Enable yum repository repo_gpgcheck option for Red Hat platforms by d…

…efault (#789)
DataDog · Apr 26, 2021 · d49b76e · d49b76e
1 parent 785af6c
commit d49b76e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -160,6 +160,10 @@
 default['datadog']['aptrepo_use_backup_keyserver'] = false
 default['datadog']['aptrepo_keyserver'] = 'hkp://keyserver.ubuntu.com:80'
 default['datadog']['aptrepo_backup_keyserver'] = 'hkp://pool.sks-keyservers.net:80'
+# When repo_gpgcheck set to nil, it will get turned on in the code when
+# not running on RHEL/CentOS <= 5 and not providing custom yumrepo.
+# You can set it to true/false explicitly to override this behaviour.
+default['datadog']['yumrepo_repo_gpgcheck'] = nil
 default['datadog']['yumrepo_gpgkey'] = "#{yum_protocol}://keys.datadoghq.com/DATADOG_RPM_KEY.public"
 default['datadog']['yumrepo_proxy'] = nil
 default['datadog']['yumrepo_proxy_username'] = nil

diff --git a/recipes/repository.rb b/recipes/repository.rb
@@ -132,6 +132,20 @@
     end
   end
 
+  # When the user has set yumrepo_repo_gpgcheck explicitly, we respect that.
+  # Otherwise, we turn on repo_gpgcheck by default when both:
+  # * We're not running on RHEL/CentOS 5 or older
+  # * User has not overriden the default yumrepo
+  repo_gpgcheck = if node['datadog']['yumrepo_repo_gpgcheck'].nil?
+                    if !node['datadog']['yumrepo'].nil? || (platform_family?('rhel') && node['platform_version'].to_i < 6)
+                      false
+                    else
+                      true
+                    end
+                  else
+                    node['datadog']['yumrepo_repo_gpgcheck']
+                  end
+
   if !node['datadog']['yumrepo'].nil?
     baseurl = node['datadog']['yumrepo']
   else
@@ -142,6 +156,7 @@
       baseurl = "https://yum.datadoghq.com/stable/#{agent_major_version}/#{node['kernel']['machine']}/"
     when 5
       baseurl = "#{yum_protocol_a5}://yum.datadoghq.com/rpm/#{yum_a5_architecture_map[node['kernel']['machine']]}/"
+      repo_gpgcheck = false
     else
       Chef::Log.error("agent_major_version '#{agent_major_version}' not supported.")
     end
@@ -166,6 +181,7 @@
     proxy_password node['datadog']['yumrepo_proxy_password']
     gpgkey yumrepo_gpgkeys
     gpgcheck true
+    repo_gpgcheck repo_gpgcheck
     action :create
   end
 when 'suse'
@@ -229,6 +245,9 @@
     gpgkey agent_major_version < 6 ? node['datadog']['yumrepo_gpgkey'] : node['datadog']['yumrepo_gpgkey_new_current']
     gpgautoimportkeys false
     gpgcheck false
+    # zypper has no repo_gpgcheck option, but it does repodata signature checks
+    # by default (when the repomd.xml.asc file is present) which users have
+    # to actually disable system-wide, so we are fine not setting it explicitly
     action :create
   end
 end
diff --git a/spec/repository_spec.rb b/spec/repository_spec.rb
@@ -119,7 +119,7 @@
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_E09422B3.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
           ]
-        )
+        ).with(repo_gpgcheck: true)
       end
     end
 
@@ -193,7 +193,7 @@
             'https://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'https://keys.datadoghq.com/DATADOG_RPM_KEY.public',
           ]
-        )
+        ).with(repo_gpgcheck: true)
       end
     end
 
@@ -268,7 +268,7 @@
             'http://keys.datadoghq.com/DATADOG_RPM_KEY_FD4BF915.public',
             'http://keys.datadoghq.com/DATADOG_RPM_KEY.public',
           ]
-        )
+        ).with(repo_gpgcheck: false)
       end
     end
   end