Use GPG key signing

deric · deric · commit 5b6578dc3bd0 · 2023-09-25T11:38:33.000+02:00
diff --git a/manifests/repos.pp b/manifests/repos.pp
@@ -71,17 +71,37 @@
     }
     case $facts['os']['family'] {
       'Debian': {
-        $codename = fact('os.distro.codename')
-        apt::source { 'kubernetes':
-          location => pick($kubernetes_apt_location,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb"),
-          release  => pick($kubernetes_apt_release, '/'),
-          repos    => $_repos,
-          key      => {
-            'id'     => pick($kubernetes_key_id,'DE15B14486CD377B9E876E1A234654DA9A296436'),
-            'source' => pick($kubernetes_key_source,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb/Release.key"),
-          },
+        if $kubernetes_apt_location =~ String[1] {
+          apt::source { 'kubernetes':
+            location => pick($kubernetes_apt_location,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb"),
+            release  => pick($kubernetes_apt_release, '/'),
+            repos    => $_repos,
+            key      => {
+              'id'     => $kubernetes_key_id,
+              'source' => $kubernetes_key_source,
+            },
+          }
+        } else {
+          # For pkgs.k8s.io use GPG siging key
+          $_keyring = '/etc/apt/keyrings/kubernetes-apt-keyring.gpg'
+          archive { '/tmp/kubernetes-apt-keyring.gpg':
+            source          => "https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb/Release.key",
+            extract         => true,
+            extract_path    => '/etc/apt/keyrings/',
+            extract_command => 'gpg --dearmor < %s > kubernetes-apt-keyring.gpg',
+            creates         => $_keyring,
+          }
+
+          apt::source { 'kubernetes':
+            location => pick($kubernetes_apt_location,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb"),
+            release  => pick($kubernetes_apt_release, '/'),
+            repos    => $_repos,
+            keyring  => $_keyring,
+            require  => Archive['/tmp/kubernetes-apt-keyring.gpg'],
+          }
         }
 
+        $codename = fact('os.distro.codename')
         if ($container_runtime == 'docker' and $manage_docker == true) or
         ($container_runtime == 'cri_containerd' and $containerd_install_method == 'package') {
           apt::source { 'docker':
diff --git a/spec/classes/repos_spec.rb b/spec/classes/repos_spec.rb
@@ -48,13 +48,13 @@
         ensure: 'present',
         location: 'https://pkgs.k8s.io/core:/stable:/v1.28/deb',
         release: '/',
-        key: { 'id' => 'DE15B14486CD377B9E876E1A234654DA9A296436', 'source' => 'https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key' },
+        keyring: '/etc/apt/keyrings/kubernetes-apt-keyring.gpg',
       )
     }
 
     it {
       expect(subject).to contain_file('/etc/apt/sources.list.d/kubernetes.list')
-      .with_content(%r{^deb https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})
+        .with_content(%r{^deb \[signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg\] https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})
     }
 
     it {

Original file line number	Diff line number	Diff line change
`@@ -48,13 +48,13 @@`
`48`	`48`	`ensure: 'present',`
`49`	`49`	`location: 'https://pkgs.k8s.io/core:/stable:/v1.28/deb',`
`50`	`50`	`release: '/',`
`51`		`- key: { 'id' => 'DE15B14486CD377B9E876E1A234654DA9A296436', 'source' => 'https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key' },`
	`51`	`+ keyring: '/etc/apt/keyrings/kubernetes-apt-keyring.gpg',`
`52`	`52`	`)`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`it {`
`56`	`56`	`expect(subject).to contain_file('/etc/apt/sources.list.d/kubernetes.list')`
`57`		`- .with_content(%r{^deb https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})`
	`57`	`+ .with_content(%r{^deb \[signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg\] https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`it {`