Manage apt repositores and keys using deb822_repository module

The apt-key module is deprecated so the code is refactored to allow any of the deb822_repository features to used instead. Change-Id: I1363c6d46e5fc6aad3887b0d6c0c439034026ee2
2024-09-04 08:38:24 +01:00 · 2024-09-04 08:38:24 +01:00 · e01b9194b4
commit e01b9194b4
parent c4137b3169
3 changed files with 74 additions and 51 deletions
--- a/releasenotes/galera_repo_deb822-fc1aa6b88ee33b57.yaml
+++ b/releasenotes/galera_repo_deb822-fc1aa6b88ee33b57.yaml
@ -0,0 +1,14 @@
 ---
 features:
  - |
    The apt repository setup for the galera_server role is migrated to use
    the deb822_repository ansible module rather than the legacy apt_key and
    apt_repository modules. The format of the `galera_repo` role default
    variable is changed to match the requirements of the new module, and
    is now a list to allow multiple repositories to be configured if required.
 upgrade:
  - |
    The configuration of apt repositories for the galera_server role through
    the `galera_repo` variable is changed to match the deb822_repository
    ansible module. Any deployments that customise the galera_server repository
    configuration should adjust their `galera_repo` override to suit.
--- a/tasks/galera_install_apt.yml
+++ b/tasks/galera_install_apt.yml
@ -13,57 +13,68 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 - name: Validate repo config is deb822 format
  vars:
    _repo_check: "{{ galera_repo | selectattr('repo', 'defined') | map(attribute='repo') }}"
  ansible.builtin.assert:
    that: _repo_check | length == 0
    fail_msg: "The following repository definitions must be updated to deb822 format {{ _repo_check }}"
 - name: Remove conflicting distro packages
  package:
    name: "{{ galera_mariadb_distro_packages_remove | default([]) }}"
    state: absent
  when: galera_install_method == 'external_repo'
- name: Configure repositories for MariaDB installation
+# NOTE(jrosser) remove this task for the 2025.2 release
-  when:
+- name: Clean up legacy repository config not in deb822 format
-    - galera_install_method == 'external_repo'
+  vars:
-    - galera_repo
+    galera_apt_repo_cleanup:
-  block:
+      - MariaDB.list
-    - name: If a keyfile is provided, copy the gpg keyfile to the key location
+  file:
-      copy:
+    path: "/etc/apt/sources.list.d/{{ item }}"
-        src: "gpg/{{ item.id }}"
+    state: absent
-        dest: "{{ item.file }}"
+  with_items: "{{ galera_apt_repo_cleanup }}"
-        mode: '0644'
+  register: apt_repo_removed
      with_items: "{{ galera_gpg_keys | selectattr('file', 'defined') | list }}"
-    - name: Install gpg keys
+- name: Ensure python3-debian package is available
-      apt_key:
+  apt:
-        data: "{{ key['data'] | default(omit) }}"
+    name: python3-debian
        file: "{{ key['file'] | default(omit) }}"
        id: "{{ key['id'] | default(omit) }}"
        state: "{{ key['state'] | default(omit) }}"
        url: "{{ key['url'] | default(omit) }}"
        validate_certs: "{{ key['validate_certs'] | default(omit) }}"
      with_items: "{{ galera_gpg_keys }}"
      loop_control:
        loop_var: key
      register: _add_apt_keys
      until: _add_apt_keys is success
      retries: 5
      delay: 2
-    - name: Remove old repos
+- name: Manage apt repositories
-      lineinfile:
+  vars:
-        dest: "/etc/apt/sources.list.d/{{ item.name }}.list"
+    _a: "{{ item.architectures }}"
-        regexp: "^((?!{{ item.repo }}).*)$"
+    _architecture_fixup: "{{ ((_a | d([])) is iterable and (_a | d([])) is not string) | ternary(_a, [_a]) | map('replace', 'x86_64', 'amd64') }}"
-        state: absent
+  ansible.builtin.deb822_repository:
-      with_items:
+    allow_downgrade_to_insecure: "{{ item.allow_downgrade_to_insecure | default(omit) }}"
-        - { name: "MariaDB", repo: "{{ galera_repo.repo }}" }
+    allow_insecure: "{{ item.allow_insecure | default(omit) }}"
-      when: galera_repo.repo is defined
+    allow_weak: "{{ item.allow_weak | default(omit) }}"
    architectures: "{{ (_architecture_fixup | length > 0) | ternary(_architecture_fixup, omit) }}"
    by_hash: "{{ item.by_hash | default(omit) }}"
    check_date: "{{ item.check_date | default(omit) }}"
    check_valid_until: "{{ item.check_valid_until | default(omit) }}"
    components: "{{ item.components | default(omit) }}"
    date_max_future: "{{ item.date_max_future | default(omit) }}"
    enabled: "{{ item.enabled | default(omit) }}"
    inrelease_path: "{{ item.inrelease_path | default(omit) }}"
    languages: "{{ item.languages | default(omit) }}"
    mode: "{{ item.mode | default(omit) }}"
    name: "{{ item.name }}"
    pdiffs: "{{ item.pdiffs | default(omit) }}"
    signed_by: "{{ item.signed_by | default(omit) }}"
    state: "{{ item.state | default(omit) }}"
    suites: "{{ item.suites | default(omit) }}"
    targets: "{{ item.targets | default(omit) }}"
    trusted: "{{ item.trusted | default(omit) }}"
    types: "{{ item.types | default(omit) }}"
    uris: "{{ item.uris | default(omit) }}"
  with_items: "{{ galera_repo }}"
  register: deb822_repos
-    - name: Add galera repo
+- name: Update apt repositories when config is changed
-      apt_repository:
+  apt:
-        repo: "{{ galera_repo.repo }}"
+    update_cache: yes
-        filename: "{{ galera_repo.filename | default(omit) }}"
+  when: (apt_repo_removed is changed) or (deb822_repos is changed)
        state: "{{ galera_repo.state }}"
        update_cache: yes
      register: add_galera_repo
      when: galera_repo.repo is defined
 - name: Preseed galera password(s)
  debconf:
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -19,12 +19,6 @@ cache_timeout: 600
 # Default private device setting
 _galera_disable_privatedevices: yes
 # Galera GPG Keys
 _galera_gpg_keys:
  # MariaDB Signing Key <signing-key@mariadb.org>
  - id: C74CD1D8
    file: /etc/ssl/mariadb-key
 galera_server_required_distro_packages:
  - apt-transport-https
  - debconf-utils
@ -78,9 +72,13 @@ _galera_repo_url: >-
  http://{{ galera_repo_host }}/MariaDB/mariadb-{{ galera_major_version }}.{{ galera_minor_version }}/repo/{{ ansible_facts['distribution'] | lower }}
 _galera_repo:
-  repo: "deb {{ galera_repo_url }} {{ ansible_facts['distribution_release'] }} main"
+  - name: "MariaDB"
-  state: "present"
+    suites: "{{ ansible_facts['distribution_release'] | lower }}"
-  filename: "MariaDB"
+    uris: "{{ galera_repo_url }}"
    signed_by: "{{ lookup('file', 'gpg/C74CD1D8') }}"
    components: main
    architectures: "{{ ansible_facts['architecture'] }}"
    state: "{{ (galera_install_method == 'external_repo') | ternary('present', 'absent') }}"
 galera_wsrep_provider: "/usr/lib/galera/libgalera_smm.so"