From 5f75a2d0048d32ef358c4728e9be24d7dffdf4b2 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Thu, 19 Oct 2017 13:26:16 -0700
Subject: [PATCH] Add roles to add/remove a GPG key

Current usage of gpg keys involves a single role that adds, signs, and removes the key all in one. Some jobs may need the GPG key installed normally onto the remote host, then left in place, and later removed. This change facilitates that.

Change-Id: I2f13f0c4de91808ba1bbdcc0fd20a547e43d602b
---
 roles/add-gpgkey/README.rst | 12 ++++++++++++
 roles/add-gpgkey/tasks/main.yaml | 18 ++++++++++++++++++
 roles/remove-gpgkey/README.rst | 1 +
 roles/remove-gpgkey/tasks/main.yaml | 2 ++
 4 files changed, 33 insertions(+)
 create mode 100644 roles/add-gpgkey/README.rst
 create mode 100644 roles/add-gpgkey/tasks/main.yaml
 create mode 100644 roles/remove-gpgkey/README.rst
 create mode 100644 roles/remove-gpgkey/tasks/main.yaml
diff --git a/roles/add-gpgkey/README.rst b/roles/add-gpgkey/README.rst
new file mode 100644
index 000000000..99a78f259
--- /dev/null
+++ b/roles/add-gpgkey/README.rst
@@ -0,0 +1,12 @@
+Install a GPG private key onto a host.
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+ Complex argument which contains the GPG private key. It is
+ expected that this argument comes from a `Secret`.
+
+ .. zuul:rolevar:: private
+
+ The ascii-armored contents of the GPG private key.
diff --git a/roles/add-gpgkey/tasks/main.yaml b/roles/add-gpgkey/tasks/main.yaml
new file mode 100644
index 000000000..8df3304aa
--- /dev/null
+++ b/roles/add-gpgkey/tasks/main.yaml
@@ -0,0 +1,18 @@
+- name: Create GPG private key tempfile
+ tempfile:
+ state: file
+ register: gpg_private_key_tmp
+
+- name: Stage GPG private key for importing
+ copy:
+ content: "{{ gpg_key.private }}"
+ dest: "{{ gpg_private_key_tmp.path }}"
+ mode: 0400
+
+- name: Import GPG private key
+ command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
+
+- name: Delete staged GPG private key
+ file:
+ path: "{{ gpg_private_key_tmp.path }}"
+ state: absent
diff --git a/roles/remove-gpgkey/README.rst b/roles/remove-gpgkey/README.rst
new file mode 100644
index 000000000..604e4e3d1
--- /dev/null
+++ b/roles/remove-gpgkey/README.rst
@@ -0,0 +1 @@
+Remove an added GPG key from the host.
diff --git a/roles/remove-gpgkey/tasks/main.yaml b/roles/remove-gpgkey/tasks/main.yaml
new file mode 100644
index 000000000..e36f1117e
--- /dev/null
+++ b/roles/remove-gpgkey/tasks/main.yaml
@@ -0,0 +1,2 @@
+- name: Remove GPG key
+ command: "sh -c 'shred -u ~/.gnupg/*'"
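Review bot: The staged copy of the private key in roles/add-gpgkey/tasks/main.yaml is only deleted when the "Import GPG private key" task succeeds; if `gpg --import` fails, the play stops before "Delete staged GPG private key" and the ascii-armored secret key stays on disk in the temp file. Wrapping the copy and import in a `block` with the delete task under `always` makes the cleanup unconditional. It is also worth adding `no_log: true` to the copy task so the rendered `content` argument is not echoed in verbose task output, unless the copy module already masks that argument. Note that `file: state: absent` only unlinks the staged file, while the remove-gpgkey role in this same change uses `shred`; if overwriting matters on these hosts, a `shred -u` of the temp path would be consistent with that role.
```yaml
# … unchanged: "Create GPG private key tempfile" task …

- name: Stage and import GPG private key
  block:
    - name: Stage GPG private key for importing
      copy:
        content: "{{ gpg_key.private }}"
        dest: "{{ gpg_private_key_tmp.path }}"
        mode: 0400
      no_log: true

    - name: Import GPG private key
      command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
  always:
    - name: Delete staged GPG private key
      file:
        path: "{{ gpg_private_key_tmp.path }}"
        state: absent
```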
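Review bot: `shred -u ~/.gnupg/*` in roles/remove-gpgkey/tasks/main.yaml does not descend into subdirectories, and with GnuPG 2.1 and later the imported secret key lives under `~/.gnupg/private-keys-v1.d/`, so the key material this role exists to remove survives while shred errors on the directory entries and fails the task. The glob also destroys every other file in the keyring (pre-existing keys, trustdb, gpg.conf), which is broader than the README's "Remove an added GPG key" describes; if wiping the whole keyring is the intent, the README should say so. A recursive form such as `command: "sh -c 'find ~/.gnupg -type f -exec shred -u {} +'"` reaches the nested key files; if gpg-agent is running it may still hold the key cached, so a `gpgconf --kill gpg-agent` beforehand is presumably needed as well. shred's overwrite guarantees also depend on the underlying filesystem, which is worth a comment on this task.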