Commit Graph

301 Commits

Author SHA1 Message Date
Jeremy Stanley
81f8cdfb7b Add HTTPS vhosts to mailman servers
Add secondary vhosts for HTTPS to each mailman site, but don't
remove the plain HTTP ones for now. Before switching to Mailman 3
we'll replace the current HTTP vhosts with blanket redirects to
HTTPS.

Add tests to make sure this is working, and also add a command-line
test for the lists.openinfra.dev site now that it's got a first
non-default list of its own. Also collect Apache logs from the test
nodes so we can see for sure what might break.

Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
2021-12-20 20:35:14 +00:00
Jeremy Stanley
fa0c1b495c Generate HTTPS certs for Mailman sites
We're going to want Mailman 3 served over HTTPS for security
reasons, so start by generating certificates for each of the sites
we have in v2. Also collect the acme.sh logs for verification.

Change-Id: I261ae55c6bc0a414beb473abcb30f9a86c63db85
2021-12-17 22:25:22 +00:00
Zuul
ef24d3e9ce Merge "Add a domain aliases mechanism to lists.o.o" 2021-12-16 23:14:15 +00:00
Jeremy Stanley
1addce7dbc Add a domain aliases mechanism to lists.o.o
In order to be able to redirect list addresses which have moved from
one domain to another, we need a solution to alias the old addresses
to the new ones. We have simple aliases but they only match on the
local part. Add a new /etc/aliases.domain which matches full
local_part@domain addresses instead. Also collect this file in the
Mailman deployment test for ease of inspection.

Change-Id: I16f871e96792545e1a8cc8eb3834fa4eb82e31c8
2021-12-16 19:22:11 +00:00
Zuul
a1885ef992 Merge "Update limboria ircbot to bullseye" 2021-12-15 22:27:33 +00:00
Zuul
8ee2833521 Merge "Restart mailman services when testing" 2021-12-15 19:05:12 +00:00
Zuul
d328a7dd8b Merge "Collect mailman logs in deployment testing" 2021-12-15 17:46:38 +00:00
Zuul
29fbc1f078 Merge "Update matrix-eavesdrop image to bullseye" 2021-12-15 17:46:36 +00:00
Jeremy Stanley
333534fa9f Restart mailman services when testing
Mailman utilizes on-disk queues to store its actions, so doesn't act
unless its queue runners are operating. They're not started at
setup, so perform a service restart to make sure they're running in
our tests.

Change-Id: I4365f6111d4d394ed7f845660d9f342551c31e80
2021-12-15 17:42:55 +00:00
Zuul
433a744205 Merge "Copy Exim logs in system-config-run jobs" 2021-12-15 16:32:35 +00:00
Zuul
57d5e116a0 Merge "Update the accessbot image to bullseye" 2021-12-14 23:40:39 +00:00
Zuul
63fb188aa3 Merge "Update the hound image to bullseye" 2021-12-13 22:08:29 +00:00
Clark Boylan
22957c6549 Update limboria ircbot to bullseye
Spring cleaning updates of our docker images now that bullseye is out.

Change-Id: I5e4b84edd2c5a8e196659e4815c5b349c0226393
2021-12-13 09:22:17 -08:00
Clark Boylan
ed0526cd8b Update the accessbot image to bullseye
This is general spring cleaning that we are going to try and do for our
images now that bullseye is out.

Change-Id: Iad8f5b76896b88a6aafbfba0c38d0749b9d5c88f
2021-12-13 09:18:56 -08:00
Clark Boylan
b07d5eca37 Update matrix-eavesdrop image to bullseye
Just some spring cleaning now that bullseye is released.

Change-Id: I9641dae9ee7679fb45bef93e770f69d9673d75bf
2021-12-13 09:12:10 -08:00
Clark Boylan
8530ed39a1 Update the hound image to bullseye
Just some spring cleaning now that bullseye has released.

Change-Id: I1202400932860a04841d376b9f10beb89acc175c
2021-12-13 09:04:20 -08:00
Ian Wienand
5a215e0654 infra-prod: fix infra-prod-service-zookeeper soft dependency
This is a typo from the job shuffle in
I8f6150ec2f696933c93560c11fed0fd16b11bf65 -- this should be a soft
dependency.

It is currently causing periodic jobs to fail

Change-Id: Ia420e74a1d64b12b63b1697e61992c46119451dc
2021-12-13 11:01:45 +11:00
Clark Boylan
999edcc88b Remove melody
We don't need this plugin right now

Change-Id: I7b2f0d831579076d890ef8dd3bbe6e14fa1371bc
2021-12-10 10:00:41 -08:00
Jeremy Stanley
ca2455c57b Collect mailman logs in deployment testing
Get the logs from the test mailman deployments for inspection in
build results.

Change-Id: I68ea634d6048691bf14a573e66983038bc485f3c
2021-12-09 18:46:43 +00:00
Jeremy Stanley
ce18a45a16 Copy Exim logs in system-config-run jobs
It's good to be able to look at the MTA logs and see whether
anything's (attempted to be) sent, since we block SMTP egress from
these test nodes by default.

