Install haproxy without using apt-key. Unifies Debian and Ubuntu

Author: Julien Girardin

roles/apiserver_haproxy/defaults/main.yml

@@ -2,6 +2,8 @@
 apiserver_proxy_apiserver_port: 6443
 _apiserver_proxy_haproxy_version: '2.6.*'
 force_apt_update: false
+haproxy_repo_url: '{{ haproxy_upstream_repo_url }}'
+haproxy_gpg_url: '{{ haproxy_upstream_gpg_url }}'
 
 # From apiserver_docker
 apiserver_proxy_stack_dir: '/etc/docker-compose/apiserver-proxy'

roles/apiserver_haproxy/tasks/haproxy_repo_Debian.yml

@@ -1,19 +1,56 @@
 ---
+- name: 'Install software-properties-common if installing ppa'
+  apt:
+    name: software-properties-common
+  when: haproxy_repo_url.startswith('ppa:')
+
+- name: 'Create directory to store keys'
+  file:
+    dest: /etc/apt/keyrings
+    state: directory
+  register: _apt_keyring_directory
+  when: haproxy_gpg_url is not none and haproxy_gpg_url|length > 0
+
 - name: 'Add HAProxy repo signing key'
-  apt_key:
-    url: 'https://haproxy.debian.net/bernat.debian.org.gpg'
+  ansible.builtin.get_url:
+    url: '{{ haproxy_gpg_url }}'
+    dest: /etc/apt/keyrings/haproxy.asc'
     state: present
+    force: true
+  when:
+    - haproxy_gpg_url is not none and haproxy_gpg_url|length > 0
+    - not(_apt_keyring_directory is changed and ansible_check_mode)
+
+- name: 'Add the HAProxy repository'
+  apt_repository:
+    repo: '{{ haproxy_repo_url }}'
+    filename: haproxy
+    state: present
+  register: _haproxy_repo_just_added
+
+- name: 'Add the HAProxy repository (in dry-run to check change)'
+  apt_repository:
+    repo: '{{ haproxy_repo_url }}'
+    filename: haproxy
+    state: present
+  register: _haproxy_repo_dry_run
+
+- name: Remove repository file if modification exists.
+  file:
+    dest: /etc/apt/sources.list.d/haproxy.list
+    state: absent
+  when: _haproxy_repo_dry_run is changed
 
 - name: 'Add the HAProxy repository'
   apt_repository:
-    repo: 'deb http://haproxy.debian.net bullseye-backports-{{ _apiserver_proxy_haproxy_version | regex_replace("^(\d+[.]\d+)[.].+", "\1") }} main'
+    repo: '{{ haproxy_repo_url }}'
     filename: haproxy
     state: present
-  register: haproxy_repo_just_added
+  register: _haproxy_repo_just_added
 
 - name: 'refresh source list'
   apt:
     update_cache: true
   when: >-
-    haproxy_repo_just_added is changed
+    _haproxy_repo_just_added is changed
     or force_apt_update|bool

roles/apiserver_haproxy/tasks/haproxy_repo_Ubuntu.yml

@@ -2,8 +2,19 @@
 - name: 'Detect if compose-based apiserver proxy exists'
   include_tasks: upgrade_from_docker.yml
 
+- name: 'Include HAproxy OS variables'
+  include_vars: '{{ file_vars }}'
+  loop_control:
+    loop_var: file_vars
+  with_fileglob:
+    - 'vars/os_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml'
+    - 'vars/os_{{ ansible_distribution }}.yml'
+    - 'vars/os_{{ ansible_os_family }}.yml'
+
 - name: 'Add HAProxy repository'
-  include_tasks: '{{ item }}'
+  include_tasks: '{{ file_tasks }}'
+  loop_control:
+    loop_var: file_tasks
   with_first_found:
     - 'haproxy_repo_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml'
     - 'haproxy_repo_{{ ansible_distribution }}.yml'

roles/apiserver_haproxy/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+_haproxy_version: '{{ _apiserver_proxy_haproxy_version | regex_replace("^(\d+[.]\d+)[.].+", "\1") }}'
+haproxy_upstream_repo_url: 'deb [signed-by=/usr/share/keyrings/haproxy.asc] http://haproxy.debian.net {{ ansible_distribution_release }}-backports-{{ _haproxy_version }}'
+haproxy_upstream_gpg_url: 'https://haproxy.debian.net/bernat.debian.org.gpg'

roles/apiserver_haproxy/vars/os_Debian.yml

@@ -0,0 +1,3 @@
+---
+haproxy_upstream_repo_url: 'ppa:vbernat/haproxy-{{ _haproxy_version }}'
+haproxy_upstream_gpg_url: