Closed cegerhardson closed 6 months ago
It looks like the salt pkgrepo state tries to validate configurations before finalizing, which is what left the file in a 600 state. Since the file here is asc and not gpg, it never successfully validates.
It did take moving to manually copying the file with the correct extension, setting the correct perms, and using that directly rather than using `key_url`.
This issue is in reference to PR #331:
With our salt-master provisioned for upgrade to Ubuntu 22.04, `apt-key` is deprecated with Ubuntu 22.04 under the `pkgrepo.manage` module. The recommended approach is to configure `- aptkey: False` to the package repo state, and set `signed-by` in the repo name.
Salt does some fancy repo key management magic, where it gets the gpg key from the package repo `key_url`, and creates the file in the described location, as noted by the `signed-by` parameter. When salt places the keys in the designated location, the file is assigned appropriate permissions 644, and the user `_apt` is able to read the file. For other packages that needed this configuration change, like datadog, it looks something like this:
However, when the gpg key file gets created by salt for the postgresql package, the permissions are not set appropriately, only getting 640, leaving out the ability for the user `_apt` to read the file.
To reproduce the deprecation error associated with this refactor:
laptop:psf-salt user$ vagrant up salt-master
laptop:psf-salt user$ vagrant ssh salt-master
sudo apt update
The expected postgres deprecation error:
To reproduce the `_apt` user permissions bug that comes with refactoring `pkgrepo.managed`:
laptop:psf-salt user$ vim ./salt/postgresql/base/init.sls
`pkgrepo.managed`: configure `- aptkey: False` to the package repo state, and set `signed-by` in the repo name as `[signed-by=/etc/apt/keyrings/postgresql.gpg arch={{ grains["osarch"] }}]`
laptop:psf-salt user$ vagrant destroy -f
laptop:psf-salt user$ vagrant up salt-master
The expected error looks like this:
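Added example, not part of the original issue or the psf-salt repository: a Python audit of a keyring directory for the two conditions raised in this thread, a key file the `_apt` user cannot read and an ASCII-armored key stored under a `.gpg` name. It assumes key files are owned by root (so `_apt` depends on the world-read bit) and that apt expects armored keys in `.asc` files and binary keyrings in `.gpg` files; the function names and sample files are constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"


def audit_keyring(path):
    """Return the problems that would stop apt (running as _apt) from using this key."""
    path = Path(path)
    problems = []
    mode = stat.S_IMODE(path.stat().st_mode)
    # Assumption: the key is root-owned, so _apt only gets the "other" permission bits.
    if not mode & stat.S_IROTH:
        problems.append(f"mode {mode:04o} is not world-readable; _apt cannot read it (want 0644)")
    with path.open("rb") as fh:
        armored = fh.read(64).lstrip().startswith(ARMOR_HEADER)
    # Armored keys belong in .asc files, binary keyrings in .gpg files.
    if armored and path.suffix != ".asc":
        problems.append("ASCII-armored key without .asc extension")
    if not armored and path.suffix == ".asc":
        problems.append(".asc extension but content is not ASCII-armored")
    return problems


def audit_dir(directory):
    """Map each file in a keyring directory to its problems (empty list means OK)."""
    return {p.name: audit_keyring(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}


def build_sample_dir():
    """Constructed sample keyrings (fake contents, not real keys) in a temp directory."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "datadog.gpg": (b"\x99\x01\x0dconstructed-binary", 0o644),
        "postgresql.gpg": (ARMOR_HEADER + b"\nconstructed\n", 0o640),
        "postgresql.asc": (ARMOR_HEADER + b"\nconstructed\n", 0o644),
    }
    for name, (data, mode) in samples.items():
        (d / name).write_bytes(data)
        (d / name).chmod(mode)  # set explicitly so the umask does not affect the sample
    return d


if __name__ == "__main__":
    for name, problems in audit_dir(build_sample_dir()).items():
        print(name, "OK" if not problems else problems)
```

On a real host, `audit_dir("/etc/apt/keyrings")` runs the same checks against the directory named in the `signed-by` option above.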