sighupio / fury-kubernetes-on-premises

Kubernetes Fury Distribution On-Premises Core Module: Create on-prem Kubernetes Clusters
BSD 3-Clause "New" or "Revised" License

Google's GPG key for APT has been rotated #42

Closed ralgozino closed 7 months ago

ralgozino commented 1 year ago

Our kube-common role has a hardcoded value for the Public GPG key ID for the Google Cloud APT repository that is used to install Kubernetes packages:

https://github.com/sighupio/fury-kubernetes-on-premises/blob/b4bfa03638a1c7e253be73bca6e08f61d2258938/roles/kube-node-common/vars/main.yml#L7

the new key ID is:

$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg -v -
gpg: enabled compatibility flags:
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2022-05-21 [SC]
      A362B822F6DEDC652817EA46B53DC80D13EDEF05
uid           Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sig        B53DC80D13EDEF05 2022-05-21   [selfsig]
sub   rsa2048 2022-05-21 [E]
sig        B53DC80D13EDEF05 2022-05-21   [keybind]

so

A362B822F6DEDC652817EA46B53DC80D13EDEF05

This key seems to get rotated often, should we evaluate dropping the hardcoded ID in the ansible role? Otherwise each time we'll have to patch most of the latest on-prem releases.

Another option, that would require manual intervention from the user, would be to document this case and explain how to override the ID. The issue with this approach is that it is not possible to override a single key of a dictionary without changing the merge behaviour for all the roles.

I tried overriding it in the hosts.ini, which did not work; I migrated all my inventory to hosts.yaml, and it did not work either (it doesn't even complain, the custom value gets ignored). The only way to override the value was using the extra vars flag: ansible-playbook 3.cluster.yml --extra-vars='{"kubernetes_repo": {"apt_gpg_key_id": "A362B822F6DEDC652817EA46B53DC80D13EDEF05"}}'

So, if we want to go with override I think we'll need to do a little refactoring and maybe use a single var for the GPG Key ID.
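
The check below is an added example and not code from the fury-kubernetes-on-premises role: a small Python script that parses the key file the role downloads (binary or ASCII-armored, per RFC 4880), computes the v4 fingerprint of the primary key and compares it with a pinned value. It accepts either the full 40-hex fingerprint (A362B822F6DEDC652817EA46B53DC80D13EDEF05 above) or the 16-hex long key ID (B53DC80D13EDEF05 in the `sig` lines above), which is simply the last 16 hex digits of the fingerprint. The sample key it builds for itself uses a toy modulus and is not a real Google key; the script name and the command-line arguments are placeholders.

```python
"""Added example (not code from the fury-kubernetes-on-premises role): verify that
an APT signing key file carries the pinned OpenPGP fingerprint (RFC 4880 v4)."""
import base64
import hashlib
import struct
import sys

PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14  # OpenPGP packet tags


def dearmor(data: bytes) -> bytes:
    """Return raw OpenPGP bytes; strips ASCII armor if the file is armored."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    state, body = "pre", []
    for line in data.decode("ascii").splitlines():
        if state == "pre" and line.startswith("-----BEGIN"):
            state = "hdr"                 # armor headers run until a blank line
        elif state == "hdr" and line.strip() == "":
            state = "b64"
        elif state == "b64":
            if line.startswith("=") or line.startswith("-----END"):
                break                     # '=' begins the CRC-24 trailer
            body.append(line.strip())
    return base64.b64decode("".join(body))


def armor(raw: bytes) -> bytes:
    """ASCII-armor raw packets (no CRC trailer; dearmor() does not need it)."""
    return (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(raw)
            + b"\n-----END PGP PUBLIC KEY BLOCK-----\n")


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"byte at offset {pos - 1} is not a packet header")
        if ctb & 0x40:                            # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths do not occur in key files")
        else:                                     # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        yield tag, data[pos:pos + length]
        pos += length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_fingerprints(data: bytes) -> list:
    """Return [(tag, fingerprint)] for the primary key and each subkey, in file order."""
    return [(tag, v4_fingerprint(body)) for tag, body in iter_packets(dearmor(data))
            if tag in (PUBLIC_KEY, PUBLIC_SUBKEY)]


def matches_pinned(data: bytes, pinned: str) -> bool:
    """True if the primary key matches the pin: a 40-hex fingerprint or the
    16-hex long key ID, i.e. the fingerprint's last 16 hex digits (what gpg prints)."""
    want = pinned.replace(" ", "").upper()
    if len(want) not in (16, 40):
        raise ValueError("pin a 40-hex fingerprint or a 16-hex long key ID")
    primary = [fpr for tag, fpr in key_fingerprints(data) if tag == PUBLIC_KEY]
    return bool(primary) and primary[0].endswith(want)


def make_test_key(created: int = 1653091200) -> bytes:
    """Constructed v4 RSA public-key packet with a toy modulus; NOT a real key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(0xC0FFEE1234567) + mpi(65537)
    return bytes([0x98 | 0x01]) + struct.pack(">H", len(body)) + body  # old format, tag 6


if __name__ == "__main__":
    # Placeholder usage: python3 check_apt_key.py apt-key.gpg A362B822F6DEDC652817EA46B53DC80D13EDEF05
    key_bytes = open(sys.argv[1], "rb").read()
    sys.exit(0 if matches_pinned(key_bytes, sys.argv[2]) else 1)
```

Run it against the downloaded file before piping it into `apt-key add` or dropping it into /etc/apt/trusted.gpg.d/: a non-zero exit means the key in the file is not the one the role pins, which is exactly the situation this issue describes after a rotation. Comparing against the full fingerprint rather than the 16-hex ID is the safer default, since the long ID is only a suffix of it.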

ralgozino commented 7 months ago

Closing because Google's repo has been deprecated and packages are installed from a Kubernetes community repository instead; there's no indication of the key rotating in the installation instructions: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl