Remove most linaro cloud resources
This removes ansible configuration for the linaro cloud itself and the linaro cloud mirror. This cloud is in the process of going away and having these nodes in our inventory is creating base jobs failures due to unreachable nodes. This then dominoes into not running the LE refresh job and now some certs are not getting renewed. Clean this all up so that the rest of our systems are happy. Note that we don't fully clean up the idea of an unmanaged group as there may be other locations we want to do something similar (OpenMetal perhaps?). We also don't remove the openstack clouds.yaml entries for the linaro cloud yet. It isn't entirely clear when things will go offline, but it may be as late as August 10 so we keep those credentials around as they may be useful until then. Change-Id: Idd6b455de8da2aa9901bf989b1d131f1f4533420
This commit is contained in:
parent
62b6ae4164
commit
e66eeb8c3c
@ -151,50 +151,3 @@ the next Ansible pulse to renew.
|
||||
# tail -f /var/log/acme.sh/acme.sh.log
|
||||
... watch and should be renewed on next pulse
|
||||
# rm *.conf.old
|
||||
|
||||
Linaro ARM64 Cloud Cert Renewal
|
||||
===============================
|
||||
|
||||
The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints,
|
||||
but these certs are not automatically provisioned. The reason for this
|
||||
is that cloud is not completely enrolled into our Ansible automation
|
||||
(we share management of this install with Linaro and full integration
|
||||
has not be done). We can manually refresh the SSL certs in this cloud
|
||||
though.
|
||||
|
||||
To access the cloud backend ssh via bridge as root to
|
||||
``openinfraci.linaro.cloud``.
|
||||
|
||||
First we provision a new certificate using acme.sh on the cloud node:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
/root/acme.sh/acme.sh --server letsencrypt --issue \
|
||||
--dns dns_aws -d openinfraci.linaro.cloud
|
||||
|
||||
Next backup the old cert:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \
|
||||
/root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE
|
||||
|
||||
Copy the new cert into the kolla-ansible secrets:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \
|
||||
/root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \
|
||||
> /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem
|
||||
|
||||
Activate the kolla-ansible virtualenv to run ansible:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
source /root/venv3/bin/activate
|
||||
|
||||
Run kolla-ansible to deploy the cert:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
/root/venv3/bin/kolla-ansible -i ~/all-in-one deploy
|
||||
|
@ -395,16 +395,6 @@ all:
|
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCVcT1kdEvQz9+baAg8kTJ3UyIdSuH7U1fu++QXWgm0yAMkwktljytgQA8AgjclFrdsgme7CSxmGQ8xFie5r4sfWiO+TP4WRi4ylAAoRPX8xR5nrrVU4JiOiI74/5WONTRlK5MonAzA1qbtZJtKaSJcGdxC1pryyeSjqUf3QdGliKD1xh5NzmlPeQ4z/UUJlR8xyYpqqXUOcVmEx5R32WIeNWxCzwNNhBy5+e2NoQHqGucRSlNq/OuoG7AiNKixz4mjsAgxJ4cDYoBraYhKT5z9BIV+pJ8kDF4zgQVqgTfTwomEafcl2za1QnJG0nx9+l2kosn2y4YIh0U7lWnnpfskePxkhoFdKk6g3TGHRHg5yGTGGf0i+NBVrFpFgvy+6SuoonxPdUN+NwNoIgXauKe67rxPY+XzLbFw95xH/j6Bg6aswTGnuUZh+HNk0HVtHp9Bittg+GgwXkR+80m7LvXxfpSDuYM0RdK6ckUZQmrklfXXTKqP2tygMwk9HG9MBcM='
|
||||
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmfQrjbtpQLaOzQWgfmkDAWMxUyr+gHwcKXzuHzGpjqzWUsBpAw2LQw1DIbnpIF2c2nAr7BEg8Fi6Q9Fe1FMUE='
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINA8ajkyUlXiclmsCD9pEdAL2HW+ns2eIj5BWctByaiF'
