Commit Graph

798 Commits

Author SHA1 Message Date
Jeremy Stanley f1ad3c5198 Add backups for the new Keycloak server
We should really be backing this up before it begins to get used by
additional services. Also, since our newer deployment uses a
separate RDBMS, back that up safely.

Change-Id: I4510dd05204f4b0f450d1925ed7be148d7d73e6e
2024-02-09 17:35:02 +00:00
Jeremy Stanley e9f2a1b979 Inventory entry for another new Keycloak server
This is a new server for our Keycloak service. The previous one is
also removed by this change, since it did not have the correct CPU
flags to run the latest Keycloak container images. The problem which
necessitated this rebuild is addressed by an additional check to our
launch script in Ib0f482a939f94e801c82f3583e0a58dc4ca1f35c.

Depends-On: https://review.opendev.org/908608
Change-Id: I4a4a8cb629cbda430a113d61689c9d8ec15408b5
2024-02-09 17:34:20 +00:00
Zuul 1bd482e062 Merge "Add inventory entry for new Keycloak server" 2024-02-08 15:09:53 +00:00
Zuul 606229382f Merge "Upgrade to Keycloak 23.0" 2024-02-08 15:09:50 +00:00
Jeremy Stanley 8c83865c27 Add inventory entry for new Keycloak server
This is a new server for our Keycloak service.

Depends-On: https://review.opendev.org/908348
Change-Id: I3de6bc31602c288b8abf8d8dc11b33ba5a3e2b6e
2024-02-07 21:08:54 +00:00
Jeremy Stanley f477e35561 Upgrade to Keycloak 23.0
This includes a switch from the "legacy" style Wildfly-based image
to a new setup using Quarkus.

Because Keycloak maintainers consider H2 databases as a test/dev
only option, there are no good migration and upgrade paths short of
export/import data. Go ahead and change our deployment model to rely
on a proper RDBMS, run locally from a container on the same server.

Change-Id: I01f8045563e9f6db6168b92c5a868b8095c0d97b
2024-02-06 05:33:37 +00:00
Jeremy Stanley 02040d6bb2 Retire the OpenInfra Labs mailing list
The OpenInfra Labs pilot project was closed down by mutual agreement
of the OpenInfra Foundation and former project contributors[*]. Its
mailing list will no longer be used. Reject any future posts at the
MTA in order to avoid creating the backscatter which would result if
Mailman itself were configured to bounce messages or send notices.

[*] https://lists.opendev.org/archives/list/openinfralabs@lists.opendev.org/thread/FHFSNRS5ZOWW7LJCKSMXT3HVPMSTSUEA/

Change-Id: I40c1568928399e86ac4ab501040ded6874172243
2024-01-29 17:12:32 +00:00
Clark Boylan 88893cad0b Set both replication gitea ssh keys to the same value
This should have the side effect of removing the older smaller key from
gitea. This is now safe as we have just restarted gerrit to pick up new
configuration forcing it to replicate with the new key. We know it isn't
using the old key because we moved the old key aside during the restart.

This is being done so that the gitea 1.21 upgrade can be made without
disabling key verification in gitea.

Change-Id: I1bad1dda2adf32c5c01b8b5f134130d887d8ec06
2023-12-15 09:36:02 -08:00
Tony Breeds a9ad2b4468 Remove Ansible configuration and inventory entries for old mirror servers
Remove the old mirror nodes after we switched the workloads to newer
jammy nodes in [1]

[1] https://review.opendev.org/c/opendev/zone-opendev.org/+/902100

Change-Id: Ib33f9ae4f0e993b14b0b5c0137af33b917ded386
2023-12-05 12:35:04 -06:00
Zuul 46f7377827 Merge "Rotate the new Gitea replication key into Gitea config" 2023-12-01 18:55:34 +00:00
Clark Boylan 91322002ff Rotate the new Gitea replication key into Gitea config
We use a new larger rsa key so that gitea checks on key size don't fail
when we upgrade gitea to 1.21 or newer. We did consider an ed25519 key
instead but those keys can only be generated in the new openssh key file
format and there is some question around whether or not Gerrit's
replication plugin (ultimately MINA ssh client) can read those files. To
be safe we stick with what we know works and simply increase the bit
count.

