Over the last couple of months I’ve been using Puppet to help scale out sysadmin tasks. Because Puppet manifests are written in a declarative language, I’ve discovered you cannot rely on flow control such as ‘drop in an RPM GPG key, then configure repo foo; once both of those tasks are done, install package bar from repo foo’ unless you add some smarts.
This is how I install a package on a RHEL5/CentOS/Fedora type system when the package depends on a yum repo, which in turn depends on a GPG key.
Within the Puppet manifest, first define a file resource for the GPG key that RPM needs to install packages from the EPEL repository:
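    # The resource title is the path that the yumrepo resource requires
    file { "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL":
        owner  => root,
        group  => root,
        mode   => '0444',  # quoted so the mode is read as a string
        source => "puppet:///yum/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"
    }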
The yum puppet module I have has RPM-GPG-KEY-EPEL in /etc/puppet/modules/yum/files/etc/pki/rpm-gpg/ on the puppetmaster server.
Next define a yumrepo resource with the repo details. Note the ‘require’ attribute which references the GPG key file resource.
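    yumrepo { "epel":
        # Single quotes keep $basearch literal so that yum, not Puppet, expands it
        mirrorlist => 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch',
        enabled    => 1,
        gpgcheck   => 1,
        gpgkey     => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL",
        # The key file must be in place before the repo is configured
        require    => File["/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL"]
    }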
Finally, the package resource, which references the yumrepo resource:
    # "bar" is the placeholder package name used in the introduction
    package { "bar":
        ensure  => latest,
        require => Yumrepo[ "epel" ],
    }
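To confirm on a managed host that the chain above ended in the intended state (signature checking on, key file present), the following is an added example, not code from the original post. The `unsigned-example` repo, the sample text and the function name `audit_repos` are constructed for illustration, and an absent `gpgcheck` is treated as disabled without consulting `[main]` in yum.conf.

```python
import configparser
import os

# Constructed sample: a repo stanza matching the yumrepo resource above,
# plus a deliberately weak repo for contrast.
SAMPLE_REPO = """\
[epel]
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[unsigned-example]
baseurl=http://repo.example.invalid/el5/
enabled=1
gpgcheck=0
"""


def audit_repos(text, key_exists=os.path.exists):
    """Return {repo_id: [problems]} for every enabled repo in .repo file text."""
    # RawConfigParser: no % interpolation, so URLs and $basearch pass through
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    findings = {}
    for repo in parser.sections():
        if parser.get(repo, "enabled", fallback="1").strip() != "1":
            continue  # disabled repos cannot supply packages
        problems = []
        # Assumption: a missing gpgcheck counts as disabled (conservative)
        if parser.get(repo, "gpgcheck", fallback="0").strip() != "1":
            problems.append("gpgcheck is not enabled")
        keys = parser.get(repo, "gpgkey", fallback="").split()
        if not keys:
            problems.append("no gpgkey configured")
        for url in keys:
            if not url.startswith("file://"):
                problems.append("gpgkey not a local file: " + url)
            elif not key_exists(url[len("file://"):]):
                problems.append("gpgkey file missing: " + url[len("file://"):])
        findings[repo] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repos(SAMPLE_REPO).items():
        print(repo, "OK" if not problems else "; ".join(problems))
```

On a real host, pass the contents of each file under /etc/yum.repos.d/ to `audit_repos`; the `key_exists` parameter exists so the check can be exercised without touching the filesystem.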