From: Javier Bértoli Date: Fri, 4 Mar 2022 23:30:36 +0000 (-0300) Subject: Merge branch '18761-debian-family-apt-keyrings' X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/44506de8d5acbdd35b4d1f56c7a1a46085c7c7cf?hp=0e514df65ddf408108d9e986f85ea584a8916627 Merge branch '18761-debian-family-apt-keyrings' closes #18761 Arvados-DCO-1.1-Signed-off-by: Javier Bértoli --- diff --git a/arvados/api/package/install.sls b/arvados/api/package/install.sls index ce0004e..1c487a6 100644 --- a/arvados/api/package/install.sls +++ b/arvados/api/package/install.sls @@ -45,5 +45,6 @@ arvados-api-package-install-pkg-installed: pkg.installed: - name: {{ arvados.api.pkg.name }} - version: {{ arvados.version }} + - refresh: true - require: - sls: {{ sls_config_file }} diff --git a/arvados/config/package/install.sls b/arvados/config/package/install.sls index 031e3e8..31e4e30 100644 --- a/arvados/config/package/install.sls +++ b/arvados/config/package/install.sls @@ -9,3 +9,4 @@ arvados-config-package-install-pkg-installed: pkg.installed: - name: arvados-server - version: {{ arvados.version }} + - refresh: true diff --git a/arvados/controller/package/install.sls b/arvados/controller/package/install.sls index 62161ea..a820045 100644 --- a/arvados/controller/package/install.sls +++ b/arvados/controller/package/install.sls @@ -42,3 +42,4 @@ arvados-controller-package-install-pkg-installed: pkg.installed: - name: {{ arvados.controller.pkg.name }} - version: {{ arvados.version }} + - refresh: true diff --git a/arvados/dispatcher/package/install.sls b/arvados/dispatcher/package/install.sls index ec76dab..2073201 100644 --- a/arvados/dispatcher/package/install.sls +++ b/arvados/dispatcher/package/install.sls 
@@ -9,6 +9,7 @@ arvados-dispatcher-package-install-pkg-installed: pkg.installed: - name: {{ arvados.dispatcher.pkg.name }} - version: {{ arvados.version }} + - refresh: true # FIXME! Until https://dev.arvados.org/issues/16995 makes it to # a new release, this is required so the dependency is installed @@ -16,7 +17,8 @@ arvados-dispatcher-package-install-pkg-installed: arvados-dispatcher-package-install-crunch-run-pkg-installed: pkg.installed: - name: crunch-run + - version: {{ arvados.version }} + - refresh: true - require: - pkg: arvados-dispatcher-package-install-pkg-installed - - version: {{ arvados.version }} {%- endif %} diff --git a/arvados/init.sls b/arvados/init.sls index 9836070..48ad786 100644 --- a/arvados/init.sls +++ b/arvados/init.sls @@ -15,3 +15,4 @@ include: - .shell - .workbench - .dispatcher + - .keepbalance diff --git a/arvados/keepproxy/package/install.sls b/arvados/keepproxy/package/install.sls index e06faa6..5176a7d 100644 --- a/arvados/keepproxy/package/install.sls +++ b/arvados/keepproxy/package/install.sls @@ -9,3 +9,4 @@ arvados-keepproxy-package-install-pkg-installed: pkg.installed: - name: {{ arvados.keepproxy.pkg.name }} - version: {{ arvados.version }} + - refresh: true diff --git a/arvados/keepstore/package/install.sls b/arvados/keepstore/package/install.sls index 9d311d5..38853a5 100644 --- a/arvados/keepstore/package/install.sls +++ b/arvados/keepstore/package/install.sls @@ -9,3 +9,4 @@ arvados-keepstore-package-install-pkg-installed: pkg.installed: - name: {{ arvados.keepstore.pkg.name }} - version: {{ arvados.version }} + - refresh: true diff --git a/arvados/keepweb/package/install.sls b/arvados/keepweb/package/install.sls index e9cfd4c..23144ee 100644 --- a/arvados/keepweb/package/install.sls +++ b/arvados/keepweb/package/install.sls @@ -9,3 +9,4 @@ arvados-keepweb-package-install-pkg-installed: pkg.installed: - name: {{ arvados.keepweb.pkg.name }} - version: {{ arvados.version }} + - refresh: true 
diff --git a/arvados/osfamilymap.yaml b/arvados/osfamilymap.yaml index 22516a4..7df0f00 100644 --- a/arvados/osfamilymap.yaml +++ b/arvados/osfamilymap.yaml @@ -18,7 +18,9 @@ Debian: repo: url_base: 'http://apt.arvados.org' file: /etc/apt/sources.list.d/arvados.list - key_url: 'http://apt.arvados.org/pubkey.gpg' + keyring_file: /usr/share/keyrings/arvados-archive-keyring.gpg + keyring_source: 'http://apt.arvados.org/keyring.gpg' + keyring_source_hash: 53c2c84849ada21e383f55af0753adb321cc941e7efab94483e3a1703fcc66f1 RedHat: repo: diff --git a/arvados/repo/install.sls b/arvados/repo/install.sls index cd42aaa..2c9360e 100644 --- a/arvados/repo/install.sls +++ b/arvados/repo/install.sls @@ -16,12 +16,22 @@ {%- else %} {%- set release = distro %} {%- endif %} -arvados-repo-install-pkgrepo-managed: - pkgrepo.managed: - - humanname: {{ arvados.repo.humanname }} - - name: deb {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main - - file: {{ arvados.repo.file }} - - key_url: {{ arvados.repo.key_url }} + +arvados-repo-install-pkgrepo-keyring-managed: + file.managed: + - name: {{ arvados.repo.keyring_file }} + - source: + - {{ arvados.repo.keyring_source }} + - source_hash: sha256={{ arvados.repo.keyring_source_hash }} + - require_in: + - file: arvados-repo-install-file-managed + +arvados-repo-install-file-managed: + file.managed: + - name: {{ arvados.repo.file }} + - contents: > + deb [signed-by={{ arvados.repo.keyring_file }} arch=amd64] + {{ arvados.repo.url_base }}/{{ distro }} {{ release }} main {%- elif grains.get('os_family') == 'RedHat' %} {%- if arvados.release == 'testing' %} diff --git a/arvados/shell/package/install.sls b/arvados/shell/package/install.sls index 6d1300f..7a0698f 100644 --- a/arvados/shell/package/install.sls +++ b/arvados/shell/package/install.sls @@ -30,6 +30,7 @@ arvados-shell-package-install-pkg-installed: - {{ package }} {%- endif %} {%- endfor %} + - refresh: true arvados-shell-package-install-gems-deps-pkg-installed: pkg.installed: 
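Review bot: The new `keyring_source_hash` default in the `Debian: repo:` map carries no comment saying what it pins or when it has to change. Because `file.managed` rejects a download whose sha256 differs from `source_hash`, any upstream re-issue of `keyring.gpg` (key rotation, expiry extension) will fail the repo state until this value is updated. I would add above it `# sha256 of keyring_source; update together with any upstream archive key change`. The pinned hash is also what makes fetching the keyring from a plain `http://` URL tolerable, so the comment should say so, or `keyring_source` could move to an `https://` URL if the archive host serves one.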
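Review bot: Neither `file.managed` state added in `arvados/repo/install.sls` sets ownership or mode, although the keyring becomes the trust anchor named in `signed-by=` and the integration tests in this same commit expect it to be root:root with mode 0644. Adding `- user: root`, `- group: root` and `- mode: '0644'` under `arvados-repo-install-pkgrepo-keyring-managed` (and likewise under `arvados-repo-install-file-managed`) would make the state enforce those permissions instead of relying on whatever the minion defaults to. Separately, `arch=amd64` is hard-coded in the `deb` line; if non-amd64 hosts are in scope it would be better taken from a grain or a map value. The Jinja `if`/`elif` block around these states starts and ends outside the hunk.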
diff --git a/arvados/websocket/package/install.sls b/arvados/websocket/package/install.sls index fe8f87a..a1c4344 100644 --- a/arvados/websocket/package/install.sls +++ b/arvados/websocket/package/install.sls @@ -9,3 +9,4 @@ arvados-websocket-package-install-pkg-installed: pkg.installed: - name: {{ arvados.websocket.pkg.name }} - version: {{ arvados.version }} + - refresh: true diff --git a/arvados/workbench/package/install.sls b/arvados/workbench/package/install.sls index f379f64..0eb191e 100644 --- a/arvados/workbench/package/install.sls +++ b/arvados/workbench/package/install.sls @@ -29,6 +29,7 @@ arvados-workbench-package-install-pkg-installed: pkg.installed: - name: {{ arvados.workbench.pkg.name }} - version: {{ arvados.version }} + - refresh: true - require: {%- if arvados.ruby.manage_ruby %} - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed diff --git a/arvados/workbench2/package/install.sls b/arvados/workbench2/package/install.sls index 9e503ff..2ba21c0 100644 --- a/arvados/workbench2/package/install.sls +++ b/arvados/workbench2/package/install.sls @@ -10,5 +10,6 @@ arvados-workbench2-package-install-pkg-installed: pkg.installed: - name: {{ arvados.workbench2.pkg.name }} - version: {{ arvados.version }} + - refresh: true - require: - sls: {{ sls_config_file }} diff --git a/kitchen.yml b/kitchen.yml index 5e70729..443e219 100644 --- a/kitchen.yml +++ b/kitchen.yml 
@@ -57,6 +57,23 @@ platforms: driver: image: saltimages/salt-master-py3:centos-7 + ## SALT `3004.0` + - name: debian-11-3004.0-py3 + driver: + image: saltimages/salt-3004.0-py3:debian-11 + - name: debian-10-3004.0-py3 + driver: + image: saltimages/salt-3004.0-py3:debian-10 + - name: ubuntu-2004-3004.0-py3 + driver: + image: saltimages/salt-3004.0-py3:ubuntu-20.04 + - name: ubuntu-1804-3004.0-py3 + driver: + image: saltimages/salt-3004.0-py3:ubuntu-18.04 + - name: centos-7-3004.0-py3 + driver: + image: saltimages/salt-3004.0-py3:centos-7 + ## SALT `3003.3` - name: debian-11-3003.3-py3 driver: @@ -75,9 +92,6 @@ platforms: image: saltimages/salt-3003.3-py3:centos-7 ## SALT `3002.7` - - name: debian-11-3002.7-py3 - driver: - image: saltimages/salt-3002.7-py3:debian-11 - name: debian-10-3002.7-py3 driver: image: saltimages/salt-3002.7-py3:debian-10 @@ -91,20 +105,6 @@ platforms: driver: image: saltimages/salt-3002.7-py3:centos-7 - ## SALT `3001.8` - - name: debian-10-3001.8-py3 - driver: - image: saltimages/salt-3001.8-py3:debian-10 - - name: ubuntu-2004-3001.8-py3 - driver: - image: saltimages/salt-3001.8-py3:ubuntu-20.04 - - name: ubuntu-1804-3001.8-py3 - driver: - image: saltimages/salt-3001.8-py3:ubuntu-18.04 - - name: centos-7-3001.8-py3 - driver: - image: saltimages/salt-3001.8-py3:centos-7 - verifier: # https://www.inspec.io/ name: inspec diff --git a/test/integration/repo/controls/repo_spec.rb b/test/integration/repo/controls/repo_spec.rb index 601119f..49078c6 100644 --- a/test/integration/repo/controls/repo_spec.rb +++ b/test/integration/repo/controls/repo_spec.rb 
@@ -23,7 +23,23 @@ when 'debian', 'ubuntu' codename = 'bullseye' end repo_file = '/etc/apt/sources.list.d/arvados.list' - repo_url = "deb http://apt.arvados.org/#{codename} #{codename} main" + repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg' + repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename} main" +end + +control 'arvados repository keyring' do + title 'should be installed' + + only_if('Requirement for Debian family') do + platform.family == 'debian' + end + + describe file(repo_keyring) do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + end end control 'arvados repository' do diff --git a/test/integration/shell/controls/repo_spec.rb b/test/integration/shell/controls/repo_spec.rb index a9dc3cb..0f097fe 100644 --- a/test/integration/shell/controls/repo_spec.rb +++ b/test/integration/shell/controls/repo_spec.rb @@ -23,7 +23,23 @@ when 'debian', 'ubuntu' codename = 'bullseye' end repo_file = '/etc/apt/sources.list.d/arvados.list' - repo_url = "deb http://apt.arvados.org/#{codename} #{codename}-dev main" + repo_keyring = '/usr/share/keyrings/arvados-archive-keyring.gpg' + repo_url = "deb [signed-by=/usr/share/keyrings/arvados-archive-keyring.gpg arch=amd64] http://apt.arvados.org/#{codename} #{codename}-dev main" +end + +control 'arvados repository keyring' do + title 'should be installed' + + only_if('Requirement for Debian family') do + platform.family == 'debian' + end + + describe file(repo_keyring) do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + end end control 'arvados repository' do
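Review bot: The new `arvados repository keyring` control asserts only existence, ownership and mode, so it passes with any file at that path. Checking the content too would confirm that the expected key was installed, e.g. `its('sha256sum') { should eq '53c2c84849ada21e383f55af0753adb321cc941e7efab94483e3a1703fcc66f1' }`, using the value pinned in `osfamilymap.yaml`. In the same hunk `repo_url` repeats the keyring path literally; writing `signed-by=#{repo_keyring}` would keep the two in step. Both points apply equally to the second hunk, in `test/integration/shell/controls/repo_spec.rb`. The `case` statement these assignments belong to begins outside the hunk.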