Vendor the apt repo gpg keys used for Zuul

We use several PPAs on the Zuul servers, and today the Ubuntu keyring
servers are frequently failing.  Rather than rely on them, store the
GPG keys in this repo and install the files "manually" rather than
using the apt_repo module.

Change-Id: I009a1a38d3a5864a8d5b0d8f8be24a83d1924292

playbooks/roles/install-apt-repo/README.rst

@@ -0,0 +1,15 @@
+Install an APT repo
+
+**Role Variables**
+
+.. zuul:rolevar:: repo_name
+
+   The name of the repo (used for filenames).
+
+.. zuul:rolevar:: repo_key
+
+   The contents of the GPG key, ASCII armored.
+
+.. zuul:rolevar:: repo_content
+
+   The file content for the sources list.

playbooks/roles/install-apt-repo/tasks/main.yaml

@@ -0,0 +1,20 @@
+- name: Add apt repo key
+  become: yes
+  apt_key:
+    data: "{{ repo_key }}"
+    keyring: "/etc/apt/trusted.gpg.d/{{ repo_name }}.gpg"
+
+- name: Add apt repo
+  become: yes
+  copy:
+    dest: "/etc/apt/sources.list.d/{{ repo_name }}.list"
+    group: root
+    owner: root
+    mode: 0644
+    content: "{{ repo_content }}"
+  register: apt_repo
+
+- name: Run the equivalent of "apt-get update" as a separate step
+  apt:
+    update_cache: yes
+  when: apt_repo is changed

playbooks/roles/zuul-executor/tasks/main.yaml

@@ -7,35 +7,22 @@
         - 'vars'
 
 - name: Install PPAs
-  apt_repository:
-    repo: '{{ item }}'
-  become: yes
+  include_role:
+    name: install-apt-repo
+  vars:
+    repo_name: "{{ item.name }}"
+    repo_key: "{{ item.key }}"
+    repo_content: " {{item.content }}"
   loop: '{{ zuul_executor_ppas }}'
 
 - name: Atomic for focal
   when: ansible_distribution_version is version('20.04', '>=')
-  block:
-
-    - name: Add Kubic libcontainers OBS repo key
-      become: yes
-      apt_key:
-        data: "{{ libcontainers_apt_key }}"
-        keyring: /etc/apt/trusted.gpg.d/projectatomic.gpg
-
-    - name: Add kubic project libcontainers apt repo
-      become: yes
-      template:
-        dest: /etc/apt/sources.list.d/projectatomic.list
-        group: root
-        mode: 0644
-        owner: root
-        src: sources.list.j2
-      register: projectatomic_repo
-
-    - name: Run the equivalent of "apt-get update" as a separate step
-      apt:
-        update_cache: yes
-      when: projectatomic_repo is changed
+  include_role:
+    name: install-apt-repo
+  vars:
+    repo_name: projectatomic
+    repo_key: "{{ libcontainers_apt_key }}"
+    repo_content: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_lsb.release }}/ /"
 
 - name: Install bindep
   pip:

playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml

@@ -1,5 +1,8 @@
 zuul_executor_ppas:
   # We use later HWE kernels for better memory managment, requiring an
   # updated AFS version which we install from our custom ppa.
-  - ppa:openstack-ci-core/openafs
+  - name: openafs
+    content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs/ubuntu focal main"
+    key: "{{ openstack_ci_core_ppa_key }}"
+
 zuul_executor_extra_packages: []

playbooks/roles/zuul-executor/vars/default.yaml

@@ -1,12 +1,21 @@
 zuul_executor_ppas:
   # For bubblewrap
-  - ppa:openstack-ci-core/bubblewrap
+  - name: bubblewrap
+    content: "deb http://ppa.launchpad.net/openstack-ci-core/bubblewrap/ubuntu xenial main"
+    key: "{{ openstack_ci_core_ppa_key }}"
   # Temporary PPA needed for bpo-27945 while waiting for SRU to be published
-  - ppa:openstack-ci-core/python-bpo-27945-backport
+  - name: python-bpo-27945-backport
+    content: "deb http://ppa.launchpad.net/openstack-ci-core/python-bpo-27945-backport/ubuntu xenial main"
+    key: "{{ openstack_ci_core_ppa_key }}"
   # We use later HWE kernels for better memory managment, requiring an
   # updated AFS version which we install from our custom ppa.
-  - ppa:openstack-ci-core/openafs
+  - name: openafs
+    content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs-amd64-hwe/ubuntu xenial main"
+    key: "{{ openstack_ci_core_ppa_key }}"
   # For skopeo
-  - ppa:projectatomic/ppa
+  - name: projectatomic
+    content: "deb http://ppa.launchpad.net/projectatomic/ppa/ubuntu xenial main"
+    key: "{{ projectatomic_ppa_key }}"
+
 zuul_executor_extra_packages:
   - libjemalloc1

