From 7a70556e151f9b528732ff24fd8fca0de18fd97b Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Date: Thu, 30 Mar 2023 21:16:28 +0200
Subject: [PATCH] Unify EPEL gpg key and repo provisioning

At the moment we do install EPEL repo in multiple other roles, like
lxc_hosts or systemd_mount. We're trying to be consistent in ways
of adding them, while ceph_client was slightly different, by carrying on
GPG keys in-repo instead of fetching them from `centos_epel_key` url.

With this patch we unify approach with other roles and reducing
maintenance costs of the repo when adding new distributions

Change-Id: I407256dc6eee3365c4f8c191a1f50717f0b35fa8
Related-Bug: #2013276
---
 defaults/main.yml             |  4 ++++
 files/gpg/RPM-GPG-KEY-EPEL-7  | 29 -----------------------------
 files/gpg/RPM-GPG-KEY-EPEL-8  | 28 ----------------------------
 files/gpg/RPM-GPG-KEY-EPEL-9  | 29 -----------------------------
 tasks/ceph_preinstall_dnf.yml | 32 +++++++++++++-------------------
 vars/redhat.yml               |  5 -----
 6 files changed, 17 insertions(+), 110 deletions(-)
 delete mode 100644 files/gpg/RPM-GPG-KEY-EPEL-7
 delete mode 100644 files/gpg/RPM-GPG-KEY-EPEL-8
 delete mode 100644 files/gpg/RPM-GPG-KEY-EPEL-9

diff --git a/defaults/main.yml b/defaults/main.yml
index 5e9c08d..19d298d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -121,3 +121,7 @@ ceph_extra_config_groups:
 ceph_extra_compute_group: nova_compute
 
