This adds a keycloak server so we can start experimenting with it.
It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745)
We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec. However,
I am unable to test federation with openstackid due to its inability to
configure an oauth app at "localhost". Therefore, we will need an
actual deployed system to test it. This should allow us to do so.
It will also allow us to connect realms to the newly available
Zuul admin api on opendev.
It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it. That would allow us to drive
change to the configuration of the system through code review. Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental. Once we have a realm
configuration that we like (which we will create using the GUI), we
can choose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
export.
My understanding is that all the data (realms configuration and session)
are kept in an H2 database. This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.
This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html
We can re-deploy with a new domain when it exists.
Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753
Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
The Open Infrastructure Foundation's developers who maintain the
OpenStackID software are taking over management of the site itself,
and have deployed it on new servers. DNS records have already been
updated to the new IP address, so it's time to clean up our end in
preparation for deleting the old servers we've been running.
OpenStackID is still used by some services we run, like RefStack and
Zanata, and we're still hosting the OpenStackID Git repository and
documentation, so this does not get rid of all references to it.
Change-Id: I1d625d5204f1e9e3a85ba9605465f6ebb9433021
The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.
Change-Id: I59b419cf112d32f20084ab93eb6f2417a7f93fdb
Once we are satisfied that we have disabled the inputs to firehose we
can land this change to stop managing it in config management. Once that
is complete the server can be removed.
Change-Id: I7ebd54f566f8d6f940a921b38139b54a9c4569d8
We've got some old out of date docs in some places. This isn't even
a full reworking, but at least tries to remove some of the more
egregiously wrong things.
Change-Id: I9033acb9572e1ce1b3e4426564b92706a4385dcb
Update the Zuul v3 page with correct links and description of promote
pipeline and remove the now obsolete note - and follow it with renaming
the document to zuul.
Change-Id: I9c89cb56d4a318f3a234e7f2f08dabb46d0dfab6
The OpenStack/OpenDev PPA repositories are currently undocumented.
Add some information on where to find things.
Change-Id: Iea03c5d558b3dd6af9f7c860dfcc75a71dc59d9f
There's a lot of these, so doing them in chunks. This fixes
the custom roles.
Remove the git and jjb docs, since we don't use them anymore.
Change-Id: I0c5b74f7b73315dac93bce6be0d920cddb94fb58
Bandersnatch mirroring has been disabled since
I88a838cb28fee3bd16b2b0a26e614ac5c2f23241 which is currently almost 6
months ago. Since then we have been running a reverse caching proxy.
Although bandersnatch served us well, it seems pypi has become
impractical to mirror locally. This is partially due to 2TB volume
limitations of OpenAFS and partially due to us not having a sane way
to filter large, frequently updating packages. With the reverse proxy
working there are no plans to restore our local mirror.
Retire the references to it before we clean up the AFS volumes.
Change-Id: Ia23828328dd859bbf26f95735c1c2e99c573d10e
stackalytics.openstack.org does not resolve and seems very dead. Remove
its node from site.pp and remove it from the docs to avoid confusion
about what servers we're really managing. We can always add it back when
the time comes to try again.
Change-Id: I733130ebe97ae7e06ca57b3c8e3a8708fcfa069c
This patch creates the documentation for the survey service.
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
Change-Id: Ie602a952b58c5f5200518cb31218097bddd5b747
Story: 2000691
Add some documentation on reprepro, including some recovery techniques
gleaned from the battlefield.
Change-Id: I3368dedc1b9a769a1c8f5e8fe831d059ff23875b
We're running a zuulv3 and it has several pieces. Make a place that we
can start documenting the sysadmin of the system. Once we go live we can
remove the old zuul.rst and move zuulv3.rst to take its place.
Change-Id: I3efaa8026f9d1c67e765ca79594b2768f0fa2fbf
While adding the last patch, I noticed the comment from doug about the
entries missing from the TOC that were added to a hidden section. I can
see no reason for these to be hidden, so add them to the main TOC.
Also, there's a warning about an invalid ref in the firehose document.
