From 2ab88e699019ae33b48c28ad4c9f87d0877e46e9 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Thu, 18 Apr 2024 00:19:03 +0300 Subject: [PATCH] Use deb822 format for Apt repositories on Ubuntu and drop apt-key Use the modern deb822 format [1] for Apt repositories on Ubuntu the same way as in OpenStack Kolla projects, for example in Kayobe [2]. Also this change refactor usage of the deprecated [3] apt-key tool. [1] https://manpages.ubuntu.com/manpages/jammy/en/man5/sources.list.5.html#deb822-style%20format [2] I3f821937b0930a0ac9341178de7ae5123d82b957 [3] https://manpages.ubuntu.com/manpages/jammy/en/man8/apt-key.8.html#deprecation Change-Id: Ic3dd0ce30a8436406a451276bbd94cb5f6f33f9d Signed-off-by: Maksim Malchuk --- ...ies-and-drop-apt-key-ff4c062f5689c91e.yaml | 5 ++ roles/baremetal/defaults/main.yml | 1 - .../tasks/configure-ceph-for-zun.yml | 58 ++++++++++++++----- roles/docker/defaults/main.yml | 1 - roles/docker/tasks/repo-Debian.yml | 37 +++++++++--- roles/podman_sdk/defaults/main.yml | 1 - roles/podman_sdk/tasks/main.yml | 30 +++++++--- 7 files changed, 99 insertions(+), 34 deletions(-) create mode 100644 releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml diff --git a/releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml b/releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml new file mode 100644 index 0000000..796cc9c --- /dev/null +++ b/releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes usage of the deprecated apt-key tool and switch to deb822 format for + Apt repositories on Ubuntu. diff --git a/roles/baremetal/defaults/main.yml b/roles/baremetal/defaults/main.yml index c2d16a4..c7d6133 100644 --- a/roles/baremetal/defaults/main.yml +++ b/roles/baremetal/defaults/main.yml 
@@ -7,7 +7,6 @@ ceph_url: "https://download.ceph.com" ceph_apt_url: "{{ ceph_url }}/debian-{{ ceph_version }}/" ceph_apt_repo: "deb {{ ceph_apt_url }} {{ ansible_facts.distribution_release }} main" ceph_apt_key_file: "{{ ceph_url }}/keys/release.gpg" -ceph_apt_key_id: "460F3994" ceph_apt_package: "ceph-common" # Ceph Yum repository configuration. diff --git a/roles/baremetal/tasks/configure-ceph-for-zun.yml b/roles/baremetal/tasks/configure-ceph-for-zun.yml index 606c14b..746baad 100644 --- a/roles/baremetal/tasks/configure-ceph-for-zun.yml +++ b/roles/baremetal/tasks/configure-ceph-for-zun.yml 
@@ -2,25 +2,53 @@ - name: Install ceph-common block: - block: - - name: Install ceph apt gpg key - apt_key: - url: "{{ ceph_apt_key_file }}" - id: "{{ ceph_apt_key_id }}" - state: present - become: True + - name: Ensure apt sources list directory exists + file: + path: /etc/apt/sources.list.d + state: directory + recurse: yes + - name: Ensure apt keyrings directory exists + file: + path: /etc/apt/keyrings + state: directory + recurse: yes + + - name: Install ceph apt gpg key + get_url: + url: "{{ ceph_apt_key_file }}" + dest: "/etc/apt/keyrings/ceph.gpg" + mode: "0644" + force: true + + - name: Ensure old ceph repository absent + file: + path: /etc/apt/sources.list.d/ceph.list + state: absent + + # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module + # when all stable releases moves to the ansible-core >= 2.15 - name: Enable ceph apt repository - apt_repository: - repo: "{{ ceph_apt_repo }}" - filename: ceph - become: True + copy: + dest: /etc/apt/sources.list.d/ceph.sources + content: | + # Ansible managed + + Types: deb + URIs: {{ ceph_apt_url }} + Suites: {{ ansible_facts.distribution_release }} + Components: main + Signed-by: /etc/apt/keyrings/ceph.gpg + mode: "0644" - name: Install apt packages - package: + apt: name: "{{ ceph_apt_package }}" state: present - become: True + update_cache: true + when: ansible_facts.os_family == 'Debian' + become: True - block: - name: Enable ceph yum repository @@ -30,19 +58,16 @@ baseurl: "{{ ceph_yum_baseurl }}" gpgcheck: "{{ ceph_yum_gpgcheck | bool }}" gpgkey: "{{ ceph_yum_gpgkey }}" - become: True - name: Enable epel yum repository package: name: "{{ epel_yum_package }}" state: present - become: True - name: Install ceph rpm gpg key rpm_key: state: present key: "{{ ceph_yum_gpgkey }}" - become: True when: - ceph_yum_gpgcheck | bool @@ -51,5 +76,6 @@ name: "{{ ceph_yum_package }}" state: present enablerepo: epel - become: True + when: ansible_facts.os_family == 'RedHat' + become: True 
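Review bot: The new `Install ceph apt gpg key` task downloads `{{ ceph_apt_key_file }}` with `get_url` and `force: true` but no `checksum`, so whatever the URL serves on a given run becomes the trust anchor for the ceph repository; the removed `apt_key` task at least matched the key against `ceph_apt_key_id`. Consider pinning the key file from a new role default, for example `checksum: "{{ ceph_apt_key_checksum }}"` holding `sha256:<EXPECTED_SHA256_PLACEHOLDER>`, so that a changed upstream file fails the task instead of being accepted silently. On hosts that ran the old task the key presumably also remains in the global apt-key keyring, which nothing in this hunk removes; a release-note line telling operators to clean it up would close that gap. The two directory tasks could set `mode: "0755"` explicitly rather than rely on the umask. The first hunk's `Install ceph-common` block starts above it.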
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 1ba4f6f..e146eba 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -7,7 +7,6 @@ enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% e # Docker APT repository configuration. docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}" -docker_apt_repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable" docker_apt_key_file: "gpg" docker_apt_package: "docker-ce" docker_apt_package_pin: "" diff --git a/roles/docker/tasks/repo-Debian.yml b/roles/docker/tasks/repo-Debian.yml index df2fceb..b58b061 100644 --- a/roles/docker/tasks/repo-Debian.yml +++ b/roles/docker/tasks/repo-Debian.yml @@ -1,11 +1,11 @@ --- - name: Install CA certificates and gnupg packages - package: + apt: name: - ca-certificates - gnupg - cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}" - update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}" + cache_valid_time: "{{ apt_cache_valid_time }}" + update_cache: true state: present become: True 
@@ -38,12 +38,33 @@ Package: {{ docker_apt_package }} Pin: version {{ docker_apt_package_pin }} Pin-Priority: 1000 - mode: 0644 + mode: "0644" become: True when: docker_apt_package_pin | length > 0 -- name: Enable docker apt repository - apt_repository: - repo: "{{ docker_apt_repo }}" - filename: docker +- name: Ensure old docker repository absent + file: + path: /etc/apt/sources.list.d/docker.list + state: absent + become: True + +# TODO(mmalchuk): replace with ansible.builtin.deb822_repository module +# when all stable releases moves to the ansible-core >= 2.15 +- name: Enable docker apt repository + copy: + dest: /etc/apt/sources.list.d/docker.sources + content: | + # Ansible managed + + Types: deb + URIs: {{ docker_apt_url }} + Suites: {{ ansible_facts.distribution_release }} + Components: stable + Signed-by: /etc/apt/keyrings/docker.asc + mode: "0644" + become: True + +- name: Update the apt cache + apt: + update_cache: true become: True diff --git a/roles/podman_sdk/defaults/main.yml b/roles/podman_sdk/defaults/main.yml index d6ab905..10b25f1 100644 --- a/roles/podman_sdk/defaults/main.yml +++ b/roles/podman_sdk/defaults/main.yml @@ -35,4 +35,3 @@ podman_sdk_virtualenv_owner: "{{ kolla_user if create_kolla_user | bool else omi podman_sdk_upper_constraints_file: podman_sdk_osbpo_apt_url: "http://osbpo.debian.net/debian" -podman_sdk_osbpo_apt_repo: "deb [signed-by=/etc/apt/keyrings/osbpo.asc] {{ podman_sdk_osbpo_apt_url }} bookworm-bobcat-backports-nochange main" diff --git a/roles/podman_sdk/tasks/main.yml b/roles/podman_sdk/tasks/main.yml index 66ebf0d..ab9a916 100644 --- a/roles/podman_sdk/tasks/main.yml +++ b/roles/podman_sdk/tasks/main.yml 
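Review bot: The added `Update the apt cache` task at the end of this hunk runs `apt: update_cache: true` unconditionally, so every play refreshes the package index and the task will usually report a change even when `docker.sources` was not touched. Registering the copy result and guarding the refresh keeps the role idempotent: add `register: docker_apt_sources` to `Enable docker apt repository` and `when: docker_apt_sources is changed` to the cache task. The same unconditional refresh is added in `roles/podman_sdk/tasks/main.yml`. Separately, the suite and component are now written directly in the task, so a deployment that overrode the removed `docker_apt_repo` variable silently loses that override; the release note should mention the removed variables.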
@@ -6,30 +6,46 @@ path: /etc/apt/sources.list.d state: directory recurse: yes - become: True - name: Ensure apt keyrings directory exists file: path: /etc/apt/keyrings state: directory recurse: yes - become: True - name: Install osbpo apt gpg key template: src: osbpo_pubkey.gpg.j2 dest: /etc/apt/keyrings/osbpo.asc mode: "0644" - become: True + - name: Ensure old osbpo apt repository absent + file: + path: /etc/apt/sources.list.d/osbpo.list + state: absent + + # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module + # when all stable releases moves to the ansible-core >= 2.15 - name: Enable osbpo apt repository - apt_repository: - repo: "{{ podman_sdk_osbpo_apt_repo }}" - filename: osbpo - become: True + copy: + dest: /etc/apt/sources.list.d/docker.sources + content: | + # Ansible managed + + Types: deb + URIs: {{ podman_sdk_osbpo_apt_url }} + Suites: bookworm-bobcat-backports-nochange + Components: main + Signed-by: /etc/apt/keyrings/osbpo.asc + mode: "0644" + + - name: Update the apt cache + apt: + update_cache: true when: - ansible_facts.os_family == 'Debian' - virtualenv is none + become: True - name: Install packages package:
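Review bot: `Enable osbpo apt repository` writes its deb822 stanza to `/etc/apt/sources.list.d/docker.sources`, the same path the docker role manages in `roles/docker/tasks/repo-Debian.yml`; this looks like a copy-paste slip. On a Debian host where both roles run, each would overwrite the other's file, so one of the two repositories and its `Signed-by` key binding is missing after every run, while the old `osbpo.list` has already been removed by the preceding task. The destination should be `dest: /etc/apt/sources.list.d/osbpo.sources`. The enclosing block starts above the hunk.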