Merge pull request #61 from stackhpc/no-apt-key

markgoddard · web-flow · commit 6a7967a27a88 · 2022-09-15T17:33:37.000+01:00
Stop using apt-key
diff --git a/roles/cephadm/tasks/pkg_debian.yml b/roles/cephadm/tasks/pkg_debian.yml
@@ -1,13 +1,34 @@
 ---
-- name: Add Ceph signing keys
+# Remove any old Ceph keys added to the main keyring.
+- name: Clean up old key
   apt_key:
-    keyserver: keyserver.ubuntu.com
     id: E84AC2C0460F3994
+    state: absent
+  become: true
+
+- name: Ensure keys directory exists
+  file:
+    path: "{{ cephadm_apt_key_path | dirname }}"
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+  when: not cephadm_custom_repos | bool
+  become: true
+
+- name: Ensure keys exist
+  get_url:
+    url: "{{ cephadm_apt_key_url }}"
+    dest: "{{ cephadm_apt_key_path }}"
+    owner: root
+    group: root
+    mode: 0644
+  when: not cephadm_custom_repos | bool
   become: true
 
 - name: Ensure Ceph repositories are defined
   apt_repository:
-    repo: "deb https://download.ceph.com/debian-{{ item }}/ {{ cephadm_apt_repo_dist }} main"
+    repo: "deb [signed-by={{ cephadm_apt_key_path }}] https://download.ceph.com/debian-{{ item }}/ {{ cephadm_apt_repo_dist }} main"
     state: "{{ 'present' if item == cephadm_ceph_release else 'absent' }}"
   when: not cephadm_custom_repos | bool
   become: true
diff --git a/roles/cephadm/vars/main.yml b/roles/cephadm/vars/main.yml
@@ -5,3 +5,5 @@ cephadm_rpm_repos:
 cephadm_ceph_releases:
   - "octopus"
   - "pacific"
+cephadm_apt_key_url: "https://download.ceph.com/keys/release.asc"
+cephadm_apt_key_path: "/usr/local/share/keyrings/ceph.asc"
