Browse Source

Vendor the apt repo gpg keys used for Zuul

We use several PPAs on the Zuul servers, and today the Ubuntu keyring
servers are frequently failing.  Rather than rely on them, store the
GPG keys in this repo and install the files "manually" rather than
using the apt_repo module.

Change-Id: I009a1a38d3a5864a8d5b0d8f8be24a83d1924292
changes/01/729401/7
James E. Blair 2 years ago
parent
commit
b173fcb1d9
  1. 15
      playbooks/roles/install-apt-repo/README.rst
  2. 20
      playbooks/roles/install-apt-repo/tasks/main.yaml
  3. 37
      playbooks/roles/zuul-executor/tasks/main.yaml
  4. 5
      playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml
  5. 17
      playbooks/roles/zuul-executor/vars/default.yaml
  6. 61
      playbooks/roles/zuul-executor/vars/main.yaml
  7. 1
      zuul.d/system-config-run.yaml

15
playbooks/roles/install-apt-repo/README.rst

@ -0,0 +1,15 @@
Install an APT repo
**Role Variables**
.. zuul:rolevar:: repo_name
The name of the repo (used for filenames).
.. zuul:rolevar:: repo_key
The contents of the GPG key, ASCII armored.
.. zuul:rolevar:: repo_content
The file content for the sources list.

20
playbooks/roles/install-apt-repo/tasks/main.yaml

@ -0,0 +1,20 @@
- name: Add apt repo key
become: yes
apt_key:
data: "{{ repo_key }}"
keyring: "/etc/apt/trusted.gpg.d/{{ repo_name }}.gpg"
- name: Add apt repo
become: yes
copy:
dest: "/etc/apt/sources.list.d/{{ repo_name }}.list"
group: root
owner: root
mode: 0644
content: "{{ repo_content }}"
register: apt_repo
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: apt_repo is changed

37
playbooks/roles/zuul-executor/tasks/main.yaml

@ -7,35 +7,22 @@
- 'vars'
- name: Install PPAs
apt_repository:
repo: '{{ item }}'
become: yes
include_role:
name: install-apt-repo
vars:
repo_name: "{{ item.name }}"
repo_key: "{{ item.key }}"
repo_content: " {{item.content }}"
loop: '{{ zuul_executor_ppas }}'
- name: Atomic for focal
when: ansible_distribution_version is version('20.04', '>=')
block:
- name: Add Kubic libcontainers OBS repo key
become: yes
apt_key:
data: "{{ libcontainers_apt_key }}"
keyring: /etc/apt/trusted.gpg.d/projectatomic.gpg
- name: Add kubic project libcontainers apt repo
become: yes
template:
dest: /etc/apt/sources.list.d/projectatomic.list
group: root
mode: 0644
owner: root
src: sources.list.j2
register: projectatomic_repo
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: projectatomic_repo is changed
include_role:
name: install-apt-repo
vars:
repo_name: projectatomic
repo_key: "{{ libcontainers_apt_key }}"
repo_content: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_lsb.release }}/ /"
- name: Install bindep
pip:

5
playbooks/roles/zuul-executor/vars/Ubuntu.focal.yaml

@ -1,5 +1,8 @@
zuul_executor_ppas:
# We use later HWE kernels for better memory managment, requiring an
# updated AFS version which we install from our custom ppa.
- ppa:openstack-ci-core/openafs
- name: openafs
content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs/ubuntu focal main"
key: "{{ openstack_ci_core_ppa_key }}"
zuul_executor_extra_packages: []

