Grafana RPM repository metadata fails GPG signature check

Packagecloud has force-migrated older repositories to use per-project GPG signing keys as of January 7[1]. It is unclear if this is the root cause of the issue, or if it's a coincidence.

Kolla currently imports https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana as the signing key for the RPM package. This is no longer valid, it seems. The correct stable link is https://packagecloud.io/grafana/stable/gpgkey.

Example output:

INFO:kolla.common.utils.base:Retrieving key from https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana
INFO:kolla.common.utils.base:https://packagecloud.io/grafana/stable/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for grafana
INFO:kolla.common.utils.base:
INFO:kolla.common.utils.base:Trying other mirror.
INFO:kolla.common.utils.base:
INFO:kolla.common.utils.base:
INFO:kolla.common.utils.base: One of the configured repositories failed (grafana),
INFO:kolla.common.utils.base: and yum doesn't have enough cached data to continue. At this point the only
INFO:kolla.common.utils.base: safe thing yum can do is fail. There are a few ways to work "fix" this:
INFO:kolla.common.utils.base: 1. Contact the upstream for the repository and get them to fix the problem.
INFO:kolla.common.utils.base: 2. Reconfigure the baseurl/etc. for the repository, to point to a working
INFO:kolla.common.utils.base: upstream. This is most often useful if you are using a newer
INFO:kolla.common.utils.base: distribution release than is supported by the repository (and the
INFO:kolla.common.utils.base: packages for the previous distribution release still work).
INFO:kolla.common.utils.base: 3. Run the command with the repository temporarily disabled
INFO:kolla.common.utils.base: yum --disablerepo=grafana ...
INFO:kolla.common.utils.base: 4. Disable the repository permanently, so yum won't use it by default. Yum
INFO:kolla.common.utils.base: will then just ignore the repository until you permanently enable it
INFO:kolla.common.utils.base: again or use --enablerepo for temporary usage:
INFO:kolla.common.utils.base: yum-config-manager --disable grafana
INFO:kolla.common.utils.base: or
INFO:kolla.common.utils.base: subscription-manager repos --disable=grafana
INFO:kolla.common.utils.base: 5. Configure the failing repository to be skipped, if it is unavailable.
INFO:kolla.common.utils.base: Note that yum will try to contact the repo. when it runs most commands,
INFO:kolla.common.utils.base: so will have to try and fail each time (and thus. yum will be be much
INFO:kolla.common.utils.base: slower). If it is a very temporary problem though, this is often a nice
INFO:kolla.common.utils.base: compromise:
INFO:kolla.common.utils.base: yum-config-manager --save --setopt=grafana.skip_if_unavailable=true
INFO:kolla.common.utils.base:failure: repodata/repomd.xml from grafana: [Errno 256] No more mirrors to try.
INFO:kolla.common.utils.base:https://packagecloud.io/grafana/stable/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for grafana
INFO:kolla.common.utils.base:

[1]: https://blog.packagecloud.io/eng/2018/10/17/gpg-key-migration/