playbooks/roles/zuul-executor/vars/main.yaml

@@ -0,0 +1,61 @@
+openstack_ci_core_ppa_key: |
+  -----BEGIN PGP PUBLIC KEY BLOCK-----
+  Version: GnuPG v1
+
+  mQINBFUZtK8BEADGaOXCZ/ypqcNEU5Y3rospyaJDhi9PiLndRXz6KxZEoDljmaLz
+  QBMiJ3/lnNflwcv07sBdQDqBjNClFdDbvP4ttIZsQzWYQya/uHzM3rNxbh2bw24T
+  z0n/+PwZ10NrGFIoXl9rU79tXe7XTJDifYvEXtpwnNcgo6/j3FJ9l7q9jQO4SwbK
+  4dxKRLnwxPLsOtspvSp6J0PC9j6TiPYTrQ8dp8mj05GFF7oK6ZlQAJ3lgYG/QaWA
+  9rXF1bOMw7E/arMI4+WYQOhx+JHkCitkai000MdNRVykrvJD/r9pb6NSzyAIrs/h
+  DYvRjD/+7d2pd47R0CLTQJjsT9JNDlZqpU7i6+47zAB9uYTVJFprNF7/BuQ84fK/
+  o81ePwutt+gfGzhKvbjUNLUC6WxFzojZEDbixz0TUOgvjUsK4VGoDyxLw1YLebjs
+  5YdGROB19+771sx6leMZpdQhiTaXWlQrTyjbiS7f71Hx2Eng4hpyrySzHbBrLzXq
+  XjiMazxt1yp5qq3VEBBgb6iW1ejDihkew1dnx+IJbUJ+OCs8Exntdta9B5+gg557
+  Q6egbxQBK3RZ/c+8JHR1ROZ63COQXtAyfTsWwyxcfm7OI0YkNkJ2gNkeMl3spKw4
+  VbGgaC0WBGKsdhVd9TfvtssBItS5/bgnIob/3aOFyCmNH33SGCjYDeopPQARAQAB
+  tCNMYXVuY2hwYWQgUFBBIGZvciBPcGVuU3RhY2sgQ0kgQ29yZYkCOAQTAQIAIgUC
+  VRm0rwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQFbbOfAGNBfUyCA/+
+  OJEojrft6vxgh3iVDlDan1NavVm4D7F1mgfRlFwd9BC3trUkaLrNAqHXTi0fWtLe
+  CqD3k0UAekA+0e58AL5EjeGyCadn9TT7oWlaXgiPr9OHCaVV/z8DnalQny31PQhf
+  weNOVyOMKh/o7BFaLc3i5KCU+qb/gAcCRC7tLI8Saxf2CzboA6tECr8CHxX9xHln
+  pspbcw5aAnEfpqd6BTagkkMjJ/+tDhC4pv9USwH3lbBjRlU93miuqoqtooMd++yy
+  AKYd9c8ClRuI33rIAdoAmFfwwqk2prb9fF0BTxvfGdENZ+isOjvYTjzz0cYdBDrx
+  fZtl7ruYceC54/6Nt9aKX0ADJBJuiIcNjqgaNCjdBP/p7aCIJzh10GKeDIzitCrK
+  /ikMWcszaqYtctBVQvRxGfF2MSAy/VJny0OhiQI6XVc6eK/9Iu9ZeEAC6GoQRIla
+  rwYit+TGhqgYBKYTjWwVlKUZAz7GCIF+wx+NTkUTWVQTnDzTFeBVbzGx3WHQhCqF
+  NayXtKHrdImKfVpQjZZBVo42HzKqfGt/kNDM6IKhIuMlqlCUimVZpc3tawb+d8QT
+  TS0IjLrW7dpFfRaZRk82AjQOp96WJL9LoDvcEIfKg7RKmcGPBJ2qaquj+PA6yAZL
+  5pX70jigBqjtJ0PZGm7jELb8bB70SVSGsvwHmEz0pSs=
+  =cc1L
+  -----END PGP PUBLIC KEY BLOCK-----
+
+projectatomic_ppa_key: |
+  -----BEGIN PGP PUBLIC KEY BLOCK-----
+  Version: GnuPG v1
+
