Task failed: The repository is not signed.

[JorgeMGuimaraes]

Hello, everyone,

I am running this beautiful module on Debian 12 and the log can be found below:

Environment

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"


$ uname -a
Linux containers 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 GNU/Linux

(client): $ python3 --version
Python 3.11.2

(controller): $ python --version
Python 3.11.2

Log

PLAY [Setup Containers Instance] ****************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************
[WARNING]: Platform linux on host 192.168.122.226 is using the discovered Python interpreter at /usr/bin/python3.11, but future installation of another
Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.18/reference_appendices/interpreter_discovery.html for
more information.
ok: [192.168.122.226]

TASK [rename_hostname : Get current hostname] ***************************************************************************************************************
ok: [192.168.122.226]

TASK [rename_hostname : Check if hostname needs updating] ***************************************************************************************************
ok: [192.168.122.226]

TASK [rename_hostname : Update hostname] ********************************************************************************************************************
changed: [192.168.122.226]

TASK [rename_hostname : Update /etc/hostname file] **********************************************************************************************************
ok: [192.168.122.226]

TASK [rename_hostname : Update /etc/hosts file] *************************************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : Load OS-specific vars.] **********************************************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : include_tasks] *******************************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : include_tasks] *******************************************************************************************************************
included: /home/iacmanager/.ansible/roles/geerlingguy.docker/tasks/setup-Debian.yml for 192.168.122.226

TASK [geerlingguy.docker : Ensure apt key is not present in trusted.gpg.d] **********************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure old apt source list is not present in /etc/apt/sources.list.d] ************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure the repo referencing the previous trusted.gpg.d key is not present] *******************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure old versions of Docker are not installed.] ********************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure dependencies are installed.] **********************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : Ensure directory exists for /etc/apt/keyrings] ***********************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Add Docker apt key.] *************************************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : Ensure curl is present (on older systems without SNI).] **************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Add Docker apt key (alternative for older systems without SNI).] *****************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Add Docker repository.] **********************************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : Install Docker packages.] ********************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Install Docker packages (with downgrade option).] ********************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : Install docker-compose plugin.] **************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Install docker-compose-plugin (with downgrade option).] **************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure /etc/docker/ directory exists.] *******************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Configure Docker daemon options.] ************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Ensure Docker is started and enabled at boot.] ***********************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.docker : Ensure handlers are notified now to avoid firewall conflicts.] *******************************************************************

RUNNING HANDLER [geerlingguy.docker : restart docker] *******************************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.docker : include_tasks] *******************************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Get docker group info using getent.] *********************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : Check if there are any users to add to the docker group.] ************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.docker : include_tasks] *******************************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.kubernetes : Include OS-specific variables.] **********************************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.kubernetes : include_tasks] ***************************************************************************************************************
skipping: [192.168.122.226]

TASK [geerlingguy.kubernetes : include_tasks] ***************************************************************************************************************
included: /home/iacmanager/.ansible/roles/geerlingguy.kubernetes/tasks/setup-Debian.yml for 192.168.122.226

TASK [geerlingguy.kubernetes : Ensure dependencies are installed.] ******************************************************************************************
ok: [192.168.122.226]

TASK [geerlingguy.kubernetes : Add Kubernetes repository.] **************************************************************************************************
changed: [192.168.122.226]