17
playbooks/roles/zuul-executor/vars/default.yaml

@ -1,12 +1,21 @@
zuul_executor_ppas:
# For bubblewrap
- ppa:openstack-ci-core/bubblewrap
- name: bubblewrap
content: "deb http://ppa.launchpad.net/openstack-ci-core/bubblewrap/ubuntu xenial main"
key: "{{ openstack_ci_core_ppa_key }}"
# Temporary PPA needed for bpo-27945 while waiting for SRU to be published
- ppa:openstack-ci-core/python-bpo-27945-backport
- name: python-bpo-27945-backport
content: "deb http://ppa.launchpad.net/openstack-ci-core/python-bpo-27945-backport/ubuntu xenial main"
key: "{{ openstack_ci_core_ppa_key }}"
# We use later HWE kernels for better memory managment, requiring an
# updated AFS version which we install from our custom ppa.
- ppa:openstack-ci-core/openafs
- name: openafs
content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs-amd64-hwe/ubuntu xenial main"
key: "{{ openstack_ci_core_ppa_key }}"
# For skopeo
- ppa:projectatomic/ppa
- name: projectatomic
content: "deb http://ppa.launchpad.net/projectatomic/ppa/ubuntu xenial main"
key: "{{ projectatomic_ppa_key }}"
zuul_executor_extra_packages:
- libjemalloc1