|
||||
mirror01.regionone.linaro.opendev.org:
|
||||
ansible_host: 147.28.149.111
|
||||
location:
|
||||
cloud: opendevci-linaro
|
||||
region_name: RegionOne
|
||||
public_v4: 147.28.149.111
|
||||
host_keys:
|
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDE+Ivd+4A7P3uYxymn1AdcunE94llD7ZOm7RIWfoL6paAFqX/ySbtZ3OGQICr7z2BEvKkD9SW+O2J1g7jj/BONkCJ9GjdjpRyqO/o8DaNJIu3ZTlrIiRWsVqO6nsgac4q7XMF5exEJRU7vwTjH7UfxuBuaZ+s9s8WcrsWReYyIuGZ1M8a+HfF7abmRNQBr4A85dD5EnqKqrCYgTgxtmqi9PPBJLRJrE666aRs50427wdQ64qXFhhgAsmiKEjIIjUlciKA4EMtJmdfKoNF8MvgmxHELELA4fRoeXD7zQ4Poa+Dxd3JP/sXg64AHlnmgbZ2Ul4xPspdlsnuPUB7/w4i2AthDlqT61wNJUpnBYuB8W4gRnkhH0m0EgYA9G1GJ2NTC6WvGHCCFV3YHbSz1N2RTGSzg5oH56b90toLYltPHqAdVl1xtnIx2gykX+FTKQbmM0PlfKPL3wTF52hBDJlnJIfShG/9igRw+6W7wnHqcvSgPsZBxTvsEEJRrMznzm3U='
|
||||
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKcrLy5+mi4FzqL3jqj9VZc+CF9dUf58HJMFx8nC2+4TJDc2VH6c3Udq3oAVyTKqViuqRqGfYIVdAhID6aE7P38='
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1ydhnETmFh9UPeRStC0ZMcvWju3HJ9P4R4nezY+4RK'
|
||||
mirror02.ord.rax.opendev.org:
|
||||
ansible_host: 23.253.20.59
|
||||
location:
|
||||
@ -964,16 +954,3 @@ all:
|
||||
- ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKLGqwSmj46QBLtpBdEX2S8l78FKnOdNqdtQwDG5LJr0Lo6+OaFIU1DX5ebRac2vQuH1kqyIfI5kiMBE4AHkTrY=
|
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDvQQdj/ivFSVWHcdzlsjMwbn5lD4Mm+ZW2VIHZQvcCP2EI6x/HDdtsi6a6aMwW6v0jd2leaO1Q0MPel3b1FcQshyEfSNYq9DqgMV1Hpc6Xaa9YeJUe+yosxXAPktpNR6qBUFJcLajiKT7LVmMwq35EzoqxK1KM3JYfTPFHWQ9dSeVPlJ+fL4f1gyVyonBC6u9YA+QzyEFFzqLhMQxj4wGE/RNr/jMBaxCwWFJ7tLxlskxw1nT7S+6wzUkNrSlSpg1oPDLZcM1s5xWO2515nzOkkJ4RIju1+FVrwiWYzJW0FJg0b8R6BhjKcthXb9c9fBrqZG9gQsSnz+3z2QzCS6oAIvv/TMjodaIpBmqKypbt8ZCPKUDD+jiFp7AZNfn1Wbr673JdNjkoETJaD1oWcKX1M3s3xSV+DbgGghdGaBtdWQUvHMcQZpsqFxt07kyHrLaCD7DjcCc7dJsWehmlCccxbwN3F9LK+Mr2zIdoRPk/20bJDOoiER6hOzetnN8JZc=
|
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJv4rnJCRwIkPHSYWO9Fg7Uc5nioX62YpzmQfT3YfWeU
|
||||
# NOTE - the following hosts are "partially managed" in that we
|
||||
# don't run the full base deployment on them, but rather a
|
||||
# specific subset of hand-picked roles, etc.
|
||||
openinfraci.linaro.cloud:
|
||||
ansible_host: 147.75.35.206
|
||||
location:
|
||||
cloud: opendevci-linaro
|
||||
region_name: RegionOne
|
||||
public_v4: 147.75.35.206
|
||||
host_keys:
|
||||
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4VJyWg7kQTXQ+j2J2U1yrh61VAeZTTIerpc5tu5R+I+ebxZzcE9AAvqDLgflaCGDfv02Ds5BRGsD43sUHNzr/RtxNREqkTe713+dZGFuIdhDJSIz56iOzKmT6woc1n4wh4r8JEjTyiEGFimJYclkIHHx3RZyQroy/ntMr7lQSMfYeMr65LIahJzxOLHM1SEa/fMaMBqerdPsit56tnqfPxEM4iEUkN/Rfc8t94JgtB52VzqKWtvpFHy5DIP0MilrPI2xf/2PMycl1hj+LL4AO+mgSqRtv5TmPjv4KTH6ro0edFXm7vWZEl+8OXCUOErmPwSHFwLVIyuCsV4vI/nUGIZ7ttxUv8ZsKTC8yrzZBZen/0xF+kcLKhm3A3poR/KN8yqoCO542Wl+zwDcXiYvdDVS908796JSlfqf59mMnmuDg4gGGRYGEeRmPkdwwm1Lm8tgkwJX3HAx7ziEZbZ2hu1v3yg2DKI+K1OEhp+eucL0OkaBmdvAAvVMQEn1FbJ8='
|
||||
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGnFxrjQah1S64D3hNzdWl8FmQR93gkw4zsgkCE+ZY1Bc5bdrfS/xQeTuxIpBP6L/7UlCe8ks48qc8caJ5vmy+0='
|
||||
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5xRCcYInStxHXEhkVws5RmqzUc0S/4wi1zOtd6zlUB'
|
||||
|
@ -213,21 +213,6 @@ cloud_launcher_clouds:
|
||||
profiles:
|
||||
- openstackci-keypairs
|
||||
|
||||
# Linaro
|
||||
- name: opendevci-linaro
|
||||
oscc_cloud: opendevci-linaro
|
||||
region_name: RegionOne
|
||||
profiles:
|
