Merge "Use deb822 format for Apt repositories on Ubuntu and drop apt-key"

2024-05-06 08:50:21 +00:00 · 2024-05-06 08:50:21 +00:00 · 0d88ea8271
commit 0d88ea8271
parent a29e6e68df 2ab88e6990
7 changed files with 99 additions and 34 deletions
--- a/releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml
+++ b/releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes usage of the deprecated apt-key tool and switch to deb822 format for
+    Apt repositories on Ubuntu.
--- a/roles/baremetal/defaults/main.yml
+++ b/roles/baremetal/defaults/main.yml
@ -7,7 +7,6 @@ ceph_url: "https://download.ceph.com"
 ceph_apt_url: "{{ ceph_url }}/debian-{{ ceph_version }}/"
 ceph_apt_repo: "deb {{ ceph_apt_url }} {{ ansible_facts.distribution_release }} main"
 ceph_apt_key_file: "{{ ceph_url }}/keys/release.gpg"
-ceph_apt_key_id: "460F3994"
 ceph_apt_package: "ceph-common"

 # Ceph Yum repository configuration.
--- a/roles/baremetal/tasks/configure-ceph-for-zun.yml
+++ b/roles/baremetal/tasks/configure-ceph-for-zun.yml
@ -2,25 +2,53 @@
 - name: Install ceph-common
  block:
    - block:
-        - name: Install ceph apt gpg key
-          apt_key:
-            url: "{{ ceph_apt_key_file }}"
-            id: "{{ ceph_apt_key_id }}"
-            state: present
-          become: True
+        - name: Ensure apt sources list directory exists
+          file:
+            path: /etc/apt/sources.list.d
+            state: directory
+            recurse: yes

+        - name: Ensure apt keyrings directory exists
+          file:
+            path: /etc/apt/keyrings
+            state: directory
+            recurse: yes
+
+        - name: Install ceph apt gpg key
+          get_url:
+            url: "{{ ceph_apt_key_file }}"
+            dest: "/etc/apt/keyrings/ceph.gpg"
+            mode: "0644"
+            force: true
+
+        - name: Ensure old ceph repository absent
+          file:
+            path: /etc/apt/sources.list.d/ceph.list
+            state: absent
+
+        # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+        # when all stable releases moves to the ansible-core >= 2.15
        - name: Enable ceph apt repository
-          apt_repository:
-            repo: "{{ ceph_apt_repo }}"
-            filename: ceph
-          become: True
+          copy:
+            dest: /etc/apt/sources.list.d/ceph.sources
+            content: |
+                # Ansible managed
+
+                Types: deb
+                URIs: {{ ceph_apt_url }}
+                Suites: {{ ansible_facts.distribution_release }}
+                Components: main
+                Signed-by: /etc/apt/keyrings/ceph.gpg
+            mode: "0644"

        - name: Install apt packages
-          package:
+          apt:
            name: "{{ ceph_apt_package }}"
            state: present
-          become: True
+            update_cache: true
+
      when: ansible_facts.os_family == 'Debian'
+      become: True

    - block:
        - name: Enable ceph yum repository
@ -30,19 +58,16 @@
            baseurl: "{{ ceph_yum_baseurl }}"
            gpgcheck: "{{ ceph_yum_gpgcheck | bool }}"
            gpgkey: "{{ ceph_yum_gpgkey }}"
-          become: True

        - name: Enable epel yum repository
          package:
            name: "{{ epel_yum_package }}"
            state: present
-          become: True

        - name: Install ceph rpm gpg key
          rpm_key:
            state: present
            key: "{{ ceph_yum_gpgkey }}"
-          become: True
          when:
            - ceph_yum_gpgcheck | bool

@ -51,5 +76,6 @@
            name: "{{ ceph_yum_package }}"
            state: present
            enablerepo: epel
-          become: True
+
      when: ansible_facts.os_family == 'RedHat'
+      become: True
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -7,7 +7,6 @@ enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% e

