Use GPG key signing

deric · deric · commit 23c6ced36548 · 2024-02-08T10:53:50.000+01:00
diff --git a/manifests/repos.pp b/manifests/repos.pp
@@ -71,17 +71,39 @@
     }
     case $facts['os']['family'] {
       'Debian': {
-        $codename = fact('os.distro.codename')
         apt::source { 'kubernetes':
           location => pick($kubernetes_apt_location,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb"),
           release  => pick($kubernetes_apt_release, '/'),
           repos    => $_repos,
-          key      => {
-            'id'     => pick($kubernetes_key_id,'DE15B14486CD377B9E876E1A234654DA9A296436'),
-            'source' => pick($kubernetes_key_source,"https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb/Release.key"),
-          },
         }
 
+        if $kubernetes_apt_location =~ String[1] {
+          Apt::Source<| title == 'kubernetes' |> {
+            key => {
+              'id'     => $kubernetes_key_id,
+              'source' => $kubernetes_key_source,
+            }
+          }
+        } else {
+          # For pkgs.k8s.io use GPG siging key
+          $_keyring = '/usr/share/keyrings/kubernetes-apt-keyring.gpg'
+          # TODO: Switch to apt::keyring once supported by puppetlabs-apt
+          # see: https://github.com/puppetlabs/puppetlabs-apt/pull/1128
+          archive { '/tmp/kubernetes-apt-keyring.gpg':
+            source          => "https://pkgs.k8s.io/core:/stable:/v${minor_version}/deb/Release.key",
+            extract         => true,
+            extract_path    => '/usr/share/keyrings',
+            extract_command => 'gpg --dearmor < %s > kubernetes-apt-keyring.gpg',
+            creates         => $_keyring,
+          }
+
+          Apt::Source<| title == 'kubernetes' |> {
+            keyring  => $_keyring,
+            require  => Archive['/tmp/kubernetes-apt-keyring.gpg'],
+          }
+        }
+
+        $codename = fact('os.distro.codename')
         if ($container_runtime == 'docker' and $manage_docker == true) or
         ($container_runtime == 'cri_containerd' and $containerd_install_method == 'package') {
           apt::source { 'docker':
diff --git a/spec/classes/repos_spec.rb b/spec/classes/repos_spec.rb
@@ -48,13 +48,13 @@
         ensure: 'present',
         location: 'https://pkgs.k8s.io/core:/stable:/v1.28/deb',
         release: '/',
-        key: { 'id' => 'DE15B14486CD377B9E876E1A234654DA9A296436', 'source' => 'https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key' },
+        keyring: '/usr/share/keyrings/kubernetes-apt-keyring.gpg',
       )
     }
 
     it {
       expect(subject).to contain_file('/etc/apt/sources.list.d/kubernetes.list')
-      .with_content(%r{^deb https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})
+        .with_content(%r{^deb \[signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg\] https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})
     }
 
     it {

Original file line number	Diff line number	Diff line change
`@@ -48,13 +48,13 @@`
`48`	`48`	`ensure: 'present',`
`49`	`49`	`location: 'https://pkgs.k8s.io/core:/stable:/v1.28/deb',`
`50`	`50`	`release: '/',`
`51`		`- key: { 'id' => 'DE15B14486CD377B9E876E1A234654DA9A296436', 'source' => 'https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key' },`
	`51`	`+ keyring: '/usr/share/keyrings/kubernetes-apt-keyring.gpg',`
`52`	`52`	`)`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`it {`
`56`	`56`	`expect(subject).to contain_file('/etc/apt/sources.list.d/kubernetes.list')`
`57`		`- .with_content(%r{^deb https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})`
	`57`	`+ .with_content(%r{^deb \[signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg\] https://pkgs.k8s.io/core:/stable:/v1.28/deb /\s$})`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`it {`