TASK [geerlingguy.kubernetes : Update Apt cache.] ***********************************************************************************************************
[WARNING]: Failed to update cache after 1 retries due to W:GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb
InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436 isv:kubernetes OBS Project <isv:[email protected]>, E:The
repository 'https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease' is not signed., retrying
[WARNING]: Sleeping for 1 seconds, before attempting to refresh the cache again
[WARNING]: Failed to update cache after 2 retries due to W:Updating from such a repository can't be done securely, and is therefore disabled by default.,
W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://prod-
cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb  InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436
isv:kubernetes OBS Project <isv:[email protected]>, E:The repository 'https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease' is not signed.,
retrying
[WARNING]: Sleeping for 2 seconds, before attempting to refresh the cache again
[WARNING]: Failed to update cache after 3 retries due to W:Updating from such a repository can't be done securely, and is therefore disabled by default.,
W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://prod-
cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb  InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436
isv:kubernetes OBS Project <isv:[email protected]>, E:The repository 'https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease' is not signed.,
retrying
[WARNING]: Sleeping for 4 seconds, before attempting to refresh the cache again
[WARNING]: Failed to update cache after 4 retries due to W:Updating from such a repository can't be done securely, and is therefore disabled by default.,
W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://prod-
cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb  InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436
isv:kubernetes OBS Project <isv:[email protected]>, E:The repository 'https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease' is not signed.,
retrying
[WARNING]: Sleeping for 8 seconds, before attempting to refresh the cache again
[WARNING]: Failed to update cache after 5 retries due to W:Updating from such a repository can't be done securely, and is therefore disabled by default.,
W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://prod-
cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb  InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436
isv:kubernetes OBS Project <isv:[email protected]>, E:The repository 'https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease' is not signed.,
retrying
[WARNING]: Sleeping for 12 seconds, before attempting to refresh the cache again
fatal: [192.168.122.226]: FAILED! => changed=false 
  msg: 'Failed to update apt cache after 5 retries: W:Updating from such a repository can''t be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.25/deb  InRelease: The following signatures were invalid: EXPKEYSIG 234654DA9A296436 isv:kubernetes OBS Project <isv:[email protected]>, E:The repository ''https://pkgs.k8s.io/core:/stable:/v1.25/deb  InRelease'' is not signed.'

PLAY RECAP **************************************************************************************************************************************************
192.168.122.226            : ok=24   changed=8    unreachable=0    failed=1    skipped=12   rescued=0    ignored=0

I manually changed version from 1.25 to 1.32 (latest as for now) na dthen then,m the error message change to:

TASK [geerlingguy.kubernetes : Initialize Kubernetes control plane with kubeadm init and ignore_preflight_errors] *******************************************
fatal: [192.168.122.226]: FAILED! => changed=true 
  cmd:
  - kubeadm
  - init
  - --config
  - /etc/kubernetes/kubeadm-kubelet-config.yaml
  - --ignore-preflight-errors=all
  delta: '0:00:00.761650'
  end: '2025-04-11 23:28:34.573825'
  msg: non-zero return code
  rc: 1
  start: '2025-04-11 23:28:33.812175'
  stderr: |-
    W0411 23:28:33.828033    4352 common.go:101] your configuration file uses a deprecated API spec: "kubeadm.k8s.io/v1beta3" (kind: "ClusterConfiguration"). Please use 'kubeadm config migrate --old-config old.yaml --new-config new.yaml', which will write the new, similar spec using a newer API version.
    W0411 23:28:33.828232    4352 common.go:101] your configuration file uses a deprecated API spec: "kubeadm.k8s.io/v1beta3" (kind: "InitConfiguration"). Please use 'kubeadm config migrate --old-config old.yaml --new-config new.yaml', which will write the new, similar spec using a newer API version.
    W0411 23:28:34.519714    4352 checks.go:1077] [preflight] WARNING: Couldn't create the interface used for talking to the container runtime: failed to create new CRI runtime service: validate service connection: validate CRI v1 runtime API for endpoint "unix:///var/run/containerd/containerd.sock": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService
            [WARNING Swap]: swap is supported for cgroup v2 only. The kubelet must be properly configured to use swap. Please refer to https://kubernetes.io/docs/concepts/architecture/nodes/#swap-memory, or disable swap on the node
    error execution phase preflight: [preflight] Some fatal errors occurred:
    failed to create new CRI runtime service: validate service connection: validate CRI v1 runtime API for endpoint "unix:///var/run/containerd/containerd.sock": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
    To see the stack trace of this error execute with --v=5 or higher
  stderr_lines: <omitted>
  stdout: |-
    [init] Using Kubernetes version: v1.32.3
    [preflight] Running pre-flight checks
    [preflight] Pulling images required for setting up a Kubernetes cluster
    [preflight] This might take a minute or two, depending on the speed of your internet connection
    [preflight] You can also perform this action beforehand using 'kubeadm config images pull'
  stdout_lines: <omitted>

PLAY RECAP **************************************************************************************************************************************************
192.168.122.226            : ok=31   changed=7    unreachable=0    failed=1    skipped=17   rescued=0    ignored=0   

[abermea]

I fixed this error by doing this

    - role: geerlingguy.kubernetes
      kubernetes_version: '1.33'
      kubernetes_apt_release_channel: "stable"
      kubernetes_apt_repository: "https://pkgs.k8s.io/core:/{{ kubernetes_apt_release_channel }}:/v{{ kubernetes_version }}/deb"```

[github-actions[bot]]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[github-actions[bot]]

This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.