ansible-role-kubernetes
Add Kubernetes apt key fails
Hi, I am using this role for the first time to install Kubernetes on 2 Ubuntu 20.04 VMs. During script execution the following task fails:
TASK [geerlingguy.kubernetes : Add Kubernetes apt key.] **************************************************************************************************************
fatal: [worker01]: FAILED! => {"changed": false, "msg": "Unable to extract key from '-'", "stderr": "gpg: WARNING: no command supplied. Trying to guess what you mean ...\ngpg: [don't know]: invalid packet (ctb=0a)\n", "stderr_lines": ["gpg: WARNING: no command supplied. Trying to guess what you mean ...", "gpg: [don't know]: invalid packet (ctb=0a)"], "stdout": "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:\nuid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):\nsub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::\npub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:\nuid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <[email protected]>:\nsub:-:2048:1:48419E688DD52AC0:1607040606::::\n", "stdout_lines": ["pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:", "uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):", "sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::", "pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:", "uid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <[email protected]>:", "sub:-:2048:1:48419E688DD52AC0:1607040606::::"]}
Related to this code
- name: Add Kubernetes apt key.
  apt_key:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    state: present
  register: add_repository_key
  ignore_errors: "{{ kubernetes_apt_ignore_key_error }}"
Following the steps from the kubeadm documentation works flawlessly https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
Any ideas why the task fails?
I've recently run into this as well on a Debian host. It appears that apt_key only works correctly when provided a text-like GPG key, like the Docker apt key at https://download.docker.com/linux/debian/gpg, and the formatting of the Google key at https://packages.cloud.google.com/apt/doc/apt-key.gpg for k8s is problematic for Ansible.
How I've managed to get this to work is by replacing the apt_key with a curl and changing the default/main.yml kubernetes_apt_repository value.
ansible-role-kubernetes/tasks/setup-Debian.yml
- name: Get k8's apt key
  get_url:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    dest: /usr/share/keyrings/kubernetes-archive-keyring.gpg
ansible-role-kubernetes/defaults/main.yml
kubernetes_apt_repository: "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] http://apt.kubernetes.io/ kubernetes-xenial {{ kubernetes_apt_release_channel }}"
This more closely mirrors the official documentation to my knowledge.
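A pre-install check for a key fetched this way, as an added example that is not part of the thread or of the role: it classifies the downloaded bytes as armored or binary OpenPGP and audits a colon-format key listing against pinned key IDs and expiry dates. The function names and the pinned set are assumptions; the sample listing is taken from the failed task's stdout quoted above.

```python
import time

# Constructed sample: the colon-format listing from the failed task's stdout
# above, with the second uid shortened.
SAMPLE_LISTING = """\
pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:
uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):
sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::
pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:
uid:::::::::gLinux Rapture Automatic Signing Key:
sub:-:2048:1:48419E688DD52AC0:1607040606::::
"""

# Assumption: key IDs the operator has confirmed out of band. Full
# fingerprints (fpr records) are a stronger pin when the listing has them.
PINNED_KEY_IDS = {"FEEA9169307EA071", "8B57C5C2836F4BEB"}


def key_format(data: bytes) -> str:
    """Return 'armored', 'binary' or 'unknown' for downloaded key bytes."""
    if data.lstrip().startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "armored"
    if not data or not data[0] & 0x80:
        # Every OpenPGP packet header has bit 7 set; 0x0a (the ctb gpg
        # complained about) does not.
        return "unknown"
    first = data[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return "binary" if tag == 6 else "unknown"  # tag 6 = public-key packet


def primary_keys(listing: str) -> list:
    """Parse the pub/uid records of a colon-format key listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "expires": int(f[6]) if f[6] else None, "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def audit(listing: str, pinned: set, now: float = None) -> list:
    """List reasons not to install the keyring; an empty list means it passed."""
    now = time.time() if now is None else now
    problems = []
    for key in primary_keys(listing):
        if key["keyid"] not in pinned:
            problems.append("unexpected key " + key["keyid"])
        elif key["expires"] is not None and key["expires"] <= now:
            problems.append("expired key " + key["keyid"])
    return problems
```

A keyring saved under a .gpg name, as in the workaround, should classify as binary; apt reads ASCII-armored keys from files named .asc.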
@DaveDesrochers that worked for me. Thank you for the input!
Are you planning on creating a PR? Do you know if @geerlingguy will change the behavior? Your solution worked for me too :) It would be amazing to have it upstream in this role :)
This might also be related to an upstream Ansible bug geerling's already keeping an eye on. It doesn't feel right to put a workaround to an upstream bug as part of the formal codebase here.
https://github.com/ansible/ansible/issues/74770 https://github.com/geerlingguy/ansible-role-php/issues/332
I'm not actually using this role either. I was using geerling's tutorials to learn Ansible by automating my RPi K8s deployment. When I got stuck I was referencing this role for help. I'm not 100% sure if what I suggested has negative side effects since I haven't got Molecule working either. I was using this weird setup with Vagrant for testing.
All that being said, I do wish there was a better way to handle this workaround. Maybe put a notice or 'workaround' branch to make this more visible until Ansible fixes it upstream?
@DaveDesrochers - You're correct—since this seems to be an issue with a specific version of Ansible, I'd rather not toss in a short-term workaround that won't be necessary once people have upgraded to the latest versions of Ansible that fix it.
That said, is this released yet in a public version of Ansible?
@geerlingguy - I think it might be limited to rolling release distros. My desktop is Arch Linux and I did run into this. It might also show up if you install Ansible via pip, as that tends to be more up to date than OS repos, but I would have to double check.
(Can anyone confirm if this has been fixed in the latest Ansible versions?)
I observed the apt_key error with ansible-core 2.11.0; after pip upgrading to 2.11.3, the problem with apt_key appears to be resolved. Be aware that I've not run this role in its entirety as I don't have a testing env for it.
For the sake of clarity, it seems that this was present in the version of Ansible available through pip at the time this was reported. My original statement about being limited to rolling distros was incorrect, as I installed via pip, not the distro's package manager.
As apt-key is deprecated (at least in Ubuntu), I guess we should also remove it here and replace it with "the new way to go". Maybe this can help: https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
See: https://www.jeffgeerling.com/blog/2022/aptkey-deprecated-debianubuntu-how-fix-ansible
I've created a pull request #143 to change the method of importing the apt key to using /etc/trusted.gpg.d/ instead of apt-key.