Vendor the apt repo gpg keys used for Zuul
We use several PPAs on the Zuul servers, and today the Ubuntu keyring servers are frequently failing. Rather than rely on them, store the GPG keys in this repo and install the files "manually" rather than using the apt_repo module. Change-Id: I009a1a38d3a5864a8d5b0d8f8be24a83d1924292
parent
7a63dad5c1
commit
b173fcb1d9
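--- a/playbooks/roles/install-apt-repo/README.rst
+++ b/playbooks/roles/install-apt-repo/README.rst
@@ -0,0 +1,15 @@
+Install an APT repo
+
+**Role Variables**
+
+.. zuul:rolevar:: repo_name
+
+The name of the repo (used for filenames).
+
+.. zuul:rolevar:: repo_key
+
+The contents of the GPG key, ASCII armored.
+
+.. zuul:rolevar:: repo_content
+
+The file content for the sources list.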
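--- a/playbooks/roles/install-apt-repo/tasks/main.yaml
+++ b/playbooks/roles/install-apt-repo/tasks/main.yaml
@@ -0,0 +1,20 @@
+- name: Add apt repo key
+become: yes
+apt_key:
+data: "{{ repo_key }}"
+keyring: "/etc/apt/trusted.gpg.d/{{ repo_name }}.gpg"
+
+- name: Add apt repo
+become: yes
+copy:
+dest: "/etc/apt/sources.list.d/{{ repo_name }}.list"
+group: root
+owner: root
+mode: 0644
+content: "{{ repo_content }}"
+register: apt_repo
+
+- name: Run the equivalent of "apt-get update" as a separate step
+apt:
+update_cache: yes
+when: apt_repo is changed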
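Review bot: The `keyring:` path in "Add apt repo key" places each vendored key under `/etc/apt/trusted.gpg.d/`, where apt accepts it as a signer for every configured source rather than only for the PPA it belongs to. Since the role already controls both the key file and the sources line, the key could be written to a directory apt does not trust globally and bound to its repo with apt's `signed-by` option, e.g. `deb [signed-by=/etc/apt/keyrings/{{ repo_name }}.gpg] ...` in `repo_content` (the path is an example, and the directory would have to exist on the host). Separately, the final `apt` task carries no `become: yes` while the two tasks above it do; if the calling play does not already escalate, the cache update would fail.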
@ -7,35 +7,22 @@
|
||||
- 'vars'
|
||||
|
||||
- name: Install PPAs
|
||||
apt_repository:
|
||||
repo: '{{ item }}'
|
||||
become: yes
|
||||
include_role:
|
||||
name: install-apt-repo
|
||||
vars:
|
||||
repo_name: "{{ item.name }}"
|
||||
repo_key: "{{ item.key }}"
|
||||
repo_content: " {{item.content }}"
|
||||
loop: '{{ zuul_executor_ppas }}'
|
||||
|
||||
- name: Atomic for focal
|
||||
when: ansible_distribution_version is version('20.04', '>=')
|
||||
block:
|
||||
|
||||
- name: Add Kubic libcontainers OBS repo key
|
||||
become: yes
|
||||
apt_key:
|
||||
data: "{{ libcontainers_apt_key }}"
|
||||
keyring: /etc/apt/trusted.gpg.d/projectatomic.gpg
|
||||
|
||||
- name: Add kubic project libcontainers apt repo
|
||||
become: yes
|
||||
template:
|
||||
dest: /etc/apt/sources.list.d/projectatomic.list
|
||||
group: root
|
||||
mode: 0644
|
||||
owner: root
|
||||
src: sources.list.j2
|
||||
register: projectatomic_repo
|
||||
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: projectatomic_repo is changed
|
||||
include_role:
|
||||
name: install-apt-repo
|
||||
vars:
|
||||
repo_name: projectatomic
|
||||
repo_key: "{{ libcontainers_apt_key }}"
|
||||
repo_content: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_lsb.release }}/ /"
|
||||
|
||||
- name: Install bindep
|
||||
pip:
|
||||
|
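Review bot: In the "Install PPAs" task, `repo_content: " {{item.content }}"` has a stray space inside the opening quote, so each rendered `.list` file would begin with a space; `repo_content: "{{ item.content }}"` looks like what was intended. This rendering does not mark added and removed lines, so the `include_role` lines are read here as the new side. The role's `copy` task writes the value verbatim, so the file also ends without a trailing newline unless `content` supplies one. The task list continues outside this hunk.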
@ -1,5 +1,8 @@
|
||||
zuul_executor_ppas:
|
||||
# We use later HWE kernels for better memory managment, requiring an
|
||||
# updated AFS version which we install from our custom ppa.
|
||||
- ppa:openstack-ci-core/openafs
|
||||
- name: openafs
|
||||
content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs/ubuntu focal main"
|
||||
key: "{{ openstack_ci_core_ppa_key }}"
|
||||
|
||||
zuul_executor_extra_packages: []
|
||||
|
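Review bot: The new `content:` lines hard-code the release codename (`focal` here, `xenial` in the `zuul_executor_ppas` hunk that follows), whereas the `ppa:` shorthand they replace left the release to be resolved on the host, and the Kubic entry in the tasks file still templates it with `{{ ansible_lsb.release }}`. Unless these vars files are already release-specific, a host on a different release would silently be pointed at the wrong suite; `{{ ansible_distribution_release }}` in place of the codename would keep the earlier behaviour. The archives are also fetched over plain `http://`, which leaves signature verification against the vendored key as the only integrity check on what gets installed.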
@ -1,12 +1,21 @@
|
||||
zuul_executor_ppas:
|
||||
# For bubblewrap
|
||||
- ppa:openstack-ci-core/bubblewrap
|
||||
- name: bubblewrap
|
||||
content: "deb http://ppa.launchpad.net/openstack-ci-core/bubblewrap/ubuntu xenial main"
|
||||
key: "{{ openstack_ci_core_ppa_key }}"
|
||||
# Temporary PPA needed for bpo-27945 while waiting for SRU to be published
|
||||
- ppa:openstack-ci-core/python-bpo-27945-backport
|
||||
- name: python-bpo-27945-backport
|
||||
content: "deb http://ppa.launchpad.net/openstack-ci-core/python-bpo-27945-backport/ubuntu xenial main"
|
||||
key: "{{ openstack_ci_core_ppa_key }}"
|
||||
# We use later HWE kernels for better memory managment, requiring an
|
||||
# updated AFS version which we install from our custom ppa.
|
||||
- ppa:openstack-ci-core/openafs
|
||||
- name: openafs
|
||||
content: "deb http://ppa.launchpad.net/openstack-ci-core/openafs-amd64-hwe/ubuntu xenial main"
|
||||
key: "{{ openstack_ci_core_ppa_key }}"
|
||||
# For skopeo
|
||||
- ppa:projectatomic/ppa
|
||||
- name: projectatomic
|
||||
content: "deb http://ppa.launchpad.net/projectatomic/ppa/ubuntu xenial main"
|
||||
key: "{{ projectatomic_ppa_key }}"
|
||||
|
||||
zuul_executor_extra_packages:
|
||||
- libjemalloc1
|
||||
|
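--- a/playbooks/roles/zuul-executor/vars/main.yaml
+++ b/playbooks/roles/zuul-executor/vars/main.yaml
@@ -0,0 +1,61 @@
+openstack_ci_core_ppa_key: |
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFUZtK8BEADGaOXCZ/ypqcNEU5Y3rospyaJDhi9PiLndRXz6KxZEoDljmaLz
+QBMiJ3/lnNflwcv07sBdQDqBjNClFdDbvP4ttIZsQzWYQya/uHzM3rNxbh2bw24T
+z0n/+PwZ10NrGFIoXl9rU79tXe7XTJDifYvEXtpwnNcgo6/j3FJ9l7q9jQO4SwbK
+4dxKRLnwxPLsOtspvSp6J0PC9j6TiPYTrQ8dp8mj05GFF7oK6ZlQAJ3lgYG/QaWA
+9rXF1bOMw7E/arMI4+WYQOhx+JHkCitkai000MdNRVykrvJD/r9pb6NSzyAIrs/h
+DYvRjD/+7d2pd47R0CLTQJjsT9JNDlZqpU7i6+47zAB9uYTVJFprNF7/BuQ84fK/
+o81ePwutt+gfGzhKvbjUNLUC6WxFzojZEDbixz0TUOgvjUsK4VGoDyxLw1YLebjs
+5YdGROB19+771sx6leMZpdQhiTaXWlQrTyjbiS7f71Hx2Eng4hpyrySzHbBrLzXq
+XjiMazxt1yp5qq3VEBBgb6iW1ejDihkew1dnx+IJbUJ+OCs8Exntdta9B5+gg557
+Q6egbxQBK3RZ/c+8JHR1ROZ63COQXtAyfTsWwyxcfm7OI0YkNkJ2gNkeMl3spKw4
+VbGgaC0WBGKsdhVd9TfvtssBItS5/bgnIob/3aOFyCmNH33SGCjYDeopPQARAQAB
+tCNMYXVuY2hwYWQgUFBBIGZvciBPcGVuU3RhY2sgQ0kgQ29yZYkCOAQTAQIAIgUC
+VRm0rwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQFbbOfAGNBfUyCA/+
+OJEojrft6vxgh3iVDlDan1NavVm4D7F1mgfRlFwd9BC3trUkaLrNAqHXTi0fWtLe
+CqD3k0UAekA+0e58AL5EjeGyCadn9TT7oWlaXgiPr9OHCaVV/z8DnalQny31PQhf
+weNOVyOMKh/o7BFaLc3i5KCU+qb/gAcCRC7tLI8Saxf2CzboA6tECr8CHxX9xHln
+pspbcw5aAnEfpqd6BTagkkMjJ/+tDhC4pv9USwH3lbBjRlU93miuqoqtooMd++yy
+AKYd9c8ClRuI33rIAdoAmFfwwqk2prb9fF0BTxvfGdENZ+isOjvYTjzz0cYdBDrx
+fZtl7ruYceC54/6Nt9aKX0ADJBJuiIcNjqgaNCjdBP/p7aCIJzh10GKeDIzitCrK
+/ikMWcszaqYtctBVQvRxGfF2MSAy/VJny0OhiQI6XVc6eK/9Iu9ZeEAC6GoQRIla
+rwYit+TGhqgYBKYTjWwVlKUZAz7GCIF+wx+NTkUTWVQTnDzTFeBVbzGx3WHQhCqF
+NayXtKHrdImKfVpQjZZBVo42HzKqfGt/kNDM6IKhIuMlqlCUimVZpc3tawb+d8QT
+TS0IjLrW7dpFfRaZRk82AjQOp96WJL9LoDvcEIfKg7RKmcGPBJ2qaquj+PA6yAZL
+5pX70jigBqjtJ0PZGm7jELb8bB70SVSGsvwHmEz0pSs=
+=cc1L
+-----END PGP PUBLIC KEY BLOCK-----
+
+projectatomic_ppa_key: |
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFlRJjABEADuE3ZLY/2W++bPsxtcaoi7VaNnkvsXuVYbbHalEh/YwKFVsDTo
+PQpuw1UlPpmVTwT3ufWfv2v42eZiiWMZaKG9/aWF/TeIdH5+3anfVi+X+tuIW9sv
+GKTHZdtDqd7fIhtY6AuNQ/D629TJxLvafZ5MoGeyxjsebt5dOvOrl0SHpwR75uPP
+aCXTWrokhH7W2BbJQUB+47k62BMd03EKe8stz9FzUxptROFJJ2bITijJlDXNfSbV
+bwCiyREIkzXS6ZdWliJAqencOIZ4UbUax+5BT8SRbSLtr/c4YxvARilpSVCkxo8/
+EkPHBGygmgfw0kRPSGtLL7IqfWip9mFObji2geoU3A8gV/i3s9Ccc9GPKApX8r7b
+QFs1tIlgUJKPqVwB2FAh+Xrqlsy/+8r95jL2gfRptSw7u8OP4AySj5WVm7cCEQ69
+aLyemCsf+v72bFOUXuYQ22Kr3yqz2O/1IsG/0Usr4riTdG65Aq6gnq4KRHMNgXu8
+7fC9omoy3sKHvzeAJsw/eC9chYNwO8pv8KRIvpDSGL5L7Ems8mq2C5xMyzSVegTr
+AvXu7nJoZWVBFRluh42bZa9QesX9MzzfOQ+G3085aW8BE++lhtX5QOkfRd74E49H
+1I2piAq/aE8P9jUHr60Po1C1Tw9iXeEaULLKut8eTMLkQ/02DXhBfq0I5QARAQAB
+tCBMYXVuY2hwYWQgUFBBIGZvciBQcm9qZWN0IEF0b21pY4kCOAQTAQIAIgUCWVEm
+MAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQi+zxY3rYx50HLw/5Ad6k
+EHf2uT4owvzu393S/bUR6VVwCWYMbg14XgphxnoOfrHZWUjbrETTURyd1UexoHt7
+ZDtMCVmzeY0jpvMb1W3WDebFVo+wR4CI15sPjyycsOxWTviD743wxaPCL1s009co
+CzWg5AgP88B0D353Y39meC07BBgOJgIfk1OkFdeRjqHfAtucT99NrCuKr/bbBwDn
+0E+wWaJoIbQvBzsPIFzMWWQ6RcnrZtyQv35epo+VBmW3VEIkorv1VoStF0RjvJM+
+cMW/ogZsIEZk0IUREOtrtTKUXVrMw1hZ9IGYZRpbJ2g670UGuNjW/vo3rRCRSDaF
+6Txp5Pn6ZLTgQWsWMw/6M6ooFIEpz3rhYmQSJLNmUN6SgKeWGVmOrQlg4f7YM75o
+UEw56GKQWl9FAthO0qH0qF1OMfUKp/Tv2OSV/FNZsokf6alWXOB6Bzj6gYmmGXIv
+MfFW5fZ1cuu5/0ULDckxWhVQ1ywLHREEoBQ6oKYONwUjSdWcM+VsKCEFeCqsNwak
+qweP8C0fooycfiEZuncc/9ZujgkQ2p7xXTlv3t2SPF9h43xHs3515VS/OTJPGW59
+98AqllpfqGxggYs5cwi2LO3xwvHyPoTqj3hcl1dRMspZINRsIo4VC8bSrCOqbjDc
+CD2WFOo2c4mwTDmJpz0PLK87ev/WZ8K0OEflTfc=
+=jPWv
+-----END PGP PUBLIC KEY BLOCK-----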
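Review bot: Both armored keys are added with no record of where they were obtained or what their fingerprints are, so a later reviewer cannot tell whether a block has been altered or swapped without decoding it. A comment above each variable would cover this, e.g. `# Launchpad PPA signing key for openstack-ci-core; fingerprint <FINGERPRINT>, fetched from <SOURCE URL>`, with the placeholders filled in from `gpg --show-keys` run on the block and checked against the PPA page. Changes to this file warrant closer review than ordinary vars, because whoever edits it decides which signer apt accepts on the executors.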
@ -659,6 +659,7 @@
|
||||
- playbooks/host_vars/zk\d+
|
||||
- playbooks/host_vars/zuul01.openstack.org
|
||||
- playbooks/roles/zookeeper/
|
||||
- playbooks/roles/install-apt-repo
|
||||
- playbooks/roles/zuul
|
||||
|
||||
- job:
|
||||
|