 ceph_client_ceph_conf_overrides: "{{ ceph_conf_overrides | default({}) }}"
+
+# CentOS repos
+ceph_centos_epel_mirror: "{{ centos_epel_mirror | default('http://download.fedoraproject.org/pub/epel') }}"
+ceph_centos_epel_key: "{{ centos_epel_key | default('http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-' ~ ansible_facts['distribution_major_version']) }}"
diff --git a/files/gpg/RPM-GPG-KEY-EPEL-7 b/files/gpg/RPM-GPG-KEY-EPEL-7
deleted file mode 100644
index f205ede..0000000
--- a/files/gpg/RPM-GPG-KEY-EPEL-7
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB
-OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm
-jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP
-vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM
-jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5
-S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ
-n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB
-9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95
-T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj
-GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf
-uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB
-tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
-AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk
-5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q
-ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu
-MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re
-9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax
-CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv
-HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB
-VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q
-thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc
-ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4
-vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt
-RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw==
-=hdPa
------END PGP PUBLIC KEY BLOCK-----
diff --git a/files/gpg/RPM-GPG-KEY-EPEL-8 b/files/gpg/RPM-GPG-KEY-EPEL-8
deleted file mode 100644
index 1a25ca2..0000000
--- a/files/gpg/RPM-GPG-KEY-EPEL-8
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2
-dgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018
-+eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOrRfy
-a8x3OxC4PEgl5pgDnP8pVK0lLYncDEQCN76D9ubhZQWhISF/zJI+e806V71hzfyL
-/Mt3mQm/li+lRKU25Usk9dWaf4NH/wZHMIPAkVJ4uD4H/uS49wqWnyiTYGT7hUbi
-ecF7crhLCmlRzvJR8mkRP6/4T/F3tNDPWZeDNEDVFUkTFHNU6/h2+O398MNY/fOh
-yKaNK3nnE0g6QJ1dOH31lXHARlpFOtWt3VmZU0JnWLeYdvap4Eff9qTWZJhI7Cq0
-Wm8DgLUpXgNlkmquvE7P2W5EAr2E5AqKQoDbfw/GiWdRvHWKeNGMRLnGI3QuoX3U
-pAlXD7v13VdZxNydvpeypbf/AfRyrHRKhkUj3cU1pYkM3DNZE77C5JUe6/0nxbt4
-ETUZBTgLgYJGP8c7PbkVnO6I/KgL1jw+7MW6Az8Ox+RXZLyGMVmbW/TMc8haJfKL
-MoUo3TVk8nPiUhoOC0/kI7j9ilFrBxBU5dUtF4ITAWc8xnG6jJs/IsvRpQARAQAB
-tChGZWRvcmEgRVBFTCAoOCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
-AgAiBQJc9877AhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAh6kWrL4bW
-oWagD/4xnLWws34GByVDQkjprk0fX7Iyhpm/U7BsIHKspHLL+Y46vAAGY/9vMvdE
-0fcr9Ek2Zp7zE1RWmSCzzzUgTG6BFoTG1H4Fho/7Z8BXK/jybowXSZfqXnTOfhSF
-alwDdwlSJvfYNV9MbyvbxN8qZRU1z7PEWZrIzFDDToFRk0R71zHpnPTNIJ5/YXTw
-NqU9OxII8hMQj4ufF11040AJQZ7br3rzerlyBOB+Jd1zSPVrAPpeMyJppWFHSDAI
-WK6x+am13VIInXtqB/Cz4GBHLFK5d2/IYspVw47Solj8jiFEtnAq6+1Aq5WH3iB4
-bE2e6z00DSF93frwOyWN7WmPIoc2QsNRJhgfJC+isGQAwwq8xAbHEBeuyMG8GZjz
-xohg0H4bOSEujVLTjH1xbAG4DnhWO/1VXLX+LXELycO8ZQTcjj/4AQKuo4wvMPrv
-9A169oETG+VwQlNd74VBPGCvhnzwGXNbTK/KH1+WRH0YSb+41flB3NKhMSU6dGI0
-SGtIxDSHhVVNmx2/6XiT9U/znrZsG5Kw8nIbbFz+9MGUUWgJMsd1Zl9R8gz7V9fp
-n7L7y5LhJ8HOCMsY/Z7/7HUs+t/A1MI4g7Q5g5UuSZdgi0zxukiWuCkLeAiAP4y7
-zKK4OjJ644NDcWCHa36znwVmkz3ixL8Q0auR15Oqq2BjR/fyog==
-=84m8
------END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/files/gpg/RPM-GPG-KEY-EPEL-9 b/files/gpg/RPM-GPG-KEY-EPEL-9
deleted file mode 100644
index 0cc05ec..0000000
--- a/files/gpg/RPM-GPG-KEY-EPEL-9
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGE3mOsBEACsU+XwJWDJVkItBaugXhXIIkb9oe+7aadELuVo0kBmc3HXt/Yp
-CJW9hHEiGZ6z2jwgPqyJjZhCvcAWvgzKcvqE+9i0NItV1rzfxrBe2BtUtZmVcuE6
-2b+SPfxQ2Hr8llaawRjt8BCFX/ZzM4/1Qk+EzlfTcEcpkMf6wdO7kD6ulBk/tbsW
-DHX2lNcxszTf+XP9HXHWJlA2xBfP+Dk4gl4DnO2Y1xR0OSywE/QtvEbN5cY94ieu
-n7CBy29AleMhmbnx9pw3NyxcFIAsEZHJoU4ZW9ulAJ/ogttSyAWeacW7eJGW31/Z
-39cS+I4KXJgeGRI20RmpqfH0tuT+X5Da59YpjYxkbhSK3HYBVnNPhoJFUc2j5iKy
-XLgkapu1xRnEJhw05kr4LCbud0NTvfecqSqa+59kuVc+zWmfTnGTYc0PXZ6Oa3rK
-44UOmE6eAT5zd/ToleDO0VesN+EO7CXfRsm7HWGpABF5wNK3vIEF2uRr2VJMvgqS
-9eNwhJyOzoca4xFSwCkc6dACGGkV+CqhufdFBhmcAsUotSxe3zmrBjqA0B/nxIvH
-DVgOAMnVCe+Lmv8T0mFgqZSJdIUdKjnOLu/GRFhjDKIak4jeMBMTYpVnU+HhMHLq
-uDiZkNEvEEGhBQmZuI8J55F/a6UURnxUwT3piyi3Pmr2IFD7ahBxPzOBCQARAQAB
-tCdGZWRvcmEgKGVwZWw5KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAk4EEwEI
-ADgWIQT/itE0RZcQbs6BO5GKOHK/MihGfAUCYTeY6wIbDwULCQgHAgYVCgkICwIE
-FgIDAQIeAQIXgAAKCRCKOHK/MihGfFX/EACBPWv20+ttYu1A5WvtHJPzwbj0U4yF
-3zTQpBglQ2UfkRpYdipTlT3Ih6j5h2VmgRPtINCc/ZE28adrWpBoeFIS2YAKOCLC
-nZYtHl2nCoLq1U7FSttUGsZ/t8uGCBgnugTfnIYcmlP1jKKA6RJAclK89evDQX5n
-R9ZD+Cq3CBMlttvSTCht0qQVlwycedH8iWyYgP/mF0W35BIn7NuuZwWhgR00n/VG
-4nbKPOzTWbsP45awcmivdrS74P6mL84WfkghipdmcoyVb1B8ZP4Y/Ke0RXOnLhNe
-CfrXXvuW+Pvg2RTfwRDtehGQPAgXbmLmz2ZkV69RGIr54HJv84NDbqZovRTMr7gL
-9k3ciCzXCiYQgM8yAyGHV0KEhFSQ1HV7gMnt9UmxbxBE2pGU7vu3CwjYga5DpwU7
-w5wu1TmM5KgZtZvuWOTDnqDLf0cKoIbW8FeeCOn24elcj32bnQDuF9DPey1mqcvT
-/yEo/Ushyz6CVYxN8DGgcy2M9JOsnmjDx02h6qgWGWDuKgb9jZrvRedpAQCeemEd
-fhEs6ihqVxRFl16HxC4EVijybhAL76SsM2nbtIqW1apBQJQpXWtQwwdvgTVpdEtE
-r4ArVJYX5LrswnWEQMOelugUG6S3ZjMfcyOa/O0364iY73vyVgaYK+2XtT2usMux
-VL469Kj5m13T6w==
-=Mjs/
------END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/tasks/ceph_preinstall_dnf.yml b/tasks/ceph_preinstall_dnf.yml
index 298e841..9cdd6a5 100644
--- a/tasks/ceph_preinstall_dnf.yml
+++ b/tasks/ceph_preinstall_dnf.yml
@@ -13,33 +13,27 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Copy EPEL gpg keyfile to the key location
-  copy:
-    src: "gpg/{{ item.key | basename }}"
-    dest: "{{ item.key }}"
-    mode: '0644'
-  with_items: "{{ epel_gpg_keys }}"
-  when:
-    - ansible_facts['pkg_mgr'] == 'dnf'
-
-- name: Install EPEL gpg keys
-  rpm_key: "{{ key }}"
-  with_items: "{{ epel_gpg_keys }}"
-  loop_control:
-    loop_var: key
-  when:
-    - ansible_facts['pkg_mgr'] == 'dnf'
-  register: _add_epel_keys
-  until: _add_epel_keys is success
+- name: Download EPEL gpg keys
+  get_url:
+     url: "{{ ceph_centos_epel_key }}"
+     dest: /etc/pki/rpm-gpg
+  register: _get_yum_keys
+  until: _get_yum_keys is success
   retries: 5
   delay: 2
 