Fix it.
Change-Id: I86663407356aca0cadd633122a0257ad63d0297c
We want to start encrypting our gearman traffic for zuulv3, as such
we'll need to bring online a CA service. The idea here, is we create a
new CA for each interconnecting service we want SSL certs for.
As an example /etc/zuul-ca will be used to generate SSL certs for our
gearman service.
Change-Id: I8c341559292c78d5428fe16837f28494a76e65db
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
This commit starts a new page for documenting the firehose schema. Right
now it only includes the schema for gerrit events, but it will be
expanded in future patches to include the other services reporting.
Hopefully this will serve as a better guide for people to actually be
able to consume events from firehose.
Change-Id: I2157f702c87f32055ba2fad842a05e31539bc857
Create the signing01.ci.openstack.org job node and puppet the
signing subkey onto it via pubring.gpg and secring.gpg files stored
in private hiera. Also set up some basic configuration and packages
on the management bastion to aid in key management/rotation, and add
the beginnings of administrative documentation for this.
Change-Id: Iecddb778994a38f7898e0c20e7f3f8e93f0a7f60
Depends-On: I70c3b82185681ee64791cda653360c26a93bd466
Story: #2000336
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
This works almost the same way as JJB. Dashboards are stored in yaml,
puppet detects a file change, and grafana-dashboard publishes the
changes into grafana.
Change-Id: I91d539bdf7273a26dbd6ac46268bf5f98b1ea44f
Depends-On: I2755fe4fee720c7805eed2cb5bdf11de667bbd4f
Depends-On: I07577d72b2d5d6a552a9f50f551263fe3ac47dfb
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This implements the refstack Puppet module on a server named
refstack.openstack.org, where hosting of the refstack repo data
and site content will move in the near future.
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
Co-Authored-By: Paul Van Eck <pvaneck@us.ibm.com>
Change-Id: I628e190851fa6d266f612372ab03b7d6c65764ea
Depends-On: I470d7f5ebeee9949f6dd58d48a580d94866df0fd
This commit adds documentation and a module entry
for the apps_site puppet module which will host
the content for the OpenStack Community App
Catalog.
Change-Id: Ie1c53b6591135f9833e8f83ca7da82984cd68282
Depends-On: Ic9aa9385970ba98c50e915ffa8127ef0182744db
Add ask.openstack.org to openstack-infra. Setup an all-in-one
askbot site based on existing deployment, including apache,
redis, apache solr, postgresql. See askbot.rst for further
details. Refactored to depend on vamsee's puppet solr module.
Depends-On: Iffe07d3a34087cb15151787bc683208425a27594
Change-Id: I36504eac7b953c3cce3e21a3559ac95b1bc12da7
Step one in an AFS cell is getting kerberos working. This does not
provide end-to-end KDC management - the realm still needs to be
created by hand.
Change-Id: I891d784d676ab79e7aca9c883dd9e705a30db6e5
It's probably about time we added this page, especially
so that we can point people at documentation when they ask
"how do I add a project to StoryBoard".
Change-Id: I6e82ad97ab2c7ba9862b359d5a72266736eea6d1
We use bandersnatch to mirror pypi now and that should be documented.
Add all the usual header information with quick links to useful places
like local config and upstream bug trackers. Also, note how we run
bandersnatch and details on detecting and correcting stale packages on
pypi preventing local syncs.
Change-Id: I98db04c19c427335a4786a7923982fabcf57051b
Add page to our CI documentation about the elastic-recheck project
so people can find the full docs and configuration details.
Change-Id: I846d811e5b154c0e555d3458bc74920baf0be971
This initial basic nodepool document provides links to the manifests and
configuration for nodepool so people have a starting point to figure out
how it works, as well as a simple description of its purpose.
Change-Id: I3cc4e59e1e5ba4d62fd16c0da79d75352e9d78f0
Specify what is running on the new git server, add basic
SELinux, replication and jeepyb details.
Also add to list of systems.
Change-Id: I027fa00cf6b6cee8b73fa844983cc82d465617ef