As a follow-on to Ie37abb4fd3eb3342b66ade52ab65024c420d7264 remove the
linaro credentials that were related to the (now removed) linaro-cn1
cloud.
Change-Id: Ia1e8dd3732164708c2e9fd82509e350829c438ba

We're retiring ubuntu-trusty and thus do not need instructions on
uploading these images anymore. Remove the openstackci-images section.
Change-Id: I2b1491836f29fa72bc6eda62e427084ac43b5e1a

haproxy-statsd uses opendevorg/python-base already. Add that to its
job dependencies and make sure it triggers on updates to python-base.
Update the FROM line to be fully qualified.
Change-Id: I9c8e8094f5570bf44076915610cd1be6d95ed326

This was missed when converting the registry server over to LE in
production. We need to test it this way too.
Change-Id: Ic2a05ebeae6991b69c000d5269165a45a0c72d38

Apache doesn't have a reload, but it has something almost as good: a
"graceful" restart. This begins accepting connections while existing
ones wind down, rather than terminating them prematurely. Most
distributions (including the ones we use) map this to the "reload"
action of their SysV initscripts or systemd service units for
Apache. As a result, we can be nicer to our users by applying the
"reloaded" state to the service module for it in our Ansible role
when Let's Encrypt SSL certs are replaced.
Change-Id: Iac3fad3d0d8216914d94a42f7705e07cef741847

The review-dev service playbook should do everything now that
the puppet did. Update how we're running things.
Change-Id: I70303c48328ea6713c24bf9c6f63d4808d30b95c

This adds a new handler to restart the zuul registry to pick up the new
cert. We may want to consider updating zuul registry to accept a reload
of ssl config without restarting the service.
Depends-On: https://review.opendev.org/702050
Change-Id: I23f6bea68285bc7cb0d12224235eaa16f0d07986

This name/host doesn't actually exist so don't try issuing a cert for
it. Instead only issue a cert for zuul.opendev.org.
Change-Id: I6c8eaa9280c3d6f070b8a1c79d850ee42e0e8d50

This change switches the post bits to use a new centralized
role to collect all container logs.
Depends-On: https://review.opendev.org/701867
Change-Id: I9e982b37518c22e6d5358f7604ebc7f56b0626e3

This provisions the cert but does not use it yet. We will do the
switchover once the cert is confirmed to be in place.
Depends-On: https://review.opendev.org/701819
Change-Id: I04fee48b9a79758527d8f9e8128c0fa915cd133e

If a host is offline, Ansible will not have set the required txt
keys host variable for that host. When the task to update the
dns master with new txt records runs, it will fail due to an
undefined variable:
    'ansible.vars.hostvars.HostVarsVars object' has no attribute 'acme_txt_required'
This supplies a default value so that in that case, the task may
proceed and other hosts will have their LE certs serviced.
Change-Id: I62efbe086d801d803b2f2c3223ece8f608c668a1

We were setting the cert file contents to the paths rather than updating
the paths to point at the new LE certs. Fix this by setting the _file
vars which update the path.
This includes a partial revert of the previous change to not switch
git.zuul-ci.org over to LE as we haven't provisioned an LE cert for it
yet.
Change-Id: I41c2aa1d03afba4ebf6378e9abf8276154666df7

The insecure-ci-registry.opendev.org service uses an X.509 cert on
5000/tcp, so we should track this to catch when it's going to
expire.
Change-Id: I5d18599e5b5b258ce158f964cb1ff95df6dc6d92

The ssldomains file we use for our cert check is getting longish,
and sorting it will make entries easier to find.
Change-Id: Iad182ecee45274d6c8f336a97d20a3130e4b8abe