Now that we can confirm this hasn't broken for gitea01, set check on
all the remaining server lines as well.
Change-Id: I11f1f15210dafed66e1209329ddf7f3838592881
Apparently the check-ssl option only modifies check behavior, but
does not actually turn it on. The check option also needs to be set
in order to activate checks of the server. See §5.2 of the haproxy
docs for details:
https://git.haproxy.org/?p=haproxy-2.5.git;a=blob;f=doc/configuration.txt;h=e3949d1eebe171920c451b4cad1d5fcd07d0bfb5;hb=HEAD#l14396
Turn it on for all of our balance_zuul_https server entries.
Also set this on the gitea01 server entry in balance_git_https, so
we can make sure it's still seen as "up" once this change takes
effect. A follow-up change will turn it on for the other
balance_git_https servers out of an abundance of caution around that
service.
Change-Id: I4018507f6e0ee1b5c30139de301e09b3ec6fc494
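A lint for the condition the two commit messages above describe (check-ssl present on a server line while check is absent, so no health checks run), as an added example that is not part of the original commits or the project's code. The sample configuration is constructed: only the section names and gitea01 come from the messages; the other server names, addresses and ports are placeholders.

```python
# Constructed sample config (not the project's real file). Addresses are
# documentation-range placeholders.
SAMPLE_CFG = """\
listen balance_git_https
    bind :::443
    mode tcp
    server gitea01 192.0.2.11:3081 check check-ssl
    server gitea02 192.0.2.12:3081 check-ssl  # checks never run

listen balance_zuul_https
    mode tcp
    server zuul01 192.0.2.21:443 check-ssl
    # server zuul02 192.0.2.22:443 check-ssl
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}


def find_inactive_checks(cfg_text):
    """Return (section, server, line_no) for every server line that sets
    check-ssl without check, i.e. configures a check that is never enabled."""
    findings = []
    section = None
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        # Simplification: treat any '#' as a comment start (no quoting/escapes).
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[1] if len(tokens) > 1 else tokens[0]
            continue
        # server <name> <address> [param ...]
        if tokens[0] != "server" or len(tokens) < 3:
            continue
        params = tokens[3:]
        # Exact token match, so "check-ssl" does not count as "check".
        if "check-ssl" in params and "check" not in params:
            findings.append((section, tokens[1], line_no))
    return findings


if __name__ == "__main__":
    for section, server, line_no in find_inactive_checks(SAMPLE_CFG):
        print(f"line {line_no}: {section}/{server} has check-ssl but no check")
```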
Switch the port 80 and 443 endpoints over to doing http checks instead
of tcp checks. This ensures that both apache and the zuul-web backend
are functional before balancing to them.
The fingergw remains a tcp check.
Change-Id: Iabe2d7822c9ef7e4514b9a0eb627f15b93ad48e2
We've been told these resources are going away. Trying to remove them
gracefully from nodepool. Once that is done we can remove our configs
here.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/831398
Change-Id: I396ca49ab33c09622dd398012528fe7172c39fe8
The enterprise-wg and product-wg lists were deleted from the
openstack site per the announcement[*] on 2022-02-01, but I
neglected to push a change to remove them from our configuration
management, so Ansible helpfully recreated them for me. Clean this
up so I can re-remove the lists once and for all.
[*] http://lists.openinfra.dev/pipermail/foundation/2022-February/003048.html
Change-Id: Iddcb5cbac68d426e0ad13dd41541ad1371366bb1
The docker v1 protocol proxy listened on these ports and was removed
by 9b6398394d5d5d9e9e9aff244ccac2f98a4317d1 as everything uses v2 now.
The firewall holes were left open though. Clean that up.
Change-Id: Ie00acd5bfb657153b9bc49222ae5d9778ad36e70
Previously we were only checking that Apache can open TCP connections to
determine if Gitea is up or down on a backend. This is insufficient
because Gitea itself may be down while Apache is up. In this situation
TCP connection to Apache will function, but if we make an HTTP request
we should get back an error.
To check if both Apache and Gitea are working properly we switch to
using http checks instead. Then if Gitea is down Apache can return a 500
and the Gitea backend will be removed from the pool. Similarly if Apache
is non functional the check will fail to connect via TCP.
Note we don't verify ssl certs for simplicity as checking these in
testing is not straightforward. We didn't have verification with the old
tcp checks so this isn't a regression, but does represent something we
could try and improve in the future.
Change-Id: Id47a1f9028c7575e8fbbd10fabfc9730095cb541
We never finished puppeting the OpenStack wiki, and if we do manage
to get it under configuration management in the future it will
likely not use Puppet anyway. The dev server is already gone, and
deployment has been explicitly disabled for the other, so let's go
ahead and remove the references here and then we should be able to
retire the separate Puppet module we've been hosting.
Change-Id: I3f9ada3eb3d6f16545270135fab994ac460be94b
The sql connection is no longer supported, we need to use "database"
instead. The corresponding hostvars change has already been made
on bridge.
Change-Id: Ibcac56568f263bd50b2be43baa26c8c514c5272b
The wiki-dev03.openstack.org server was a test deployment working
through completing the puppetry for our Mediawiki environment. Since
it's on a now-EoL Ubuntu version, and that configuration management
work has stalled, delete this test server from our inventory rather
than needlessly consuming resources and an ESM entitlement.
Also clean up an old disabled entry for wiki-dev01.openstack.org
which no longer exists (it was a predecessor of this server). Leave
the templating for wiki-dev* in place for now in case we decide to
launch a replacement.
Change-Id: I5beed4dde8e4e84d92f510f8726f8443daf774c1
The OpenStackID project has been rebranded, and the old
openstackid.org deployment is being retained temporarily in order to
ease transition, but id.openinfra.dev is in place now and intended
as its successor.
Note that when this merges, a manual database edit will be required
to associate every user's new ID with their existing accounts, so
this should only be merged when we're ready to do that part just
prior to deploying and then check it again after to make sure we
didn't race any user additions.
Change-Id: I2716e469bc61e53645c23d362b8637bab0a32bb1
The old openstack-track-chairs mailing list was retired recently.
This new summit-programming-committee list will take its place.
Change-Id: I4e0c3fc65e0da8f17dec518a867e4b0a59ead94b
The following OpenInfra Foundation mailing lists are no longer
required (some were never used at all, some haven't had a post in
many years):
* admin-cert-wg
* ambassadors
* analyst-relations
* app-catalog-admin
* defcore-committee
* foundation-testing-standards
* nov-2013-track-chairs
* openstack-track-chairs
* openstack-travel-committee
* superuser
* tax-affairs
Remove them from our configuration, they'll be manually retired with
the rmlist command once this merges (leaving any public archives
behind for historical reference).
Change-Id: I30dcdd52aa16bed8af866f629d85fde3b9502fa1
The edge-computing discussion list is not OpenStack-specific. It was
originally included on the lists.openstack.org site when we didn't
yet have a more neutral list hosting location. While we're in the
process of moving other non-OpenStack mailing lists off the
lists.openstack.org site, rehome this one to lists.opendev.org by
setting up address forwarding and Web redirects, and moving the
existing mailman list entry for it in our configuration.
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: If5207f0237bee1571924855b769a22d653964af7
In keeping with its name change to the Open Infrastructure
Foundation, the summit sponsors mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and move the existing
mailman list entry for it in our configuration.
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I29e1e94885fd16b0edd7001662f367caec591439
In keeping with its name change to the Open Infrastructure
Foundation, the foundation marketing mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: Ibadc4bfc430656286774e25b4dce6d8e29b5acf7
In keeping with its name change to the Open Infrastructure
Foundation, the foundation gold member mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I6cd92e052b26705bd16a4b38b3725248cb5691fd
In keeping with its name change to the Open Infrastructure
Foundation, the confidential board mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I191676bcb7f878afab17ec3c1735219d91b4de4d
In keeping with its name change to the Open Infrastructure
Foundation, the foundation board mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: Idcac72c067fab66b6322f08c027e9c451a488ca3
In keeping with its name change to the Open Infrastructure
Foundation, the foundation community mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I9fff3b920a7fd0f75a3cc7a704003eeb3aab4d8a
In keeping with its name change to the Open Infrastructure
Foundation, the general foundation mailing list is moving from
lists.openstack.org to lists.openinfra.dev. Set up address
forwarding and Web redirects to reflect this, and add a mailman list
entry for it (there's no old one to remove as it wasn't previously
included in our configuration).
Note that this should be a no-op when it merges, as the list move
will be handled manually while deployment is temporarily disabled
for the server.
Change-Id: I367dd2a3d9a1c70c14915efa729d643419375060
Add secondary vhosts for HTTPS to each mailman site, but don't
remove the plain HTTP ones for now. Before switching to Mailman 3
we'll replace the current HTTP vhosts with blanket redirects to
HTTPS.
Add tests to make sure this is working, and also add a command-line
test for the lists.openinfra.dev site now that it's got a first
non-default list of its own. Also collect Apache logs from the test
nodes so we can see for sure what might break.
Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
We're going to want Mailman 3 served over HTTPS for security
reasons, so start by generating certificates for each of the sites
we have in v2. Also collect the acme.sh logs for verification.
Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
Once the staff mailing list has been migrated to its new Mailman
site, merge this in order to forward posts destined for its old
address to the new one.
Add a test to make sure domain aliases are being written as expected.
Change-Id: I5fea8e9ee6460417283c0ed7339d0dd447b2ff63
This is a new mailing list into which the current staff ML from the
lists.openstack.org site will be manually migrated. The existing one
is not included in our current configuration anyway, but a followup
change will set up an appropriate forward for its old address once
migration is complete.
Change-Id: I15f47d210e38a8f04925ffba27e44b2ad5e97dd5
In order to be able to redirect list addresses which have moved from
one domain to another, we need a solution to alias the old addresses
to the new ones. We have simple aliases but they only match on the
local part. Add a new /etc/aliases.domain which matches full
local_part@domain addresses instead. Also collect this file in the
Mailman deployment test for ease of inspection.
Change-Id: I16f871e96792545e1a8cc8eb3834fa4eb82e31c8
Mailman uses a (usually hidden) mailing list named "mailman" to
handle things like password reminders and certain other sorts of
notifications. We have one in the configuration for all the sites on
lists.openstack.org but not on lists.katacontainers.io, even though
the production server has one. Not creating this list will cause
the services to fail to start, and since we want to test restarting
them in an upcoming change, add the missing entry (it will be a
no-op in production anyway).
Change-Id: If06d9d060e40055f95c1df337eb6f32c6064a89f
This adds a keycloak server so we can start experimenting with it.
It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745 )
We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec. However,
I am unable to test federation with openstackid due to its inability to
configure an oauth app at "localhost". Therefore, we will need an
actual deployed system to test it. This should allow us to do so.
It will also allow us to connect realms to the newly available
Zuul admin api on opendev.
It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it. That would allow us to drive
change to the configuration of the system through code review. Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental. Once we have a realm
configuration that we like (which we will create using the GUI), we
can choose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
export.
My understanding is that all the data (realms configuration and session)
are kept in an H2 database. This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.
This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html
We can re-deploy with a new domain when it exists.
Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753
Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
This makes the haproxy role more generic so we can run another (or
potentially even more) haproxy instance(s) to manage other services.
The config file is moved to a variable for the haproxy role. The
gitea specific config is then installed for the gitea-lb service by a
new gitea-lb role.
statsd reporting is made optional with an argument. This
enables/disables the service in the docker compose.
Role documentation is updated.
Needed-By: https://review.opendev.org/678159
Change-Id: I3506ebbed9dda17d910001e71b17a865eba4225d
The Open Infrastructure Foundation has a number of mailing lists
located in the lists.openstack.org site due to historical reasons
(from when they were the OpenStack Foundation). In order to better
disambiguate their mailing lists, a new Mailman site is being
created into which they'll be moved, leaving the old site
exclusively for OpenStack project-specific lists.
As a first step, create the new lists.openinfra.dev site with the
default "mailman" meta-list (which will be hidden once created).
Subsequent changes will create new lists, and remove/redirect the
old ones once configuration is manually replicated.
Change-Id: I64770fbc33184374f1d24f4a2c234f849ab47bce