Commit Graph

96 Commits

Author SHA1 Message Date
Jeremy Stanley
e1df180235 Replace 2024.1/Caracal key with 2024.2/Dalmatian
This is a zuul-encrypted export of the signing subkey for the
OpenStack 2024.2/Dalmatian release cycle:
0xf8675126e2411e7748dd46662fc2093e4682645f

This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html

Change-Id: I45855aefb1f10e54cfc2a1fd1aeef1a96364b77a
Depends-On: https://review.opendev.org/913273
2024-03-14 21:57:02 +00:00
Jeremy Stanley
4591e763c0 Update secret for Weblate REST API key
I have added an infra-root E-mail alias for a new
weblate@openstack.org account in id.openinfra.dev, created an
account in openstack.weblate.cloud with that ID, and used it to
generate a Weblate REST API key. This change updates the previous
placeholder secret with one containing the new key.

Change-Id: I88c5ee4d3847fc4a59130f746cbfb8609df08939
2024-01-17 14:54:51 +00:00
Seongsoo Cho
544e9e7f75 Add weblate api key in zuul secret
To migrate i18n translation platform from zanata to weblate,
add a weblate api key in zuul secret.

Change-Id: I9170509a99d6164de9fc93d729219c3007fc64f7
2024-01-17 01:11:46 +09:00
Jeremy Stanley
4d308540ae Replace 2023.2/Bobcat key with 2024.1/Caracal
This is a zuul-encrypted export of the signing subkey for the
OpenStack 2024.1/Caracal release cycle:
0x2EF3FE0EC2B075AB7458B5F8B702B20B13DF2318

This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html

Depends-On: https://review.opendev.org/896943
Change-Id: I216431237a8ffcc0576fcc74405c8481ae12bbba
2023-09-29 14:07:22 +00:00
Zuul
b0e4070649 Merge "Replace old Antelope cycle key with 2023.2/Bobcat" 2023-03-31 13:08:26 +00:00
Dr. Jens Harbott
f82a58e939 Update github ssh rsa hostkey for uploads
Github changed their key[0], need to update our data accordingly.

[0] https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

Change-Id: I38c347163f28a2b9287adf77e2f57513e0e610ff
2023-03-27 09:04:57 +02:00
Jeremy Stanley
e046f82da4 Replace old Antelope cycle key with 2023.2/Bobcat
This is a zuul-encrypted export of the signing subkey for the
OpenStack 2023.2/Bobcat release cycle:
0x815AFEC729392386480E076DCC0DFE2D21C023C9

This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html

Depends-On: https://review.opendev.org/878143

Change-Id: Ie19c164d3aa0711420f5deb90237f0268c174942
2023-03-21 17:24:22 +00:00
Jeremy Stanley
97c7084cd7 Add an Ubuntu FIPS testing token
OpenStack contributors have worked out a solution for enabling FIPS
testing on Ubuntu nodes, which normally requires a paid
subscription. The "token" field of the "openstack_ubuntu_fips"
secret supplied here can be applied to a test node early during job
setup by calling "pro attach {{ token }}" as root.

The secret will be replaced periodically, in order to make any
entitlement exfiltrated from job nodes unattractive for production
use.

Change-Id: I9fb9758f8deddc3c76fb22fc859291dea8cfcd43
2022-10-14 17:02:02 +00:00
Zuul
b70a078917 Merge "Replace old Zed cycle key with 2023.1/Antelope" 2022-10-07 15:23:24 +00:00
Ian Wienand
3fa0c6cc1c upload-npm: use token auth
Replace the username/password combo with a generated token

Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/856225
Change-Id: I69914490a0132dee42d84a17589028dc684abc09
2022-09-08 12:57:34 +10:00
Jeremy Stanley
90961679b6 Replace old Zed cycle key with 2023.1/Antelope
This is a zuul-encrypted export of the signing subkey for the
OpenStack 2023.1/Antelope release cycle:
0xa7475c5f2122fec3f90343223fe3bf5aad1080e4

This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html

Depends-On: https://review.opendev.org/856325
Change-Id: I141514eaf31b2249f0901ad1ff93cc1bbe940c2d
2022-09-07 19:41:04 +00:00
Ian Wienand
0a1f86fb1f pypi: use API token for upload
This converts the pypi uploads to use an API token, rather than
username/password authentication.

