Remove embedded GPG keys only if legacy keyring is present

CHANGELOG.md

@@ -22,6 +22,7 @@ The **patch** part changes incrementally at each release.
 ### Changed
 
 * Use python3 modules for Debian 11 and later
+* Remove embedded GPG keys only if legacy keyring is present
 * elasticsearch: 7.x by default
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)

apt/tasks/evolix_public.yml

@@ -1,10 +1,18 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - apt
+
 - name: Evolix embedded GPG key is absent
   apt_key:
     id: "B8612B5D"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - apt
 

elasticsearch/tasks/packages.yml

@@ -8,11 +8,20 @@
     - elasticsearch
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - elasticsearch
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - elasticsearch
     - packages

evolinux-base/tasks/hardware.yml

@@ -35,6 +35,11 @@
   changed_when: "'FAILED' in raidmodel.stdout"
   failed_when: "'FAILED' in raidmodel.stdout"
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: HPE Smart Storage Administrator (ssacli) is present
   block:
     - name: HPE GPG embedded key is absent
@@ -42,6 +47,7 @@
         id: "26C2B797"
         keyring: /etc/apt/trusted.gpg
         state: absent
+      when: _trusted_gpg_keyring.stat.exists
 
     - name: HPE GPG key is installed
       copy:
@@ -108,7 +114,9 @@
         id: "23B3D3B4"
         keyring: /etc/apt/trusted.gpg
         state: absent
-      when: ansible_distribution_major_version is version('9', '>=')
+      when:
+        - trusted_gpg_keyring.stat.present
+        - ansible_distribution_major_version is version('9', '>=')
 
     - name: HWRaid GPG key is installed
       copy:

filebeat/tasks/main.yml

@@ -8,11 +8,20 @@
     - filebeat
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - filebeat
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - filebeat
     - packages

fluentd/tasks/main.yml

@@ -1,10 +1,19 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - packages
+    - fluentd
+
 - name: Fluentd embedded GPG key is absent
   apt_key:
     id: "AB97ACBE"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - packages
     - fluentd

jenkins/tasks/main.yml

@@ -5,11 +5,17 @@
 # http://mirrors.jenkins.io/.*
 # http://jenkins.mirror.isppower.de/.*
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: Jenkins embedded GPG key is absent
   apt_key:
     id: "D50582E6"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add Jenkins GPG key
   copy:

kibana/tasks/main.yml

@@ -8,11 +8,20 @@
     - kibana
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - kibana
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - kibana
     - packages

logstash/tasks/main.yml

@@ -8,11 +8,20 @@
     - logstash
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - logstash
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - logstash
     - packages

metricbeat/tasks/main.yml

@@ -8,11 +8,20 @@
     - metricbeat
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - metricbeat
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - metricbeat
     - packages

mongodb/tasks/main_bullseye.yml

@@ -1,11 +1,16 @@
 ---
 
-# https://wiki.debian.org/DebianRepository/UseThirdParty
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: MongoDB embedded GPG key is absent
   apt_key:
     id: "B8612B5D"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add MongoDB GPG key
   copy:

mongodb/tasks/main_buster.yml

@@ -1,10 +1,16 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: MongoDB embedded GPG key is absent
   apt_key:
     id: "B8612B5D"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add MongoDB GPG key
   copy:

newrelic/tasks/sources.yml

@@ -1,10 +1,16 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: NewRelic embedded GPG key is absent
   apt_key:
     id: "548C16BF"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add NewRelic GPG key
   copy:

nodejs/tasks/main.yml

@@ -9,11 +9,21 @@
     - packages
     - nodejs
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - system
+    - packages
+    - nodejs
+
 - name: NodeJS embedded GPG key is absent
   apt_key:
     id: "68576280"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - system
     - packages

nodejs/tasks/yarn.yml

@@ -1,10 +1,21 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - system
+    - packages
+    - nodejs
+    - yarn
+
 - name: Yarn embedded GPG key is absent
   apt_key:
     id: "86E50310"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - system
     - packages

percona/tasks/main.yml

@@ -3,11 +3,17 @@
 - set_fact:
     percona__apt_config_package_file: "percona-release_latest.{{ ansible_distribution_release }}_all.deb"
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: Percona embedded GPG key is absent
   apt_key:
     id: "8507EFA5"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add Percona GPG key
   copy:

postgresql/tasks/pgdg-repo.yml

@@ -13,11 +13,17 @@
     repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
     update_cache: yes
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: PGDG embedded GPG key is absent
   apt_key:
     id: "ACCC4CF8"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add PGDG GPG key
   copy: