Manage apt repositores and keys using deb822_repository module

The apt-key module is deprecated so the code is refactored to allow any of the deb822_repository features to used instead. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-apt_package_pinning/+/927903 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/907886 Change-Id: I96f1f23d6a1cca223ad4fc48a1caa21833a98b22
2024-02-05 16:19:12 +00:00 · 2024-02-05 16:19:12 +00:00 · e9de2b505d
commit e9de2b505d
parent 5675552c74
3 changed files with 83 additions and 74 deletions
--- a/releasenotes/notes/rabbitmq_repo_deb822-b47ef07ff462193f.yaml
+++ b/releasenotes/notes/rabbitmq_repo_deb822-b47ef07ff462193f.yaml
@ -0,0 +1,16 @@
+---
+features:
+  - |
+    The apt repository setup for the rabbitmq_server role is migrated to use
+    the deb822_repository ansible module rather than the legacy apt_key and
+    apt_repository modules. The format of the `rabbitmq_repo` and
+    `rabbitmq_erlang_repo` ole default variables are changed to match the
+    requirements of the new module, and are now lists allowing multiple
+    repositories to be configured if required.
+upgrade:
+  - |
+    The configuration of apt repositories for the rabbitmq_server role through
+    the `rabbitmq_repo` variable is changed to match the deb822_repository
+    ansible module. Any deployments that customise the repository
+    configuration should adjust their `rabbitmq_repo` and `rabbitmq_erlang_repo`
+    overrides to suit.
--- a/tasks/install_apt.yml
+++ b/tasks/install_apt.yml
@ -13,14 +13,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Validate repo config is deb822 format
+  vars:
+    _repo_check: "{{ (rabbitmq_repo + rabbitmq_erlang_repo) | selectattr('repo', 'defined') | map(attribute='repo') }}"
+  ansible.builtin.assert:
+    that: _repo_check | length == 0
+    fail_msg: "The following repository definitions must be updated to deb822 format {{ _repo_check }}"
+
 - name: Run the apt package pinning role
  include_role:
    name: apt_package_pinning
-  when:
-    - rabbitmq_install_method == 'external_repo'
  vars:
    apt_package_pinning_file_name: "rabbitmq.pref"
    apt_package_pinning_priority: 999
+    apt_package_pinning_state: "{{ (rabbitmq_install_method == 'external_repo') | ternary('present', 'absent') }}"
    apt_pinned_packages:
      - package: "*"
        release: "cloudsmith/rabbitmq/rabbitmq-erlang"
@ -31,70 +37,56 @@
        version: "{{ rabbitmq_package_version }}"
        priority: 1000

- name: Install GPG keys
-  apt_key:
-    data: "{{ lookup('file', item.file) }}"
-  when:
-    - rabbitmq_install_method == 'external_repo'
-  with_items: "{{ rabbitmq_gpg_keys | selectattr('file', 'defined') | list }}"
-  tags:
-    - rabbitmq-apt-keys
+# NOTE(jrosser) remove this task for the 2025.2 release
+- name: Clean up legacy repository config not in deb822 format
+  vars:
+    rabbitmq_apt_repo_cleanup:
+      - RabbitMQ.list
+      - els_erlang.list
+  file:
+    path: "/etc/apt/sources.list.d/{{ item }}"
+    state: absent
+  with_items: "{{ rabbitmq_apt_repo_cleanup }}"
+  register: apt_repo_removed

-# When updating the cache in the apt_repository
-# task, and the update fails, a retry does not
-# detect a change the second attempt and therefore
-# does not update the cache, resulting in a changed
-# repo config, but no updated cache. To work around
-# this bug we implement the change of repo config
-# and the cache update as two separate tasks.
- name: Add rabbitmq repo
-  apt_repository:
-    repo: "{{ rabbitmq_repo.repo }}"
-    state: "{{ rabbitmq_repo.state }}"
-    filename: "{{ rabbitmq_repo.filename | default(omit) }}"
-    update_cache: no
-  register: add_rabbitmq_repos
-  when:
-    - rabbitmq_install_method == 'external_repo'
-  tags:
-    - rabbitmq-repos
+- name: Ensure python3-debian package is available
+  apt:
+    name: python3-debian

