From f151d8504932bac6df0bc2ab764cf1672ed53c30 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Sat, 6 Sep 2025 11:46:27 +0200
Subject: [PATCH] Add ability to use third-party repos for debootstrap

At the moment in case an arbitrary repository is defined for `lxc_apt_mirror` debootsrap may fail with being impossible to verify gpg key. This patch provides an option to supply arbitrary path to the gpg against which Release file will be verified.

Change-Id: I3e81c9296361ef621b933be06b0803ca09a8b127
Signed-off-by: Dmitriy Rabotyagov
---
 defaults/main.yml | 2 ++
 .../debootstrap_gpg_verify-dea6004d7f5d505c.yaml | 11 +++++++++++
 vars/debian.yml | 2 ++
 3 files changed, 15 insertions(+)
 create mode 100644 releasenotes/notes/debootstrap_gpg_verify-dea6004d7f5d505c.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 6ae09126..69951f82 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -232,5 +232,7 @@ lxc_centos_repos: "{{ _lxc_centos_repos }}"
 # DEB repository options
 lxc_ubuntu_mirror: "{{ (ansible_facts['architecture'] == 'x86_64') | ternary('http://archive.ubuntu.com/ubuntu', 'http://ports.ubuntu.com/ubuntu-ports') }}"
 lxc_apt_mirror: "{{ (ansible_facts['distribution'] == 'Ubuntu') | ternary(lxc_ubuntu_mirror, 'http://deb.debian.org/debian') }}"
+lxc_apt_mirror_gpg_check: true
+lxc_apt_mirror_gpg_file: ''

 lxc_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"
diff --git a/releasenotes/notes/debootstrap_gpg_verify-dea6004d7f5d505c.yaml b/releasenotes/notes/debootstrap_gpg_verify-dea6004d7f5d505c.yaml
new file mode 100644
index 00000000..57780781
--- /dev/null
+++ b/releasenotes/notes/debootstrap_gpg_verify-dea6004d7f5d505c.yaml
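Review bot: In defaults/main.yml the two new defaults, `lxc_apt_mirror_gpg_check` and `lxc_apt_mirror_gpg_file`, are added without any comment, although the first one is a security switch. The mirror defaults directly above them are plain `http://` URLs, so with the check set to false nothing authenticates the packages that go into the container base image; that belongs next to the variable, not only in the release note. I would add `# Verify the repository Release file signature during debootstrap. Disabling this leaves packages from lxc_apt_mirror unauthenticated.` above the first line and `# Path on the target host to the keyring used for that verification; when empty no --keyring option is passed to debootstrap.` above the second.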
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Added variable ``lxc_apt_mirror_gpg_check`` to either enforce or disable
+ gpg check during LXC image preparation through debootstrap. It is enabled
+ by default.
+
+ - |
+ Added variable ``lxc_apt_mirror_gpg_file`` which provides path on the
+ remote host to GPG file location, against which to verify packages
+ from ``lxc_apt_mirror`` during debootstrap process.
diff --git a/vars/debian.yml b/vars/debian.yml
index d3ffe7e1..c84336a2 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -16,6 +16,8 @@ _lxc_hosts_container_build_command: >-
 debootstrap
 --variant minbase
 --include ca-certificates
+ {{ (lxc_apt_mirror_gpg_check | bool) | ternary('--force-check-gpg', '--no-check-gpg') }}
+ {{ (lxc_apt_mirror_gpg_file | length > 0) | ternary('--keyring=' ~ lxc_apt_mirror_gpg_file, '') }}
 {{ ansible_facts['distribution_release'] }}
 /var/lib/machines/{{ lxc_container_base_name }}
 {{ lxc_apt_mirror }}
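Review bot: In vars/debian.yml the keyring path is concatenated into the command string unquoted, `'--keyring=' ~ lxc_apt_mirror_gpg_file`, so a path containing whitespace is split into extra debootstrap arguments, and if the task that runs this string goes through a shell (not visible in this hunk) metacharacters in the value would be interpreted. Passing the value through the quote filter avoids both: `ternary('--keyring=' ~ (lxc_apt_mirror_gpg_file | quote), '')`. Separately, the two added lines are evaluated independently, so `lxc_apt_mirror_gpg_check: false` together with a non-empty `lxc_apt_mirror_gpg_file` renders both `--no-check-gpg` and `--keyring=...`, and the keyring the operator configured is presumably ignored without any message; emitting `--keyring` only when the check is enabled, or failing on that combination, would make the misconfiguration visible. The `_lxc_hosts_container_build_command` block starts above the hunk, and how the rendered string is executed is not shown here.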