Debian/Ubuntu: handle APT keys in proper way

apt-key is deprecated and in Debian 'bullseye' it complain when we use it the way we did. The right way is to store key files in separate directory and then, for each repo source file, point to proper key. And this is what this patch does. Both distros use the same keys now. More info: - https://losst.pro/en/how-to-fix-key-is-stored-in-legacy-trusted-gpg-keyring-in-ubuntu - https://wiki.debian.org/DebianRepository/UseThirdParty Change-Id: I4a5116499b13fff0b9523ed29acb080df110e2d4
2023-01-24 15:38:04 +01:00 · 2023-01-24 15:38:04 +01:00 · 41ea290e68
commit 41ea290e68
parent bb43201474
2 changed files with 12 additions and 5 deletions
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -7,9 +7,8 @@ enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% e

 # Docker APT repository configuration.
 docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
-docker_apt_repo: "deb {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
+docker_apt_repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
 docker_apt_key_file: "gpg"
-docker_apt_key_id: "0EBFCD88"
 docker_apt_package: "docker-ce"

 # Docker Yum repository configuration.
--- a/roles/docker/tasks/repo-Debian.yml
+++ b/roles/docker/tasks/repo-Debian.yml
@ -16,11 +16,19 @@
    recurse: yes
  become: True

+- name: Ensure apt keyrings directory exists
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    recurse: yes
+  become: True
+
 - name: Install docker apt gpg key
-  apt_key:
+  get_url:
    url: "{{ docker_apt_url }}/{{ docker_apt_key_file }}"
-    id: "{{ docker_apt_key_id }}"
-    state: present
+    dest: "/etc/apt/keyrings/docker.asc"
+    mode: "0644"
+    force: true
  become: True

 - name: Enable docker apt repository