As you may or may not know, the functionality provided by key_url in Salt's pkgrepo.managed is deprecated in Debian Bullseye and replaced by explicitly defining the signing key in the repo definition. Ideally pkgrepo.managed would understand that this is Bullseye and create a keyring for us from the key_url, but this is not currently the case.
I need to use an internal mirrored repository of salt with a mirrored version of the key_url and pkgrepo_keyring available, but the state salt-pkgrepo-install-saltstack-debian keeps on failing because salt can't apt-key add the key_url, since the functionality is deprecated. salt-formula currently handles the keyring outside of pkgrepo.managed, so everything should be fine as long as you provide the signed-by file in the repo definition.
The fix is easy, however. Either:
- Don't add the key_url kwarg in salt-pkgrepo-install-saltstack-debian for Debian Bullseye by default
- ...or give us a pillar-configurable way to not use key_url in the state. I tried no value and '', but those are invalid values. Bullseye needs to not have it set at all with the current pkgrepo.managed state.
Steps to reproduce the bug
Change to non-default pkgrepo and key_url on bullseye (or you could probably also just remove the existing global apt-key and repo and use the defaults in this state, but not tested)
[ERROR ] Command 'apt-key' failed with return code: 2
[ERROR ] stderr: Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: no valid OpenPGP data found.
[ERROR ] retcode: 2
[ERROR ] Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/files.py:385: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  f_handle = open(*args, **kwargs) # pylint: disable=resource-leakage
local:
----------
ID: salt-pkgrepo-install-saltstack-debian
Function: pkgrepo.managed
Name: deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main
Result: False
Comment: Failed to configure repo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main': Error: failed to add key from https://mirror.example.com/keys/salt.asc
Started: 13:44:01.126825
Duration: 171.904 ms
Changes:
Expected behaviour
salt-pkgrepo-install-saltstack-debian should work on Debian Bullseye with custom pkgrepo and pkgrepo_keyring without the unneeded key_url.
Attempts to fix the bug
Just commenting out key_url in salt-pkgrepo-install-saltstack-debian in the formula removes the issue on Bullseye, but obviously this should be controlled by a toggle in os*.yaml or something.
Your setup
Formula commit hash / release tag
1.9.4: 99b14699f3f2eedf9f01081e218c1d29112f3a88
Versions reports (master & minion)
Pillar / config used
pillar config:
Additional context
salt.asc was downloaded from this url: https://repo.saltproject.io/py3/debian/11/amd64/latest/SALTSTACK-GPG-KEY.pub
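
The approach described in this report, sketched as an added example (not part of the original report and not the formula's own code): the keyring is installed as a hash-pinned file, the repo line scopes trust to it with signed-by, and key_url is only rendered when a toggle asks for it. The state IDs, the `salt_repo:use_key_url` pillar key, the keyring URL and the list file path are hypothetical; the hash is a placeholder to fill in from your own mirror.

```yaml
# Added illustration. State IDs, the pillar key and the keyring URL are
# hypothetical; the repo line and key_url are the ones shown in the report.
{% set keyring = '/usr/share/keyrings/salt-archive-keyring.gpg' %}
{% set use_key_url = salt['pillar.get']('salt_repo:use_key_url', False) %}

# Install the keyring as a plain file, pinned to a known hash, so the state
# fails closed if the mirrored file is replaced or corrupted.
example-salt-keyring:
  file.managed:
    - name: {{ keyring }}
    - source: https://mirror.example.com/keys/salt-archive-keyring.gpg  # constructed URL
    - source_hash: sha256=<SHA256_OF_YOUR_MIRRORED_KEYRING>  # placeholder
    - user: root
    - group: root
    - mode: '0644'

# signed-by limits this key to this one repository, unlike a key added with
# apt-key, which is trusted for every configured source.
example-salt-repo:
  pkgrepo.managed:
    - name: deb [signed-by={{ keyring }}] https://nexus.example.com/repository/debian-bullseye-amd64-salt bullseye main
    - file: /etc/apt/sources.list.d/salt.list
{% if use_key_url %}
    # Legacy path only: passing key_url is what makes pkgrepo.managed call
    # apt-key, which fails on Bullseye as shown in the log above.
    - key_url: https://mirror.example.com/keys/salt.asc
{% endif %}
    - require:
      - file: example-salt-keyring
```

With the toggle left at its default of False, no key_url line is rendered at all, which is the condition the report says Bullseye needs.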