Added support for importing keys via primary/security mirror clauses

cloudinit/config/cc_apt_configure.py

@@ -57,6 +57,15 @@
             },
             'search_dns': {
                 'type': 'boolean',
+            },
+            'keyid': {
+                'type': 'string'
+            },
+            'key': {
+                'type': 'string'
+            },
+            'keyserver': {
+                'type': 'string'
             }
         }
     }
@@ -228,6 +237,15 @@
                         key, the search pattern will be
                         ``<distro>-security-mirror``.
 
+                        Each mirror may also specify a key to import via
+                        any of the following optional keys:
+
+                            - ``keyid``: a key to import via shortid or \
+                                  fingerprint.
+                            - ``key``: a raw PGP key.
+                            - ``keyserver``: alternate keyserver to pull \
+                                    ``keyid`` key from.
+
                         If no mirrors are specified, or all lookups fail,
                         then default mirrors defined in the datasource
                         are used. If none are present in the datasource
@@ -453,6 +471,7 @@ def apply_apt(cfg, cloud, target):
     LOG.debug("Apt Mirror info: %s", mirrors)
 
     if util.is_false(cfg.get('preserve_sources_list', False)):
+        add_mirror_keys(cfg, target)
         generate_sources_list(cfg, release, mirrors, cloud)
         rename_apt_lists(mirrors, target, arch)
 
@@ -660,6 +679,13 @@ def disable_suites(disabled, src, release):
     return retsrc
 
 
+def add_mirror_keys(cfg, target):
+    """Adds any keys included in the primary/security mirror clauses"""
+    for key in ('primary', 'security'):
+        for mirror in cfg.get(key, []):
+            add_apt_key(mirror, target)
+
+
 def generate_sources_list(cfg, release, mirrors, cloud):
     """generate_sources_list
        create a source.list file based on a custom or default template

doc/examples/cloud-config-apt.txt

@@ -138,6 +138,12 @@ apt:
       # the first defining a valid mirror wins (in the order as defined here,
       # not the order as listed in the config).
       #
+      # Additionally, if the repository requires a custom signing key, it can be
+      # specified via the same fields as for custom sources:
+      #   'keyid': providing a key to import via shortid or fingerprint
+      #   'key': providing a raw PGP key
+      #   'keyserver': specify an alternate keyserver to pull keys from that
+      #                were specified by keyid
     - arches: [s390x, arm64]
       # as above, allowing to have one config for different per arch mirrors
   # security is optional, if not defined it is set to the same value as primary

tests/unittests/test_handler/test_handler_apt_source_v3.py

@@ -1009,6 +1009,29 @@ def test_apt_v3_mirror_search_dns(self, m_get_hostname):
         self.assertEqual(mirrors['SECURITY'],
                          smir)
 
+    def test_apt_v3_add_mirror_keys(self):
+        """test_apt_v3_add_mirror_keys - Test adding key for mirrors"""
+        arch = 'amd64'
+        cfg = {
+            'primary': [
+                {'arches': [arch],
+                 'uri': 'http://test.ubuntu.com/',
+                 'key': 'fakekey_primary'}],
+            'security': [
+                {'arches': [arch],
+                 'uri': 'http://testsec.ubuntu.com/',
+                 'key': 'fakekey_security'}]
+        }
+
+        with mock.patch.object(cc_apt_configure,
+                               'add_apt_key_raw') as mockadd:
+            cc_apt_configure.add_mirror_keys(cfg, TARGET)
+        calls = [
+            mock.call('fakekey_primary', TARGET),
+            mock.call('fakekey_security', TARGET),
+        ]
+        mockadd.assert_has_calls(calls, any_order=True)
+
 
 class TestDebconfSelections(TestCase):