Depends-On: https://review.opendev.org/c/zuul/zuul-jobs/+/849597
Change-Id: I350a1fda75d76ac19546864dd01394adcd417348
2022-07-14 09:53:18 +10:00
Ian Wienand
8a36fcb9c0 Remove testpypi references
These are vestigial parts of pypi upload work that are no longer used.

Change-Id: Ie0ac2a115630a6400927eb47449b3fc805c04485
2022-07-14 08:17:43 +10:00
Jeremy Stanley
8f6a6264a0 Replace old Yoga cycle signing key with Zed
This is a zuul-encrypted export of the signing subkey for the Zed
release cycle: 0xa63ea142678138d1bb15f2e303bdfd64dd164087

This was created using the instructions from our documentation:
https://docs.opendev.org/opendev/system-config/latest/signing.html

Change-Id: I86e393994c80b0d73df21e62182a75e4b047b1c7
2022-04-08 19:18:48 +00:00
Jeremy Stanley
8899d5aa52 Update Gerrit IP addresses in SSH key secrets
When we replaced the Gerrit server some months back, we missed
updating SSH key secrets where its old addresses were hard-coded.
Fix them to match our present reality.

Change-Id: I48663badcccf3f3b4b27573d5be5ad27656019e2
2022-01-25 14:24:03 +00:00
Jeremy Stanley
f629ce62a2 Replace old Xena cycle signing key with Yoga
This is a zuul-encrypted export of the signing subkey for the
Yoga release cycle: 0x01527a34f0d0080f8a5db8d6eb6c5df21b4b6363

This was created using the updated instructions from change
I7008706aae06b6e4a16db2dd85a8c7f91530cd50.

Change-Id: Ice1bdc121dfa8fd3e33b5f237848ae1417087ee4
2021-10-26 19:47:34 +00:00
Andreas Jaeger
6e87b1ff09 Adjust secrets for developer.o.o
Adjust secrets for change in Zuul 4.6.

Change-Id: I4dda75470b2562865ab238d8dcdfd08e6f4abdbb
2021-08-11 13:13:42 +02:00
Sirajudeen
48150ae97a afsdocs_secret-tox-docs-site: Zuul 4.6.0 fix
Adjust the afsdocs_secret-tox-docs-site secret to use the new
targets tree expected by the opendev-promote-docs-base job expects.
This should solve recent failures for the promote-airship-project-docs
job when run triggered from any branch other than master

Change-Id: If454c0dfc126e23e92a68356acd7ec7e50a6c51c
2021-08-10 22:05:06 +00:00
Jeremy Stanley
6b78c7d5e3 afsdocs_secret-openstack-manuals: Zuul 4.6.0 fix
Adjust the afsdocs_secret-openstack-manuals secret to use the new
targets tree expected by the opendev-promote-docs-base job expects.
This should solve recent failures for the promote-openstack-manuals
job.

Change-Id: I208dec5a1d790e97c7e7844ed384db27fa53e3af
2021-07-06 19:01:21 +00:00
Zuul
143922e710 Merge "Correct branch path in afsdocs_secret-releasenotes" 2021-06-30 19:42:19 +00:00
Jeremy Stanley
f1d17f871b Correct branch path in afsdocs_secret-releasenotes
Another brown-bag fix for a typo in the Zuul 4.6.0 secrets
conversion.

Change-Id: Ibd68dd0fada83b5d32a5550062d891a354bb9b33
2021-06-30 17:44:44 +00:00
Jeremy Stanley
337f081a93 Correct targets for afsdocs_secret-deploy-guide
Brown paper bag fix for typo stemming from the Zuul 4.6.0 secrets
conversion.

