Workaround for fetching repo keys via proxy. #150
linux/system/repo.sls
Outdated
linux_repo_{{ name }}_key: | ||
cmd.run: | ||
- name: "echo '{{ repo.key }}' | apt-key add -" | ||
- onchange: |
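Review bot: The `name` line renders `{{ repo.key }}` straight into a single-quoted shell string, so a key value containing a single quote ends the quoting and the remainder is read by the shell as command text; feed the key to `apt-key add -` through the state's `stdin` argument rather than `echo ... |`. The trailing `- onchange:` is also empty and is not a requisite name (the requisite is `onchanges`), so nothing visible in this hunk keeps `apt-key add` from re-running on every apply; an `unless` guard on the key's fingerprint would cover that.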
change this requisite to: require_in [to be processed before the repo]
and add the idempotency clause:
unless: "make repo.key fingerprint | apt-key list | grep key fingerprint"
actual syntax is "onchanges" - https://docs.saltstack.com/en/latest/ref/states/requisites.html
@cznewt, I would give it a try, it's actually questionable whether on change implicitly requires the previous state to have a result - so it's actually as require_in. The doc in this case is not clear. Quite sure it would be safer to use
require_in:
- linux_repo_{{ name }}
Add check for existing key for idempotency.
linux/system/repo.sls
Outdated
linux_repo_{{ name }}_key: | ||
cmd.run: | ||
- name: "echo '{{ repo.key }}' | apt-key add -" | ||
- onchange: |
actual syntax is "onchanges" - https://docs.saltstack.com/en/latest/ref/states/requisites.html
@cznewt, I would give it a try, it's actually questionable whether on change implicitly requires the previous state to have a result - so it's actually as require_in. The doc in this case is not clear. Quite sure it would be safer to use
require_in:
- linux_repo_{{ name }}
lg
Seems some gpg data/pkg are missing
Make sure these two are installed prior to GPG being used
I pushed some gpg-parsing changes, as well as a repo url fix in [1], you might want to take a look at that for the tests ...
linux/system/repo.sls
Outdated
cmd.run: | ||
- name: "echo '{{ repo.key }}' | apt-key add -" | ||
- onchange: | ||
- unless: "apt-key finger --with-colons | grep -qF $(echo '{{ repo-key }} | gpg --with-fingerprint --with-colons | grep -E '^fpr')" |
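Review bot: On the `unless` line the inner `echo '{{ repo-key }} | gpg ...` never closes its single quote and uses `repo-key` where the `name` line uses `repo.key`; Jinja reads `repo-key` as a subtraction, so the guard cannot render the key and will not work as an idempotency check. Fix both, then extract a single fingerprint field and quote the `$(...)`: unquoted, a key with more than one `fpr` record is word-split and every record after the first is taken by `grep` as a file name. The `- onchange:` line above it is still empty.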
I know this is the right way, but a simpler (and usually less likely to fail) solution would be to check for the existence of </etc/apt/sources.list.d/{{ name }}.list>. This file should only be created after the GPG is imported, so the check should be safe.
I don't think this is needed, yaml treats everything past : as a single entity anyway.
The tests fail because the apt-mk/.../public.gpg is empty, try adding my commit that replaces s/apt-mk/apt/ from the PR referenced earlier.
apt-mk/.../public.gpg is not empty, it's just redirected:
My bad, I always forget about redirects. Thanks!
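The fingerprint-based `unless` check discussed in the review above, as an added example that is not code from this PR or from the project: it compares the fingerprint field of `--with-colons` listings instead of grepping whole records. The function names and all key data are constructed for illustration; in a real guard the two listings would come from the `gpg` and `apt-key` commands shown in the hunk.

```sh
#!/bin/sh
# Constructed sample data: "--with-colons" listings. Field 10 of an "fpr"
# record holds the fingerprint; all key material below is made up.
CANDIDATE='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Repo <repo@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'

KEYRING_OTHER='pub:-:4096:1:FEDCBA9876543210:1400000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

KEYRING_BOTH="$KEYRING_OTHER
$CANDIDATE"

# Print the primary-key fingerprints (fpr records that follow a pub record).
primary_fingerprints() {
    awk -F: '$1 == "pub" || $1 == "sub" { kind = $1 }
             $1 == "fpr" && kind == "pub" && $10 != "" { print $10 }'
}

# Succeed only if every primary fingerprint in listing $1 is in listing $2.
key_already_trusted() {
    want=$(printf '%s\n' "$1" | primary_fingerprints)
    have=$(printf '%s\n' "$2" | primary_fingerprints)
    # An empty or unparsable key must not count as "already present".
    [ -n "$want" ] || return 1
    for fp in $want; do
        # -x: whole-line match, -F: fixed string, so no partial or regex hits.
        printf '%s\n' "$have" | grep -qxF "$fp" || return 1
    done
    return 0
}

for ring in "$KEYRING_OTHER" "$KEYRING_BOTH"; do
    if key_already_trusted "$CANDIDATE" "$ring"; then
        echo "key present: skip import"
    else
        echo "key missing: import needed"
    fi
done
```

An empty or redirected key file yields no fingerprints, so the check reports the key as missing instead of silently skipping the import.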
This PR breaks the support of
@epcim: salt 2017.7.5 (Nitrogen)
so the latest code don't for you either. then I would recommend to use key option on a pillar or located at salt://
no proxy is kind of needed. btw what way you set system curl works for you? profile scripts? /etc/env?
Both root's profile or /etc/environment works only if using salt-call from minion.
Salt has problem to fetch repo key from behind proxy with this simple state:
This workaround enables adding repo and fetch its gpg key from behind proxy, if proxy environment is properly configured (curl -s some_url works).