voxpupuli / puppet-gitlab_ci_runner

Module to manage gitlab CI runners. Extracted from https://github.com/voxpupuli/puppet-gitlab
Apache License 2.0

Module currently doesn't work on Debian-based systems due to missing Apt key on keyserver.ubuntu.com #128

Closed omeinderink closed 8 months ago

omeinderink commented 2 years ago

Hi,

On Debian and its derivatives the repo.pp manifest tells Puppet to attempt to download the Gitlab Apt signing key with the fingerprint F6403F6544A38863DAA0B6E03F01618A51312F3F and to add it to the trusted keys. The source for this key is $repo_keyserver, which is an optional parameter for the init.pp and is set to undef by default. https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/master/manifests/repo.pp#L19 https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/master/manifests/init.pp#L69

The repo.pp manifest uses a defined type from the puppetlabs-apt module (apt::source) to actually download the key. That module has some default values, and if no value for $keyserver is provided it uses a default value of "keyserver.ubuntu.com" https://github.com/puppetlabs/puppetlabs-apt/blob/main/manifests/params.pp#L21

Without going into more detail, in the end Puppet attempts to do this: /usr/bin/apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F6403F6544A38863DAA0B6E03F01618A51312F3F

The problem is that the Ubuntu keyserver doesn't seem to have this key any more. In fact, the Gitlab documentation only asks users to download the key from packages.gitlab.com and then add the local key file with apt-key. https://docs.gitlab.com/omnibus/update/package_signatures#package-repository-metadata-signing-keys

If I haven't missed anything this module effectively won't work at all on Debian-based systems until changes are made to it.

The puppetlabs-apt module's Apt::Key defined type has a parameter "source" that would probably fix this problem, as the key could be added directly from packages.gitlab.com: https://github.com/puppetlabs/puppetlabs-apt/blob/main/manifests/key.pp#L24

If you could confirm my findings (maybe I just missed the key on keyserver.ubuntu.com and it's actually there?) then I can create a PR to fix this issue.
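
The change proposed in the issue above, sketched as an added example that is not part of the original post and is not the module's own code: the key is pinned by its full fingerprint and fetched from an HTTPS URL instead of a keyserver. The class name `profile::gitlab_runner_apt` and its parameters are hypothetical; the key URL and repository location are left as required parameters because the issue does not give them.

```puppet
# Added example (hypothetical profile class, not code from puppet-gitlab_ci_runner).
# Requires puppetlabs-apt and puppetlabs-stdlib.
class profile::gitlab_runner_apt (
  # Assumption: the caller supplies the HTTPS URL of the key file published
  # on packages.gitlab.com. Stdlib::HTTPSUrl rejects plain http:// values.
  Stdlib::HTTPSUrl $key_source,
  # Assumption: the caller supplies the Apt repository URL.
  Stdlib::HTTPSUrl $location,
  # Full 40-character fingerprint quoted in the issue, never a short key id.
  Pattern[/\A[0-9A-F]{40}\z/] $key_id = 'F6403F6544A38863DAA0B6E03F01618A51312F3F',
) {
  include apt

  # With no 'source' (and no 'server') in the key hash, apt::source falls back
  # to the apt module's default keyserver, which is the failure the issue
  # describes. Giving 'source' makes the key come from the URL instead.
  apt::source { 'gitlab_runner':
    location => $location,
    release  => $facts['os']['distro']['codename'],
    repos    => 'main',
    key      => {
      'id'     => $key_id,
      'source' => $key_source,
    },
  }
}
```

After a Puppet run, `apt-key finger` on the node shows whether the fingerprint of the installed key is the one pinned in `$key_id`.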