Change-Id: I02154f2b1b6cfdf1c3914d3877c80c9289057057
2021-12-09 18:46:43 +00:00
Ian Wienand
73a9acc7ad Rename install-ansible to bootstrap-bridge
This used to be called "bridge", but was then renamed with
Ia7c8dd0e32b2c4aaa674061037be5ab66d9a3581 to install-ansible to be
clearer.

It is true that this is installing Ansible, but as part of our
reworking for parallel jobs this is the also the synchronisation point
where we should be deploying the system-config code to run for the
buildset.

Thus naming this "boostrap-bridge" should hopefully be clearer again
about what's going on.

I've added a note to the job calling out it's difference to the
infra-prod-service-bridge job to hopefully also avoid some of the
inital confusion.

Change-Id: I4db1c883f237de5986edb4dc4c64860390cc8e22
2021-12-07 16:24:53 +11:00
Ian Wienand
362d8fa147 Update bridge playbook match
This playbook was renamed "install-ansible.yaml" with
Ia7c8dd0e32b2c4aaa674061037be5ab66d9a3581

We want all jobs to match on this; it will make them run if we update
the ansible version on the bastion host, bridge.

Change-Id: Id38fc39f8f6b4d8f532eb9796259e8f4bf18d861
2021-12-07 16:24:41 +11:00
Zuul
94bc7c1455 Merge "Add a keycloak server" 2021-12-04 16:50:26 +00:00
James E. Blair
e79dbbe6bb Add a keycloak server
This adds a keycloak server so we can start experimenting with it.

It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745 )

We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec.  However,
I am unable to test federation with openstackid due its inability to
configure an oauth app at "localhost".  Therefore, we will need an
actual deployed system to test it.  This should allow us to do so.

It will also allow use to connect realms to the newly available
Zuul admin api on opendev.

It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it.  That would allow us to drive
change to the configuration of the system through code review.  Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental.  Once we have a realm
configuration that we like (which we will create using the GUI), we
can chose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
export.

My understanding is that all the data (realms configuration and session)
are kept in an H2 database.  This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.

This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html

We can re-deploy with a new domain when it exists.

Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753
Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
2021-12-03 14:17:23 -08:00
Jeremy Stanley
1987f86a9a Revert "infra-prod: clone source once"
This reverts commit 42df57b545.
This reverts commit 9cccb02bb0.

Change-Id: I56be9bcf54b634b7403e71af8b4d08d234cbb91a
Depends-On: https://review.opendev.org/820251
2021-12-02 19:18:43 +00:00
Zuul
89597880ec Merge "Upgrade to gerrit 3.3.8" 2021-12-02 03:14:10 +00:00
Dr. Jens Harbott
26805b2bb5
Fix name for haproxy-statsd dependency
Mixed up with gitea-lb naming.
Fixes I19db98fcec5715c33b62c9c9ba5234fd55700fd8

Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Change-Id: I91d077102904a2144d12bc60eb7341f1065473b4
2021-12-01 17:32:31 +01:00
Ian Wienand
42df57b545 infra-prod: fix name of clone source job
This was introduced with I19db98fcec5715c33b62c9c9ba5234fd55700fd8

opendev-infra-prod-setup-src is the abstract parent job, we should be
using infra-prod-setup-src.

Change-Id: I7fdefe7ce60ab248f9a90b6be363eefc826f8e1f
2021-12-01 13:48:44 +11:00
Clark Boylan
4285b40928 Upgrade to gerrit 3.3.8
There are new gerrit releases. This change updates our production 3.3
image to 3.3.8. We also update Our 3.4 image to 3.4.2 to keep up there.

Release notes for both:

  https://www.gerritcodereview.com/3.3.html#338
  https://www.gerritcodereview.com/3.4.html#342

Seems to largely be bugfixes and reindexing improvements.

Change-Id: Iae8aa403b4001937320767d4166a6af2bc89a2ea
2021-11-29 16:18:15 -08:00
Ian Wienand
9cccb02bb0 infra-prod: clone source once
The current opendev-infra-prod-base job sets up the executor to log
into bridge AND copies in Zuul's checkout of system-config to
/home/zuul/src.

This presents an issue for parallel operation, as every production job
is cloning system-config ontop of each other.

Since they all operate in the same buildset, we only need to clone
system-config from Zuul once, and then all jobs can share that repo.

This adds a new job "infra-prod-setup-src" which does this.  It is a
dependency of the base job so should run first.

All other jobs now inhert from opendev-infra-prod-setup-keys, which
only sets up the executor for logging into bridge.

Change-Id: I19db98fcec5715c33b62c9c9ba5234fd55700fd8
Depends-On: https://review.opendev.org/c/opendev/base-jobs/+/807807
2021-11-18 10:31:16 +11:00
Ian Wienand
d0467bfc98 Refactor infra-prod jobs for parallel running
Refactor the infra-prod jobs to specify dependencies so they can run
in parallel.

