AP-2103 Append keys instead of replacing

README.md

@@ -49,7 +49,7 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y
 | `datadog_config_ex`                        | (Optional) Extra INI sections to go in `/etc/dd-agent/datadog.conf` (Agent v5 only).                                                                                                                                                                                                                                                                               |
 | `datadog_apt_repo`                         | Override the default Datadog `apt` repository. Make sure to use the `signed-by` option if repository metadata is signed using Datadog's signing keys: `deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://yourrepo`.                                                                                                                          |
 | `datadog_apt_cache_valid_time`             | Override the default apt cache expiration time (defaults to 1 hour).                                                                                                                                                                                                                                                                                               |
-| `datadog_apt_key_url_new`                  | Override the location from which to obtain Datadog `apt` key (the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE` and `C0962C7D`.                                                                                                        |
+| `datadog_apt_key_url_new`                  | Override the location from which to obtain Datadog `apt` key (the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE`, `F14F620E` and `C0962C7D`.                                                                                                        |
 | `datadog_yum_repo`                         | Override the default Datadog `yum` repository.                                                                                                                                                                                                                                                                                                                     |
 | `datadog_yum_repo_gpgcheck`                | Override the default `repo_gpgcheck` value (empty). If empty, value is dynamically set to `yes` when custom `datadog_yum_repo` is not used and system is not RHEL/CentOS 8.1 (due to [a bug](https://bugzilla.redhat.com/show_bug.cgi?id=1792506) in dnf), otherwise it's set to `no`. **Note**: repodata signature verification is always turned off for Agent 5. |
 | `datadog_yum_gpgcheck`                     | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification.                                                                                                                                                                                                                                                           |

defaults/main.yml

@@ -93,9 +93,11 @@ datadog_yum_gpgkey_current: "https://s3.amazonaws.com/public-signing-keys/DATADO
 datadog_yum_gpgkey_e09422b3: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_E09422B3.public"
 datadog_yum_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
 # this key expires in 2024
-datadog_yum_gpgkey_20200908: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_B01082D3.public"
+datadog_yum_gpgkey_20200908: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_FD4BF915.public"
 datadog_yum_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
-# Default zypper repo and keys
+# this key expires in 2028
+datadog_yum_gpgkey_20280418: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_B01082D3.public"
+datadog_yum_gpgkey_20280418_sha256sum: "d309232f05bcfb5df7fce1a22b0920476254135083058206978aa57910698101"
 
 # By default, we fail early & print a helpful message if an older Ansible version and Python 3
 # interpreter is used on CentOS < 8. The 'yum' module is only available on Python 2, and the 'python3-dnf'
@@ -116,8 +118,10 @@ datadog_zypper_gpgcheck: true
 datadog_zypper_gpgkey_current: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_CURRENT.public"
 datadog_zypper_gpgkey_e09422b3: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_E09422B3.public"
 datadog_zypper_gpgkey_e09422b3_sha256sum: "694a2ffecff85326cc08e5f1a619937999a5913171e42f166e13ec802c812085"
-datadog_zypper_gpgkey_20200908: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_B01082D3.public"
+datadog_zypper_gpgkey_20200908: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_FD4BF915.public"
 datadog_zypper_gpgkey_20200908_sha256sum: "4d16c598d3635086762bd086074140d947370077607db6d6395b8523d5c23a7d"
+datadog_zypper_gpgkey_20280418: "https://s3.amazonaws.com/public-signing-keys/DATADOG_RPM_KEY_B01082D3.public"
+datadog_zypper_gpgkey_20280418_sha256sum: "d309232f05bcfb5df7fce1a22b0920476254135083058206978aa57910698101"
 
 # Avoid checking if the agent is running or not. This can be useful if you're
 # using sysvinit and providing your own init script.
@@ -182,6 +186,8 @@ datadog_apt_default_keys:
     value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_CURRENT.public
   - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
     value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_382E94DE.public
+  - key: D75CEA17048B9ACBF186794B32637D44F14F620E
+    value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_F14F620E.public
   - key: 5F1E256061D813B125E156E8E6266D4AC0962C7D
     value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_C0962C7D.public
 

tasks/pkg-debian.yml

@@ -37,6 +37,8 @@
   with_items:
     - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
       value: "{{ datadog_apt_key_url_new }}"
+    - key: D75CEA17048B9ACBF186794B32637D44F14F620E
+      value: "{{ datadog_apt_key_url_new }}"
     - key: 5F1E256061D813B125E156E8E6266D4AC0962C7D
       value: "{{ datadog_apt_key_url_new }}"
   when: datadog_apt_key_url_new is defined and not ansible_check_mode

tasks/pkg-redhat.yml

@@ -42,6 +42,12 @@
     state: present
   when: not ansible_check_mode
 
+- name: Import new RPM key (Expires in 2028)
+  rpm_key:
+    key: "{{ datadog_yum_gpgkey_20280418 }}"
+    state: present
+  when: not ansible_check_mode
+
 - name: Set versioned includepkgs variable
   set_fact:
     datadog_includepkgs: "{{ datadog_agent_flavor }}-{{ datadog_agent_redhat_version | regex_replace('^\\d+:', '') }}"
@@ -61,7 +67,12 @@
     includepkgs: "{{ datadog_includepkgs }}"
     repo_gpgcheck: false # we don't sign Agent 5 repodata
     gpgcheck: "{{ datadog_yum_gpgcheck }}"
-    gpgkey: ["{{ datadog_yum_gpgkey_current }}", "{{ datadog_yum_gpgkey_20200908 }}", "{{ datadog_yum_gpgkey_e09422b3 }}"]
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20280418 }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+    ]
   register: repofile5
   when: (datadog_agent_major_version|int == 5) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
 
@@ -74,7 +85,12 @@
     includepkgs: "{{ datadog_includepkgs }}"
     repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
     gpgcheck: "{{ datadog_yum_gpgcheck }}"
-    gpgkey: ["{{ datadog_yum_gpgkey_current }}", "{{ datadog_yum_gpgkey_20200908 }}", "{{ datadog_yum_gpgkey_e09422b3 }}"]
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20280418 }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+    ]
   register: repofile6
   when: (datadog_agent_major_version|int == 6) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
 
@@ -87,7 +103,12 @@
     includepkgs: "{{ datadog_includepkgs }}"
     repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
     gpgcheck: "{{ datadog_yum_gpgcheck }}"
-    gpgkey: ["{{ datadog_yum_gpgkey_current }}", "{{ datadog_yum_gpgkey_20200908 }}", "{{ datadog_yum_gpgkey_e09422b3 }}"]
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20280418 }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+    ]
   register: repofile7
   when: (datadog_agent_major_version|int == 7) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
 
@@ -100,7 +121,12 @@
     includepkgs: "{{ datadog_includepkgs }}"
     repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
     gpgcheck: "{{ datadog_yum_gpgcheck }}"
-    gpgkey: ["{{ datadog_yum_gpgkey_current }}", "{{ datadog_yum_gpgkey_20200908 }}", "{{ datadog_yum_gpgkey_e09422b3 }}"]
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20280418 }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+    ]
   register: repofilecustom
   when: (datadog_yum_repo | length > 0) and (not ansible_check_mode)
 

tasks/pkg-suse.yml

@@ -91,6 +91,33 @@
     state: present
   when: not ansible_check_mode
 
+- name: Check and download 20280418 key # Work around due to SNI check for SLES11
+  when: ansible_distribution_version|int == 11
+  block:
+    - name: Stat if 20280418 key (Expires 2028) RPM key already exists
+      stat:
+        path: /tmp/DATADOG_RPM_KEY_20280418.public
+      register: ddnewkey_20280418
+    - name: Download 20280418 key (Expires 2028) RPM key (SLES11)
+      get_url:
+        url: "{{ datadog_zypper_gpgkey_20280418 }}"
+        dest: /tmp/DATADOG_RPM_KEY_20280418.public
+        mode: 600
+      when: not  ddnewkey_20280418.stat.exists
+
+- name: Download 20280418 key (Expires 2028) RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey_20280418 }}"
+    dest: /tmp/DATADOG_RPM_KEY_20280418.public
+    checksum: "sha256:{{ datadog_zypper_gpgkey_20280418_sha256sum }}"
+  when: ansible_distribution_version|int >= 12
+
+- name: Import 20280418 key (Expires 2028) RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_20280418.public
+    state: present
+  when: not ansible_check_mode
+
 # ansible don't allow repo_gpgcheck to be set, we have to create the repo file manually
 - name: Install DataDog zypper repo
   template:

templates/zypper.repo.j2

@@ -22,6 +22,7 @@ repo_gpgcheck={{ do_zypper_repo_gpgcheck|int }}
 gpgkey={{ datadog_zypper_gpgkey_current }}
 {% else %}
 gpgkey={{ datadog_zypper_gpgkey_current }}
+       {{ datadog_zypper_gpgkey_20280418 }}
        {{ datadog_zypper_gpgkey_20200908 }}
        {{ datadog_zypper_gpgkey_e09422b3 }}
 {% endif %}