+  mQINBFlRJjABEADuE3ZLY/2W++bPsxtcaoi7VaNnkvsXuVYbbHalEh/YwKFVsDTo
+  PQpuw1UlPpmVTwT3ufWfv2v42eZiiWMZaKG9/aWF/TeIdH5+3anfVi+X+tuIW9sv
+  GKTHZdtDqd7fIhtY6AuNQ/D629TJxLvafZ5MoGeyxjsebt5dOvOrl0SHpwR75uPP
+  aCXTWrokhH7W2BbJQUB+47k62BMd03EKe8stz9FzUxptROFJJ2bITijJlDXNfSbV
+  bwCiyREIkzXS6ZdWliJAqencOIZ4UbUax+5BT8SRbSLtr/c4YxvARilpSVCkxo8/
+  EkPHBGygmgfw0kRPSGtLL7IqfWip9mFObji2geoU3A8gV/i3s9Ccc9GPKApX8r7b
+  QFs1tIlgUJKPqVwB2FAh+Xrqlsy/+8r95jL2gfRptSw7u8OP4AySj5WVm7cCEQ69
+  aLyemCsf+v72bFOUXuYQ22Kr3yqz2O/1IsG/0Usr4riTdG65Aq6gnq4KRHMNgXu8
+  7fC9omoy3sKHvzeAJsw/eC9chYNwO8pv8KRIvpDSGL5L7Ems8mq2C5xMyzSVegTr
+  AvXu7nJoZWVBFRluh42bZa9QesX9MzzfOQ+G3085aW8BE++lhtX5QOkfRd74E49H
+  1I2piAq/aE8P9jUHr60Po1C1Tw9iXeEaULLKut8eTMLkQ/02DXhBfq0I5QARAQAB
+  tCBMYXVuY2hwYWQgUFBBIGZvciBQcm9qZWN0IEF0b21pY4kCOAQTAQIAIgUCWVEm
+  MAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQi+zxY3rYx50HLw/5Ad6k
+  EHf2uT4owvzu393S/bUR6VVwCWYMbg14XgphxnoOfrHZWUjbrETTURyd1UexoHt7
+  ZDtMCVmzeY0jpvMb1W3WDebFVo+wR4CI15sPjyycsOxWTviD743wxaPCL1s009co
+  CzWg5AgP88B0D353Y39meC07BBgOJgIfk1OkFdeRjqHfAtucT99NrCuKr/bbBwDn
+  0E+wWaJoIbQvBzsPIFzMWWQ6RcnrZtyQv35epo+VBmW3VEIkorv1VoStF0RjvJM+
+  cMW/ogZsIEZk0IUREOtrtTKUXVrMw1hZ9IGYZRpbJ2g670UGuNjW/vo3rRCRSDaF
+  6Txp5Pn6ZLTgQWsWMw/6M6ooFIEpz3rhYmQSJLNmUN6SgKeWGVmOrQlg4f7YM75o
+  UEw56GKQWl9FAthO0qH0qF1OMfUKp/Tv2OSV/FNZsokf6alWXOB6Bzj6gYmmGXIv
+  MfFW5fZ1cuu5/0ULDckxWhVQ1ywLHREEoBQ6oKYONwUjSdWcM+VsKCEFeCqsNwak
+  qweP8C0fooycfiEZuncc/9ZujgkQ2p7xXTlv3t2SPF9h43xHs3515VS/OTJPGW59
+  98AqllpfqGxggYs5cwi2LO3xwvHyPoTqj3hcl1dRMspZINRsIo4VC8bSrCOqbjDc
+  CD2WFOo2c4mwTDmJpz0PLK87ev/WZ8K0OEflTfc=
+  =jPWv
+  -----END PGP PUBLIC KEY BLOCK-----

zuul.d/system-config-run.yaml

@@ -659,6 +659,7 @@
       - playbooks/host_vars/zk\d+
       - playbooks/host_vars/zuul01.openstack.org
       - playbooks/roles/zookeeper/
+      - playbooks/roles/install-apt-repo
       - playbooks/roles/zuul
 
 - job: