Merge pull request #175 from yakatz/new_gpg_key

APT repo has new GPG key and we should control it directly

REFERENCE.md

@@ -30,7 +30,7 @@ The following parameters are available in the `lldpd` class:
 * [`manage_service`](#-lldpd--manage_service)
 * [`manage_repo`](#-lldpd--manage_repo)
 * [`repourl`](#-lldpd--repourl)
-* [`apt_key_hash`](#-lldpd--apt_key_hash)
+* [`apt_key`](#-lldpd--apt_key)
 
 ##### <a name="-lldpd--ensure"></a>`ensure`
 
@@ -64,11 +64,11 @@ String that completes the url for the upstream repository
 
 Default value: `undef`
 
-##### <a name="-lldpd--apt_key_hash"></a>`apt_key_hash`
+##### <a name="-lldpd--apt_key"></a>`apt_key`
 
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
 
-the sha256 hashsum for the GPG key file that was used to sign the packages
+the public key used to sign the apt repository (default loaded from hiera)
 
-Default value: `'4f9e668fbdaaedf4fc8d83f4eb98db33553d7f4e1f0bca212d0a7ccc9f1a6adf'`
+Default value: `undef`
 

data/common.yaml

@@ -1,2 +1,25 @@
 ---
 lldpd::manage_repo: true
+
+lldpd::apt_key: |
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: GnuPG v1.4.5 (GNU/Linux)
+
+    mQENBFrWFxUBCADE36u4rOV+FNTq/G5D0QEaxOoaBJxKOtAwxOs2euxrOuQeUhU3
+    J926Jp3IJbh3t2GROvNWvG+ypxZLXEJw1V1/C5aUFo4yYSBweAkXzNxBJtmh5+UB
+    uLwwdVvJLm3Ew4VV7hO5dn+I1D58pxOydeKhsE3Hb2z3Gg8gEuWwQCnMyRM4JAMq
+    5QcTotPJ/n3hHRR4v5WDUOa7W8rcpX9Je1BHT+BdRl+WyK9qjfSvsRvJNXzoZfIX
+    WIOX7Dw/3160aVFuHNEv/kOluIfttVjYnKlqiNqMEbho9OBwgl4zs5zNB56XiNvP
+    BQ7Qi0GxK8+OkAVqlQ80RimkT5Kv7AQP14qhABEBAAG0OmhvbWU6dmJlcm5hdCBP
+    QlMgUHJvamVjdCA8aG9tZTp2YmVybmF0QGJ1aWxkLm9wZW5zdXNlLm9yZz6JAT4E
+    EwEIACgFAmcd1SkCGwMFCRBmbhQGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
+    EEMcN6l8PhFLPXkH/3jcPLce4jnbY+tPW2LasCGATNw38ZxEat4POYSw7u2nTMJf
+    gq+8Dktb2yRpLqXN1RoAfIt3iVHFlaRIHKO2I9jJVnwE22PKrfNoWngH9+f+++Ys
+    LBXS1R0W1R/sls+QxEhty6byiP++mg0XtBYQ+bdz4OF8JKbjBfj+ng5BUhJp7SIP
+    P0A9hLAKaZpGdP6y53W0s7f9I7G+tQRhlgtkxwoL2m2q9vr/8iGgE8jNAlTJ1o9j
+    m19N3ZBtcrbLh8C6KB+wOe3yqmJPKFC2RJmV204yqoakNvPCvYkImkbH+JP+83hs
+    61HRaMOzpNfLqdD5D+7225CLMNCOrvV/HhojsR6IRgQTEQIABgUCWtYXFQAKCRA7
+    MBG3a51lI8xNAKCc6J+qY7tSAhO06zW8+/1RsfCxJQCfbpnP0JZ/WzQQxyWpXuNa
+    t+Xd7EU=
+    =vZBz
+    -----END PGP PUBLIC KEY BLOCK-----

manifests/init.pp

@@ -9,13 +9,13 @@
 # @param manage_service Enable or disable the service management
 # @param manage_repo Enable or disable the repository setup
 # @param repourl String that completes the url for the upstream repository
-# @param apt_key_hash the sha256 hashsum for the GPG key file that was used to sign the packages
+# @param apt_key the public key used to sign the apt repository (default loaded from hiera)
 class lldpd (
   Enum['present', 'absent', 'latest'] $ensure            = 'present',
   Boolean                             $manage_repo       = false,
   Boolean                             $manage_service    = true,
   Optional[String[1]]                 $repourl           = undef,
-  String[1]                           $apt_key_hash      = '4f9e668fbdaaedf4fc8d83f4eb98db33553d7f4e1f0bca212d0a7ccc9f1a6adf',
+  Optional[String[1]]                 $apt_key           = undef,
 ) {
   if $manage_repo {
     case $facts['os']['family'] {
@@ -29,43 +29,43 @@
         }
       }
       'Debian': {
-        # place the key in the keyrings directory where apt won't search for keys for all repos
-        # ascii encoded files need to end with *.asc, binary files with .gpg...
-        file { '/usr/share/keyrings/lldpd.asc':
-          ensure         => 'file',
-          source         => "https://download.opensuse.org/repositories/home:/vbernat/${repourl}/Release.key",
-          owner          => 'root',
-          group          => 'root',
-          mode           => '0644',
-          checksum_value => $apt_key_hash,
-          checksum       => 'sha256',
-        }
-        # purge old key files that we installed in previous releases
-        file { ['/etc/apt/trusted.gpg.d/home_vbernat.gpg', '/etc/apt/trusted.gpg.d/home_vbernat.gpg~']:
-          ensure => absent,
-        }
-
-        # previously managed by apt::key, we need to purge it from the global keyring in /etc/apt/trusted.gpg
         include apt # required so apt::key can access variables from init.pp
+
+        # Get rid of all the different old keys
+        file { [
+            '/etc/apt/trusted.gpg.d/home_vbernat.gpg',
+            '/etc/apt/trusted.gpg.d/home_vbernat.gpg~',
+            '/usr/share/keyrings/lldpd.asc',
+          ]:
+            ensure => absent,
+        }
         apt::key { 'EF795E4D26E48F1D7661267B431C37A97C3E114B':
           ensure => 'absent',
         }
+
+        # Configure source and key
         apt::source { 'lldpd':
           location => "https://download.opensuse.org/repositories/home:/vbernat/${repourl}",
           release  => ' ',
           repos    => '/',
-          keyring  => '/usr/share/keyrings/lldpd.asc',
+          key      => {
+            name    => 'lldpd',
+            content => $apt_key,
+          },
           require  => File['/usr/share/keyrings/lldpd.asc'],
         }
+        Apt::Source['lldpd'] -> Package['lldpd']
       }
       default: {
         warning("`\$manage_repo` not valid for: ${facts['os']['family']}")
       }
     }
   }
+
   package { 'lldpd':
     ensure => $ensure,
   }
+
   if $manage_service {
     service { 'lldpd':
       ensure  => 'running',