Hashicorp package repos and cloud-init

Anyone here managed to get the addition of the Hashicorp apt repos baked into cloud-init? The current config I have, which I haven't touched for a long while, appears to have stopped working. Here is what I have in my cloud-init currently:


# setup the Hashicorp Debian repo https://learn.hashicorp.com/tutorials/vault/getting-started-install
apt:
  preserve_sources_list: true
  sources:
    hashicorp:
      source: "deb [arch=amd64] https://apt.releases.hashicorp.com focal main"
      key: |
        ----BEGIN PGP PUBLIC KEY BLOCK-----

        mQINBGO9u+MBEADmE9i8rpt8xhRqxbzlBG06z3qe+e1DI+SyjscyVVRcGDrEfo+J
        W5UWw0+afey7HFkaKqKqOHVVGSjmh6HO3MskxcpRm/pxRzfni/OcBBuJU2DcGXnG
        nuRZ+ltqBncOuONi6Wf00McTWviLKHRrP6oWwWww7sYF/RbZp5xGmMJ2vnsNhtp3

...<SNIP SNIP>...

Cloud-init reports the following error though:

2023-10-23 23:32:27,334 - util.py[WARNING]: Gpg error, failed to add key: ----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGO9u+MBEADmE9i8rpt8xhRqxbzlBG06z3qe+e1DI+SyjscyVVRcGDrEfo+J
W5UWw0+afey7HFkaKqKqOHVVGSjmh6HO3MskxcpRm/pxRzfni/OcBBuJU2DcGXnG
nuRZ+ltqBncOuONi6Wf00McTWviLKHRrP6oWwWww7sYF/RbZp5xGmMJ2vnsNhtp3

The page at Official Packaging Guide describes some scripted steps to set up the repo on the Ubuntu VM. I'm wondering if anyone here has achieved the same outcome using cloud-init. Cloud-init docs ref: Cloud config examples - cloud-init 23.3.1 documentation
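Added example (the editor's, not code from the thread, cloud-init or HashiCorp): a standard-library-only Python pre-flight check for the armored key before it is pasted into cloud-config. It strips the ASCII armor the way gpg would, verifies the CRC-24 trailer, parses the primary Public-Key packet and computes the v4 fingerprint, so the key can be compared against the fingerprint the Official Packaging Guide publishes instead of eyeballing the first base64 lines. It also reports the defect visible in the key block above: an OpenPGP armor header has five leading dashes, the one pasted above has four, and gpg will not treat the block as OpenPGP data, which is all cloud-init's "Gpg error, failed to add key" tells you. The sample key is a constructed 15-byte toy packet, not a real key, and the timestamp and MPI values are invented.

```python
"""Pre-flight check for an ASCII-armored PGP key destined for cloud-config (added example)."""
import base64
import binascii
import hashlib
import struct
import time

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"   # exactly five dashes (RFC 4880 s6.2)
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 s6.1): init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the CRC-24 trailer and return the binary packets.

    Raises ValueError with the concrete reason gpg would reject the block.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first != ARMOR_BEGIN:
        raise ValueError(f"bad armor header: {first!r}")
    if lines[-1] != ARMOR_END:
        raise ValueError(f"bad armor footer: {lines[-1]!r}")
    if "" not in lines:
        raise ValueError("missing blank line between armor headers and body")
    body = lines[lines.index("") + 1:-1]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    try:
        payload = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if crc_line is not None:
        want = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if want != crc24(payload):
            raise ValueError("CRC-24 mismatch: the key was corrupted or edited")
    return payload


def primary_key_info(packets: bytes) -> dict:
    """Parse the first packet, which must be a v4 Public-Key packet (tag 6).

    Fingerprint per RFC 4880 s12.2: SHA-1 over 0x99, 2-byte body length, body.
    """
    if not packets or not packets[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    ctb = packets[0]
    if ctb & 0x40:                              # new-format header (s4.2.2)
        tag, first = ctb & 0x3F, packets[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packets[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", packets[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:                                       # old-format header (s4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(packets[1:1 + size], "big"), 1 + size
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected Public-Key (6)")
    body = packets[off:off + length]
    if len(body) != length:
        raise ValueError("truncated key packet")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5], "fingerprint": fpr}


def check_key(text: str) -> dict:
    """Validate an armored key block and return its primary-key details."""
    return primary_key_info(dearmor(text))


def describe(text: str) -> str:
    """One-line verdict suitable for a CI log."""
    try:
        info = check_key(text)
    except ValueError as exc:
        return f"REJECT: {exc}"
    created = time.strftime("%Y-%m-%d", time.gmtime(info["created"]))
    return f"OK: v4 key, algo {info['algorithm']}, created {created}, fingerprint {info['fingerprint']}"


def armor(payload: bytes) -> str:
    """Wrap binary packets in ASCII armor with a CRC-24 trailer (used for the sample)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"{ARMOR_BEGIN}\n\n{body}\n={crc}\n{ARMOR_END}\n"


# Constructed toy v4 RSA public-key packet: version, creation time, algo 1, MPI n, MPI e.
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1700000000) + b"\x01"
               + b"\x00\x10\xc0\xa1" + b"\x00\x11\x01\x00\x01")
SAMPLE_PACKET = bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY   # old-format tag 6, 1-byte length
SAMPLE_ARMORED = armor(SAMPLE_PACKET)
BROKEN_ARMORED = SAMPLE_ARMORED.replace(ARMOR_BEGIN, ARMOR_BEGIN[1:], 1)   # four-dash header

if __name__ == "__main__":
    print(describe(SAMPLE_ARMORED))
    print(describe(BROKEN_ARMORED))
```

Run it over the exact text that sits under `key: |` in the cloud-config (indentation is stripped, so a copy of the YAML block is fine) and compare the printed fingerprint with the one in the packaging guide before the image is built. The CRC-24 catches transcription damage only; the fingerprint comparison is what establishes that the key is the vendor's.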

Hi @abest,

Earlier this year (in April) the original signing key for this repository was revoked because we were unable to prove that its private counterpart wasn’t exposed by a CircleCI security incident. If the last time this was working for you was during or before April then this might be the cause of the problem.

However, I can see that the first three lines of the public key block you shared match the public key I just fetched from the server, so this might not actually be the problem. I suggest fetching the current key (linked from the Official Packaging Guide you already found) and checking whether the whole thing matches what’s in your cloud-config YAML file.

Unfortunately at the moment I don’t have any other ideas to share. I’m not familiar with this specific technique, and the documentation for this apt cloud-config module didn’t give me any clues: what you’ve shared seems consistent with what’s mentioned in the documentation for sources, although the formatting of that part of the docs is currently a little hard to read. :confounded:

Thanks for replying (again) @apparentlymart.

I can confirm the key I am using is the current correct one.

I have found a couple of references to known bugs with cloud-init assuming that the gpg binary is available on the machine during this part of its flow, when in fact it is not. My plan is to first chase things down that rabbit hole and see what I find. Failing that, I think I'm just going to replicate the scripted steps in the Hashicorp docs under a runcmd: section in the YAML and move on with my life.

The cloud-init docs are… something. There is a lot of them, there are a lot of examples, yet cloud-init can still be difficult to deal with. Like a lot of Hashicorp's doco and products if I'm honest. :wink:

I’ll post back here with what I find. In the meantime, hopefully someone else here has solved this?

Okay, I went with a little of column A and B.

First up, in the cloud-config.yaml I add Hashicorp’s public PGP key like this:

write_files:
  - path: /usr/share/keyrings/hashicorp.asc
    owner: root:root
    permissions: '0644'
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----

      mQINBGO9u+MBEADmE9i8rpt8xhRqxbzlBG06z3qe+e1DI+SyjscyVVRcGDrEfo+J
      .........

And then, I add the Hashicorp repo like this:

apt:
  preserve_sources_list: true
  sources:
    hashicorp:
      source: "deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp.asc] https://apt.releases.hashicorp.com focal main"

That seems to have done the trick and cloud-init does its thing correctly now.