-# When updating the cache in the apt_repository
-# task, and the update fails, a retry does not
-# detect a change the second attempt and therefore
-# does not update the cache, resulting in a changed
-# repo config, but no updated cache. To work around
-# this bug we implement the change of repo config
-# and the cache update as two separate tasks.
- name: Add erlang repo
-  apt_repository:
-    repo: "{{ rabbitmq_erlang_repo.repo }}"
-    state: "{{ rabbitmq_erlang_repo.state }}"
-    filename: "{{ rabbitmq_erlang_repo.filename | default(omit) }}"
-    update_cache: no
-  register: add_erlang_repos
-  when:
-    - rabbitmq_erlang_install_method == 'external_repo'
-  tags:
-    - rabbitmq-repos
+- name: Manage apt repositories
+  vars:
+    _a: "{{ item.architectures }}"
+    _architecture_fixup: "{{ ((_a | d([])) is iterable and (_a | d([])) is not string) | ternary(_a, [_a]) | map('replace', 'x86_64', 'amd64') }}"
+  ansible.builtin.deb822_repository:
+    allow_downgrade_to_insecure: "{{ item.allow_downgrade_to_insecure | default(omit) }}"
+    allow_insecure: "{{ item.allow_insecure | default(omit) }}"
+    allow_weak: "{{ item.allow_weak | default(omit) }}"
+    architectures: "{{ (_architecture_fixup | length > 0) | ternary(_architecture_fixup, omit) }}"
+    by_hash: "{{ item.by_hash | default(omit) }}"
+    check_date: "{{ item.check_date | default(omit) }}"
+    check_valid_until: "{{ item.check_valid_until | default(omit) }}"
+    components: "{{ item.components | default(omit) }}"
+    date_max_future: "{{ item.date_max_future | default(omit) }}"
+    enabled: "{{ item.enabled | default(omit) }}"
+    inrelease_path: "{{ item.inrelease_path | default(omit) }}"
+    languages: "{{ item.languages | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+    name: "{{ item.name }}"
+    pdiffs: "{{ item.pdiffs | default(omit) }}"
+    signed_by: "{{ item.signed_by | default(omit) }}"
+    state: "{{ item.state | default(omit) }}"
+    suites: "{{ item.suites | default(omit) }}"
+    targets: "{{ item.targets | default(omit) }}"
+    trusted: "{{ item.trusted | default(omit) }}"
+    types: "{{ item.types | default(omit) }}"
+    uris: "{{ item.uris | default(omit) }}"
+  with_items: "{{ rabbitmq_repo + rabbitmq_erlang_repo }}"
+  register: deb822_repos

-# Due to our Ansible strategy, a skipped task does not
-# have a dictionary result, so we have to cater to the
-# situation where either of the apt_repository tasks
-# may not have the results dict in the register. As
-# such we validate that the register is a mapping (dict).
- name: Update Apt cache
+- name: Update apt repositories when config is changed
  apt:
    update_cache: yes
-  when:
-    - (add_rabbitmq_repos is mapping and add_rabbitmq_repos is changed) or
-      (add_erlang_repos is mapping and add_erlang_repos is changed)
-  register: update_apt_cache
-  until: update_apt_cache is success
-  retries: 5
-  delay: 2
-  tags:
-    - rabbitmq-repos
+  when: (apt_repo_removed is changed) or (deb822_repos is changed)

 - name: Install RabbitMQ package dependencies
  apt:
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -16,24 +16,25 @@
 _rabbitmq_install_method: external_repo
 _rabbitmq_package_version: "3.13.3-1"

-_rabbitmq_gpg_keys:
-  - file: gpg/C072C960
-  - file: gpg/A16A4251 # Erlang Cloudsmith repo
-  - file: gpg/0A9AF211 # RabbitMQ Release Signing Key
-
-# NOTE(noonedeadpunk): List of available packages can be searched here: https://cloudsmith.io/~rabbitmq/repos/rabbitmq-server
 _rabbitmq_repo_url: "https://ppa1.novemberain.com/rabbitmq/rabbitmq-server/deb/{{ ansible_facts['distribution'] | lower }}"
 _rabbitmq_repo:
-  repo: "deb {{ rabbitmq_repo_url }} {{ ansible_facts['distribution_release'] | lower }} main"
-  state: "present"
-  filename: "RabbitMQ"
+  - name: "RabbitMQ"
+    suites: "{{ ansible_facts['distribution_release'] | lower }}"
+    uris: "{{ rabbitmq_repo_url }}"
+    signed_by: "{{ lookup('file', 'gpg/C072C960') }}"
+    components: main
+    architectures: "{{ ansible_facts['architecture'] }}"
+    state: "{{ (rabbitmq_install_method == 'external_repo') | ternary('present', 'absent') }}"

-# NOTE(noonedeadpunk): List of available packages can be searched here: https://cloudsmith.io/~rabbitmq/repos/rabbitmq-erlang
 _rabbitmq_erlang_repo_url: "https://ppa1.novemberain.com/rabbitmq/rabbitmq-erlang/deb/{{ ansible_facts['distribution'] | lower }}"
 _rabbitmq_erlang_repo:
-  repo: "deb {{ rabbitmq_erlang_repo_url }} {{ ansible_facts['distribution_release'] | lower }} main"
-  state: "present"
-  filename: els_erlang
+  - name: "els_erlang"
+    suites: "{{ ansible_facts['distribution_release'] | lower }}"
+    uris: "{{ rabbitmq_erlang_repo_url }}"
+    signed_by: "{{ lookup('file', 'gpg/A16A4251') }}"
+    components: main
+    architectures: "{{ ansible_facts['architecture'] }}"
+    state: "{{ (rabbitmq_install_method == 'external_repo') | ternary('present', 'absent') }}"

 _rabbitmq_erlang_version_spec: "{{ (rabbitmq_install_method == 'external_repo') | ternary('1:26.2.*-1', '1:24.*') }}"