Only install relevant GPG Keys (#930)

* feat(recipes): install only relevant gpg keys * fix(style): floating whitespace removal * test(dd-agent_spec): test gpg key correct installation * feat(lint): fix linting issue * feat(gpg): add kitchen tests to check gpg keys * feat(kitchen): add dd-agent-gpgcheck to ci tests * feat(kitchen): gpgcheck tests excluding agent 5 oses * feat(kitchen): gpgcheck add dd-handler * feat(chef): pin old version to 7.20.0 * feat(handler): enable chef handler * feat(rework): rpm gpg import * debug * feat(agent_minor_version): fix agent_minor_version * feat(agent_minor_version): fix agent_minor_version * feat(agent_minor_version): fix agent_minor_version * feat(agent_minor_version): fix agent_minor_version * feat(agent_minor_version): fix agent_minor_version * feat(agent_minor_version): debug agent_minor_version * feat(agent_minor_version): debug agent_minor_version * feat(agent_minor_version): debug agent_minor_version * feat(agent_minor_version): debug agent_minor_version * feat(agent_minor_version): debug agent_minor_version * feat(agent_minor_version): wrong condition priority * feat(agent_minor_version): wrong condition priority * feat(spec): update specs with removed gpg keys * feat(serverspec): fix serverspec tests * feat(kitchen): wrong indentation * feat(comment): apply PR comments
DataDog · Aug 14, 2024 · d7be5bb · d7be5bb
1 parent b54194f
commit d7be5bb
Show file tree

Hide file tree

Showing 14 changed files with 227 additions and 27 deletions.
diff --git a/kitchen.docker.yml b/kitchen.docker.yml
@@ -83,3 +83,34 @@ suites:
     - centos-7.7
   <% end %>
 <% end %>
+
+- name: dd-agent-gpgcheck-recent
+  run_list:
+    - recipe[datadog::dd-agent]
+    - recipe[datadog::dd-handler]
+  attributes:
+    datadog: &DATADOG
+      agent_major_version: 7
+      api_key: somenonnullapikeythats32charlong
+      application_key: alsonotnil
+      chef_handler_enable: true
+  excludes:
+    - ubuntu-14.04
+    - debian-8.11
+
+
+- name: dd-agent-gpgcheck-older
+  run_list:
+    - recipe[datadog::dd-agent]
+    - recipe[datadog::dd-handler]
+  attributes:
+    datadog: &DATADOG
+      agent_major_version: 7
+      agent_minor_version: 20.0
+      api_key: somenonnullapikeythats32charlong
+      application_key: alsonotnil
+      chef_handler_enable: true
+  excludes:
+    - ubuntu-14.04
+    - debian-8.11
+
diff --git a/recipes/repository.rb b/recipes/repository.rb
@@ -27,6 +27,11 @@
 
 agent_major_version = Chef::Datadog.agent_major_version(node)
 
+agent_minor_version = node['datadog']['agent_minor_version']
+unless agent_minor_version.nil? || !agent_minor_version.is_a?(String)
+  agent_minor_version = agent_minor_version.to_i
+end
+
 # DATADOG_APT_KEY_CURRENT always contains the key that is used to sign repodata and latest packages
 # A2923DFF56EDA6E76E55E492D3A80E30382E94DE expires in 2022
 # D75CEA17048B9ACBF186794B32637D44F14F620E expires in 2032
@@ -195,10 +200,12 @@ def warn_deprecated_yumrepo_gpgkey
     action :install
     only_if { node['packages']['gnupg2'].nil? }
   end
-
   # Import new RPM key
   rpm_gpg_keys.each do |rpm_gpg_key|
     next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
+    if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
+      next
+    end
 
     # Download new RPM key
     key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
@@ -262,6 +269,9 @@ def warn_deprecated_yumrepo_gpgkey
   yumrepo_gpgkeys = []
   if agent_major_version > 5
     rpm_gpg_keys.each do |rpm_gpg_key|
+      if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
+        next
+      end
       yumrepo_gpgkeys.push(node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"])
     end
   end
@@ -284,7 +294,9 @@ def warn_deprecated_yumrepo_gpgkey
   # Import new RPM key
   rpm_gpg_keys.each do |rpm_gpg_key|
     next unless node['datadog']["yumrepo_gpgkey_new_#{rpm_gpg_key[rpm_gpg_keys_short_fingerprint]}"]
-
+    if (agent_minor_version.nil? || agent_minor_version > 35) && rpm_gpg_key[rpm_gpg_keys_short_fingerprint] == 'e09422b3'
+      next
+    end
     # Download new RPM key
     new_key_local_path = ::File.join(Chef::Config[:file_cache_path], rpm_gpg_key[rpm_gpg_keys_name])
     remote_file "remote_file_#{rpm_gpg_key[rpm_gpg_keys_name]}" do

diff --git a/spec/repository_spec.rb b/spec/repository_spec.rb
@@ -186,22 +186,21 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
         end.converge(described_recipe)
       end
 
+      # Key 4F09D16B (from 2024-05-15 to 2033-05-13)
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
       # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
-      # Key E09422B3
       import_gpg_keys(
-        %w[current 4f09d16b b01082d3 fd4bf915 e09422b3]
+        %w[current 4f09d16b b01082d3 fd4bf915]
       )
 
       # prefer HTTPS on boxes that support TLS1.2
-      it 'sets up a yum repo E09422B3, FD4BF915 and B01082D3' do
+      it 'sets up a yum repo 4F09D16B, FD4BF915 and B01082D3' do
         expect(chef_run).to create_yum_repository('datadog').with(
           gpgkey: [
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_CURRENT.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -216,14 +215,13 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
         end.converge(described_recipe)
       end
 
+      # Key 4F09D16B (from 2024-05-15 to 2033-05-13)
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
       # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
-      # Key E09422B3
       import_gpg_keys([
         '4f09d16b',
         'b01082d3',
         'fd4bf915',
-        'e09422b3'
       ])
 
       # prefer HTTPS on boxes that support TLS1.2
@@ -234,7 +232,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -251,12 +248,10 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
 
       # Key B01082D3 (from 2023-04-20 to 2028-04-18)
       # Key FD4BF915 (from 2020-09-08 to 2024-09-07)
-      # Key E09422B3
       import_gpg_keys([
         '4f09d16b',
         'b01082d3',
         'fd4bf915',
-        'e09422b3'
       ])
 
       # RHEL5 has to use insecure HTTP due to lack of support for TLS1.2
@@ -268,7 +263,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'http://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: false)
       end
@@ -291,7 +285,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: false)
       end
@@ -314,7 +307,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -337,7 +329,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -360,7 +351,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_4F09D16B.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_B01082D3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
-            'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
           ]
         ).with(repo_gpgcheck: true)
       end
@@ -385,7 +375,6 @@ def set_yum_repo_and_gnupg(key, install_gnupg)
         '4f09d16b',
         'b01082d3',
         'fd4bf915',
-        'e09422b3'
       ], false)
 