Change-Id: I8f6150ec2f696933c93560c11fed0fd16b11bf65
2021-11-18 10:31:11 +11:00
Zuul
7ef6520aad Merge "Update zookeeper-statsd to python3.9 on bullseye" 2021-11-05 20:46:07 +00:00
Clark Boylan
0f51ccf87f Update zookeeper-statsd to python3.9 on bullseye
We're currently on python3.9 on buster.

Change-Id: Ib8be56d44c89850cd63d700694cda174aa2efa4f
2021-11-04 16:49:04 -07:00
Clark Boylan
fd0aba7445 Update haproxy-statsd to bullseye and python3.9
We should generally try to keep these things up to date so do it now.

Change-Id: I59c21959094a87eb5a1e6f80e0a72be47370c072
2021-11-04 15:53:35 -07:00
Zuul
9c29fd8324 Merge "Remove the gerrit group in favor of the review group" 2021-10-22 16:15:56 +00:00
Clark Boylan
2f11da87b0 Build Gerrit 3.3.7 images
This updates our Gerrit 3.3 images to the new 3.3.7 release.

Change-Id: Ib676be49bcc9cd4633dbe6fe87dd6e3a32185a55
2021-10-14 11:46:44 -07:00
Zuul
b1e65bf085 Merge "Switch test gerrit hostname to review99.opendev.org" 2021-10-13 17:47:53 +00:00
Zuul
0017bdc468 Merge "Replace testing group vars with host vars for review02" 2021-10-13 17:16:31 +00:00
Zuul
da1bd39a2a Merge "Remove Gerrit 3.2 images" 2021-10-12 20:59:11 +00:00
Clark Boylan
cf91bc0971 Remove the gerrit group in favor of the review group
Having two groups here was confusing. We seem to use the review group
for most ansible stuff so we prefer that one. We move contents of the
gerrit group_vars into the review group_vars and then clean up the use
of the old group vars file.

Change-Id: I7fa7467f703f5cec075e8e60472868c60ac031f7
2021-10-12 09:48:53 -07:00
Clark Boylan
63f5674e6f Switch test gerrit hostname to review99.opendev.org
Previously we had set up the test gerrit instance to use the same
hostname as production: review02.opendev.org. This causes some confusion
as we have to override settings specifically for testing like a reduced
heap size, but then also copy settings from the prod host vars as we
override the host vars entirely. Using a new hostname allows us to use a
different set of host vars with unique values reducing confusion.

Change-Id: I4b95bbe1bde29228164a66f2d3b648062423e294
2021-10-12 09:48:53 -07:00
Clark Boylan
76baae4e3f Replace testing group vars with host vars for review02
Previously we had a test specific group vars file for the review Ansible
group. This provided junk secrets to our test installations of Gerrit
then we relied on the review02.opendev.org production host vars file to
set values that are public.

Unfortunately, this meant we were using the production heapLimit value
which is far too large for our test instances leading to the occasionaly
failure:

  There is insufficient memory for the Java Runtime Environment to continue.
  Native memory allocation (mmap) failed to map 9596567552 bytes for committing reserved memory.

We cannot set the heapLimit in the group var file because the hostvar
file overrides those values. To fix this we need to replace the test
specific group var contents with a test specific host var file instead.
To avoid repeating ourselves we also create a new review.yaml group_vars
file to capture common settings between testing and prod. Note we should
look at combining this new file with the gerrit.yaml group_vars.

On the testing side of things we set the heapLimit to 6GB, we change the
serverid value to prevent any unexpected notedb confusion, and we remove
replication config.

Change-Id: Id8ec5cae967cc38acf79ecf18d3a0faac3a9c4b3
2021-10-12 09:48:45 -07:00
Zuul
721b832b16 Merge "letsencrypt: avoid running on handler changes" 2021-10-11 23:35:39 +00:00
Zuul
b75da802ca Merge "Test upgrade from Gerrit 3.3 to 3.4" 2021-10-11 23:35:34 +00:00
Zuul
4a557023db Merge "Test ansible-devel with an ubuntu-focal bridge.o.o" 2021-10-11 20:13:36 +00:00
Ian Wienand
432a995184 gerrit: diff config files on upgrade
This ensures we don't miss things gerrit might update in config files

Change-Id: I28cd18f7a180d9f8968441b35642f74cb0c42e34
2021-10-11 18:29:06 +11:00
Zuul
39285a57e4 Merge "Start building gerrit 3.4" 2021-10-10 22:30:40 +00:00
Zuul
fed8ec476b Merge "Upgrade Gerrit to 3.3" 2021-10-10 20:45:48 +00:00
Clark Boylan
46faa6626b Remove Gerrit 3.2 images
This should be merged after we are on 3.3 and happy with the state of
things.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/813081
Change-Id: I4173df5e4ae38af6423402be0299470323762da2
2021-10-07 20:07:38 +00:00
Clark Boylan
0f6c29c0ee Test upgrade from Gerrit 3.3 to 3.4
This shifts our Gerrit upgrade testing ahead to testing 3.3 to 3.4
upgrades as we have upgraded to 3.3 at this point.

Change-Id: Ibb45113dd50f294a2692c65f19f63f83c96a3c11
2021-10-07 11:57:04 -07:00