Install haproxy without using apt-key. Unifies Debian and Ubuntu

Julien Girardin · Julien Girardin · commit 443bc1b59591 · 2023-11-29T10:25:30.000+01:00
diff --git a/roles/apiserver_haproxy/defaults/main.yml b/roles/apiserver_haproxy/defaults/main.yml
@@ -2,6 +2,8 @@
 apiserver_proxy_apiserver_port: 6443
 _apiserver_proxy_haproxy_version: '2.6.*'
 force_apt_update: false
+haproxy_repo_url: '{{ haproxy_upstream_repo_url }}'
+haproxy_gpg_url: '{{ haproxy_upstream_gpg_url }}'
 
 # From apiserver_docker
 apiserver_proxy_stack_dir: '/etc/docker-compose/apiserver-proxy'
diff --git a/roles/apiserver_haproxy/handlers/main.yml b/roles/apiserver_haproxy/handlers/main.yml
@@ -5,4 +5,4 @@
     state: reloaded
   when:
     - apiserver_docker_compose.stat.exists != True
-    - not(haproxy_repo_just_added is changed and ansible_check_mode)
+    - not(_haproxy_repo_just_added is changed and ansible_check_mode)
diff --git a/roles/apiserver_haproxy/tasks/haproxy_repo_Debian.yml b/roles/apiserver_haproxy/tasks/haproxy_repo_Debian.yml
@@ -1,19 +1,51 @@
 ---
+- name: 'Install software-properties-common if installing ppa'
+  apt:
+    name: software-properties-common
+  when: haproxy_repo_url.startswith('ppa:')
+
+- name: 'Create directory to store keys'
+  file:
+    dest: /etc/apt/keyrings
+    state: directory
+  register: _apt_keyring_directory
+  when: haproxy_gpg_url is not none and haproxy_gpg_url|length > 0
+
 - name: 'Add HAProxy repo signing key'
-  apt_key:
-    url: 'https://haproxy.debian.net/bernat.debian.org.gpg'
+  ansible.builtin.get_url:
+    url: '{{ haproxy_gpg_url }}'
+    dest: /etc/apt/keyrings/haproxy.asc
+    force: true
+  when:
+    - haproxy_gpg_url is not none and haproxy_gpg_url|length > 0
+    - not(_apt_keyring_directory is changed and ansible_check_mode)
+
+- name: 'Add the HAProxy repository (in dry-run to check change)'
+  apt_repository:
+    repo: '{{ haproxy_repo_url }}'
+    filename: haproxy
     state: present
+    update_cache: false
+  check_mode: true
+  register: _haproxy_repo_dry_run
+
+- name: 'Remove repository file if modification exists.'
+  file:
+    dest: /etc/apt/sources.list.d/haproxy.list
+    state: absent
+  when: _haproxy_repo_dry_run is changed
 
 - name: 'Add the HAProxy repository'
   apt_repository:
-    repo: 'deb http://haproxy.debian.net bullseye-backports-{{ _apiserver_proxy_haproxy_version | regex_replace("^(\d+[.]\d+)[.].+", "\1") }} main'
+    repo: '{{ haproxy_repo_url }}'
     filename: haproxy
     state: present
-  register: haproxy_repo_just_added
+    update_cache: false
+  register: _haproxy_repo_just_added
 
 - name: 'refresh source list'
   apt:
     update_cache: true
   when: >-
-    haproxy_repo_just_added is changed
+    _haproxy_repo_just_added is changed
     or force_apt_update|bool
diff --git a/roles/apiserver_haproxy/tasks/haproxy_repo_Ubuntu.yml b/roles/apiserver_haproxy/tasks/haproxy_repo_Ubuntu.yml
diff --git a/roles/apiserver_haproxy/tasks/main.yml b/roles/apiserver_haproxy/tasks/main.yml
@@ -2,8 +2,19 @@
 - name: 'Detect if compose-based apiserver proxy exists'
   include_tasks: upgrade_from_docker.yml
 
+- name: 'Include HAproxy OS variables'
+  include_vars: '{{ file_vars }}'
+  loop_control:
+    loop_var: file_vars
+  with_fileglob:
+    - 'vars/os_{{ ansible_os_family }}.yml'
+    - 'vars/os_{{ ansible_distribution }}.yml'
+    - 'vars/os_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml'
+
 - name: 'Add HAProxy repository'
-  include_tasks: '{{ item }}'
+  include_tasks: '{{ file_tasks }}'
+  loop_control:
+    loop_var: file_tasks
   with_first_found:
     - 'haproxy_repo_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml'
     - 'haproxy_repo_{{ ansible_distribution }}.yml'
@@ -27,7 +38,7 @@
     mode: 0600
   notify: 'Reload HAProxy'
   when:
-    - not(haproxy_repo_just_added is changed and ansible_check_mode)
+    - not(_haproxy_repo_just_added is changed and ansible_check_mode)
 
 - name: 'export vars'
   set_fact:
diff --git a/roles/apiserver_haproxy/tasks/pkg_Debian.yml b/roles/apiserver_haproxy/tasks/pkg_Debian.yml
@@ -1,13 +1,13 @@
 ---
-- name: 'Get version of kubelet package'
+- name: 'Get version of haproxy package'
   package_facts:
 
-- name: 'find version of kubeadm to install'
+- name: 'find version of haproxy to install'
   pkg_version_match:
     name: haproxy
     version: '{{ _apiserver_proxy_haproxy_version }}'
   when:
-    - not(haproxy_repo_just_added is changed and ansible_check_mode)
+    - not(_haproxy_repo_just_added is changed and ansible_check_mode)
     - packages.haproxy|default([])|select('match', _apiserver_proxy_haproxy_version)|list|length == 0
   register: haproxy_version
 
@@ -28,4 +28,4 @@
   apt:
     name: 'haproxy'
     state: 'present'
-  when: not(haproxy_repo_just_added is changed and ansible_check_mode)
+  when: not(_haproxy_repo_just_added is changed and ansible_check_mode)
diff --git a/roles/apiserver_haproxy/vars/os_Debian.yml b/roles/apiserver_haproxy/vars/os_Debian.yml
@@ -0,0 +1,4 @@
+---
+_haproxy_version: '{{ _apiserver_proxy_haproxy_version | regex_replace("^(\d+[.]\d+)[.].+", "\1") }}'
+haproxy_upstream_repo_url: 'deb [signed-by=/etc/apt/keyrings/haproxy.asc] http://haproxy.debian.net {{ ansible_distribution_release }}-backports-{{ _haproxy_version }}'
+haproxy_upstream_gpg_url: 'https://haproxy.debian.net/bernat.debian.org.gpg'
diff --git a/roles/apiserver_haproxy/vars/os_Ubuntu.yml b/roles/apiserver_haproxy/vars/os_Ubuntu.yml
@@ -0,0 +1,3 @@
+---
+haproxy_upstream_repo_url: 'ppa:vbernat/haproxy-{{ _haproxy_version }}'
+haproxy_upstream_gpg_url:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+haproxy_upstream_repo_url: 'ppa:vbernat/haproxy-{{ _haproxy_version }}'`
	`3`	`+haproxy_upstream_gpg_url:`