Change-Id: Ic24a0572faf7c0c30e6e99745996be4135ad78da
2021-06-30 16:53:07 +00:00
Jeremy Stanley
ff16ef203d Do var subst in openstack-github-mirroring secret
Another hotfix for Zuul 4.6.0, related change will be required for
opendev/base-jobs.

Change-Id: I47687d4e747652279f7da7a85e6a431fde525dd7
2021-06-24 17:32:45 +00:00
Jeremy Stanley
2e1623783a Update promote/publish secrets and jobs
This updates the promote and publish secrets and jobs to no longer
rely on jinja templates in secrets since Zuul removed support for
that.

Instead, we pass in only known safe static variables (ie, the "zuul"
hierarchy).

Change-Id: I4ea24dadf24437222373853cf70908d82e3dbbc3
2021-06-24 16:20:53 +00:00
Jeremy Stanley
8787f0d665 Replace old Wallaby cycle signing key with Xena
This is a zuul-encrypted export of the signing subkey for the
Xena release cycle: 0x4c29ff0e437f3351fd82bdf47c5a3bc787dc7035

Note that this key is much shorter, owing to it being ECC instead of
RSA. This was created using the updated instructions from change
Ibb1c5ae8c540713e1c39d0000497c6b8b89b67c8.

Change-Id: I33581d695cfe1bbcd98f9b5fc5dc38afe42066ba
2021-05-01 19:18:37 +00:00
Kevin Putnam
9cf7d4bdb4 Adds docs_branch_path value needed for promoting release branches.
Change-Id: I573874c09e69252c8db566d0140d4024b651e81a
2021-04-28 14:17:18 -07:00
Jeremy Stanley
f52ca2fe5f Add known_hosts entries for additional Gerrit keys
Gerrit has shuffled the order in which it returns host keys, and
ssh clients can get confused if the first host key type they support
in the list isn't included in the known_hosts file already. Just go
ahead and include all the host keys our Gerrit provides.

Change-Id: I15cdf24d9b3a372a7c8ad1aef97baa3b5eeefab0
2020-11-23 18:11:13 +00:00
Jeremy Stanley
9d55b33f4d Replace old Victoria cycle signing key with Wallaby
This is a zuul-encrypted export of the signing subkey for the
Wallaby release cycle: 0x5d2d1e4fb8d38e6af76c50d53d4fec30cf5ce3da

Change-Id: I91b897956a3aa413c1a9b2ddd06d6a582665584e
2020-10-29 14:19:45 +00:00
Thierry Carrez
0197d9f92a Define maintain-github-openstack-mirror job
Opendev no longer automatically creates repositories on the
GitHub mirror, nor does it update descriptions or closes open PRs.

Add a playbook and a job for periodically maintaining the GitHub
mirror for the 'openstack' organization:

- updating descriptions based on Gerrit project descriptions
- creating on GitHub newly-added openstack repositories
- archiving from GitHub recently-retired openstack repositories
- closing any open PR with a healpful message

This job makes use of a GitHub API token (from the openstack-mirroring
user) and is defined to run periodically on project-config.

Change-Id: Ic02f436eb655dcbe84824b304ea2933e16312e67
2020-07-08 15:42:06 +02:00
Jeremy Stanley
a50f36da57 Replace old Ussuri cycle signing key with Victoria
This is a zuul-encrypted export of the signing subkey for the
Victoria release cycle: 0x2426b928085a020d8a90d0d879ab7008d0896c8a

Change-Id: I6f55b874c154dff09568834e0c30ec7eb5dc0b29
2020-05-20 20:39:56 +00:00
Monty Taylor
295224c41b Use zuul deployment keys for yaml2ical
We're currently adding the private key of a jenkins user. But we
don't use jenkins, so this is lame. Use the zuul deploy key for
project-config instead.

