Merge "Use deb822 format for Apt repositories on Ubuntu and drop apt-key"

releasenotes/notes/fix-apt-repositories-and-drop-apt-key-ff4c062f5689c91e.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes usage of the deprecated apt-key tool and switch to deb822 format for
+    Apt repositories on Ubuntu.

roles/baremetal/defaults/main.yml

@@ -7,7 +7,6 @@ ceph_url: "https://download.ceph.com"
 ceph_apt_url: "{{ ceph_url }}/debian-{{ ceph_version }}/"
 ceph_apt_repo: "deb {{ ceph_apt_url }} {{ ansible_facts.distribution_release }} main"
 ceph_apt_key_file: "{{ ceph_url }}/keys/release.gpg"
-ceph_apt_key_id: "460F3994"
 ceph_apt_package: "ceph-common"
 
 # Ceph Yum repository configuration.

roles/baremetal/tasks/configure-ceph-for-zun.yml

@@ -2,25 +2,53 @@
 - name: Install ceph-common
   block:
     - block:
-        - name: Install ceph apt gpg key
+        - name: Ensure apt sources list directory exists
-          apt_key:
+          file:
-            url: "{{ ceph_apt_key_file }}"
+            path: /etc/apt/sources.list.d
-            id: "{{ ceph_apt_key_id }}"
+            state: directory
-            state: present
+            recurse: yes
-          become: True
 
+        - name: Ensure apt keyrings directory exists
+          file:
+            path: /etc/apt/keyrings
+            state: directory
+            recurse: yes
+
+        - name: Install ceph apt gpg key
+          get_url:
+            url: "{{ ceph_apt_key_file }}"
+            dest: "/etc/apt/keyrings/ceph.gpg"
+            mode: "0644"
+            force: true
+
+        - name: Ensure old ceph repository absent
+          file:
+            path: /etc/apt/sources.list.d/ceph.list
+            state: absent
+
+        # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+        # when all stable releases moves to the ansible-core >= 2.15
         - name: Enable ceph apt repository
-          apt_repository:
+          copy:
-            repo: "{{ ceph_apt_repo }}"
+            dest: /etc/apt/sources.list.d/ceph.sources
-            filename: ceph
+            content: |
-          become: True
+                # Ansible managed
+
+                Types: deb
+                URIs: {{ ceph_apt_url }}
+                Suites: {{ ansible_facts.distribution_release }}
+                Components: main
+                Signed-by: /etc/apt/keyrings/ceph.gpg
+            mode: "0644"
 
         - name: Install apt packages
-          package:
+          apt:
             name: "{{ ceph_apt_package }}"
             state: present
-          become: True
+            update_cache: true
+
       when: ansible_facts.os_family == 'Debian'
+      become: True
 
     - block:
         - name: Enable ceph yum repository
@@ -30,19 +58,16 @@
             baseurl: "{{ ceph_yum_baseurl }}"
             gpgcheck: "{{ ceph_yum_gpgcheck | bool }}"
             gpgkey: "{{ ceph_yum_gpgkey }}"
-          become: True
 
         - name: Enable epel yum repository
           package:
             name: "{{ epel_yum_package }}"
             state: present
-          become: True
 
         - name: Install ceph rpm gpg key
           rpm_key:
             state: present
             key: "{{ ceph_yum_gpgkey }}"
-          become: True
           when:
             - ceph_yum_gpgcheck | bool
 
@@ -51,5 +76,6 @@
             name: "{{ ceph_yum_package }}"
             state: present
             enablerepo: epel
-          become: True
+
       when: ansible_facts.os_family == 'RedHat'
+      become: True

roles/docker/defaults/main.yml

@@ -7,7 +7,6 @@ enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% e
 
 # Docker APT repository configuration.
 docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
-docker_apt_repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
 docker_apt_key_file: "gpg"
 docker_apt_package: "docker-ce"
 docker_apt_package_pin: ""

roles/docker/tasks/repo-Debian.yml

@@ -1,11 +1,11 @@
 ---
 - name: Install CA certificates and gnupg packages
-  package:
+  apt:
     name:
       - ca-certificates
       - gnupg
-    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    cache_valid_time: "{{ apt_cache_valid_time }}"
-    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: true
     state: present
   become: True
 
@@ -38,12 +38,33 @@
         Package: {{ docker_apt_package }}
         Pin: version {{ docker_apt_package_pin }}
         Pin-Priority: 1000
-    mode: 0644
+    mode: "0644"
   become: True
   when: docker_apt_package_pin | length > 0
 
-- name: Enable docker apt repository
+- name: Ensure old docker repository absent
-  apt_repository:
+  file:
-    repo: "{{ docker_apt_repo }}"
+    path: /etc/apt/sources.list.d/docker.list
-    filename: docker
+    state: absent
+  become: True
+
+# TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+# when all stable releases moves to the ansible-core >= 2.15
+- name: Enable docker apt repository
+  copy:
+    dest: /etc/apt/sources.list.d/docker.sources
+    content: |
+        # Ansible managed
+
+        Types: deb
+        URIs: {{ docker_apt_url }}
+        Suites: {{ ansible_facts.distribution_release }}
+        Components: stable
+        Signed-by: /etc/apt/keyrings/docker.asc
+    mode: "0644"
+  become: True
+
+- name: Update the apt cache
+  apt:
+    update_cache: true
   become: True

roles/podman_sdk/defaults/main.yml

@@ -35,4 +35,3 @@ podman_sdk_virtualenv_owner: "{{ kolla_user if create_kolla_user | bool else omi
 podman_sdk_upper_constraints_file:
 
 podman_sdk_osbpo_apt_url: "http://osbpo.debian.net/debian"
-podman_sdk_osbpo_apt_repo: "deb [signed-by=/etc/apt/keyrings/osbpo.asc] {{ podman_sdk_osbpo_apt_url }} bookworm-bobcat-backports-nochange main"

roles/podman_sdk/tasks/main.yml

@@ -6,30 +6,46 @@
         path: /etc/apt/sources.list.d
         state: directory
         recurse: yes
-      become: True
 
     - name: Ensure apt keyrings directory exists
       file:
         path: /etc/apt/keyrings
         state: directory
         recurse: yes
-      become: True
 
     - name: Install osbpo apt gpg key
       template:
         src: osbpo_pubkey.gpg.j2
         dest: /etc/apt/keyrings/osbpo.asc
         mode: "0644"
-      become: True
 
+    - name: Ensure old osbpo apt repository absent
+      file:
+        path: /etc/apt/sources.list.d/osbpo.list
+        state: absent
+
+    # TODO(mmalchuk): replace with ansible.builtin.deb822_repository module
+    # when all stable releases moves to the ansible-core >= 2.15
     - name: Enable osbpo apt repository
-      apt_repository:
+      copy:
-        repo: "{{ podman_sdk_osbpo_apt_repo }}"
+        dest: /etc/apt/sources.list.d/docker.sources
-        filename: osbpo
+        content: |
-      become: True
+            # Ansible managed
+
+            Types: deb
+            URIs: {{ podman_sdk_osbpo_apt_url }}
+            Suites: bookworm-bobcat-backports-nochange
+            Components: main
+            Signed-by: /etc/apt/keyrings/osbpo.asc
+        mode: "0644"
+
+    - name: Update the apt cache
+      apt:
+        update_cache: true
   when:
     - ansible_facts.os_family == 'Debian'
     - virtualenv is none
+  become: True
 
 - name: Install packages
   package: