Use dedicated keyring for docker packages (#3485)

Signed-off-by: Artiom Diomin <artiom@kubermatic.com> Co-authored-by: Artiom Diomin <artiom@kubermatic.com>
kubermatic · Dec 16, 2024 · a8eff5f · a8eff5f
1 parent 9f733d6
commit a8eff5f
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 21 deletions.
diff --git a/pkg/scripts/render.go b/pkg/scripts/render.go
@@ -54,9 +54,12 @@ var containerRuntimeTemplates = map[string]string{
 			{{ if .CONFIGURE_REPOSITORIES }}
 			sudo apt-get update
 			sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-			curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-				sudo apt-key add -
-			sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+			sudo install -m 0755 -d /etc/apt/keyrings
+			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+			sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+			echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+			sudo apt-get update
 			{{ end }}
 
 			sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestKubeadmDebian-cilium_cluster.golden b/pkg/scripts/testdata/TestKubeadmDebian-cilium_cluster.golden
@@ -78,9 +78,12 @@ kube_ver="1.30.0-*"
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestKubeadmDebian-nutanix_cluster.golden b/pkg/scripts/testdata/TestKubeadmDebian-nutanix_cluster.golden
@@ -81,9 +81,12 @@ kube_ver="1.30.0-*"
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestKubeadmDebian-with_containerd.golden b/pkg/scripts/testdata/TestKubeadmDebian-with_containerd.golden
@@ -78,9 +78,12 @@ kube_ver="1.30.0-*"
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestKubeadmDebian-with_containerd_with_insecure_registry.golden b/pkg/scripts/testdata/TestKubeadmDebian-with_containerd_with_insecure_registry.golden
@@ -78,9 +78,12 @@ kube_ver="1.30.0-*"
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestUpgradeKubeadmAndCNIDebian.golden b/pkg/scripts/testdata/TestUpgradeKubeadmAndCNIDebian.golden
@@ -79,9 +79,12 @@ sudo apt-mark unhold kubelet kubeadm kubectl kubernetes-cni cri-tools
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true

diff --git a/pkg/scripts/testdata/TestUpgradeKubeletAndKubectlDebian.golden b/pkg/scripts/testdata/TestUpgradeKubeletAndKubectlDebian.golden
@@ -79,9 +79,12 @@ sudo apt-mark unhold kubelet kubeadm kubectl kubernetes-cni cri-tools
 
 sudo apt-get update
 sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
-curl -fsSL https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]')/gpg |
-	sudo apt-key add -
-sudo add-apt-repository "deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable"
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+sudo apt-get update
 
 
 sudo apt-mark unhold containerd.io || true