Change-Id: I51e97e8545a54202b05f32de70c0715083954119
2023-11-30 11:02:36 -08:00
Zuul 1d75147a4e Merge "Add inventory/LE records for mirror02.dfw.rax" 2023-11-30 19:00:36 +00:00
Zuul 5cd1418420 Merge "Add inventory/LE records for mirror02.bhs1.ovh and mirror03.gra1.ovh" 2023-11-30 19:00:34 +00:00
Zuul 89909790b2 Merge "Add ssh key rotation to gitea ssh key management" 2023-11-29 23:53:18 +00:00
Jeremy Stanley e4a59f29ba Add OpenInfra Asia mailing lists
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new
Asia hub. One list will have an open subscription policy and
publicly available archives, while the other will be utilized by the
advisory board for any sensitive topics that must be kept private.

Change-Id: Ie8b6b21b27dfaf932267266f644e7bd8c2f03981
2023-11-29 17:54:13 +00:00
Tony Breeds f4833462e6 Add inventory/LE records for mirror02.dfw.rax
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/902007
Change-Id: I339038db5a79ccec5dd224b42f25181c1294256b
2023-11-28 11:09:01 -06:00
Tony Breeds c48c2f533b Add inventory/LE records for mirror02.bhs1.ovh and mirror03.gra1.ovh
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/901627
Change-Id: Ic54ef48473f29658751ec81937384fd63049112e
2023-11-28 11:09:01 -06:00
Clark Boylan c843085a02 Add ssh key rotation to gitea ssh key management
This change refactors how gerrit's key(s) in gitea are managed. The
motivation behind this is to allow us to do key rotation with overlap in
accepted keys. To do this we first check which keys are present. Then
any missing keys are added. Finally we remove any keys which are not in
our key options.

This also corrects a bug where replacing keys would've required two
Ansible passes to delete the old key then add the new key. All keys
should be properly set in a single Ansible pass with this update.

Change-Id: I1eaf5ae89542e3e4f479c77e4df72a34d65d9c46
2023-11-15 15:12:19 -08:00
Zuul b24a3c3232 Merge "Add letsencrypt_certs for mirror02.ord" 2023-11-15 15:02:36 +00:00
Zuul a01fecb422 Merge "Revert registry.zuul-ci.org" 2023-11-15 02:46:11 +00:00
James E. Blair 3d5c2a810e Revert registry.zuul-ci.org
This project didn't proceed past the test phase,
let's clean it up.

Revert "Add a functional test for registry.zuul-ci.org"
This reverts commit e701fdd3ca.

Revert "Add testinfra for registry.zuul-ci.org"
This reverts commit e00f4e59b3.

Revert "Add static site for registry.zuul-ci.org"
This reverts commit 31b505d3ba.

Revert "Add SSL cert for registry.zuul-ci.org"
This reverts commit d0a8473d42.

Change-Id: I1d39306187c7b2d7a908389f88d1a60e1b29ffe3
2023-11-14 16:05:28 -08:00
Tony Breeds 75713169b0 Add tonyb to statusbot nicks
Change-Id: I5c37544e799023d91ededb19d528c447a71da7fc
2023-11-14 16:54:35 -06:00
Tony Breeds d31288a2e6 Add letsencrypt_certs for mirror02.ord
In 900923[1] adding the letsencrypt_certs and associated handler was
missed #oops

This change fixes that.

[1] https://review.opendev.org/c/opendev/system-config/+/900923

Change-Id: Ieb7b87c11cffa2a3449b4d8f6438a8972e52fb16
2023-11-14 16:38:10 -06:00
Tony Breeds b716baba70 Add new mirror02.ord.rax to inventory
New node coming online to replace existing 01 node

Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/900922
Change-Id: Ieabff4bf0dfcbe32ff8b42e5f225e7b6676c7c3d
2023-11-14 10:43:55 -06:00
Tony Breeds 5e138a4b7d Add Tony Breeds to base_users for all hosts
Change-Id: I397317034e5c0d4ed1e9dfefaacac79efbfce30a
2023-11-07 13:59:20 -06:00
Jeremy Stanley 89d01144a1 Clean up old Mailman v2 roles and vars
Now that we no longer run a Mailman v2 server, we can drop all the
automation we used for deploying and maintaining it.