This needs to run as project-config so that per-project deploy
keys work. To do that, shift it from being triggered by irc-meetings
to being triggered hourly by project-config.

As a followup, we should probably convert this to just publish to
AFS and serve the content from there.

Depends-On: https://review.opendev.org/721098
Change-Id: I7874ef46a616e8fd68cf8d95afc3928d3440ba51
2020-04-21 12:40:25 -05:00
Mohammed Naser
64c84190aa Revert "Revert "Introduce job for granular GitHub mirroring""
This change inroduces the usage of the parent job which enforces
a project name inside of it to avoid a project from mirroring
maliciously to another one.

It reparents it to the nodeless job inside opendev, enforeces the
setting of target_repository inside the secret so it cannot be modified
and fixes the `user` to point to `git` instead.

This reverts commit 04133b4bcc.

Change-Id: Iac5db122eb41709dffcdae675137723cd49fca8f
2020-04-10 12:57:25 -04:00
Jeremy Stanley
04133b4bcc Revert "Introduce job for granular GitHub mirroring"
Unsafe, as pointed out on the ML. We should rework and resubmit
following the suggestions there:

http://lists.openstack.org/pipermail/openstack-discuss/2020-April/014038.html

This reverts commit 341dccfb5d.

Change-Id: If0f0fdaa3ab21bc9ded13a273b7ebe35a38f4fce
2020-04-10 00:14:21 +00:00
Thierry Carrez
341dccfb5d Introduce job for granular GitHub mirroring
Create a openstack-mirror-on-github job that uses the
openstack-mirroring user on GitHub (and its SSH key) to
individually mirror repositories to the "openstack"
organization on GitHub.

That will allow us to turn off global replication of the
'openstack/* repositories at Gerrit-level.

Enable the new job on openstack/release-test as a test. It
should be able to run concurrently with Gerrit-wide
mirroring as this is an indempotent operation.

Once this merges and is validated, we can apply the job to
all official/active openstack projects, before disabling the
Gerrit-wide replication (see https://review.opendev.org/718478).

Change-Id: Ie7b4f520d6f47d56a71c812dcc06fd5d26da8fe0
2020-04-09 15:30:11 +02:00
Ian Wienand
253ba49bb6 Remove logs.openstack.org secrets
These secrets were related to jobs uploading the the static
logs.openstack.org server, which is not longer used.  Remove them.

Story: #2006598
Task: #37735
Change-Id: Iaa7fc45c25df57a9ee70088ace17f228884160e4
2020-03-04 16:10:18 +11:00
Andreas Jaeger
fd782318e4 Remove site_specs and playbooks/publish/service-types.yaml
playbooks/publish/service-types.yaml is not used anymore, with AFS
publishing it got obsoleted and can now be removed.

site_specs and site_specs_promote are not used anymore, remove them.

Change-Id: I0c3ca2455b4f8b721d48d44780dbc397ddc9cb20
2020-03-03 21:30:26 +01:00
Andreas Jaeger
e46f938f80 Remove obsolete releases publishing
Remove publish-tox-docs-static, the last user has been converted to AFS
publishing.

Remove the parent base-publish-tox-docs-static as well, it's not used
anymore.

Remove playbook files and secrets used by these jobs.

Depends-On: https://review.opendev.org/708918
Change-Id: I68b3ab7e597e230617ec1eaa8217d4f5f4c5fb15
2020-02-20 21:47:34 +01:00
Ian Wienand
e6dc1b343f Remove tarball artifact publishing to static site
Following-on from Ia3a0358249e9ed3d766b1b61535f2f6d67d4eb2d, this
removes the publishing from the static site, which is now happening to
AFS.

The site_tarballs secret is no longer required.  The two jobs still
using it have a parent of publish-openstack-artifacts so should not
need a separate secret.

