[BUG] Epicli hangs on importing GPG keys for kubernetes repository on RHEL

[przemyslavic]

Describe the bug
There is an issue with importing GPG keys for kubernetes repository on RedHat. Ansible hangs for ~10 hours on download-requirements task and then fails with error Failed to connect to the host via ssh: Shared connection to xx.xx.xx.xx closed."

How to reproduce
Steps to reproduce the behavior:

1. execute epicli apply (repository component is enough to reproduce)

Expected behavior
The cluster has been deployed successfully.

Config files
If applicable, add config files to help explain your problem.

Environment

• Cloud provider: [all]
• OS: [RHEL]

Additional context
Log

Mar 08 15:38:49 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Adding repository: kubernetes
Mar 08 15:38:50 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Importing GPG key 0x836F4BEB:
Mar 08 15:38:50 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Userid     : "gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeysMar 08 15:38:50 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Fingerprint: xxxx
Mar 08 15:38:50 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Mar 08 15:38:51 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:51 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:52 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:52 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:53 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:53 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:54 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:54 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:54 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Adding repository: opendistroforelasticsearch
Mar 08 15:38:57 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:57 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Importing GPG key 0xE370325E:
Mar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Userid     : "OpenDistroForElasticsearch (Key For signing OpenDistroForElasticsearch artifacts.) <opendistroforelasticsearchMar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Fingerprint: xxxx
Mar 08 15:38:58 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: From       : https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch
Mar 08 15:39:02 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature couldMar 08 15:39:02 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Trying other mirror.
Mar 08 15:39:03 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Importing GPG key 0xA7317B0F:
Mar 08 15:39:03 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
Mar 08 15:39:03 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: Fingerprint: xxxx
Mar 08 15:39:03 ci-devazurrhelflannel-repository-vm-0 download-requirements.sh[14949]: From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg

---

DoD checklist

• Changelog updated (if affected version was released)
• COMPONENTS.md updated / doesn't need to be updated
• Automated tests passed (QA pipelines)
  • apply
  • upgrade
• Case covered by automated test (if possible) ℹ️ self-tested each time at runtime
• Idempotency tested
• Documentation doesn't need to be updated
• All conversations in PR resolved

[przemyslavic]

✅ The original issue seems to be gone, but this fix brings additional improvements anyway, so it's worth applying.

[przemyslavic]

The issue is back. It blocks me from RedHat testing.

Mar 29 12:54:10 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: username =
Mar 29 12:54:14 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: docker-ce-stable-patched
Mar 29 12:54:14 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://download.docker.com/linux/centos/gpg
Mar 29 12:54:15 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Checking if 'docker-ce-stable-patched' repo is available
Mar 29 12:54:15 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: elastic-6
Mar 29 12:54:15 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Mar 29 12:54:16 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: elasticsearch-7
Mar 29 12:54:16 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Mar 29 12:54:18 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: elasticsearch-curator-5
Mar 29 12:54:18 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Mar 29 12:54:19 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: grafana
Mar 29 12:54:19 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://packages.grafana.com/gpg.key
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Importing GPG key 0x24098CB6:
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Userid     : "Grafana <info@grafana.com>"
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Fingerprint: xxxx
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: From       : https://packages.grafana.com/gpg.key
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Adding repository: kubernetes
Mar 29 12:54:20 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://packages.cloud.google.com/yum/doc/yum-key.gpg
Mar 29 12:54:21 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Executing: rpm --import https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Importing GPG key 0xA7317B0F:
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Fingerprint: xxxx
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature
Mar 29 12:54:22 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Trying other mirror.
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Importing GPG key 0xA7317B0F:
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Fingerprint: xxxx
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature
Mar 29 12:54:23 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Trying other mirror.
Mar 29 12:54:24 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Importing GPG key 0xA7317B0F:
Mar 29 12:54:24 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Userid     : "Google Cloud Packages Automatic Signing Key <gc-team@google.com>"
Mar 29 12:54:24 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: Fingerprint: xxxx
Mar 29 12:54:24 ip-10-1-11-136.eu-west-3.compute.internal download-requirements.sh[11124]: From       : https://packages.cloud.google.com/yum/doc/yum-key.gpg

[rafzei]

Can be useful:
https://gist.github.com/simbo1905/ba3e8af9a45435db6093aea35c6150e8
https://people.kernel.org/monsieuricon/run-gnupg-2-2-17-on-your-el7-system

[mkyc]

@plirglo that might be useful for you.

[to-bar]

We are not able to reproduce this issue now so made decision to close it and re-open if occurs again.

This is not fully confirmed but a workaround could be to disable verification of repository metadata for Kubernetes repo (repo_gpgcheck=0) as a fallback.