community.zabbix

Find better way to handle signing keys for Zabbix

Open dj-wasabi opened this issue 3 years ago • 5 comments

SUMMARY

Each role has a zabbix.yml file in the vars/ directory containing the version of Zabbix, the name of the OS and the signing key. It is not maintenance friendly to update the file with new OSes with signing keys and maintain them over the 5 roles. Something smarter should either be used, or ....

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
ADDITIONAL INFORMATION

dj-wasabi, Oct 31 '21 09:10

If someone is interested in picking this up, please let me know and I will assign it to you. This also means that people see that there is someone working on it. 👍

dj-wasabi, Nov 01 '21 14:11

I've been looking and thinking about this and maybe I can help out with this. I do have a couple of questions that we maybe can answer together on why and how we would like to proceed.

  1. Is there a reason why we import the signing keys for Debian based distributions but not for Enterprise Linux (EL) based? In the defaults/main.yml we have zabbix_repo_yum_gpgcheck set to 0 which disables the GPG check.
  2. What is the benefit of specifying the ID when importing the key? If we import the whole chain we don't need to manage the list of IDs per distribution.

Overall I think the repo installation could be done easier where we don't need to keep track of too much information. E.g. for Debian based:

- name: Ensure Zabbix signing key is trusted
  apt_key:
    # Fetched over HTTPS: this key is the trust anchor for packages from the repository
    url: https://repo.zabbix.com/zabbix-official-repo.key
    state: present

- name: Ensure Zabbix repository is present
  apt:
    deb: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/{{ ansible_distribution | lower }}/pool/main/z/zabbix-release/zabbix-release_{{ zabbix_version }}-1+ubuntu{{ ansible_distribution_version }}_all.deb"
    state: present

The second task is a bit messy but we could keep a list of the different repository packages if that is preferred.

ghost, Nov 02 '21 09:11
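
An added example, not part of the thread and not the collection's own code: one way to cover both questions above, with a single checksum-pinned key file for Debian/Ubuntu instead of per-OS key IDs, and signature checking switched on for EL. The variables `zabbix_repo_key_sha256` and `zabbix_repo_yum_gpgkey`, the keyring path and the repository lines are assumptions, and the key file is assumed to be ASCII-armored.

```yaml
# Added example. Hypothetical variables (not defined by the roles):
#   zabbix_repo_key_sha256 - SHA-256 of the key file, verified out of band
#   zabbix_repo_yum_gpgkey - URL or file:// path of the RPM signing key
- name: Ensure keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  when: ansible_os_family == "Debian"

- name: Fetch Zabbix signing key, failing if it is not the expected file
  ansible.builtin.get_url:
    url: https://repo.zabbix.com/zabbix-official-repo.key
    dest: /etc/apt/keyrings/zabbix.asc
    checksum: "sha256:{{ zabbix_repo_key_sha256 }}"
    mode: "0644"
  when: ansible_os_family == "Debian"

- name: Add Zabbix apt repository, trusting only that key for it
  ansible.builtin.apt_repository:
    # Repository line layout is an assumption; adjust to the roles' existing one
    repo: >-
      deb [signed-by=/etc/apt/keyrings/zabbix.asc]
      https://repo.zabbix.com/zabbix/{{ zabbix_version }}/{{ ansible_distribution | lower }}
      {{ ansible_distribution_release }} main
    filename: zabbix
    state: present
  when: ansible_os_family == "Debian"

- name: Add Zabbix yum repository with package signature checking on
  ansible.builtin.yum_repository:
    name: zabbix
    description: Zabbix Official Repository
    # baseurl layout is an assumption
    baseurl: "https://repo.zabbix.com/zabbix/{{ zabbix_version }}/rhel/{{ ansible_distribution_major_version }}/$basearch/"
    gpgcheck: true  # instead of the zabbix_repo_yum_gpgcheck: 0 default noted above
    gpgkey: "{{ zabbix_repo_yum_gpgkey }}"
  when: ansible_os_family == "RedHat"
```

With `signed-by`, the key authenticates only the Zabbix repository, whereas a key added with `apt_key` is trusted for every configured apt source.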

Hi @dopice

  1. To be honest, I really don't know. I think it was mostly because of my lack of knowledge and experience of using Debian/Ubuntu where I thought to provide an id.
  2. I think the answer on 1. also applies here. I am not a Debian/Ubuntu user, let alone knowing how apt works. So if you think the above will work, Molecule agrees with it and we can get rid of a vars file, then I am all for it. 😄👍 But indeed, the 2nd task can be a bit messy. Not sure how other roles/collections are doing things with Debian/Ubuntu in this matter.

dj-wasabi, Nov 02 '21 19:11

Okay, thanks for the clarification! Let me put some effort into this and at least come up with a real proposal. I'll ping you as soon as I have something to show. 👍 You can assign this issue to me if you want.

ghost, Nov 02 '21 19:11

> Okay, thanks for the clarification! Let me put some effort into this and at least come up with a real proposal. I'll ping you as soon as I have something to show. 👍 You can assign this issue to me if you want.

Thanks! 👍

dj-wasabi, Nov 02 '21 19:11