Depends-On: https://review.opendev.org/706732
Change-Id: I1b1db7d2451d7fb1fdd7921e7c9efd0e020fbce6
2020-02-10 16:39:06 +11:00
Ian Wienand
344959d76a Update service/opendev-zuul key
This is an encoding of the keytab updated in
I94f0f68fa0d5383c8a71fd6e065349d7b887a8e4

Change-Id: Ie300fbb9c464bcd5773eb1348b8481e7ebd0c17f
Story: #2006598
Task: #38607
2020-02-05 11:16:50 +11:00
Ian Wienand
675bb510f1 Testing publishing artifacts to AFS
This is part of our efforts to get tarball publishing onto AFS volumes
[1].

Test a new artifact publishing job that puts output at
/afs/.openstack.org/project/tarballs.opendev.org.  This is intended to
replace the existing publishing job when it is working.

[1] https://docs.opendev.org/opendev/infra-specs/latest/specs/retire-static.html

Change-Id: Ied96194e1904fee232e144a4e89ec8ba2252e42e
2020-01-31 10:46:50 +11:00
Zuul
a0026c5098 Merge "Remove unused path variable from promote secrets" 2019-11-20 05:51:44 +00:00
Zuul
f24bc44f47 Merge "Add base promote job for moving static.o.o" 2019-11-19 19:38:41 +00:00
Andreas Jaeger
e50c2efeea Remove unused path variable from promote secrets
The promote jobs do not use "path", they use "docs...path" instead,
remove the extra unused variable.

Change-Id: I57deeadfef3234eecb3f637a6f41701dba4631c6
2019-11-19 08:19:42 +01:00
Jeremy Stanley
af40ccad59 Replace old Train cycle signing key with Ussuri
This is a zuul-encrypted export of the signing subkey for the Ussuri
release cycle: 0xbba3b1e67a7303dd1769d34595bf2e4d09004514

Change-Id: Id46052bb18734d2050b90da339e46596fd3964e8
2019-10-29 18:26:20 +00:00
Andreas Jaeger
eb2bb351fa Add base promote job for moving static.o.o
Add base job and secret for moving from publishing to
static.o.o to AFS publishing.

Story: 2006598
Task: 36854
Change-Id: I094066c1ab3b55ae6cfae99aafff125128cd73a4
2019-09-29 11:43:39 +02:00
Andreas Jaeger
e8011a79ea Add promote job for starlingx/docs
The docs repo publishes to / not to /docs, add a new promote job.

Change-Id: I07b27a97f7281af60ac64948dd69a5266c8f6114
2019-09-19 14:04:49 +02:00
Andreas Jaeger
9de5bbc224 Switch project-config to promote jobs [4]: Add promote jobs
Create new promote jobs for infra-index and docs-site.
Also, add promote-openstack-specs job that we can use for publishing
all specs site later.

Add the same file list (copied from openstack-zuul-jobs) for the two
project-config promote jobs.

Remove the now obsolete publish jobs.

Remove now obsolete playbooks.

Needed-By: https://review.opendev.org/682215
Change-Id: I3c227f4229a0572a532009f270d44059698f53e8
2019-09-14 18:02:28 +02:00
Andreas Jaeger
ca208b9b39 Fix secret for promote-tox-docs-special-base
The secret was misnamed, fix it so that it matches
promote-tox-docs-special-base.

Change-Id: I8c16536531e689cbe09163eadcb570f8d05e306e
2019-09-11 21:11:06 +02:00
Zuul
47f9ad40ab Merge "Add promote jobs for static site / releasenotes" 2019-08-26 18:08:46 +00:00
Andreas Jaeger
ef1834e2ab Add promote jobs for static site / releasenotes
Add new promote jobs for promoting jobs that publish to the static site
and for promoting releasenotes.
Update projects.yaml for this change and remove jobs that are updated.

The existing promote file does not work for static site, create a new
one.

Needed-By: https://review.opendev.org/678430
Change-Id: I112745b70448cc3e6fec6e2932e4fe651f9174b0
2019-08-26 18:31:24 +02:00