||||
- openstackci-keypairs
|
||||
- openstackci-security
|
||||
|
||||
- name: opendevzuul-linaro
|
||||
oscc_cloud: opendevzuul-linaro
|
||||
region_name: RegionOne
|
||||
profiles:
|
||||
- openstackci-keypairs
|
||||
- openstackci-security
|
||||
|
||||
# OSUOSL
|
||||
- name: opendevci-osuosl
|
||||
oscc_cloud: opendevci-osuosl
|
||||
|
@ -155,8 +155,7 @@ groups:
|
||||
translate:
|
||||
- translate[0-9]*.open*.org
|
||||
# This group does not run the base jobs
|
||||
unmanaged:
|
||||
- openinfraci.linaro.cloud
|
||||
unmanaged: []
|
||||
webservers:
|
||||
- cacti[0-9]*.open*.org
|
||||
- codesearch[0-9]*.opendev.org
|
||||
|
@ -1,11 +0,0 @@
|
||||
letsencrypt_certs:
|
||||
mirror01-regionone-linaro-main:
|
||||
- mirror01.regionone.linaro.opendev.org
|
||||
- mirror.regionone.linaro.opendev.org
|
||||
|
||||
# Allocated 100GB volume for this mirror, so openafs cache has to be <
|
||||
# 95%; we go for 45gb
|
||||
afs_client_cache_size: '45000000'
|
||||
# Simiarly we need to limit the size of the apache mirror to < 50GB
|
||||
# and the default is 60000M.
|
||||
mirror_apache_cache_limit: '40000M'
|
@ -3,5 +3,4 @@ letsencrypt_certcheck_additional_domains:
|
||||
- wiki.openstack.org 443
|
||||
- openstack.org 443
|
||||
- www.openstack.org 443
|
||||
- openinfraci.linaro.cloud 5000
|
||||
- download.cirros-cloud.net 443
|
||||
|
@ -22,7 +22,7 @@ results:
|
||||
- letsencrypt
|
||||
- webservers
|
||||
|
||||
mirror01.regionone.linaro.opendev.org:
|
||||
mirror01.regionone.osuosl.opendev.org:
|
||||
- afs-client
|
||||
- kerberos-client
|
||||
- letsencrypt
|
||||
|
@ -203,9 +203,6 @@
|
||||
- name: letsencrypt updated mirror03-gra1-ovh-main
|
||||
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
|
||||
|
||||
- name: letsencrypt updated mirror01-regionone-linaro-main
|
||||
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
|
||||
|
||||
- name: letsencrypt updated mirror01-sjc1-vexxhost-main
|
||||
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
|
||||
|
||||
|
@ -1,6 +0,0 @@
|
||||
- hosts: "openinfraci.linaro.cloud"
|
||||
tasks:
|
||||
|
||||
- name: Initial task
|
||||
debug:
|
||||
msg: "This is a placeholder"
|
@ -673,14 +673,3 @@
|
||||
files:
|
||||
- playbooks/run_cloud_launcher.yaml
|
||||
- inventory/service/group_vars/bastion.yaml
|
||||
|
||||
- job:
|
||||
name: infra-prod-cloud-linaro
|
||||
parent: infra-prod-service-base
|
||||
description: Run management tasks against Linaro
|
||||
vars:
|
||||
playbook_name: service-cloud-linaro.yaml
|
||||
required-projects:
|
||||
- opendev/system-config
|
||||
files:
|
||||
- playbooks/service-cloud-linaro.yaml
|
||||
|
@ -410,11 +410,6 @@
|
||||
- name: infra-prod-base
|
||||
soft: true
|
||||
|
||||
- infra-prod-cloud-linaro: &infra-prod-cloud-linaro
|
||||
dependencies:
|
||||
- name: infra-prod-base
|
||||
soft: true
|
||||
|
||||
#
|
||||
# Hosts using certificates and backups
|
||||
#
|
||||
@ -630,7 +625,6 @@
|
||||
- infra-prod-service-afs: *infra-prod-service-afs
|
||||
- infra-prod-service-nameserver: *infra-prod-service-nameserver
|
||||
- infra-prod-service-mirror-update: *infra-prod-service-mirror-update
|
||||
- infra-prod-cloud-linaro: *infra-prod-cloud-linaro
|
||||
- infra-prod-service-borg-backup: *infra-prod-service-borg-backup
|
||||
- infra-prod-letsencrypt: *infra-prod-letsencrypt
|
||||
- infra-prod-service-codesearch: *infra-prod-service-codesearch
|
||||
|
Loading…
Reference in New Issue
Block a user