Change-Id: I522cdbef86d1fe491d446e4b721a7873564c927a
2023-10-31 18:20:12 +00:00
Jeremy Stanley 73f0a5336a Merge production and test node mailman configs
Now that the Mailman v3 migration is complete, we no longer need any
divergence between the lists01 (production) and lists99 (test node)
host vars, so put everything into the group vars file instead.

Change-Id: If92943694e95ef261fbd254eff65a51d8d3f7ce5
2023-10-30 19:26:03 +00:00
Zuul b79818feae Merge "Add OpenInfra EU mailing lists" 2023-10-25 16:42:34 +00:00
Jeremy Stanley 704321653b Add OpenInfra EU mailing lists
The OpenInfra Foundation executive team is requesting creation of
new mailing lists on lists.openinfra.dev for the foundation's new EU
hub. One list will have an open subscription policy and publicly
available archives, while the other will be utilized by the advisory
board for any sensitive topics that must be kept private.

Change-Id: I138bcdddd8b8feeb94adb71f0ba5e03d8c809e20
2023-10-25 15:31:37 +00:00
Zuul bd3fd30462 Merge "Remove the old mailing list server" 2023-10-20 23:04:26 +00:00
Jeremy Stanley cab53d10ac Remove the old mailing list server
Clean up references to lists.openstack.org other than as a virtual
host on the new lists01.opendev.org Mailman v3 server. Update a few
stale references to the old openstack-infra mailing list (and
accompanying stale references to the OpenStack Foundation and
OpenStack Infra team). Update our mailing list service documentation
to reflect the new system rather than the old one. Once this change
merges, we can create an archival image of the old server and delete
it (as well as removing it from our emergency skip list for
Ansible).

Side note, the lists.openstack.org server will be 11.5 years old on
November 1, created 2012-05-01 21:14:53 UTC. Farewell, old friend!

Change-Id: I54eddbaaddc7c88bdea8a1dbc88f27108c223239
2023-10-20 18:10:08 +00:00
Clark Boylan 53fe07271c Noop change to retrigger lists3 deployment
We've been trying to get this to deploy automatically without much
success due to a couple of unrelated errors. The most recent appears to
possibly be an ansible issue within ansible itself (eg not our
playbooks). Land a noop change to retrigger things and see if this is
consistent or not.

Change-Id: Iaf0aa14a82fb7d0a2b61a5138c7435d3eda21a3e
2023-10-16 11:54:48 -07:00
Clark Boylan 944b78154d Fix the relevant files lists for lists3 jobs
Fix the infra-prod-service-lists3 job to trigger when we update the
mailman3.yaml group vars file. In addition we make a noop reorganization
change to the mailman3 group file to group exim vars together which will
be used to ensure that this change triggers the lists3 job as expected.

In system-config-run-lists3 we update that job to be triggered when we
update the docker images for mailman. We don't bother testing this now
as that would be masked off by the update to the mailman3 groups file.
But in the future when we do mailman3 image updates we'll be looking for
this job to run.

Change-Id: I994b0a79bf46f525dd9e059719f5a08c9c390b8c
2023-10-15 19:52:01 -07:00
Jeremy Stanley 82b5640ff4 Drop the mailman_copy Exim router
In Ic1156849957bc326e9216c2aca0ab9d180e158e6 we added a temporary
router named mailman_copy to dump raw messages for the
openstack-discuss mailing list to an mbox file at
/var/mail/openstack-discuss in order to be able to compare
pre-Mailman state of messages for DKIM signature debugging. Since
this file doesn't exist and Exim lacks permission to create it, the
resulting router errors are leading to message deferrals for the
openstack-discuss mailing list.

Rather than add Ansible to create the mbox file for this, just drop
the router and accompanying transport definitions from our Exim
config. We can always set it up more thoroughly in the future if we
ever want to re-add it.

Change-Id: If4f6c7b90b7b312b23a7736251f704dace668879
2023-10-15 01:04:47 +00:00
Jeremy Stanley f4902e98fd Move OpenStack lists to Mailman 3
This uncomments the list additions for the lists.openstack.org site
on the new mailman server, and should be merged the day of the
maintenance prior to the start of the scheduled outage window.

Separately removing configuration from the old server is
unnecessary, as there will be a cleanup change merged after the
maintenance window to remove all files associated with it and clear
it out of our inventory in preparation for archival imaging and
deletion (the old server will have its services disabled and be kept
in our emergency skip list for Ansible until that happens).

