Fix, system.repo don't use curl if not needed

epcim · epcim · commit 3a829f27122b · 2018-06-13T10:29:45.000+02:00
- fixed pkgrepo.manage to use/prefer key_url for salt >= 2017.7 - updated syntax for key verificatoin - fix, avoid curl for salt:// schema (as in #156) Change-Id: I1b50c287a4030a9cefa1b819017d59cc5fb1c197
diff --git a/linux/system/repo.sls b/linux/system/repo.sls
@@ -83,21 +83,27 @@ linux_repo_{{ name }}_key:
   cmd.run:
     - name: |
             echo "{{ repo.key | indent(12) }}" | apt-key add -
-    - unless: |
-            apt-key finger --with-colons | grep -qF $(echo "{{ repo.key| indent(12) }}" | gpg --with-fingerprint --with-colons | grep -E '^fpr')
     - require_in:
     {%- if repo.get('default', False) %}
       - file: default_repo_list
     {% else %}
       - pkgrepo: linux_repo_{{ name }}
     {% endif %}
 
-{%- elif repo.key_url|default(False) %}
+{# key_url fetch by curl when salt <2017.7, higher version of salt has fixed bug for using a proxy_host/port specified at minion.conf #}
+{#
+   NOTE: curl/cmd.run usage to fetch gpg key has limited functionality behind proxy. Environments with salt >= 2017.7 should use
+         key_url specified at pkgrepo.manage state (which uses properly configured http_host at minion.conf). Older versions of
+         salt require to have proxy set at ENV and curl way to fetch gpg key here can have a sense for backward compatibility.
+
+         Be aware that as of salt 2018.3 no_proxy option is not implemented at all.
+#}
+{%- elif repo.key_url|default(False) and grains['saltversioninfo'] < [2017, 7] and not repo.key_url.startswith('salt://') %}
+
 
 linux_repo_{{ name }}_key:
   cmd.run:
-    - name: "curl -sL {{ repo.key_url }} | apt-key add -"
-    - unless: "apt-key finger --with-colons | grep -qF $(curl -sL {{ repo.key_url }} | gpg --with-fingerprint --with-colons | grep -E '^fpr')"
+    - name: "curl -sL '{{ repo.key_url }}' | apt-key add -"
     - require_in:
     {%- if repo.get('default', False) %}
       - file: default_repo_list
@@ -132,6 +138,9 @@ linux_repo_{{ name }}:
   {%- if repo.key_server is defined %}
   - keyserver: {{ repo.key_server }}
   {%- endif %}
+  {%- if repo.key_url is defined and (grains['saltversioninfo'] >= [2017, 7] or repo.key_url.startswith('salt://')) %}
+  - key_url: {{ repo.key_url }}
+  {%- endif %}
   - consolidate: {{ repo.get('consolidate', False) }}
   - clean_file: {{ repo.get('clean_file', False) }}
   - refresh_db: {{ repo.get('refresh_db', True) }}
