Only install relevant GPG Keys #930

Merged
merged 29 commits into from
Aug 14, 2024
a6f9656
feat(recipes): install only relevant gpg keys
Pythyu Apr 11, 2024
f5f4bbe
fix(style): floating whitespace removal
Pythyu Apr 11, 2024
5bbb7f0
test(dd-agent_spec): test gpg key correct installation
Pythyu Apr 15, 2024
7c9ca18
feat(lint): fix linting issue
Pythyu Apr 23, 2024
52b0438
feat(gpg): add kitchen tests to check gpg keys
Pythyu Apr 26, 2024
a7b2161
feat(kitchen): add dd-agent-gpgcheck to ci tests
Pythyu Apr 26, 2024
6592086
feat(kitchen): gpgcheck tests excluding agent 5 oses
Pythyu Apr 26, 2024
89af0bf
feat(kitchen): gpgcheck add dd-handler
Pythyu Apr 26, 2024
b1a5889
feat(chef): pin old version to 7.20.0
Pythyu Apr 29, 2024
dbf9d80
Merge branch 'main' into pythyu/relevant_gpg_key_installation
Pythyu Aug 13, 2024
5b093f7
feat(handler): enable chef handler
Pythyu Aug 13, 2024
c581aba
feat(rework): rpm gpg import
Pythyu Aug 13, 2024
91504c0
debug
Pythyu Aug 13, 2024
826c558
feat(agent_minor_version): fix agent_minor_version
Pythyu Aug 13, 2024
67f7498
feat(agent_minor_version): fix agent_minor_version
Pythyu Aug 14, 2024
e099edb
feat(agent_minor_version): fix agent_minor_version
Pythyu Aug 14, 2024
cae51a8
feat(agent_minor_version): fix agent_minor_version
Pythyu Aug 14, 2024
a79a516
feat(agent_minor_version): fix agent_minor_version
Pythyu Aug 14, 2024
380a65d
feat(agent_minor_version): debug agent_minor_version
Pythyu Aug 14, 2024
e247147
feat(agent_minor_version): debug agent_minor_version
Pythyu Aug 14, 2024
2d4ef5d
feat(agent_minor_version): debug agent_minor_version
Pythyu Aug 14, 2024
c4ec75c
feat(agent_minor_version): debug agent_minor_version
Pythyu Aug 14, 2024
ee51cad
feat(agent_minor_version): debug agent_minor_version
Pythyu Aug 14, 2024
17908bd
feat(agent_minor_version): wrong condition priority
Pythyu Aug 14, 2024
0789894
feat(agent_minor_version): wrong condition priority
Pythyu Aug 14, 2024
87101a1
feat(spec): update specs with removed gpg keys
Pythyu Aug 14, 2024
2fa9a54
feat(serverspec): fix serverspec tests
Pythyu Aug 14, 2024
00d94f5
feat(kitchen): wrong indentation
Pythyu Aug 14, 2024
5d45036
feat(comment): apply PR comments
Pythyu Aug 14, 2024
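--- a/kitchen.docker.yml
+++ b/kitchen.docker.yml
@@ -83,3 +83,34 @@ suites:
 - centos-7.7
 <% end %>
 <% end %>
+
+- name: dd-agent-gpgcheck-recent
+run_list:
+- recipe[datadog::dd-agent]
+- recipe[datadog::dd-handler]
+attributes:
+datadog: &DATADOG
+agent_major_version: 7
+api_key: somenonnullapikeythats32charlong
+application_key: alsonotnil
+chef_handler_enable: true
+excludes:
+- ubuntu-14.04
+- debian-8.11
+
+
+- name: dd-agent-gpgcheck-older
+run_list:
+- recipe[datadog::dd-agent]
+- recipe[datadog::dd-handler]
+attributes:
+datadog: &DATADOG
+agent_major_version: 7
+agent_minor_version: 20.0
+api_key: somenonnullapikeythats32charlong
+application_key: alsonotnil
+chef_handler_enable: true
+excludes:
+- ubuntu-14.04
+- debian-8.11
+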
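Review bot: `agent_minor_version: 20.0` in the dd-agent-gpgcheck-older suite is a YAML float, and the recipe change in this PR only normalises String values (`agent_minor_version.to_i` when `is_a?(String)`), so the Float reaches the `> 35` comparison untouched. That happens to work for 20.0, but a two-digit patch such as 20.10 would be parsed as 20.1 while the same value quoted would go through `to_i` to 20, so the two spellings diverge silently; quote it to take the path the recipe actually handles, `agent_minor_version: '20.0'`. Both new suites also declare the same `&DATADOG` anchor with no visible alias using it, which presumably mirrors the existing suites above the hunk but is dead weight in these two.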
16 changes: 14 additions & 2 deletions recipes/repository.rb
Expand Up @@ -27,6 +27,11 @@

agent_major_version = Chef::Datadog.agent_major_version(node)

agent_minor_version = node['datadog']['agent_minor_version']
unless agent_minor_version.nil? || !agent_minor_version.is_a?(String)
agent_minor_version = agent_minor_version.to_i
end

# DATADOG_APT_KEY_CURRENT always contains the key that is used to sign repodata and latest packages
# A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
# D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
Expand Down Expand Up @@ -195,10 +200,12 @@ def warn_deprecated_yumrepo_gpgkey
action :install
only_if { node['packages']['gnupg2'].nil? }
end

# Import new RPM key
rpm_gpg_keys.each do |rpm_gpg_key|
next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
next
end

# Download new RPM key
key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
Expand Down Expand Up @@ -262,6 +269,9 @@ def warn_deprecated_yumrepo_gpgkey
yumrepo_gpgkeys = []
if agent_major_version > 5
rpm_gpg_keys.each do |rpm_gpg_key|
if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
next
end
yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])
end
end
Expand All @@ -284,7 +294,9 @@ def warn_deprecated_yumrepo_gpgkey
# Import new RPM key
rpm_gpg_keys.each do |rpm_gpg_key|
next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]

if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
next
end
# Download new RPM key
new_key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do
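Review bot: The legacy-key skip `(agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'` is repeated verbatim in three hunks of this file with the bare literals `35` and `'e09422b3'`, so the decision of which signing key a host trusts lives in three places that can drift apart. Compute it once after the normalisation block, e.g. `# Legacy RPM key E09422B3 is only kept for agent minor versions <= 35; an unset version is treated as latest` followed by `needs_legacy_rpm_key = !agent_minor_version.nil? && agent_minor_version <= 35`, and reduce each site to `next if !needs_legacy_rpm_key && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'`. The normalisation itself is a double negative (`unless x.nil? || !x.is_a?(String)` is just `if agent_minor_version.is_a?(String)`), and `to_i` turns an unparsable string into 0, which the condition then treats as an old release and imports the legacy key — the opposite of what this PR is trying to achieve — so consider rejecting strings that do not start with digits before converting. The `rpm_gpg_keys.each` loops and the conditionals enclosing them begin outside these hunks.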
19 changes: 4 additions & 15 deletions spec/repository_spec.rb
Expand Up @@ -186,22 +186,21 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
end.converge(described_recipe)
end

# Key 4F09D16B (from 2024-05-15 to 2033-05-13)
# Key B01082D3 (from 2023-04-20 to 2028-04-18)
# Key FD4BF915 (from 2020-09-08 to 2024-09-07)
# Key E09422B3
import_gpg_keys(
%w[current 4f09d16b b01082d3 fd4bf915 e09422b3]
%w[current 4f09d16b b01082d3 fd4bf915]
)

# prefer HTTPS on boxes that support TLS1.2
it 'sets up a yum repo E09422B3, FD4BF915 and B01082D3' do
it 'sets up a yum repo 4F09D16B, FD4BF915 and B01082D3' do
expect(chef_run).to create_yum_repository('datadog').with(
gpgkey: [
'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: true)
end
Expand All @@ -216,14 +215,13 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
end.converge(described_recipe)
end

# Key 4F09D16B (from 2024-05-15 to 2033-05-13)
# Key B01082D3 (from 2023-04-20 to 2028-04-18)
# Key FD4BF915 (from 2020-09-08 to 2024-09-07)
# Key E09422B3
import_gpg_keys([
'4f09d16b',
'b01082d3',
'fd4bf915',
'e09422b3'
])

# prefer HTTPS on boxes that support TLS1.2
Expand All @@ -234,7 +232,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: true)
end
Expand All @@ -251,12 +248,10 @@ def set_yum_repo_and_gnupg(key, install_gnupg)

# Key B01082D3 (from 2023-04-20 to 2028-04-18)
# Key FD4BF915 (from 2020-09-08 to 2024-09-07)
# Key E09422B3
import_gpg_keys([
'4f09d16b',
'b01082d3',
'fd4bf915',
'e09422b3'
])

# RHEL5 has to use insecure HTTP due to lack of support for TLS1.2
Expand All @@ -268,7 +263,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'http://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'http://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'http://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'http://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: false)
end
Expand All @@ -291,7 +285,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: false)
end
Expand All @@ -314,7 +307,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: true)
end
Expand All @@ -337,7 +329,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: true)
end
Expand All @@ -360,7 +351,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
]
).with(repo_gpgcheck: true)
end
Expand All @@ -385,7 +375,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
'4f09d16b',
'b01082d3',
'fd4bf915',
'e09422b3'
], false)

it 'deletes the old RPM GPG key 4172a230 if it exists' do
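Review bot: These hunks only remove E09422B3 from the expected key lists; no example in the file exercises the branch the recipe gains, where a configured `agent_minor_version` of 35 or lower must still import and list the legacy key, nor the String path where a value like `'20.0'` goes through `to_i`. Without such a context a regression that drops the key for pinned old agents, or one that imports it on every host, passes this spec unchanged. Add a context next to the existing yum repo examples that sets `node['datadog']['agent_minor_version']` to `'20.0'` and expects the key back in the imported set, as sketched below. Separately, the comment header in the third hunk still lists only `# Key B01082D3` and `# Key FD4BF915` while the call below it imports `'4f09d16b'` too; the `# Key 4F09D16B (from 2024-05-15 to 2033-05-13)` line added in the first two hunks belongs there as well.
```ruby
# … unchanged: existing yum repo contexts …
context 'with an agent minor version that still needs the legacy key' do
  # chef_run: same runner setup as the sibling contexts, plus
  # node['datadog']['agent_minor_version'] = '20.0'
  import_gpg_keys(
    %w[current 4f09d16b b01082d3 fd4bf915 e09422b3]
  )
end
```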
@@ -0,0 +1,14 @@
source 'https://rubygems.org'

chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')

if RUBY_VERSION < '2.6'
gem 'net-ssh', '~> 6.1.0'
gem 'public_suffix', '~> 4.0.0'
end

gem 'json_spec', '~> 1.1.0'

if Gem::Version.new(chef_version) > Gem::Version.new('16.0.0') && RUBY_VERSION < '2.7'
gem 'train-core', '~> 3.9.0'
end
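Review bot: `RUBY_VERSION < '2.6'` compares version strings lexicographically, whereas the `train-core` guard a few lines below already uses `Gem::Version` for the Chef version; the two new Gemfiles (this one and the identical copy further down the PR) would be consistent and safe for any future two-digit minor as `if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.6')`, with the same treatment for the `RUBY_VERSION < '2.7'` test. This looks like a copy of an existing suite Gemfile, so the pattern is presumably inherited rather than new, but a freshly added file is the cheapest place to correct it.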
@@ -0,0 +1,53 @@
# Copyright:: 2011-Present, Datadog
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'spec_helper'

describe package(@agent_package_name) do
it { should be_installed }
end

describe service(@agent_service_name) do
it { should be_running }
end

describe command('/opt/datadog-agent/bin/agent/agent status | grep -v "Instance ID"'), :if => os[:family] != 'windows' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain '[OK]' }
its(:stdout) { should_not contain 'ERROR' }
end

# The new APT keys are imported
describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'C0962C7D' }
its(:stdout) { should contain 'F14F620E' }
its(:stdout) { should contain '382E94DE' }
end

# The new RPM keys are imported
describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
end

describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
end

describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
end
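Review bot: The final `rpm -q gpg-pubkey-e09422b3` block expects the legacy key to be present, but nothing in the file says why, and the near-identical serverspec file further down expects the opposite; a reader has to cross-reference kitchen.docker.yml to learn that this suite presumably pins `agent_minor_version: 20.0`. Add `# This suite pins an agent minor version <= 35, which still needs the legacy E09422B3 key, so it must be imported here` above that describe, and the mirror-image comment in the other suite's file. None of the serverspec files in this PR check `gpg-pubkey-4f09d16b`, although spec/repository_spec.rb now expects `DATADOG_RPM_KEY_4F09D16B.public` in the yum repo gpgkey list, so a failed import of that key would go unnoticed in kitchen; a `describe command('rpm -q gpg-pubkey-4f09d16b')` block mirroring the b01082d3 one would close that gap.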
@@ -0,0 +1,20 @@
# Copyright:: 2011-Present, Datadog
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'spec_helper'

# the be_installed.by('gem') check is not implemented for Windows as of v2.24 of Serverspec
describe package('chef-handler-datadog'), :if => os[:family] != 'windows' do
it { should be_installed.by('gem') }
end
@@ -0,0 +1,14 @@
source 'https://rubygems.org'

chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')

if RUBY_VERSION < '2.6'
gem 'net-ssh', '~> 6.1.0'
gem 'public_suffix', '~> 4.0.0'
end

gem 'json_spec', '~> 1.1.0'

if Gem::Version.new(chef_version) > Gem::Version.new('16.0.0') && RUBY_VERSION < '2.7'
gem 'train-core', '~> 3.9.0'
end
@@ -0,0 +1,52 @@
# Copyright:: 2011-Present, Datadog
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'spec_helper'

describe package(@agent_package_name) do
it { should be_installed }
end

describe service(@agent_service_name) do
it { should be_running }
end

describe command('/opt/datadog-agent/bin/agent/agent status | grep -v "Instance ID"'), :if => os[:family] != 'windows' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain '[OK]' }
its(:stdout) { should_not contain 'ERROR' }
end

# The new APT keys are imported
describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'C0962C7D' }
its(:stdout) { should contain 'F14F620E' }
its(:stdout) { should contain '382E94DE' }
end

# The new RPM keys are imported
describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
end

describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
end

describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 1 }
end
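Review bot: `its(:exit_status) { should eq 1 }` on `rpm -q gpg-pubkey-e09422b3` is the only evidence that the legacy key was not imported, and `rpm -q` can also exit non-zero for reasons unrelated to the package being absent, so the assertion would pass on a box where the query itself failed. Pair it with the text rpm prints for a missing package, `its(:stdout) { should contain 'is not installed' }`, so the check proves absence rather than "something went wrong". The same one-line addition applies to the three existing serverspec files modified at the end of this PR, which swap the `should eq 0` / stdout pair for the bare exit-status check.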
@@ -0,0 +1,20 @@
# Copyright:: 2011-Present, Datadog
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'spec_helper'

# the be_installed.by('gem') check is not implemented for Windows as of v2.24 of Serverspec
describe package('chef-handler-datadog'), :if => os[:family] != 'windows' do
it { should be_installed.by('gem') }
end
Expand Up @@ -56,6 +56,5 @@
end

describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
its(:exit_status) { should eq 1 }
end
Expand Up @@ -54,6 +54,5 @@
end

describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
its(:exit_status) { should eq 1 }
end
Expand Up @@ -54,6 +54,5 @@
end

describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
its(:exit_status) { should eq 0 }
its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
its(:exit_status) { should eq 1 }
end