 # Docker APT repository configuration.
 docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
-docker_apt_repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
 docker_apt_key_file: "gpg"
 docker_apt_package: "docker-ce"
 docker_apt_package_pin: ""
--- a/roles/docker/tasks/repo-Debian.yml
+++ b/roles/docker/tasks/repo-Debian.yml
@ -1,11 +1,11 @@
 ---
 - name: Install CA certificates and gnupg packages
-  package:
+  apt:
    name:
      - ca-certificates
      - gnupg
-    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
-    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+    cache_valid_time: "{{ apt_cache_valid_time }}"
+    update_cache: true
    state: present
  become: True

@ -38,12 +38,33 @@
        Package: {{ docker_apt_package }}
        Pin: version {{ docker_apt_package_pin }}
        Pin-Priority: 1000
-    mode: 0644
+    mode: "0644"
  become: True
  when: docker_apt_package_pin | length > 0

- name: Enable docker apt repository
-  apt_repository:
-    repo: "{{ docker_apt_repo }}"
-    filename: docker
+- name: Ensure old docker repository absent
+  file:
+    path: /etc/apt/sources.list.d/docker.list
+    state: absent
+  become: True
+
+# TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+# when all stable releases moves to the ansible-core >= 2.15
+- name: Enable docker apt repository
+  copy:
+    dest: /etc/apt/sources.list.d/docker.sources
+    content: |
+        # Ansible managed
+
+        Types: deb
+        URIs: {{ docker_apt_url }}
+        Suites: {{ ansible_facts.distribution_release }}
+        Components: stable
+        Signed-by: /etc/apt/keyrings/docker.asc
+    mode: "0644"
+  become: True
+
+- name: Update the apt cache
+  apt:
+    update_cache: true
  become: True
--- a/roles/podman_sdk/defaults/main.yml
+++ b/roles/podman_sdk/defaults/main.yml
@ -35,4 +35,3 @@ podman_sdk_virtualenv_owner: "{{ kolla_user if create_kolla_user | bool else omi
 podman_sdk_upper_constraints_file:

 podman_sdk_osbpo_apt_url: "http://osbpo.debian.net/debian"
-podman_sdk_osbpo_apt_repo: "deb [signed-by=/etc/apt/keyrings/osbpo.asc] {{ podman_sdk_osbpo_apt_url }} bookworm-bobcat-backports-nochange main"
--- a/roles/podman_sdk/tasks/main.yml
+++ b/roles/podman_sdk/tasks/main.yml
@ -6,30 +6,46 @@
        path: /etc/apt/sources.list.d
        state: directory
        recurse: yes
-      become: True

    - name: Ensure apt keyrings directory exists
      file:
        path: /etc/apt/keyrings
        state: directory
        recurse: yes
-      become: True

    - name: Install osbpo apt gpg key
      template:
        src: osbpo_pubkey.gpg.j2
        dest: /etc/apt/keyrings/osbpo.asc
        mode: "0644"
-      become: True

+    - name: Ensure old osbpo apt repository absent
+      file:
+        path: /etc/apt/sources.list.d/osbpo.list
+        state: absent
+
+    # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+    # when all stable releases moves to the ansible-core >= 2.15
    - name: Enable osbpo apt repository
-      apt_repository:
-        repo: "{{ podman_sdk_osbpo_apt_repo }}"
-        filename: osbpo
-      become: True
+      copy:
+        dest: /etc/apt/sources.list.d/docker.sources
+        content: |
+            # Ansible managed
+
+            Types: deb
+            URIs: {{ podman_sdk_osbpo_apt_url }}
+            Suites: bookworm-bobcat-backports-nochange
+            Components: main
+            Signed-by: /etc/apt/keyrings/osbpo.asc
+        mode: "0644"
+
+    - name: Update the apt cache
+      apt:
+        update_cache: true
  when:
    - ansible_facts.os_family == 'Debian'
    - virtualenv is none
+  become: True

 - name: Install packages
  package: