Merge pull request #280 from Cray-HPE/develop

Release 1.22.0 for CSM 1.6
Cray-HPE · Jun 26, 2024 · e45e6f8 · e45e6f8
2 parents 5e268fa + 75160bf
commit e45e6f8
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.22.0] - 2024-06-25
+
+### Added
+
+- CASMINST-6896: Add support for multiple GPG keys and update with CFS
+
 ## [1.21.0] - 2024-06-12
 
 ### Added
@@ -456,7 +462,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Ansible playbook for applying csm packages to Compute and Application nodes
 
-[Unreleased]: https://github.com/Cray-HPE/csm-config/compare/1.21.0...HEAD
+[Unreleased]: https://github.com/Cray-HPE/csm-config/compare/1.22.0...HEAD
+
+[1.22.0]: https://github.com/Cray-HPE/csm-config/compare/1.21.0...1.22.0
 
 [1.21.0]: https://github.com/Cray-HPE/csm-config/compare/1.20.0...1.21.0
 

diff --git a/ansible/compute_nodes.yml b/ansible/compute_nodes.yml
@@ -54,7 +54,6 @@
   roles:
     - role: csm.ca_cert
     - role: csm.password
-    - role: csm.gpg_keys
     - role: csm.ssh_keys
     - role: csm.cn.exclude-module
 

diff --git a/ansible/ims_computes.yml b/ansible/ims_computes.yml
@@ -34,7 +34,6 @@
     - vars/csm_packages.yml
   roles:
     - role: csm.ca_cert
-    - role: csm.gpg_keys
     - role: csm.packages
       vars:
         packages: "{{ ims_compute_sles_packages + common_csm_sles_packages }}"

diff --git a/ansible/roles/csm.gpg_keys/README.md b/ansible/roles/csm.gpg_keys/README.md
@@ -1,15 +1,15 @@
 csm.gpg_keys
 =========
 
-Install the CSM GPG signing public key. This role is a dependency of the
+Install the CSM GPG signing public keys. This role is a dependency of the
 `csm.packages` role.
 
 Requirements
 ------------
 
-The Kubernetes secret must be available in the namespace and field specified
-by the `csm_gpg_key_*` variables below. The key must be stored as a base64-encoded
-string.
+The Kubernetes secret must be available in the namespace specified
+by the `csm_gpg_key_*` variables below. Each field in secret is processed as separate
+GPG signing key. Keys must be stored as base64-encoded string.
 
 Role Variables
 --------------
@@ -25,9 +25,6 @@ The Kubernetes secret which contains the GPG public key.
 
 The Kubernetes namespace which contains the secret.
 
-    csm_gpg_key_k8s_field: "gpg-pubkey"
-
-The field in the Kubernetes secret that holds the GPG public key.
 
 Dependencies
 ------------
@@ -50,4 +47,4 @@ MIT
 Author Information
 ------------------
 
-Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+Copyright 2021-2024 Hewlett Packard Enterprise Development LP
diff --git a/ansible/roles/csm.gpg_keys/defaults/main.yml b/ansible/roles/csm.gpg_keys/defaults/main.yml
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -24,4 +24,3 @@
 # Defaults for the csm.gpg_key role. See the README.md for information.
 csm_gpg_key_k8s_secret: "hpe-signing-key"
 csm_gpg_key_k8s_namespace: "services"
-csm_gpg_key_k8s_field: "gpg-pubkey"
diff --git a/ansible/roles/csm.gpg_keys/tasks/install_key.yml b/ansible/roles/csm.gpg_keys/tasks/install_key.yml
@@ -0,0 +1,39 @@
+#
+# MIT License
+#
+# (C) Copyright 2024 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+
+- name: Create a temporary file to store the key content
+  tempfile:
+    state: file
+    suffix: key
+  register: temp_key_file
+
+- name: Copy the key content to a temporary file
+  copy:
+    content: "{{ item.value | b64decode }}"
+    dest: "{{ temp_key_file.path }}"
+
+- name: Install the HPE Signing Key
+  rpm_key:
+    state: present
+    key: "{{ temp_key_file.path }}"
diff --git a/ansible/roles/csm.gpg_keys/tasks/main.yml b/ansible/roles/csm.gpg_keys/tasks/main.yml
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -22,28 +22,14 @@
 # OTHER DEALINGS IN THE SOFTWARE.
 #
 # Tasks for the csm.gpg_keys role
-- name: Fetch the HPE GPG Signing Key from the K8S secret
+- name: Fetch Public GPG Keys from the K8S secret
   no_log: true
   local_action:
     module: csm_read_secret
     name: "{{ csm_gpg_key_k8s_secret }}"
     namespace: "{{ csm_gpg_key_k8s_namespace }}"
-    key: "{{ csm_gpg_key_k8s_field }}"
-    decrypt: True
-  register: hpe_gpg_pubkey
+  register: hpe_gpg_pubkeys
 
-- name: Create a temporary file to store the key content
-  tempfile:
-    state: file
-    suffix: key
-  register: temp_key_file
-
-- name: Copy the key content to a temporary file
-  copy:
-    content: "{{ hpe_gpg_pubkey.response }}"
-    dest: "{{ temp_key_file.path }}"
-
-- name: Install the HPE Signing Key
-  rpm_key:
-    state: present
-    key: "{{ temp_key_file.path }}"
+- include_tasks: install_key.yml
+  no_log: true
+  loop: "{{ hpe_gpg_pubkeys.response | dict2items }}"
diff --git a/ansible/roles/csm.packages/meta/main.yml b/ansible/roles/csm.packages/meta/main.yml
@@ -0,0 +1,25 @@
+#
+# MIT License
+#
+# (C) Copyright 2024 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+dependencies:
+  - role: csm.gpg_keys