this key.
default['datadog']['yumrepo_gpgkey_new'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
default['datadog']['yumrepo_gpgkey_new_e09422b3'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public"
default['datadog']['yumrepo_gpgkey_new_fd4bf915'] = "#{yum_protocol}://yum.datadoghq.com/DATADOG_RPM_KEY_20200908.public"

# Windows Agent Blacklist
# Attribute to enforce silent failures on agent installs when attempting to install a
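Review bot: Dropping `default['datadog']['yumrepo_gpgkey_new']` is a breaking change for wrapper cookbooks that override it to point at an internal mirror, since the recipe now reads only `yumrepo_gpgkey_new_e09422b3` and `yumrepo_gpgkey_new_fd4bf915`; such an override is silently ignored and the key is fetched from the default yum.datadoghq.com URL. Either keep the old attribute as a fallback for the e09422b3 entry or state the rename in the attribute comment and changelog, e.g. `# Replaces the former yumrepo_gpgkey_new attribute; wrapper cookbooks mirroring the keys must override both`. The comment should also say that recipes/repository.rb checks each downloaded file against a hard-coded fingerprint before `rpm --import`, so a mirrored copy only works if it is byte-for-byte the same key.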
2 changes: 1 addition & 1 deletion metadata.rb
Expand Up @@ -3,7 +3,7 @@
maintainer_email '[email protected]'
license 'Apache-2.0'
description 'Installs/Configures datadog components'
version '4.7.1'
version '4.7.2'
chef_version '>= 12.7'
source_url 'https://github.com/DataDog/chef-datadog'
issues_url 'https://github.com/DataDog/chef-datadog/issues'
92 changes: 65 additions & 27 deletions recipes/repository.rb
Expand Up @@ -26,6 +26,22 @@

agent_major_version = Chef::Datadog.agent_major_version(node)

# A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
# D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
apt_gpg_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE', 'D75CEA17048B9ACBF186794B32637D44F14F620E']

# DATADOG_RPM_KEY_E09422B3.public expires in 2022
# DATADOG_RPM_KEY_20200908.public expires in 2024
rpm_gpg_keys = [['DATADOG_RPM_KEY_E09422B3.public', 'e09422b3', 'A4C0 B90D 7443 CF6E 4E8A A341 F106 8E14 E094 22B3'],
['DATADOG_RPM_KEY_20200908.public', 'fd4bf915', 'C655 9B69 0CA8 82F0 23BD F3F6 3F4D 1729 FD4B F915']]

# Local file name of the key
rpm_gpg_keys_name = 0
# Short fingerprint for rpm commands, used in "rpm -q gpg-pubkey-*" and node['datadog']["yumrepo_gpgkey_new_*"]
rpm_gpg_keys_short_fingerprint = 1
# Space delimited full fingerprint
rpm_gpg_keys_full_fingerprint = 2

case node['platform_family']
when 'debian'
apt_update 'update'
Expand All @@ -48,15 +64,17 @@

retries = node['datadog']['aptrepo_retries']
keyserver = node['datadog']['aptrepo_use_backup_keyserver'] ? node['datadog']['aptrepo_backup_keyserver'] : node['datadog']['aptrepo_keyserver']
# Add APT repository
apt_repository 'datadog' do
keyserver keyserver
key 'A2923DFF56EDA6E76E55E492D3A80E30382E94DE'
uri node['datadog']['aptrepo']
distribution node['datadog']['aptrepo_dist']
components components
action :add
retries retries
# Add APT repositories
apt_gpg_keys.each do |apt_gpg_key|
apt_repository "datadog_apt_#{apt_gpg_key}" do
keyserver keyserver
key apt_gpg_key
uri node['datadog']['aptrepo']
distribution node['datadog']['aptrepo_dist']
components components
action :add
retries retries
end
end

# Previous versions of the cookbook could create this repo file, make sure we remove it now
Expand All @@ -65,26 +83,31 @@
end
when 'rhel', 'fedora', 'amazon'
# Import new RPM key
if node['datadog']['yumrepo_gpgkey_new']
rpm_gpg_keys.each do |rpm_gpg_key|
next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]

# gnupg is required to check the downloaded key's fingerprint
package 'gnupg' do
action :install
only_if { node['packages']['gnupg2'].nil? }
end

# Download new RPM key
key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
path key_local_path
source node['datadog']['yumrepo_gpgkey_new']
not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
end

# The fingerprint string has spaces in it, calculate one without space here
gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')

# Import key if fingerprint matches
execute 'rpm-import datadog key e09422b3' do
execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
command "rpm --import #{key_local_path}"
only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
only_if "gpg --dry-run --quiet --with-fingerprint #{key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
action :nothing
end
end
Expand All @@ -105,36 +128,51 @@
end

# Add YUM repository
yumrepo_gpgkeys = []
if agent_major_version < 7
yumrepo_gpgkeys.push(node['datadog']['yumrepo_gpgkey'])
else
rpm_gpg_keys.each do |rpm_gpg_key|
yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])
end
end

yum_repository 'datadog' do
description 'datadog'
baseurl baseurl
proxy node['datadog']['yumrepo_proxy']
proxy_username node['datadog']['yumrepo_proxy_username']
proxy_password node['datadog']['yumrepo_proxy_password']
gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
gpgkey yumrepo_gpgkeys
gpgcheck true
action :create
end
when 'suse'
# Import new RPM key
if node['datadog']['yumrepo_gpgkey_new']
rpm_gpg_keys.each do |rpm_gpg_key|
next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]

# Download new RPM key
new_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY_E09422B3.public')
remote_file 'DATADOG_RPM_KEY_E09422B3.public' do
new_key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
path new_key_local_path
source node['datadog']['yumrepo_gpgkey_new']
not_if 'rpm -q gpg-pubkey-e09422b3' # (key already imported)
notifies :run, 'execute[rpm-import datadog key e09422b3]', :immediately
source node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
not_if "rpm -q gpg-pubkey-#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" # (key already imported)
notifies :run, "execute[rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}]", :immediately
end

# The fingerprint string has spaces in it, calculate one without space here
gpg_key_fingerprint_without_space = rpm_gpg_key[rpm_gpg_keys_full_fingerprint].delete(' ')

# Import key if fingerprint matches
execute 'rpm-import datadog key e09422b3' do
execute "rpm-import datadog key #{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}" do
command "rpm --import #{new_key_local_path}"
only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep 'A4C0 B90D 7443 CF6E 4E8A A341 F106 8E14 E094 22B3' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep 'A4C0B90D7443CF6E4E8AA341F1068E14E09422B3'"
only_if "gpg --dry-run --quiet --with-fingerprint #{new_key_local_path} | grep '#{rpm_gpg_key[rpm_gpg_keys_full_fingerprint]}' || gpg --dry-run --import --import-options import-show #{new_key_local_path} | grep '#{gpg_key_fingerprint_without_space}'"
action :nothing
end
end

# Now the old key is mostly hard-coded
old_key_local_path = ::File.join(Chef::Config[:file_cache_path], 'DATADOG_RPM_KEY.public')
remote_file 'DATADOG_RPM_KEY.public' do
path old_key_local_path
Expand Down Expand Up @@ -167,7 +205,7 @@
zypper_repository 'datadog' do
description 'datadog'
baseurl baseurl
gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new']
gpgkey agent_major_version < 7 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_keys[0][rpm_gpg_keys_short_fingerprint]}"]
gpgautoimportkeys false
gpgcheck false
action :create
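Review bot: The yum gpgkey list built with `yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])` pushes the attribute value unconditionally, while the import loop above skips a key whose attribute is unset (`next unless node['datadog']["yumrepo_gpgkey_new_#{…}"]`); setting one of the `yumrepo_gpgkey_new_*` attributes to nil to disable that key therefore leaves a nil entry in the array handed to `yum_repository`, which will presumably be rejected by the property or rendered into the .repo file. Mirroring the guard, `yumrepo_gpgkeys = rpm_gpg_keys.map { |k| node['datadog']["yumrepo_gpgkey_new_#{k[rpm_gpg_keys_short_fingerprint]}"] }.compact`, keeps the two paths consistent. The SUSE `zypper_repository` lists only `rpm_gpg_keys[0]` (the e09422b3 key the table says expires in 2022) rather than both keys; with `gpgcheck false` and `gpgautoimportkeys false` this does not weaken verification, which rests on the fingerprint-checked `rpm --import` above, but a one-line comment saying why only the first key is listed would save the next reader from treating it as an oversight. The positional indices `rpm_gpg_keys_name`/`_short_fingerprint`/`_full_fingerprint` are a style point: a hash per key (`{ name:, short:, full: }`) reads more clearly than `rpm_gpg_key[1]`. The enclosing `case node['platform_family']` opens in the first hunk and its remaining branches lie outside the shown hunks.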
