From 926290de0491f7b83a7537331761374b59ac7dbe Mon Sep 17 00:00:00 2001 From: Jean-Philippe Evrard Date: Wed, 25 Oct 2017 15:01:54 +0000 Subject: [PATCH] Vendor in the RDO GPG keys to install This way we avoid all networking failures. Change-Id: If95de543d2a2a7ad22435900e7923fc942cdd297 --- files/gpg/61E8806C | 20 ++++++++++ files/gpg/764429E6 | 20 ++++++++++ tasks/openstack_host_install_yum.yml | 58 +++++++++++----------------- vars/redhat-7.yml | 4 +- 4 files changed, 64 insertions(+), 38 deletions(-) create mode 100644 files/gpg/61E8806C create mode 100644 files/gpg/764429E6
diff --git a/files/gpg/61E8806C b/files/gpg/61E8806C
new file mode 100644
index 00000000..d180c723
--- /dev/null
+++ b/files/gpg/61E8806C
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFWB31YBCAC4dFmTzBDOcq4R1RbvQXLkyYfF+yXcsMA5kwZy7kjxnFqBoNPv
+aAjFm3e5huTw2BMZW0viLGJrHZGnsXsE5iNmzom2UgCtrvcG2f65OFGlC1HZ3ajA
+8ZIfdgNQkPpor61xqBCLzIsp55A7YuPNDvatk/+MqGdNv8Ug7iVmhQvI0p1bbaZR
+0GuavmC5EZ/+mDlZ2kHIQOUoInHqLJaX7iw46iLRUnvJ1vATOzTnKidoFapjhzIt
+i4ZSIRaalyJ4sT+oX4CoRzerNnUtIe2k9Hw6cEu4YKGCO7nnuXjMKz7Nz5GgP2Ou
+zIA/fcOmQkSGcn7FoXybWJ8DqBExvkJuDljPABEBAAG0bENlbnRPUyBWaXJ0dWFs
+aXphdGlvbiBTSUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVy
+ZXN0R3JvdXAvVmlydHVhbGl6YXRpb24pIDxzZWN1cml0eUBjZW50b3Mub3JnPokB
+OQQTAQIAIwUCVYHfVgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEHrr
+voJh6IBsRd0H/A62i5CqfftuySOCE95xMxZRw8+voWO84QS9zYvDEnzcEQpNnHyo
+FNZTpKOghIDtETWxzpY2ThLixcZOTubT+6hUL1n+cuLDVMu4OVXBPoUkRy56defc
+qkWR+UVwQitmlq1ngzwmqVZaB8Hf/mFZiB3B3Jr4dvVgWXRv58jcXFOPb8DdUoAc
+S3u/FLvri92lCaXu08p8YSpFOfT5T55kFICeneqETNYS2E3iKLipHFOLh7EWGM5b
+Wsr7o0r+KltI4Ehy/TjvNX16fa/t9p5pUs8rKyG8SZndxJCsk0MW55G9HFvQ0FmP
+A6vX9WQmbP+ml7jsUxtEJ6MOGJ39jmaUvPc=
+=ZzP+
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/files/gpg/764429E6 b/files/gpg/764429E6
new file mode 100644
index 00000000..91f8e1c5
--- /dev/null
+++ b/files/gpg/764429E6
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0
+N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm
+j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT
+pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY
+SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX
+MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT
+SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv
+Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL
+CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy
+FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz
+uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I
+93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV
+kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp
+9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq
+wKXK7l1c3dc=
+=W6yF
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tasks/openstack_host_install_yum.yml b/tasks/openstack_host_install_yum.yml
index 6a6eaa14..6ff6ccc8 100644
--- a/tasks/openstack_host_install_yum.yml
+++ b/tasks/openstack_host_install_yum.yml
@@ -21,43 +21,29 @@ - openstack-yum-packages - openstack-packages -- name: Get a list of RPM GPG keys - shell: "rpm -vv -q centos-release 2>&1 | grep 'to keyring'" - args: - warn: no - changed_when: False - register: current_rpm_keys - tags: - - openstack-yum-packages - - openstack-packages +# Copy all factored-in GPG keys. +# KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud +# KeyID 61E8806C from keyserver for rdo-qemu-ev +- name: Copy validated GPG keys + copy: + src: "gpg/{{ item | basename }}" + dest: /tmp/ + with_fileglob: + - "gpg/*" -- block: - - name: Import GPG keys for repositories if needed - shell: "rpm --define '%_hkp_keyserver http://pool.sks-keyservers.net' --import 0x{{ item.keyid }}" - args: - warn: no - with_items: - - "{{ openstack_host_rdo_repos_keys }}" - when: - - item.keyid | lower not in current_rpm_keys.stdout - - user_external_repo_key is not defined - tags: - - openstack-yum-packages - - openstack-packages - - rescue: - - name: Import GPG keys for repositories if needed - shell: "rpm --import 0x{{ item.keyid }}" - args: - warn: no - with_items: - - "{{ openstack_host_rdo_repos_keys }}" - when: - - item.keyid | lower not in current_rpm_keys.stdout - - user_external_repo_key is not defined - tags: - - openstack-yum-packages - - openstack-packages +# Handle gpg keys manually +- name: Install gpg keys + rpm_key: + key: "{{ key.keyfile | default(key.key) }}" + validate_certs: "{{ key.validate_certs | default(omit) }}" + state: "{{ key.state | default('present') }}" + with_items: "{{ openstack_host_rdo_repos_keys }}" + loop_control: + loop_var: key + register: _add_yum_keys + until: _add_yum_keys | success + retries: 5 + delay: 2 - name: Check for existing yum repositories shell: "yum-config-manager | grep 'repo:'" diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml index 9cb1b07e..cb7b6e6e 100644 --- a/vars/redhat-7.yml +++ b/vars/redhat-7.yml 
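Review bot: The `Copy validated GPG keys` task stages the package trust anchors under `dest: /tmp/` with no `owner` or `mode`, and `Install gpg keys` then imports whatever file sits at that path; a shared, world-writable directory is a weak place for a file that decides which packages the host will accept. Prefer a root-owned destination such as `dest: /etc/pki/rpm-gpg/` with `owner: root` and `mode: "0644"`, and change the `keyfile` values in the vars/redhat-7.yml hunk to match. The provenance comment identifies the keys only by 32-bit short IDs, which are not collision-resistant, so record the full fingerprints there and, if the Ansible version in use offers rpm_key's `fingerprint` option, pin them in the task. Both new tasks also lose the `openstack-yum-packages` / `openstack-packages` tags that the removed tasks carried, so a tag-limited run would appear to skip key installation.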
@@ -81,9 +81,9 @@ openstack_host_required_distro_packages: openstack_host_rdo_repos_keys: - repo: openstack-pike - keyid: 764429E6 + keyfile: /tmp/764429E6 - repo: rdo-qemu-ev - keyid: 61E8806C + keyfile: /tmp/61E8806C openstack_host_rdo_repos: - file: rdo-qemu-ev
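Review bot: Replacing `keyid` with `keyfile` changes the shape of `openstack_host_rdo_repos_keys` with no fallback and no documentation of the new fields. The install task reads `key.keyfile | default(key.key)`, so an entry that still supplies only `keyid` (for example a deployer override, if any exist) would likely fail on an undefined variable rather than with a clear message. A comment above the list would help, e.g. `# keyfile: path on the target host of a key copied from files/gpg/; key: any other source accepted by rpm_key`, along with a release note for the renamed field. The list itself starts and ends outside this hunk.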