Change-Id: I1f6d3c8dfcb2bb98fa5b93bcc2f4a13927c55047
2023-10-11 18:02:46 +00:00
Zuul 16744d8336 Merge "Blackhole deliveries for Mailman v3 local user" 2023-10-06 16:56:39 +00:00
Jeremy Stanley fcef589bdc Add mailing list for Nordix environment
As part of the transition from the Nordix group to OpenInfra Europe,
some systems and services will remain under the Nordix name for now.
The people managing these resources need a mailing list to better
coordinate their activities.

Change-Id: I03b679b4d5f57b1953e1815555b79caf5b6452ff
2023-10-03 14:36:32 +00:00
Jeremy Stanley 222414b585 Blackhole deliveries for Mailman v3 local user
On Mailman v2 the "mailman" addresses were mapped to special mailing
lists used for monthly password notifications and some other tasks.
This does not exist on Mailman v3, but spammers still have the old
mailman list addresses and send junk to them, which the server
attempts to deliver because there's a local user account with the
same name.

Reject messages for the old "mailman" addresses at receipt, so they
never enter our message queue.

Change-Id: I9db93ae98f4b3952400c1e478612ab70a6241dd1
2023-10-02 21:33:11 +00:00
Jeremy Stanley 4a115ed54d Move OpenInfra and StarlingX lists to Mailman 3
This uncomments the list additions for the lists.openinfra.dev and
lists.starlingx.io sites on the new mailman server, removing the
configuration for them from the lists.openstack.org server and also
cleaning up some benign entries which were missed in the previous
migration change. With this, the old server should only be hosting
specifically lists.openstack.org mailing lists.

Change-Id: I1e2d332cd4addb8970a3759157bbeceddd77ea95
2023-09-14 18:25:12 +00:00
Jeremy Stanley a6ab3543fc Move Airship and Kata lists to Mailman 3
This uncomments the list additions for the lists.airshipit.org and
lists.katacontainers.io sites on the new mailman server, removing
the configuration for them from the lists.opendev.org server and, in
the case of the latter, removing all our configuration management
for the server as it was the only site hosted there.

Change-Id: Ic1c735469583e922313797f709182f960e691efc
2023-09-14 12:08:34 +00:00
Zuul 0b86e9e148 Merge "Remove old insecure-ci-registry01 from our inventory" 2023-08-17 04:38:58 +00:00
Felipe Reyes 12208a4b5a Setup #openstack-charms IRC channel.
This change configures meetbot to join the #openstack-charms where team
meetings are hosted.

Change-Id: I2e0697b24a06b78cf410807bbbd46fe40b5deb2e
2023-08-02 10:30:23 -04:00
Zuul 03ca4627a1 Merge "Replace ze10-ze12" 2023-07-15 23:50:42 +00:00
Zuul deb37417b8 Merge "Replace ze07-ze09" 2023-07-15 23:50:40 +00:00
Zuul 31d10ee05c Merge "Replace ze04-ze06" 2023-07-11 14:54:01 +00:00
Zuul 12dcfd4cd6 Merge "Replace ze01-ze03" 2023-06-28 17:55:56 +00:00
Clark Boylan 7509976b95 Remove old insecure-ci-registry01 from our inventory
This server has been replaced by insecure-ci-registry02. Remove it. This
will allow us to delete the server as well.

Change-Id: I4d9bc6ab90b13655ace2edf4a6fa7c362623c010
2023-06-26 10:43:34 -07:00
Tony Breeds facd7ec2b3 Deploy insecure-ci-registry.opendev.org on jammy
This adds a second registry host. We will remove the other once we've
cut over successfully (should just depend on a DNS update).

Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/886874
Change-Id: Ib6be5ef242ed038c23e0007488f2c21ce10f4fcb
2023-06-23 13:21:48 -07:00
James E. Blair 1e5746a4c8 Replace ze10-ze12
Change-Id: I6fe1d38e7a25ff9ac93037773e0751423621c939
2023-06-07 08:33:39 -07:00
James E. Blair c08ad2139f Replace ze07-ze09
Change-Id: Icaefe7906d857bf35ec98c25c54bba288070547c
2023-06-07 08:33:17 -07:00