       it 'deletes the old RPM GPG key 4172a230 if it exists' do

diff --git a/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/Gemfile b/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/Gemfile
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
+
+if RUBY_VERSION < '2.6'
+  gem 'net-ssh', '~> 6.1.0'
+  gem 'public_suffix', '~> 4.0.0'
+end
+
+gem 'json_spec', '~> 1.1.0'
+
+if Gem::Version.new(chef_version) > Gem::Version.new('16.0.0') && RUBY_VERSION < '2.7'
+  gem 'train-core', '~> 3.9.0'
+end
diff --git a/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/dd-agent_spec.rb
@@ -0,0 +1,53 @@
+# Copyright:: 2011-Present, Datadog
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+describe package(@agent_package_name) do
+  it { should be_installed }
+end
+
+describe service(@agent_service_name) do
+  it { should be_running }
+end
+
+describe command('/opt/datadog-agent/bin/agent/agent status | grep -v "Instance ID"'), :if => os[:family] != 'windows' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain '[OK]' }
+  its(:stdout) { should_not contain 'ERROR' }
+end
+
+# The new APT keys are imported
+describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
+end
+
+# The new RPM keys are imported
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+end
+
+describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
+end
+
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+end
diff --git a/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/dd-handler_spec.rb b/test/integration/dd-agent-gpgcheck-older/serverspec_datadog/dd-handler_spec.rb
@@ -0,0 +1,20 @@
+# Copyright:: 2011-Present, Datadog
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+# the be_installed.by('gem') check is not implemented for Windows as of v2.24 of Serverspec
+describe package('chef-handler-datadog'), :if => os[:family] != 'windows' do
+  it { should be_installed.by('gem') }
+end
diff --git a/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/Gemfile b/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/Gemfile
@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
+
+if RUBY_VERSION < '2.6'
+  gem 'net-ssh', '~> 6.1.0'
+  gem 'public_suffix', '~> 4.0.0'
+end
+
+gem 'json_spec', '~> 1.1.0'
+
+if Gem::Version.new(chef_version) > Gem::Version.new('16.0.0') && RUBY_VERSION < '2.7'
+  gem 'train-core', '~> 3.9.0'
+end
diff --git a/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/dd-agent_spec.rb
@@ -0,0 +1,52 @@
+# Copyright:: 2011-Present, Datadog
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+describe package(@agent_package_name) do
+  it { should be_installed }
+end
+
+describe service(@agent_service_name) do
+  it { should be_running }
+end
+
+describe command('/opt/datadog-agent/bin/agent/agent status | grep -v "Instance ID"'), :if => os[:family] != 'windows' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain '[OK]' }
+  its(:stdout) { should_not contain 'ERROR' }
+end
+
+# The new APT keys are imported
+describe command('apt-key list'), :if => ['debian', 'ubuntu'].include?(os[:family]) do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'C0962C7D' }
+  its(:stdout) { should contain 'F14F620E' }
+  its(:stdout) { should contain '382E94DE' }
+end
+
+# The new RPM keys are imported
+describe command('rpm -q gpg-pubkey-b01082d3'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'gpg-pubkey-b01082d3' }
+end
+
+describe command('rpm -q gpg-pubkey-fd4bf915'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 0 }
+  its(:stdout) { should contain 'gpg-pubkey-fd4bf915' }
+end
+
+describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
+  its(:exit_status) { should eq 1 }
+end
diff --git a/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/dd-handler_spec.rb b/test/integration/dd-agent-gpgcheck-recent/serverspec_datadog/dd-handler_spec.rb
@@ -0,0 +1,20 @@
+# Copyright:: 2011-Present, Datadog
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+# the be_installed.by('gem') check is not implemented for Windows as of v2.24 of Serverspec
+describe package('chef-handler-datadog'), :if => os[:family] != 'windows' do
+  it { should be_installed.by('gem') }
+end
diff --git a/test/integration/dd-agent-handler5/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler5/serverspec_datadog/dd-agent_spec.rb
@@ -56,6 +56,5 @@
 end
 
 describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
-  its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:exit_status) { should eq 1 }
 end
diff --git a/test/integration/dd-agent-handler6/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler6/serverspec_datadog/dd-agent_spec.rb
@@ -54,6 +54,5 @@
 end
 
 describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
-  its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:exit_status) { should eq 1 }
 end
diff --git a/test/integration/dd-agent-handler7/serverspec_datadog/dd-agent_spec.rb b/test/integration/dd-agent-handler7/serverspec_datadog/dd-agent_spec.rb
@@ -54,6 +54,5 @@
 end
 
 describe command('rpm -q gpg-pubkey-e09422b3'), :if => os[:family] == 'redhat' do
-  its(:exit_status) { should eq 0 }
-  its(:stdout) { should contain 'gpg-pubkey-e09422b3' }
+  its(:exit_status) { should eq 1 }
 end