Remove most linaro cloud resources

This removes ansible configuration for the linaro cloud itself and the
linaro cloud mirror. This cloud is in the process of going away and
having these nodes in our inventory is creating base job failures due
to unreachable nodes. This then dominoes into not running the LE refresh
job and now some certs are not getting renewed. Clean this all up so
that the rest of our systems are happy.

Note that we don't fully clean up the idea of an unmanaged group as
there may be other locations we want to do something similar (OpenMetal
perhaps?). We also don't remove the openstack clouds.yaml entries for
the linaro cloud yet. It isn't entirely clear when things will go
offline, but it may be as late as August 10 so we keep those credentials
around as they may be useful until then.

Change-Id: Idd6b455de8da2aa9901bf989b1d131f1f4533420
Clark Boylan 2024-08-02 09:21:11 -07:00
parent 62b6ae4164
commit e66eeb8c3c
11 changed files with 2 additions and 126 deletions

View File

@ -151,50 +151,3 @@ the next Ansible pulse to renew.
# tail -f /var/log/acme.sh/acme.sh.log
... watch and should be renewed on next pulse
# rm *.conf.old
Linaro ARM64 Cloud Cert Renewal
===============================
The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints,
but these certs are not automatically provisioned. The reason for this
is that cloud is not completely enrolled into our Ansible automation
(we share management of this install with Linaro and full integration
has not be done). We can manually refresh the SSL certs in this cloud
though.
To access the cloud backend ssh via bridge as root to
``openinfraci.linaro.cloud``.
First we provision a new certificate using acme.sh on the cloud node:
.. code-block:: console
/root/acme.sh/acme.sh --server letsencrypt --issue \
--dns dns_aws -d openinfraci.linaro.cloud
Next backup the old cert:
.. code-block:: console
cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \
/root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE
Copy the new cert into the kolla-ansible secrets:
.. code-block:: console
cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \
/root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \
> /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem
Activate the kolla-ansible virtualenv to run ansible:
.. code-block:: console
source /root/venv3/bin/activate
Run kolla-ansible to deploy the cert:
.. code-block:: console
/root/venv3/bin/kolla-ansible -i ~/all-in-one deploy
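
Review bot: the whole "Linaro ARM64 Cloud Cert Renewal" section is dropped here, but the commit message says the cloud may stay online as late as August 10 and that its clouds.yaml credentials are kept. If the API endpoint cert can expire inside that window, the manual acme.sh and kolla-ansible steps will only be recoverable from git history; consider saying so in the commit message, or deferring this doc removal to the change that removes the credentials. The removed steps also wrote the private key into /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem and left dated backup copies beside it, so the teardown notes should cover that key material.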

View File

@ -395,16 +395,6 @@ all:
- 'ssh-rsa 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'
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmfQrjbtpQLaOzQWgfmkDAWMxUyr+gHwcKXzuHzGpjqzWUsBpAw2LQw1DIbnpIF2c2nAr7BEg8Fi6Q9Fe1FMUE='
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINA8ajkyUlXiclmsCD9pEdAL2HW+ns2eIj5BWctByaiF'
mirror01.regionone.linaro.opendev.org:
ansible_host: 147.28.149.111
location:
cloud: opendevci-linaro
region_name: RegionOne
public_v4: 147.28.149.111
host_keys:
- 'ssh-rsa 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'
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKcrLy5+mi4FzqL3jqj9VZc+CF9dUf58HJMFx8nC2+4TJDc2VH6c3Udq3oAVyTKqViuqRqGfYIVdAhID6aE7P38='
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1ydhnETmFh9UPeRStC0ZMcvWju3HJ9P4R4nezY+4RK'
mirror02.ord.rax.opendev.org:
ansible_host: 23.253.20.59
location:
@ -964,16 +954,3 @@ all:
- ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKLGqwSmj46QBLtpBdEX2S8l78FKnOdNqdtQwDG5LJr0Lo6+OaFIU1DX5ebRac2vQuH1kqyIfI5kiMBE4AHkTrY=
- ssh-rsa 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
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJv4rnJCRwIkPHSYWO9Fg7Uc5nioX62YpzmQfT3YfWeU
# NOTE - the following hosts are "partially managed" in that we
# don't run the full base deployment on them, but rather a
# specific subset of hand-picked roles, etc.
openinfraci.linaro.cloud:
ansible_host: 147.75.35.206
location:
cloud: opendevci-linaro
region_name: RegionOne
public_v4: 147.75.35.206
host_keys:
- 'ssh-rsa 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'
- 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGnFxrjQah1S64D3hNzdWl8FmQR93gkw4zsgkCE+ZY1Bc5bdrfS/xQeTuxIpBP6L/7UlCe8ks48qc8caJ5vmy+0='
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5xRCcYInStxHXEhkVws5RmqzUc0S/4wi1zOtd6zlUB'
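
Review bot: the "partially managed" NOTE comment at the end of the inventory is removed together with openinfraci.linaro.cloud, yet the commit message keeps the unmanaged group for possible reuse. Suggest leaving that comment in place, or moving it next to the `unmanaged: []` group definition, so the next partially managed host has the explanation beside it.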

View File

@ -213,21 +213,6 @@ cloud_launcher_clouds:
profiles:
- openstackci-keypairs
# Linaro
- name: opendevci-linaro
oscc_cloud: opendevci-linaro
region_name: RegionOne
profiles:
- openstackci-keypairs
- openstackci-security
- name: opendevzuul-linaro
oscc_cloud: opendevzuul-linaro
region_name: RegionOne
profiles:
- openstackci-keypairs
- openstackci-security
# OSUOSL
- name: opendevci-osuosl
oscc_cloud: opendevci-osuosl
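
Review bot: with the opendevci-linaro and opendevzuul-linaro entries gone from cloud_launcher_clouds, the openstackci-keypairs and openstackci-security profiles are no longer applied to those clouds, while the commit message says the clouds.yaml credentials stay for now. Nothing in this change records the follow-up; a short TODO comment or a linked follow-up change for removing those credentials would keep them from lingering after the cloud is gone.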

View File

@ -155,8 +155,7 @@ groups:
translate:
- translate[0-9]*.open*.org
# This group does not run the base jobs
unmanaged:
- openinfraci.linaro.cloud
unmanaged: []
webservers:
- cacti[0-9]*.open*.org
- codesearch[0-9]*.opendev.org
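
Review bot: `unmanaged: []` leaves a group with no members under the comment "This group does not run the base jobs". Please confirm that the group loader and any play that targets or excludes `unmanaged` accept an empty list without erroring or warning, and extend the comment to say the group is intentionally empty and kept for future partially managed hosts.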

View File

@ -1,11 +0,0 @@
letsencrypt_certs:
mirror01-regionone-linaro-main:
- mirror01.regionone.linaro.opendev.org
- mirror.regionone.linaro.opendev.org
# Allocated 100GB volume for this mirror, so openafs cache has to be <
# 95%; we go for 45gb
afs_client_cache_size: '45000000'
# Simiarly we need to limit the size of the apache mirror to < 50GB
# and the default is 60000M.
mirror_apache_cache_limit: '40000M'

View File

@ -3,5 +3,4 @@ letsencrypt_certcheck_additional_domains:
- wiki.openstack.org 443
- openstack.org 443
- www.openstack.org 443
- openinfraci.linaro.cloud 5000
- download.cirros-cloud.net 443
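
Review bot: dropping `openinfraci.linaro.cloud 5000` from letsencrypt_certcheck_additional_domains ends expiry monitoring for that endpoint while the commit message expects the cloud to be around until possibly August 10. That is consistent with removing the manual renewal procedure, but it means an expired cert on port 5000 will now surface only as client failures; worth stating in the commit message that this is accepted.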

View File

@ -22,7 +22,7 @@ results:
- letsencrypt
- webservers
mirror01.regionone.linaro.opendev.org:
mirror01.regionone.osuosl.opendev.org:
- afs-client
- kerberos-client
- letsencrypt
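
Review bot: the expected-results entry switches from mirror01.regionone.linaro.opendev.org to mirror01.regionone.osuosl.opendev.org with the group list that follows it (afs-client, kerberos-client, letsencrypt) left untouched. Please confirm the osuosl mirror resolves to exactly the same groups in the inventory; if it does not, the list needs adjusting for the new host.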

View File

@ -203,9 +203,6 @@
- name: letsencrypt updated mirror03-gra1-ovh-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
- name: letsencrypt updated mirror01-regionone-linaro-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
- name: letsencrypt updated mirror01-sjc1-vexxhost-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

View File

@ -1,6 +0,0 @@
- hosts: "openinfraci.linaro.cloud"
tasks:
- name: Initial task
debug:
msg: "This is a placeholder"

View File

@ -673,14 +673,3 @@
files:
- playbooks/run_cloud_launcher.yaml
- inventory/service/group_vars/bastion.yaml
- job:
name: infra-prod-cloud-linaro
parent: infra-prod-service-base
description: Run management tasks against Linaro
vars:
playbook_name: service-cloud-linaro.yaml
required-projects:
- opendev/system-config
files:
- playbooks/service-cloud-linaro.yaml

View File

@ -410,11 +410,6 @@
- name: infra-prod-base
soft: true
- infra-prod-cloud-linaro: &infra-prod-cloud-linaro
dependencies:
- name: infra-prod-base
soft: true
#
# Hosts using certificates and backups
#
@ -630,7 +625,6 @@
- infra-prod-service-afs: *infra-prod-service-afs
- infra-prod-service-nameserver: *infra-prod-service-nameserver
- infra-prod-service-mirror-update: *infra-prod-service-mirror-update
- infra-prod-cloud-linaro: *infra-prod-cloud-linaro
- infra-prod-service-borg-backup: *infra-prod-service-borg-backup
- infra-prod-letsencrypt: *infra-prod-letsencrypt
- infra-prod-service-codesearch: *infra-prod-service-codesearch
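
Review bot: the `&infra-prod-cloud-linaro` anchor defined in the hunk at line 410 and the `*infra-prod-cloud-linaro` alias in this hunk are removed together, which is right, but only these two locations are visible. Any remaining `*infra-prod-cloud-linaro` alias in another pipeline would be an undefined alias and break parsing of the file, so please confirm that a search of the repository for infra-prod-cloud-linaro and service-cloud-linaro.yaml comes back empty.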