61
playbooks/roles/zuul-executor/vars/main.yaml

@ -0,0 +1,61 @@
openstack_ci_core_ppa_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFUZtK8BEADGaOXCZ/ypqcNEU5Y3rospyaJDhi9PiLndRXz6KxZEoDljmaLz
QBMiJ3/lnNflwcv07sBdQDqBjNClFdDbvP4ttIZsQzWYQya/uHzM3rNxbh2bw24T
z0n/+PwZ10NrGFIoXl9rU79tXe7XTJDifYvEXtpwnNcgo6/j3FJ9l7q9jQO4SwbK
4dxKRLnwxPLsOtspvSp6J0PC9j6TiPYTrQ8dp8mj05GFF7oK6ZlQAJ3lgYG/QaWA
9rXF1bOMw7E/arMI4+WYQOhx+JHkCitkai000MdNRVykrvJD/r9pb6NSzyAIrs/h
DYvRjD/+7d2pd47R0CLTQJjsT9JNDlZqpU7i6+47zAB9uYTVJFprNF7/BuQ84fK/
o81ePwutt+gfGzhKvbjUNLUC6WxFzojZEDbixz0TUOgvjUsK4VGoDyxLw1YLebjs
5YdGROB19+771sx6leMZpdQhiTaXWlQrTyjbiS7f71Hx2Eng4hpyrySzHbBrLzXq
XjiMazxt1yp5qq3VEBBgb6iW1ejDihkew1dnx+IJbUJ+OCs8Exntdta9B5+gg557
Q6egbxQBK3RZ/c+8JHR1ROZ63COQXtAyfTsWwyxcfm7OI0YkNkJ2gNkeMl3spKw4
VbGgaC0WBGKsdhVd9TfvtssBItS5/bgnIob/3aOFyCmNH33SGCjYDeopPQARAQAB
tCNMYXVuY2hwYWQgUFBBIGZvciBPcGVuU3RhY2sgQ0kgQ29yZYkCOAQTAQIAIgUC
VRm0rwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQFbbOfAGNBfUyCA/+
OJEojrft6vxgh3iVDlDan1NavVm4D7F1mgfRlFwd9BC3trUkaLrNAqHXTi0fWtLe
CqD3k0UAekA+0e58AL5EjeGyCadn9TT7oWlaXgiPr9OHCaVV/z8DnalQny31PQhf
weNOVyOMKh/o7BFaLc3i5KCU+qb/gAcCRC7tLI8Saxf2CzboA6tECr8CHxX9xHln
pspbcw5aAnEfpqd6BTagkkMjJ/+tDhC4pv9USwH3lbBjRlU93miuqoqtooMd++yy
AKYd9c8ClRuI33rIAdoAmFfwwqk2prb9fF0BTxvfGdENZ+isOjvYTjzz0cYdBDrx
fZtl7ruYceC54/6Nt9aKX0ADJBJuiIcNjqgaNCjdBP/p7aCIJzh10GKeDIzitCrK
/ikMWcszaqYtctBVQvRxGfF2MSAy/VJny0OhiQI6XVc6eK/9Iu9ZeEAC6GoQRIla
rwYit+TGhqgYBKYTjWwVlKUZAz7GCIF+wx+NTkUTWVQTnDzTFeBVbzGx3WHQhCqF
NayXtKHrdImKfVpQjZZBVo42HzKqfGt/kNDM6IKhIuMlqlCUimVZpc3tawb+d8QT
TS0IjLrW7dpFfRaZRk82AjQOp96WJL9LoDvcEIfKg7RKmcGPBJ2qaquj+PA6yAZL
5pX70jigBqjtJ0PZGm7jELb8bB70SVSGsvwHmEz0pSs=
=cc1L
-----END PGP PUBLIC KEY BLOCK-----
projectatomic_ppa_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFlRJjABEADuE3ZLY/2W++bPsxtcaoi7VaNnkvsXuVYbbHalEh/YwKFVsDTo
PQpuw1UlPpmVTwT3ufWfv2v42eZiiWMZaKG9/aWF/TeIdH5+3anfVi+X+tuIW9sv
GKTHZdtDqd7fIhtY6AuNQ/D629TJxLvafZ5MoGeyxjsebt5dOvOrl0SHpwR75uPP
aCXTWrokhH7W2BbJQUB+47k62BMd03EKe8stz9FzUxptROFJJ2bITijJlDXNfSbV
bwCiyREIkzXS6ZdWliJAqencOIZ4UbUax+5BT8SRbSLtr/c4YxvARilpSVCkxo8/
EkPHBGygmgfw0kRPSGtLL7IqfWip9mFObji2geoU3A8gV/i3s9Ccc9GPKApX8r7b
QFs1tIlgUJKPqVwB2FAh+Xrqlsy/+8r95jL2gfRptSw7u8OP4AySj5WVm7cCEQ69
aLyemCsf+v72bFOUXuYQ22Kr3yqz2O/1IsG/0Usr4riTdG65Aq6gnq4KRHMNgXu8
7fC9omoy3sKHvzeAJsw/eC9chYNwO8pv8KRIvpDSGL5L7Ems8mq2C5xMyzSVegTr
AvXu7nJoZWVBFRluh42bZa9QesX9MzzfOQ+G3085aW8BE++lhtX5QOkfRd74E49H
1I2piAq/aE8P9jUHr60Po1C1Tw9iXeEaULLKut8eTMLkQ/02DXhBfq0I5QARAQAB
tCBMYXVuY2hwYWQgUFBBIGZvciBQcm9qZWN0IEF0b21pY4kCOAQTAQIAIgUCWVEm
MAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQi+zxY3rYx50HLw/5Ad6k
EHf2uT4owvzu393S/bUR6VVwCWYMbg14XgphxnoOfrHZWUjbrETTURyd1UexoHt7
ZDtMCVmzeY0jpvMb1W3WDebFVo+wR4CI15sPjyycsOxWTviD743wxaPCL1s009co
CzWg5AgP88B0D353Y39meC07BBgOJgIfk1OkFdeRjqHfAtucT99NrCuKr/bbBwDn
0E+wWaJoIbQvBzsPIFzMWWQ6RcnrZtyQv35epo+VBmW3VEIkorv1VoStF0RjvJM+
cMW/ogZsIEZk0IUREOtrtTKUXVrMw1hZ9IGYZRpbJ2g670UGuNjW/vo3rRCRSDaF
6Txp5Pn6ZLTgQWsWMw/6M6ooFIEpz3rhYmQSJLNmUN6SgKeWGVmOrQlg4f7YM75o
UEw56GKQWl9FAthO0qH0qF1OMfUKp/Tv2OSV/FNZsokf6alWXOB6Bzj6gYmmGXIv
MfFW5fZ1cuu5/0ULDckxWhVQ1ywLHREEoBQ6oKYONwUjSdWcM+VsKCEFeCqsNwak
qweP8C0fooycfiEZuncc/9ZujgkQ2p7xXTlv3t2SPF9h43xHs3515VS/OTJPGW59
98AqllpfqGxggYs5cwi2LO3xwvHyPoTqj3hcl1dRMspZINRsIo4VC8bSrCOqbjDc
CD2WFOo2c4mwTDmJpz0PLK87ev/WZ8K0OEflTfc=
=jPWv
-----END PGP PUBLIC KEY BLOCK-----

1
zuul.d/system-config-run.yaml

@ -659,6 +659,7 @@
- playbooks/host_vars/zk\d+
- playbooks/host_vars/zuul01.openstack.org
- playbooks/roles/zookeeper/
- playbooks/roles/install-apt-repo
- playbooks/roles/zuul
- job:

Loading…
Cancel
Save