+- name: Install EPEL gpg keys
+  rpm_key:
+    key: "/etc/pki/rpm-gpg/{{ ceph_centos_epel_key.split('/')[-1] }}"
+    state: present
+
 - name: Install the EPEL repository
   yum_repository:
     name: ceph-client-deps
-    baseurl: "{{ (centos_epel_mirror | default ('http://download.fedoraproject.org/pub/epel')) ~ '/' ~ ansible_facts['distribution_major_version'] ~ '/Everything/' ~ ansible_facts['architecture'] }}"
+    baseurl: "{{ ceph_centos_epel_mirror ~ '/' ~ ansible_facts['distribution_major_version'] ~ '/Everything/' ~ ansible_facts['architecture'] }}"
     description: "Extra Packages for Enterprise Linux {{ ansible_facts['distribution_major_version'] }} - $basearch"
     gpgcheck: yes
+    gpgkey: "file:///etc/pki/rpm-gpg/{{ ceph_centos_epel_key.split('/')[-1] }}"
     enabled: yes
     state: present
     includepkgs: 'lttng-ust*, userspace-rcu, libbabeltrace, leveldb, liboath, fmt'
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 472f2a8..e3ab1b8 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -18,11 +18,6 @@ ceph_gpg_keys:
   # download.ceph.com/keys/release.asc
   - key: /etc/pki/rpm-gpg/ceph_com_keys_release
 
-# EPEL GPG Keys
-epel_gpg_keys:
-  # Extra Packages for Enterprise Linux
-  - key: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_facts['distribution_major_version'] }}"
-
 libvirt_packages:
   - libvirt-daemon-kvm
   - libvirt-client