This was running on all group var updates but we only need to run it
when refstack group vars update. Change the file requirements to match
the refstack.yaml group file to address this.
Change-Id: Id5ed4b65c1ed6566696fea9a33db27e9318af1a6
This plugin was updated to accomodate the ${hash} substition in gerrit
gitweb weblinks. We now need this updated version to build Gerrit
successfully but there is no tag for it yet. Just use the branch to
address this.
Change-Id: I4b0fd4ac845cc4289f78aacfa536db4185f12d38
The dependent change enables the "detect-ref" option of hound, which
looks at the remote origin HEAD and indexes on that. That should
allow indexing of our mixed repos that have a mix of "master" and
"main".
Add cirros to the test, which should exercise this path, and take some
screenshosts because this a js/react app and just a "curl" doesn't
help.
Change-Id: I1850577c63566b594f9730f5b8f0bc10b07ff7e4
Depends-On: https://review.opendev.org/c/opendev/jeepyb/+/830919
We have validated that the log encryption/export path is working, so
turn it on for all prod jobs.
Change-Id: Ic04d5b6e716dffedc925cb799e3630027183d890
Based on the changes in I5b9f9dd53eb896bb542652e8175c570877842584,
enable returning encrypted log artifacts for the codesearch production
job, as an initial test.
Change-Id: I9bd4ed0880596968000b1f153c31df849cd7fa8d
Our production jobs currently only put their logging locally on the
bastion host. This means that to help maintain a production system,
you effectively need full access to the bastion host to debug any
misbehaviour.
We've long discussed publishing these Ansible runs as public logs, or
via a reporting system (ARA, etc.) but, despite our best efforts at
no_log and similar, we are not 100% sure that secret values may not
leak.
This is the infrastructure for an in-between solution, where we
publish the production run logs encrypted to specific GPG public keys.
Here we are capturing and encrypting the logs of the
system-config-run-* jobs, and providing a small download script to
automatically grab and unencrypt the log files. Obviously this is
just to exercise the encryption/log-download path for these jobs, as
the logs are public.
Once this has landed, I will propose similar for the production jobs
(because these are post-pipeline this takes a bit more fiddling and
doens't run in CI). The variables will be setup in such a way that if
someone wishes to help maintain a production system, they can add
their public-key and then add themselves to the particular
infra-prod-* job they wish to view the logs for.
It is planned that the extant operators will be in the default list;
however this is still useful over the status quo -- instead of having
to search through the log history on the bastion host when debugging a
failed run, they can simply view the logs from the failing build in
Zuul directly.
Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/828818/
Change-Id: I5b9f9dd53eb896bb542652e8175c570877842584
This should act as a sanity check that the puppet modules that we are
planning to retire are not used. The jobs updated here run puppet noop
applies and should confirm we don't have transitive needs for this
modules.
Change-Id: Ie4c7b809b22e9bded65a17876a9eb98195fc8910
This triggers the test job on changes to any gitea.* roles, including
gitea-lb which wasn't included before.
It also removes the letescrypt job as a soft dependency from the lb
jobs since that is not strictly necessary.
Change-Id: Ie5bcd4d8215bb14d939dddf3e20d3173ccc0acdc
We removed the promote jobs for Gerrit 3.3 images but left them in place
as infra-prod-service-review dependencies. Fix that by updating the
infra prod job dependencies to the job for Gerrit 3.4 image promotion.
Change-Id: If2277799db91ea61aaffafb600f403531a0fb562
This reenables Gerrit upgrade testing but tests the 3.4 to 3.5 upgrade
now. Note this may need some work to get happy once we have 3.5 images
which is why we've split it out into a separate change.
Change-Id: Ibbbd3f98ac2df8d99d4ffda57df59f4a47da3cd3
This will build gerrit 3.5 images and run it through our standard Gerrit
testing. Upgrade testing from 3.4 to 3.5 to follow in followup changes.
Change-Id: I76d0389d1455e62b242aad1926b3a09830301801
We've upgraded to 3.4 and don't appear to be reverting. Remove the 3.3
images as they are no longer needed.
Note we comment out the review upgrade testing jobs until we have 3.5
images building.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/827562
Change-Id: I0e3cb81b790ab06c690ed0245526e4f47911c584
We dropped making our own grafana container with with
If0d584f848f213aeea385885e3decfaee6303de5, so we don't need this job
any more.
Change-Id: Ide212f25cda6d25e5cc31b0e8d2a65f3759bafdd
Instead of building a local grafana image with grafyaml installed,
use the plain upstream grafana image along with the newly created
separate opendev grafyaml image to run the dashboards.
Depends-On: https://review.opendev.org/780119
Change-Id: If0d584f848f213aeea385885e3decfaee6303de5
This testing is primarily for the openafs role. We may need
https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/824236 to
land first and update packages specifically for centos-8-stream before
this is mergeable. But CentOS 8 is EOL so we don't have much choice.
Change-Id: Idbd85c8f49cd169ee17f1b09db2de8bd36a52950
Some spring cleaning now that bullseye is available. While we are at it
we fix up the job requires and provides for the related image building
and service testing jobs too.
Change-Id: I8a392e06df66b2e0c85157e61e529bb649d8ad58
The comments around the organization of these plugins wasn't accurate.
Instead of grouping them by git repo state group them by what
functionality they affect.
Change-Id: I6a21574e7079b7ddda520f727bef5562e5999126
This includes the fixes for right to left unicode that we've already
picked up, but now in an official release. It also updates Elasticsearch
support to prevent use with elasticsearch versions that are vulnerable
to log4shell. We don't use elasticsearch with Gerrit so this doesn't
affect us.
Change-Id: Ifbba7391bd16bc20c003293030a71e0ea787d0c7
Add secondary vhosts for HTTPS to each mailman site, but don't
remove the plain HTTP ones for now. Before switching to Mailman 3
we'll replace the current HTTP vhosts with blanket redirects to
HTTPS.
Add tests to make sure this is working, and also add a command-line
test for the lists.openinfra.dev site now that it's got a first
non-default list of its own. Also collect Apache logs from the test
nodes so we can see for sure what might break.
Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
We're going to want Mailman 3 served over HTTPS for security
reasons, so start by generating certificates for each of the sites
we have in v2. Also collect the acme.sh logs for verification.
Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
In order to be able to redirect list addresses which have moved from
one domain to another, we need a solution to alias the old addresses
to the new ones. We have simple aliases but they only match on the
local part. Add a new /etc/aliases.domain which matches full
local_part@domain addresses instead. Also collect this file in the
Mailman deployment test for ease of inspection.
Change-Id: I16f871e96792545e1a8cc8eb3834fa4eb82e31c8
Mailman utilizes on-disk queues to store its actions, so doesn't act
unless its queue runners are operating. They're not started at
setup, so perform a service restart to make sure they're running in
our tests.
Change-Id: I4365f6111d4d394ed7f845660d9f342551c31e80
This is general spring cleaning that we are going to try and do for our
images now that bullseye is out.
Change-Id: Iad8f5b76896b88a6aafbfba0c38d0749b9d5c88f
This is a typo from the job shuffle in
I8f6150ec2f696933c93560c11fed0fd16b11bf65 -- this should be a soft
dependency.
It is currently causing periodic jobs to fail
Change-Id: Ia420e74a1d64b12b63b1697e61992c46119451dc
It's good to be able to look at the MTA logs and see whether
anything's (attempted to be) sent, since we block SMTP egress from
these test nodes by default.
Change-Id: I02154f2b1b6cfdf1c3914d3877c80c9289057057