diff --git a/.gitignore b/.gitignore
index 5d381cc..4de9fc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -159,4 +159,6 @@ cython_debug/
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
-
+playbooks/certs
+certs
+inventory/sensitive
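Review bot: The new `certs` pattern has no leading or trailing slash, so it matches any file or directory named `certs` at any depth, which already covers the `playbooks/certs` entry above it; if only the top-level directory is meant, `/certs/` is the narrower form, and anchoring the other two (`/playbooks/certs/`, `/inventory/sensitive/`) would likewise avoid accidentally hiding same-named paths elsewhere in the tree. Ignore rules also do not untrack anything already committed under these paths, so it is worth confirming with `git ls-files playbooks/certs certs inventory/sensitive` that nothing is tracked, and untracking it with `git rm --cached` if so. Since the names suggest key material and sensitive inventory, a short comment such as `# local secrets: never commit certificates or the sensitive inventory` above the new entries would make the intent clear to the next maintainer.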
diff --git a/doc/requirements.txt b/doc/requirements.txt
deleted file mode 100644
index b508b94..0000000
--- a/doc/requirements.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-docutils>=0.11 # OSI-Approved Open Source, Public Domain
-beautifulsoup4>=4.6.0 # MIT
-reno>=3.1.0 # Apache-2.0
-sphinx>=4.0.0 # BSD
-zuul-sphinx>=0.1.1
-graphviz
diff --git a/doc/source/_images/ansible.png b/doc/source/_images/ansible.png
deleted file mode 100644
index 39d77aa..0000000
Binary files a/doc/source/_images/ansible.png and /dev/null differ
diff --git a/doc/source/_images/designate.png b/doc/source/_images/designate.png
deleted file mode 100644
index 940aee7..0000000
Binary files a/doc/source/_images/designate.png and /dev/null differ
diff --git a/doc/source/_images/elb-network-load-balancer.png b/doc/source/_images/elb-network-load-balancer.png
deleted file mode 100644
index d8d880d..0000000
Binary files a/doc/source/_images/elb-network-load-balancer.png and /dev/null differ
diff --git a/doc/source/_images/git.png b/doc/source/_images/git.png
deleted file mode 100644
index e4d7180..0000000
Binary files a/doc/source/_images/git.png and /dev/null differ
diff --git a/doc/source/_images/github.png b/doc/source/_images/github.png
deleted file mode 100644
index 1916642..0000000
Binary files a/doc/source/_images/github.png and /dev/null differ
diff --git a/doc/source/_images/gitlab.png b/doc/source/_images/gitlab.png
deleted file mode 100644
index 89eb25c..0000000
Binary files a/doc/source/_images/gitlab.png and /dev/null differ
diff --git a/doc/source/_images/grafana.png b/doc/source/_images/grafana.png
deleted file mode 100644
index 6110a96..0000000
Binary files a/doc/source/_images/grafana.png and /dev/null differ
diff --git a/doc/source/_images/haproxy.png b/doc/source/_images/haproxy.png
deleted file mode 100644
index 49d87db..0000000
Binary files a/doc/source/_images/haproxy.png and /dev/null differ
diff --git a/doc/source/_images/helm.png b/doc/source/_images/helm.png
deleted file mode 100644
index 355f40c..0000000
Binary files a/doc/source/_images/helm.png and /dev/null differ
diff --git a/doc/source/_images/internet.png b/doc/source/_images/internet.png
deleted file mode 100644
index 9c7c20f..0000000
Binary files a/doc/source/_images/internet.png and /dev/null differ
diff --git a/doc/source/_images/k8/cm.png b/doc/source/_images/k8/cm.png
deleted file mode 100644
index 4f1c049..0000000
Binary files a/doc/source/_images/k8/cm.png and /dev/null differ
diff --git a/doc/source/_images/k8/pvc.png b/doc/source/_images/k8/pvc.png
deleted file mode 100644
index de66402..0000000
Binary files a/doc/source/_images/k8/pvc.png and /dev/null differ
diff --git a/doc/source/_images/k8/secret.png b/doc/source/_images/k8/secret.png
deleted file mode 100644
index e7a8b3e..0000000
Binary files a/doc/source/_images/k8/secret.png and /dev/null differ
diff --git a/doc/source/_images/k8/sts.png b/doc/source/_images/k8/sts.png
deleted file mode 100644
index 71b46b9..0000000
Binary files a/doc/source/_images/k8/sts.png and /dev/null differ
diff --git a/doc/source/_images/k8/svc.png b/doc/source/_images/k8/svc.png
deleted file mode 100644
index 8cca480..0000000
Binary files a/doc/source/_images/k8/svc.png and /dev/null differ
diff --git a/doc/source/_images/keystone.png b/doc/source/_images/keystone.png
deleted file mode 100644
index 3617cc4..0000000
Binary files a/doc/source/_images/keystone.png and /dev/null differ
diff --git a/doc/source/_images/loki.png b/doc/source/_images/loki.png
deleted file mode 100644
index 3029249..0000000
Binary files a/doc/source/_images/loki.png and /dev/null differ
diff --git a/doc/source/_images/memcached.png b/doc/source/_images/memcached.png
deleted file mode 100644
index ffc1571..0000000
Binary files a/doc/source/_images/memcached.png and /dev/null differ
diff --git a/doc/source/_images/neutron.png b/doc/source/_images/neutron.png
deleted file mode 100644
index 7d2b1fb..0000000
Binary files a/doc/source/_images/neutron.png and /dev/null differ
diff --git a/doc/source/_images/nginx.png b/doc/source/_images/nginx.png
deleted file mode 100644
index 8c38768..0000000
Binary files a/doc/source/_images/nginx.png and /dev/null differ
diff --git a/doc/source/_images/nova.png b/doc/source/_images/nova.png
deleted file mode 100644
index e894c11..0000000
Binary files a/doc/source/_images/nova.png and /dev/null differ
diff --git a/doc/source/_images/octavia.png b/doc/source/_images/octavia.png
deleted file mode 100644
index 69a8704..0000000
Binary files a/doc/source/_images/octavia.png and /dev/null differ
diff --git a/doc/source/_images/openstack.png b/doc/source/_images/openstack.png
deleted file mode 100644
index 75152a7..0000000
Binary files a/doc/source/_images/openstack.png and /dev/null differ
diff --git a/doc/source/_images/openstackclient.png b/doc/source/_images/openstackclient.png
deleted file mode 100644
index f4611b0..0000000
Binary files a/doc/source/_images/openstackclient.png and /dev/null differ
diff --git a/doc/source/_images/postgresql.png b/doc/source/_images/postgresql.png
deleted file mode 100644
index 0381b34..0000000
Binary files a/doc/source/_images/postgresql.png and /dev/null differ
diff --git a/doc/source/_images/swift.png b/doc/source/_images/swift.png
deleted file mode 100644
index 5ac0fd5..0000000
Binary files a/doc/source/_images/swift.png and /dev/null differ
diff --git a/doc/source/_images/users.png b/doc/source/_images/users.png
deleted file mode 100644
index 5cb409b..0000000
Binary files a/doc/source/_images/users.png and /dev/null differ
diff --git a/doc/source/_images/vault.png b/doc/source/_images/vault.png
deleted file mode 100644
index cd36e58..0000000
Binary files a/doc/source/_images/vault.png and /dev/null differ
diff --git a/doc/source/_images/zookeeper.png b/doc/source/_images/zookeeper.png
deleted file mode 100644
index 16e0604..0000000
Binary files a/doc/source/_images/zookeeper.png and /dev/null differ
diff --git a/doc/source/_images/zuulci.png b/doc/source/_images/zuulci.png
deleted file mode 100644
index 40c0f2f..0000000
Binary files a/doc/source/_images/zuulci.png and /dev/null differ
diff --git a/doc/source/_svg/docsportal b/doc/source/_svg/docsportal
deleted file mode 100644
index 306c734..0000000
--- a/doc/source/_svg/docsportal
+++ /dev/null
@@ -1,13 +0,0 @@
-digraph HelpCenter {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- web [label=WebServer fixedsize=true fontsize=10 height=1.4 image="../_images/nginx.png" imagescale=true labelloc=b shape=none width=1]
- github [label="GitHub Projects" fixedsize=true fontsize=10 height=1.4 href="https://github.com/opentelekomcloud-docs" image="../_images/github.png" imagescale=true labelloc=b shape=none width=1]
- zuul [label="Zuul CI/CD" fixedsize=true fontsize=10 height=1.4 href="https://docs.otc-service.com/system-config/zuul.html" image="../_images/zuulci.png" imagescale=true labelloc=b shape=none width=1]
- swift [label="Swift Object Store" fixedsize=true fontsize=10 height=1.4 image="../_images/swift.png" imagescale=true labelloc=b shape=none width=1]
- user -> web [label=Pull color=black fontsize=8]
- web -> swift [label=Pull color=black fontsize=8]
- github -> zuul [label=Push color=red fontsize=8]
- zuul -> swift [label=Push color=red fontsize=8]
-}
diff --git a/doc/source/_svg/docsportal.svg b/doc/source/_svg/docsportal.svg
deleted file mode 100644
index 3de0ea1..0000000
--- a/doc/source/_svg/docsportal.svg
+++ /dev/null
@@ -1,76 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/docsportal_sec b/doc/source/_svg/docsportal_sec
deleted file mode 100644
index 57e17c3..0000000
--- a/doc/source/_svg/docsportal_sec
+++ /dev/null
@@ -1,35 +0,0 @@
-digraph "Documentation Portal Security diagram" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- subgraph cluster_web {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Web Server(s)"
- web1 [label="WebServer 1"]
- web2 [label="WebServer 2"]
- web3 [label="WebServer XX"]
- }
- subgraph cluster_storage {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label=Storage
- swift [label="Swift Object Store"]
- web1 -> swift [label=HTTPS color=black dir=back fontsize=8]
- web2 -> swift [label=HTTPS color=black dir=back fontsize=8]
- web3 -> swift [label=HTTPS color=black dir=back fontsize=8]
- }
- subgraph cluster_zuul {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Zuul CI/CD"
- zuul [label="Zuul CI/CD" href="https://docs.otc-service.com/system-config/zuul.html"]
- zuul -> swift [label=HTTPS color=black fontsize=8]
- }
- subgraph cluster_git {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Git Hosting"
- github1 [label="Project 1"]
- github2 [label="Project 2"]
- github3 [label="Project XX"]
- github1 -> zuul [label=HTTPS color=black fontsize=8]
- github2 -> zuul [label=HTTPS color=black fontsize=8]
- github3 -> zuul [label=HTTPS color=black fontsize=8]
- }
-}
diff --git a/doc/source/_svg/docsportal_sec.svg b/doc/source/_svg/docsportal_sec.svg
deleted file mode 100644
index 38631a7..0000000
--- a/doc/source/_svg/docsportal_sec.svg
+++ /dev/null
@@ -1,132 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/helpcenter b/doc/source/_svg/helpcenter
deleted file mode 100644
index 306c734..0000000
--- a/doc/source/_svg/helpcenter
+++ /dev/null
@@ -1,13 +0,0 @@
-digraph HelpCenter {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- web [label=WebServer fixedsize=true fontsize=10 height=1.4 image="../_images/nginx.png" imagescale=true labelloc=b shape=none width=1]
- github [label="GitHub Projects" fixedsize=true fontsize=10 height=1.4 href="https://github.com/opentelekomcloud-docs" image="../_images/github.png" imagescale=true labelloc=b shape=none width=1]
- zuul [label="Zuul CI/CD" fixedsize=true fontsize=10 height=1.4 href="https://docs.otc-service.com/system-config/zuul.html" image="../_images/zuulci.png" imagescale=true labelloc=b shape=none width=1]
- swift [label="Swift Object Store" fixedsize=true fontsize=10 height=1.4 image="../_images/swift.png" imagescale=true labelloc=b shape=none width=1]
- user -> web [label=Pull color=black fontsize=8]
- web -> swift [label=Pull color=black fontsize=8]
- github -> zuul [label=Push color=red fontsize=8]
- zuul -> swift [label=Push color=red fontsize=8]
-}
diff --git a/doc/source/_svg/helpcenter.svg b/doc/source/_svg/helpcenter.svg
deleted file mode 100644
index 3de0ea1..0000000
--- a/doc/source/_svg/helpcenter.svg
+++ /dev/null
@@ -1,76 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/helpcenter_sec b/doc/source/_svg/helpcenter_sec
deleted file mode 100644
index c013fa0..0000000
--- a/doc/source/_svg/helpcenter_sec
+++ /dev/null
@@ -1,34 +0,0 @@
-digraph "HelpCenter Security diagram" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- subgraph cluster_web {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Web Server(s)"
- web1 [label="WebServer 1"]
- web2 [label="WebServer 2"]
- web3 [label="WebServer XX"]
- }
- subgraph cluster_storage {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label=Storage
- swift [label="Swift Object Store"]
- web1 -> swift [label=HTTPS color=black dir=back fontsize=8]
- web2 -> swift [label=HTTPS color=black dir=back fontsize=8]
- web3 -> swift [label=HTTPS color=black dir=back fontsize=8]
- }
- subgraph cluster_zuul {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Zuul CI/CD"
- zuul [label="Zuul CI/CD"]
- zuul -> swift [label=HTTPS color=black fontsize=8]
- }
- subgraph cluster_git {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- github1 [label="Project 1"]
- github2 [label="Project 2"]
- github3 [label="Project XX"]
- github1 -> zuul [label=HTTPS color=black fontsize=8]
- github2 -> zuul [label=HTTPS color=black fontsize=8]
- github3 -> zuul [label=HTTPS color=black fontsize=8]
- }
-}
diff --git a/doc/source/_svg/helpcenter_sec.svg b/doc/source/_svg/helpcenter_sec.svg
deleted file mode 100644
index 21308dc..0000000
--- a/doc/source/_svg/helpcenter_sec.svg
+++ /dev/null
@@ -1,128 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/reverse_proxy b/doc/source/_svg/reverse_proxy
deleted file mode 100644
index 47a1e49..0000000
--- a/doc/source/_svg/reverse_proxy
+++ /dev/null
@@ -1,41 +0,0 @@
-digraph "Reverse Proxy" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- lb [label="Load Balancer" imagescale=true shape=box tooltip="Load Balancer in OTC"]
- gw [label="Network Gateway" imagescale=true shape=box tooltip="Network Gateway in vCloud"]
- user -> lb
- user -> gw
- lb -> proxy1
- lb -> proxy2
- gw -> web3
- subgraph cluster_proxy {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Reverse Proxy"
- proxy1 [label=proxy1 fixedsize=true fontsize=10 height=1.4 image="../_images/haproxy.png" imagescale=true labelloc=b shape=none tooltip="proxy1.eco.tsi-dev.otc-service.com" width=1]
- proxy2 [label=proxy2 fixedsize=true fontsize=10 height=1.4 image="../_images/haproxy.png" imagescale=true labelloc=b shape=none tooltip="proxy2.eco.tsi-dev.otc-service.com" width=1]
- web3 [label=web3 fixedsize=true fontsize=10 height=1.4 image="../_images/haproxy.png" imagescale=true labelloc=b shape=none tooltip="web3.eco.tsi-dev.otc-service.com" width=1]
- }
- proxy2 -> alerta [ltail=cluster_proxy]
- proxy2 -> dashboard [ltail=cluster_proxy]
- proxy2 -> "dashboard-eco" [ltail=cluster_proxy]
- proxy2 -> docs [ltail=cluster_proxy]
- proxy2 -> "graphite-apimon" [ltail=cluster_proxy]
- proxy2 -> "graphite-ca" [ltail=cluster_proxy]
- proxy2 -> influx [ltail=cluster_proxy]
- proxy2 -> matrix [ltail=cluster_proxy]
- proxy2 -> vault [ltail=cluster_proxy]
- subgraph cluster_apps {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label=Applications
- alerta
- dashboard
- "dashboard-eco"
- docs
- "graphite-apimon"
- "graphite-ca"
- influx
- matrix
- vault
- }
-}
diff --git a/doc/source/_svg/reverse_proxy.svg b/doc/source/_svg/reverse_proxy.svg
deleted file mode 100644
index 376f5ea..0000000
--- a/doc/source/_svg/reverse_proxy.svg
+++ /dev/null
@@ -1,211 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/zuul b/doc/source/_svg/zuul
deleted file mode 100644
index 40815a2..0000000
--- a/doc/source/_svg/zuul
+++ /dev/null
@@ -1,33 +0,0 @@
-digraph "Zuul CI/CD" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- git [label="Git Provider" fixedsize=true fontsize=10 height=1.4 image="../_images/git.png" imagescale=true labelloc=b shape=none width=1]
- subgraph cluster_zuul {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- node [fontsize=8]
- label="Zuul CI/CD"
- "zuul-web" [label="Zuul Web"]
- "zuul-merger" [label="Zuul Merger"]
- "zuul-executor" [label="Zuul Executor"]
- "zuul-scheduler" [label="Zuul Scheduler"]
- "nodepool-launcher" [label="Nodepool Launcher"]
- "nodepool-builder" [label="Nodepool Builder"]
- }
- zookeeper [label=Zookeeper fixedsize=true fontsize=10 height=1.4 image="../_images/zookeeper.png" imagescale=true labelloc=b shape=none width=1]
- "zuul-web" -> zookeeper
- "zuul-merger" -> zookeeper
- "zuul-executor" -> zookeeper
- "zuul-scheduler" -> zookeeper
- "nodepool-launcher" -> zookeeper
- "nodepool-builder" -> zookeeper
- db [label="SQL Database" fixedsize=true fontsize=10 height=1.4 image="../_images/postgresql.png" imagescale=true labelloc=b shape=none width=1]
- cloud [label="Clouds resources" fixedsize=true fontsize=10 height=1.4 image="../_images/openstack.png" imagescale=true labelloc=b shape=none width=1]
- user -> "zuul-web"
- "zuul-merger" -> git
- "zuul-executor" -> git
- "zuul-web" -> db
- "nodepool-launcher" -> cloud
- "nodepool-builder" -> cloud
- "zuul-executor" -> cloud
-}
diff --git a/doc/source/_svg/zuul.svg b/doc/source/_svg/zuul.svg
deleted file mode 100644
index 58eac72..0000000
--- a/doc/source/_svg/zuul.svg
+++ /dev/null
@@ -1,161 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/zuul_dpl b/doc/source/_svg/zuul_dpl
deleted file mode 100644
index c4f70d1..0000000
--- a/doc/source/_svg/zuul_dpl
+++ /dev/null
@@ -1,38 +0,0 @@
-digraph "Zuul CI/CD Deployment Design" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- vault [label=Vault fixedsize=true fontsize=10 height=1.4 image="../_images/vault.png" imagescale=true labelloc=b shape=none width=1]
- "zuul-web" -> vault [label=TLS color=blue fontsize=8]
- "zuul-merger" -> vault [label=TLS color=blue fontsize=8]
- "zuul-executor" -> vault [label=TLS color=blue fontsize=8]
- "zuul-scheduler" -> vault [label=TLS color=blue fontsize=8]
- "nodepool-launcher" -> vault [label=TLS color=blue fontsize=8]
- "nodepool-builder" -> vault [label=TLS color=blue fontsize=8]
- zookeeper -> vault [label=TLS color=blue fontsize=8]
- "zuul-web" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-merger" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-executor" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-scheduler" -> zookeeper [label=TLS color=red fontsize=8]
- "nodepool-launcher" -> zookeeper [label=TLS color=red fontsize=8]
- "nodepool-builder" -> zookeeper [label=TLS color=red fontsize=8]
- subgraph cluster_k8 {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- node [fontsize=8]
- label="Kubernetes Cluster"
- subgraph cluster_zuul {
- node [fontsize=8]
- label="Zuul Namespace"
- "zuul-web" [label="Zuul Web"]
- "zuul-merger" [label="Zuul Merger"]
- "zuul-executor" [label="Zuul Executor"]
- "zuul-scheduler" [label="Zuul Scheduler"]
- "nodepool-launcher" [label="Nodepool Launcher"]
- "nodepool-builder" [label="Nodepool Builder"]
- }
- subgraph cluster_zk {
- node [fontsize=8]
- label="Zuul Namespace"
- zookeeper [label=Zookeeper fixedsize=true fontsize=10 height=1.4 image="../_images/zookeeper.png" imagescale=true labelloc=b shape=none width=1]
- }
- }
-}
diff --git a/doc/source/_svg/zuul_dpl.svg b/doc/source/_svg/zuul_dpl.svg
deleted file mode 100644
index eb5950b..0000000
--- a/doc/source/_svg/zuul_dpl.svg
+++ /dev/null
@@ -1,166 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/_svg/zuul_sec b/doc/source/_svg/zuul_sec
deleted file mode 100644
index 94bf207..0000000
--- a/doc/source/_svg/zuul_sec
+++ /dev/null
@@ -1,39 +0,0 @@
-digraph "Zuul CI/CD Security Design" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- git [label="Git Provider" fixedsize=true fontsize=10 height=1.4 image="../_images/git.png" imagescale=true labelloc=b shape=none width=1]
- db [label="SQL Database" fixedsize=true fontsize=10 height=1.4 image="../_images/postgresql.png" imagescale=true labelloc=b shape=none width=1]
- cloud [label="Clouds resources" fixedsize=true fontsize=10 height=1.4 image="../_images/openstack.png" imagescale=true labelloc=b shape=none width=1]
- "zuul-web" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-merger" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-executor" -> zookeeper [label=TLS color=red fontsize=8]
- "zuul-scheduler" -> zookeeper [label=TLS color=red fontsize=8]
- "nodepool-launcher" -> zookeeper [label=TLS color=red fontsize=8]
- "nodepool-builder" -> zookeeper [label=TLS color=red fontsize=8]
- subgraph cluster_k8 {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- node [fontsize=8]
- label="Kubernetes Cluster"
- subgraph cluster_zuul {
- node [fontsize=8]
- label="Zuul Namespace"
- "zuul-web" [label="Zuul Web"]
- "zuul-merger" [label="Zuul Merger"]
- "zuul-executor" [label="Zuul Executor"]
- "zuul-scheduler" [label="Zuul Scheduler"]
- "nodepool-launcher" [label="Nodepool Launcher"]
- "nodepool-builder" [label="Nodepool Builder"]
- }
- subgraph cluster_zk {
- node [fontsize=8]
- label="Zuul Namespace"
- zookeeper [label=Zookeeper fixedsize=true fontsize=10 height=1.4 image="../_images/zookeeper.png" imagescale=true labelloc=b shape=none width=1]
- }
- }
- "zuul-merger" -> git [label=SSH color=blue fontsize=8]
- "zuul-executor" -> git [label=SSH color=blue fontsize=8]
- "zuul-web" -> db [label=TLS fontsize=8]
- "nodepool-launcher" -> cloud [label=HTTPS color=green fontsize=8]
- "nodepool-builder" -> cloud [label=HTTPS color=green fontsize=8]
- "zuul-executor" -> cloud [label=SSH color=blue fontsize=8]
-}
diff --git a/doc/source/_svg/zuul_sec.svg b/doc/source/_svg/zuul_sec.svg
deleted file mode 100644
index 9916dae..0000000
--- a/doc/source/_svg/zuul_sec.svg
+++ /dev/null
@@ -1,171 +0,0 @@
-
-
-
-
-
diff --git a/doc/source/bridge.rst b/doc/source/bridge.rst
deleted file mode 100644
index 113703d..0000000
--- a/doc/source/bridge.rst
+++ /dev/null
@@ -1,66 +0,0 @@
-:title: Bridge
-
-.. _bridge:
-
-Bridge
-######
-
-Bridge is a bastion host that is the starting point for ops operations in
-OpenTelekomCloudEco. It is the server from which Ansible is run, and contains
-decrypted secure information such as passwords. The bridge server contains all
-of the ansible playbooks as well as the scripts to create new servers.
-
-Sensitive information like passwords is stored encrypted in the private git and
-are pulled by the bridge host on a cron basis.
-
-At a Glance
-===========
-
-:Projects:
- * https://ansible.com/
-:Bugs:
-:Resources:
-
-Ansible Hosts
--------------
-In OTC Eco, all host configuration is done via ansible playbooks.
-
-Adding a node
--------------
-
-In principle hosts in the inventory (``inventory/base/hosts.yaml``) contain
-required variables so that playbooks are able to provision the infrastructure.
-This is not yet implemented for all hosts/systems.
-
-.. _running-ansible-on-nodes:
-
-Running Ansible on Nodes
-------------------------
-
-Each service that has been migrated fully to Ansible has its own playbook in
-:git_file:`playbooks` named ``service_{ service_name }.yaml``.
-
-Because the playbooks are normally run by zuul, to run them manually, first run
-the utility ``disable-ansible`` as root. That will touch the file
-``/home/zuul/DISABLE-ANSIBLE``. We use the utility to avoid mistyping the
-lockfile name. Then make sure no jobs are currently executing ansible. Ensure
-that ``/home/zuul/src/github.com/opentelekomcloud-infra/system-config`` is in
-the appropriate state, then run:
-
-.. code-block:: bash
-
- cd /home/zuul/src/github.com/opentelekomcloud-infra/system-config
- ansible-playbook --limit="$HOST:localhost" playbooks/service-$SERVICE.yaml
-
-as root, where `$HOST` is the host you want to run puppet on.
-The `:localhost` is important as some of the plays depend on performing a task
-on the localhost before continuing to the host in question, and without it in
-the limit section, the tasks for the host will have undefined values.
-
-When done, don't forget to remove ``/home/zuul/DISABLE-ANSIBLE``
-
-Disabling Ansible on Nodes
---------------------------
-
-In the case of needing to disable the running of ansible on a node, it's a
-simple matter of adding an entry to the ansible inventory "disabled" group.
diff --git a/doc/source/conf.py b/doc/source/conf.py
deleted file mode 100644
index 2b0f824..0000000
--- a/doc/source/conf.py
+++ /dev/null
@@ -1,69 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-# implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import os
-import sys
-import warnings
-
-# -- General configuration ----------------------------------------------------
-# If extensions (or modules to document with autodoc) are in another directory,
-# add these directories to sys.path here. If the directory is relative to the
-# documentation root, use os.path.abspath to make it absolute, like shown here.
-sys.path.insert(0, os.path.abspath('.'))
-
-# Add any Sphinx extension module names here, as strings. They can be
-# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = [
- 'sphinx.ext.graphviz',
- 'custom_roles',
- 'zuul_sphinx'
-]
-
-# We have roles split between zuul-suitable roles at top level roles/*
-# (automatically detected by zuul-sphinx) and playbook-specific roles
-# (might have plugins, etc that make them unsuitable as potential zuul
-# roles). Document both.
-zuul_role_paths = ['playbooks/roles']
-
-# The suffix of source filenames.
-source_suffix = '.rst'
-
-# The master toctree document.
-master_doc = 'index'
-
-# General information about the project.
-project = u'Open Telekom Cloud Ecosystem Infra'
-copyright = u'2021, Various members of the OpenTelekomCloud'
-
-# The name of the Pygments (syntax highlighting) style to use.
-pygments_style = 'sphinx'
-
-# Locations to exclude when looking for source files.
-exclude_patterns = ['_build']
-
-# -- Options for HTML output ----------------------------------------------
-
-html_theme = 'alabaster'
-html_static_path = ['_svg']
-
-graphviz_output_format = 'svg'
-
-# Grouping the document tree into LaTeX files. List of tuples
-# (source start file, target name, title, author, documentclass
-# [howto/manual]).
-latex_documents = [
- ('index',
- '%s.tex' % project,
- u'%s Documentation' % project,
- u'OpenTelekomCloud', 'manual'),
-]
diff --git a/doc/source/custom_roles.py b/doc/source/custom_roles.py
deleted file mode 100644
index 6747f60..0000000
--- a/doc/source/custom_roles.py
+++ /dev/null
@@ -1,80 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# Most of this code originated in sphinx.domains.python and
-# sphinx.ext.autodoc and has been only slightly adapted for use in
-# subclasses here.
-
-# Thanks to Doug Hellman for:
-# http://doughellmann.com/2010/05/defining-custom-roles-in-sphinx.html
-
-from docutils import nodes
-
-
-def git_file_role(name, rawtext, text, lineno, inliner,
- options={}, content=[]):
- """Link a local path to a git file view.
-
- Returns 2 part tuple containing list of nodes to insert into the
- document and a list of system messages. Both are allowed to be
- empty.
-
- :param name: The role name used in the document.
- :param rawtext: The entire markup snippet, with role.
- :param text: The text marked with the role.
- :param lineno: The line number where rawtext appears in the input.
- :param inliner: The inliner instance that called us.
- :param options: Directive options for customization.
- :param content: The directive content for customization.
- """
-
- ref = ('https://github.com/opentelekomcloud-infra/'
- 'system-config/blob/main/%s' % text)
- linktext = 'system-config: %s' % text
- node = nodes.reference(rawtext, linktext, refuri=ref, **options)
- return [node], []
-
-
-def config_role(name, rawtext, text, lineno, inliner,
- options={}, content=[]):
- """Link a local path to a git file view.
-
- Returns 2 part tuple containing list of nodes to insert into the
- document and a list of system messages. Both are allowed to be
- empty.
-
- :param name: The role name used in the document.
- :param rawtext: The entire markup snippet, with role.
- :param text: The text marked with the role.
- :param lineno: The line number where rawtext appears in the input.
- :param inliner: The inliner instance that called us.
- :param options: Directive options for customization.
- :param content: The directive content for customization.
- """
-
- ref = ('https://github.com/opentelekomcloud/'
- 'zuul-project-config/src/branch/master/%s' % text)
- linktext = 'project-config: %s' % text
- node = nodes.reference(rawtext, linktext, refuri=ref, **options)
- return [node], []
-
-
-def setup(app):
- """Install the plugin.
-
- :param app: Sphinx application context.
- """
- app.add_role('git_file', git_file_role)
- app.add_role('config', config_role)
- return
diff --git a/doc/source/docsportal.rst b/doc/source/docsportal.rst
deleted file mode 100644
index f2b4e7a..0000000
--- a/doc/source/docsportal.rst
+++ /dev/null
@@ -1,59 +0,0 @@
-:title: Documentation Portal
-
-.. _docsportal:
-
-Documentation Portal
-####################
-
-Documentation portal is a web server that serves documentation maintained by
-various git projects.
-
-At a Glance
-===========
-
-:Hosts:
- * https://docs.otc-service.com
-:Projects:
- * https://github.com/opentelekomcloud/otcdocstheme
-:Configuration:
- * :git_file:`playbooks/roles/document_hosting_k8s/templates/nginx-site.conf.j2`
- * :git_file:`inventory/service/group_vars/k8s-controller.yaml`
-:Bugs:
-:Resources:
-
-Overview
-========
-
-Every project managed by the Zuul Eco tenant is capable to use general jobs for
-publishing documentation and releasenotes. Those jobs push rendered html
-content into the Swift (dedicated containers) and make them word readable.
-
-Integration of projects under the :ref:`Zuul` allows following:
-
-- CI for the changes in the project (i.e. only tested and approved content is
- being merged into the main branch)
-
-- CD: for the changes that are being merged documents are being built and
- pushed to the HelpCenter.
-
-
-Software Architecture
-=====================
-
-A Web-Server (nginx) is listening in the frontend for the requests and based
-on the URL decides in which container the data is actually located. It
-contacts Storage server and gets the original content from there, which is
-then being cached and returned back to the requestor.
-
-.. graphviz:: dot/docsportal.dot
- :caption: Docs portal software architecture
-
-.. include:: docsportal_sec.rst.inc
-
-Deployment
-==========
-
-:git_file:`playbooks/service-docs.yaml` is a playbook for the service
-configuration and deployment. It is automatically executed once a pull request
-touching any of the affected files (roles, inventory) is being merged.
-Additionally it is applied periodically.
diff --git a/doc/source/docsportal_sec.rst.inc b/doc/source/docsportal_sec.rst.inc
deleted file mode 100644
index a36cbac..0000000
--- a/doc/source/docsportal_sec.rst.inc
+++ /dev/null
@@ -1,204 +0,0 @@
-Security Design
-===============
-
-.. graphviz:: dot/docsportal_sec.dot
- :caption: Docs portal secutiry architecture
-
-Security Architecture
----------------------
-
-Documentation portal takes care of making documentation publicly available.
-This means that the content it is processing will be publicly available. No
-care about avoiding placing sensitive information from git repositories is
-taken and it is explicitly in the responsibility of each individual project
-maintainers to ensure no sensitive information land in git.
-
-Ensuring, that only checked and approved content will be merged in git and
-published is a primary responsibility of :ref:`Zuul` which applies also
-:ref:`git_control` to manage required conditions that need to be fulfilled on
-every pull request of every project.
-
-Separation
-----------
-
-The project is implemented as a combination of multiple software
-and solution components communicating with each other. Those
-components are installed physically separated from each other
-with no direct connectivity except of public HTTPS.
-
-* Web Server
-
- * Nginx web server accepts HTTP protocol requests. It rewrites
- the request to a destination on the Remote Storage.
-
- * It performs remote request to fetch the requested content
- and serves it back to the initial requestor.
-
- * Depending on the content accessibility web server is either exposed
- directly to the web or behind additional reverse proxy implementing
- required security limitations.
-
-* Storage
-
- * OpenStack Swift storage. Practically this can be any other object storage
- which allows web access.
-
- * Zuul CI/CD writes approved content into the storage
- destination.
-
- * Web Server fetches the content.
-
- * The content in the Storage for the Documentation Portal is by
- definition public content (not protected by any additional ACLs).
-
- * If the content is not designed to be publicly available content in the
- Storage must be protected by ACLs. This in turn will require enabling web
- server to access this content (i.e. swift-proxy in the case of using
- OpenStack Swift).
-
-* :ref:`zuul`
-
- * Zuul installation manages git projects and implements
- configured CI rules in order to ensure that only checked and
- approved content will be merged. Default configuration
- forbids anybody (except of Zuul Administrators) to bypass
- required checks and merge content manually
- * Once all the prerequisites are fulfilled Zuul merges Pull
- Request, builds documentation and pushes it to storage with
- dedicated credentials.
- * Only git projects explicitly included in the Zuul tenant are
- being respected. Registered git projects with disabled
- branch protection rules are ignored.
-
-* `GitHub `_
-
- * An external git hosting provider.
- * Projects in the GitHub organization are managed by `dedicate process
- `_
-
-Interface Description
----------------------
-
-The only public facing interface is the regular Web using HTTPS (automatic
-forwarding from HTTP).
-
-Tenant Security
----------------
-
-Documentation Portal does not support tenants concept. All documents that are hosted
-on the Help Center are placed in a dedicated storage (as public content).
-Instead a dedicated instance of the documentation portal is deployed for
-isolating particular documentation areas.
-
-O&M Access Control
-------------------
-
-Only users enabled in the :git_file:`inventory/base/group_vars/all.yaml` are
-able to login to the underlaying infrastructure. Direct access to the hosts is
-only possible through the :ref:`Bridge` host which serves as a bastion host.
-
-Logging and Monitoring
-----------------------
-
-Every component of the HelpCenter produces own logs.
-
-* haproxy log (VM service logs)
-* nginx log (VM or Kubernetes POD log)
-* Swift proxy and storage service logs
-* Zuul logs
-
- * public job logs (test build log file)
- * executor log
- * scheduler log
-
-Patch Management
-----------------
-
-The service consists of OpenSource elements only. Whenever new release of any
-software element (haproxy, nginx, zuul) is identified a Pull Request to this
-repository need to be created to update the software. Pathing of the
-underlaying VM (haproxy) is executed as a regular job applying all the existing
-OS updates.
-
-Hardening
----------
-
-All configuration files for the hosts, Cloud Load Balancer configuration and K8
-configuration is part of this repository. Every VM is managed by the System
-Config project applying the same hardening rules to evenry host according to
-the configuration. As such system hardenings are dictated by Deutsche Telekom
-Hardening policies.
-
-Certificate Handling
---------------------
-
-SSL Certificates are obtained using Let's Encrypt Certificate authority.
-Following is important:
-
-* Certificate for the K8 deployment can be managed by the
- `CertManager `_ deployed in
- the Kubernetes cluster. This is achieved by placing
- Kubernetes annotation on the deployment.
-* Alternatively SSL Certificate for the K8 installation may be generated on the
- deployment server and provided into the K8 as secrets.
-* Certificates for the other involved components (Zuul,
- Swift) are managed by the corresponding components
- themselves.
-
-Backup and Restore
-------------------
-
-No backup/restore procedure exists besides Swift backup/restore. Sources for
-the documents are stored in GitHub in a raw form with all modification history.
-Whenever it is required to restore document to the particular point in time a
-pull request can be created restoring current version to a particular state in
-history.
-From a disaster recovery point of view a fresh generation of the documents from
-sources can be used. The same approach can be applied periodically to ensure
-generated documents are always up-to-date and matching current document
-stylizations.
-
-User and Account management
----------------------------
-
-No user accounts on the documentation portal are existing. Only a regular
-anonym access to the service is possible. No cookies or local web browser storage is used.
-
-Communication Matrix (external)
--------------------------------
-
-Complete communication between Help Center elements is happening as with
-external components (using HTTPS).
-
-Depending on the requirements additional reverse proxy may be installed in from
-of the web server to provide additional hardening or other required isolation
-measures. Also in this case communication between reverse proxy and the web
-server is happening as HTTPS traffic.
-
-.. list-table::
-
- * - From/To
- - Web Server
- - Storage
- - Zuul
- - GitHub
- * - WebServer
- - N/A
- - HTTPS
- - N/A
- - N/A
- * - Storage
- - N/A
- - N/A
- - N/A
- - N/A
- * - Zuul
- - N/A
- - HTTPS
- - N/A
- - HTTPS
- * - GitHub
- - N/A
- - N/A
- - HTTPS
- - N/A
diff --git a/doc/source/dot/docsportal.dot b/doc/source/dot/docsportal.dot
deleted file mode 100644
index 306c734..0000000
--- a/doc/source/dot/docsportal.dot
+++ /dev/null
@@ -1,13 +0,0 @@
-digraph HelpCenter {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- web [label=WebServer fixedsize=true fontsize=10 height=1.4 image="../_images/nginx.png" imagescale=true labelloc=b shape=none width=1]
- github [label="GitHub Projects" fixedsize=true fontsize=10 height=1.4 href="https://github.com/opentelekomcloud-docs" image="../_images/github.png" imagescale=true labelloc=b shape=none width=1]
- zuul [label="Zuul CI/CD" fixedsize=true fontsize=10 height=1.4 href="https://docs.otc-service.com/system-config/zuul.html" image="../_images/zuulci.png" imagescale=true labelloc=b shape=none width=1]
- swift [label="Swift Object Store" fixedsize=true fontsize=10 height=1.4 image="../_images/swift.png" imagescale=true labelloc=b shape=none width=1]
- user -> web [label=Pull color=black fontsize=8]
- web -> swift [label=Pull color=black fontsize=8]
- github -> zuul [label=Push color=red fontsize=8]
- zuul -> swift [label=Push color=red fontsize=8]
-}
diff --git a/doc/source/dot/docsportal_sec.dot b/doc/source/dot/docsportal_sec.dot
deleted file mode 100644
index 86017cd..0000000
--- a/doc/source/dot/docsportal_sec.dot
+++ /dev/null
@@ -1,30 +0,0 @@
-graph "Documentation Portal Security diagram" {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- edge [fontsize=8]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- web [label=WebServer fixedsize=true fontsize=10 height=1.4 image="../_images/nginx.png" imagescale=true labelloc=b shape=none width=1]
- subgraph cluster_storage {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label=Storage
- swift [label="Swift Object Store" fixedsize=true fontsize=10 height=1.4 image="../_images/swift.png" imagescale=true labelloc=b shape=none width=1]
- }
-
- subgraph cluster_git {
- graph [bgcolor="#E5F5FD" shape=box style=rounded]
- label="Git Hosting"
- github1 [label="Project 1"]
- github2 [label="Project 2"]
- github3 [label="Project XX"]
- }
-
- zuul [label="Zuul CI/CD" fixedsize=true fontsize=10 height=1.4 href="https://docs.otc-service.com/system-config/zuul.html" image="../_images/zuulci.png" imagescale=true labelloc=b shape=none width=1]
-
- github1 -- zuul [label=HTTPS dir=forward]
- github2 -- zuul [label=HTTPS dir=forward]
- github3 -- zuul [label=HTTPS dir=forward]
- zuul -- swift [label=HTTPS dir=forward]
- web -- swift [label=HTTPS dir=back]
- user -- web [label=HTTPS dir=back]
-}
-
diff --git a/doc/source/dot/helpcenter.dot b/doc/source/dot/helpcenter.dot
deleted file mode 100644
index 306c734..0000000
--- a/doc/source/dot/helpcenter.dot
+++ /dev/null
@@ -1,13 +0,0 @@
-digraph HelpCenter {
- graph [bgcolor=transparent compound=true fontcolor="#2D3436" fontname="Sans-Serif" fontsize=10 rankdir=LR]
- node [fixedsize=false]
- user [label=Clients fixedsize=true fontsize=10 height=1.4 image="../_images/users.png" imagescale=true labelloc=b shape=none width=1]
- web [label=WebServer fixedsize=true fontsize=10 height=1.4 image="../_images/nginx.png" imagescale=true labelloc=b shape=none width=1]
- github [label="GitHub Projects" fixedsize=true fontsize=10 height=1.4 href="https://github.com/opentelekomcloud-docs" image="../_images/github.png" imagescale=true labelloc=b shape=none width=1]
- zuul [label="Zuul CI/CD" fixedsize=true fontsize=10 height=1.4 href="https://docs.otc-service.com/system-config/zuul.html" image="../_images/zuulci.png" imagescale=true labelloc=b shape=none width=1]
- swift [label="Swift Object Store" fixedsize=true fontsize=10 height=1.4 image="../_images/swift.png" imagescale=true labelloc=b shape=none width=1]
- user -> web [label=Pull color=black fontsize=8]
- web -> swift [label=Pull color=black fontsize=8]
- github -> zuul [label=Push color=red fontsize=8]
- zuul -> swift [label=Push color=red fontsize=8]
-}
diff --git a/doc/source/gitcontrol.rst b/doc/source/gitcontrol.rst
deleted file mode 100644
index 7144c20..0000000
--- a/doc/source/gitcontrol.rst
+++ /dev/null
@@ -1,155 +0,0 @@
-:title: Git Control
-
-.. _git_control:
-
-Git Control
-###########
-
-Automation of the GitHub Organizations management.
-
-At a Glance
-===========
-
-:Hosts:
-:Projects:
- * `Ansible Collection Gitcontrol`_
- * `Gitstyring`_
-:Configuration:
- * https://github.com/opentelekomcloud-infra/gitstyring/tree/main/orgs
- * supplementary closed source project (gitlab/ecosystem/gitstyring)
-:Bugs:
-:Resources:
-
-Overview
-========
-
-This project combination is taking care of automating management of the Open
-Telekom Cloud GitHub organizations. It currently takes care of following:
-
-* project settings in the organizations
-* branch protection for the projects
-* team/collaborator permissions on the projects
-* organization team management (description, membership)
-* organization collaborator management (membership)
-
-Software Architecture
-=====================
-
-Ansible collection (`opentelekomcloud.gitcontrol`) is implementing modules for
-the managing GitHub organizations, projects, users. `Gitstyring`_ projects
-defines the configuration to be applied.
-
-:ref:`Zuul` jobs defined in the `Gitstyring`_ projects are responsible for
-applying of the target configuration. The workflow is implemented as following:
-
-- A temporary VM is prepared
-- `Ansible Collection Gitcontrol`_ collection is installed together with Ansible
-- Loop over target managed organizations:
-
- - Temporary GitHub token is retrieved according to `gh_auth`_ for the OTCBot
- GitHub application for the organization. Private key for token signing is
- retrieved from Vault.
- - Configured state of the organizaiton members is applied using temporary
- token.
- - Configured state of the organizaiton teams is applied using temporary
- token.
- - Configured state of the organizaiton projects is applied using temporary
- token.
- - Temporary token is revoked.
-
-Security Design
-===============
-
-
-Security Architecture
----------------------
-
-GitHub organizations are managed using OTCBot `GitHub application
-`_. This allows
-avoiding necessity to use pre-created tokens with administration privileges.
-Private key of the GitHub application is stored in the Vault and a special
-Vault policy is defined to allow access to it. Required configuration projects
-are using dedicated `AppRole `_
-in combination with the mentioned policy to restrict which projects are able to
-access the key. Using the application private key a JWT token is generated
-which is used to get application installation token with the required scope to
-be able to apply the configuration to the organization.
-After using the installation token is forcibly revoked by sending DELETE call
-to the GitHub API.
-
-As a next step step for improving security a special Vault plugin is going to
-be created that takes organization name and desired permission set and returns
-dedicated installation token. this will allow avoiding private key to ever
-leave Vault.
-
-Every change proposed to the target configuration will be applied in the
-dry-run mode using token with read-only privileges to verify configuration.
-
-Separation
-----------
-
-Not applicable.
-
-Interface Description
----------------------
-
-Not available.
-
-Tenant Security
----------------
-
-Not applicable.
-
-O&M Access Control
-------------------
-
-Not applicable.
-
-Logging and Monitoring
-----------------------
-
-Logs for the execution can be found in the corresponding Zuul job execution
-logs.
-
-Patch Management
-----------------
-
-Not applicable.
-
-Hardening
----------
-
-Not applicable.
-
-Certificate Handling
---------------------
-
-Not required.
-
-Private key of the GitHub application is kept in the Vault. It can be rotated
-by generating new key by the administrators of the GitHub
-opentelekomcloud-infra members and overwriting it in the Vault.
-
-Backup and Restore
-------------------
-
-Not applicable.
-
-User and Account management
----------------------------
-
-User mapping is configured by `Gitstyring`_. No password/token management is implemented.
-
-Communication Matrix
---------------------
-
-Not applicable.
-
-Deployment
-==========
-
-Not applicable.
-
-.. _Gitstyring: https://github.com/opentelekomcloud-infra/gitstyring
-.. _`Ansible Collection Gitcontrol`: https://github.com/opentelekomcloud/ansible-collection-gitcontrol
-.. _gh_auth: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app>
diff --git a/doc/source/helpcenter.rst b/doc/source/helpcenter.rst
deleted file mode 100644
index c7b5cd5..0000000
--- a/doc/source/helpcenter.rst
+++ /dev/null
@@ -1,77 +0,0 @@
-:title: Help Center
-
-Help Center
-###########
-
-Open Telekom Cloud Help Center is a web server that serves documentation and
-releasenotes created by various software projects of the Open Telekom Cloud.
-
-At a Glance
-===========
-
-:Hosts:
- * https://docs-beta.otc.t-systems.com
-:Projects:
- * https://github.com/opentelekomcloud/otcdocstheme
- * https://github.com/opentelekomcloud-docs/docsportal
- * https://github.com/opentelekomcloud-docs/
-:Configuration:
- * :git_file:`playbooks/roles/document_hosting_k8s/templates/nginx-site.conf.j2`
- * :git_file:`inventory/service/group_vars/k8s-controller.yaml`
-:Bugs:
-:Resources:
-
-Overview
-========
-
-Every project on the GitHub under the opentelekomcloud-docs organization is
-capable in delivering documentation to the Help Center. Originally this
-documentation represents API reference documents and User Guides which need to
-be served on the Help Center for user reference. However there is no general
-limitation on which type of documents are managed and projects can manage
-further content (i.e. developer guides, how-tos, etc).
-
-Every git project ideally represents a single service of the Open Telekom
-Cloud.
-
-Integration of projects under the :ref:`Zuul` allows following:
-
-- CI for the changes in the project (i.e. only tested and approved content is
- being merged into the main branch)
-
-- CD: for the changes that are being merged documents are being built and
- pushed to the HelpCenter.
-
-Help Center is implemented as an :ref:`docsportal` instance with no additional reverse proxy used. Since the published content is designed to be public no additional access limitations are applied.
-
-Software Architecture
-=====================
-
-A Web-Server (nginx) is listening in the frontend for the requests and based
-on the URL decides in which container the data is actually located. It
-contacts Storage server and gets the original content from there, which is
-then being cached and returned back to the requestor.
-
-.. graphviz:: dot/helpcenter.dot
- :caption: Docs portal software architecture from the protocols point
-
-.. include:: docsportal_sec.rst.inc
-
-Deployment
-==========
-
-:git_file:`playbooks/service-docs.yaml` is a playbook for the service
-configuration and deployment. It is automatically executed once a pull request
-touching any of the affected files (roles, inventory) is being merged.
-Additionally it is applied periodically.
-
-Deployment model of the Help Center is as
-follows:
-
-* WebServer (nginx) is running as part of the
- K8 deployment and is exposed to the public
- internet via Ingress.
-
-* OpenStack Swift is used as object storage
- with publicly readable container (in a
- dedicated project).
diff --git a/doc/source/index.rst b/doc/source/index.rst
deleted file mode 100644
index 8ca0c2d..0000000
--- a/doc/source/index.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-Ecosystems Infrastructure
-=========================
-
-This documentation covers the installation and maintenance of the
-infrastructure elements used by the Ecosystem team of the Open Telekom Cloud.
-
-
-.. toctree::
- :maxdepth: 2
-
- systems
- roles
diff --git a/doc/source/matrix.rst b/doc/source/matrix.rst
deleted file mode 100644
index 459d109..0000000
--- a/doc/source/matrix.rst
+++ /dev/null
@@ -1,30 +0,0 @@
-:title: Matrix
-
-Matrix homeserver
-#################
-
-Matrix is a mesh communication network allowing to join multiple protocols
-under one roof
-
-
-At a Glance
-===========
-
-:Hosts:
- * https://matrix.otc-service.com
-:Projects:
-:Bugs:
-:Resources:
-:Chat:
- * #General:matrix.otc-service.com Matrix room
-
-Overview
-========
-
-
-Deployment and Processing flow
-==============================
-
-* ``playbooks/service-matrix.yaml`` is a playbook for the service configuration
- and deployment.
-
diff --git a/doc/source/proxy.rst b/doc/source/proxy.rst
deleted file mode 100644
index b0fc8d7..0000000
--- a/doc/source/proxy.rst
+++ /dev/null
@@ -1,139 +0,0 @@
-:title: Proxy
-
-Reverse Proxy
-#############
-
-Multiple resources are deployed behind the reverse proxy in order to enable
-proper load balancing, failover and hybrid resource deployment (resources
-deployed in different networks without possibility to use Cloud Load Balancer).
-
-At a Glance
-===========
-
-:Hosts:
-:Projects:
- * https://www.haproxy.org/
-:Configuration:
- * :git_file:`inventory/service/group_vars/proxy.yaml`
- * :git_file:`playbooks/roles/haproxy/templates/haproxy.cfg.j2`
-:Bugs:
-:Resources:
-
-Software Architecture
-=====================
-
-A regular unmodified haproxy software is deployed in VMs and is exposed through
-the Cloud Load Balancer.
-
-Security Design
-===============
-
-Security Architecture
----------------------
-
-* haproxy is deployed in a container on a dedicated VM
-* firewalld component is deployed on the VM and is only opening required ports
- (configured part of this repository)
-* VMs are not having public IP and can be only physically accessed through
- :ref:`bridge`
-* HTTP/HTTPS traffic is reaching the service through Cloud Load Balancer
-
-.. raw:: html
-
-
-
-Separation
-----------
-
-Service runs on the dedicated VMs without any other additional service running.
-
-Interface Description
----------------------
-
-Cloud load balancer is distributing load across mutiple haproxy instances. It
-exposes ports 80 and 443 in the internal network, where those are consumed by
-the Cloud Load Balancer.
-
-Tenant Security
----------------
-
-No customer Service is deployed in the Domain dedicated for the Ecosystem Squad. Only
-members are having permissions there.
-
-O&M Access Control
-------------------
-
-Only users enabled in the :git_file:`inventory/base/group_vars/all.yaml` are
-able to login to the underlaying infrastructure.
-
-Logging and Monitoring
-----------------------
-
-* haproxy logs (on the proxyX.YY VMs)
-* haproxy emits StatsD metrics into the Graphite DB and those can be observed
- using Grafana
-
-
-Patch Management
-----------------
-
-The service consists of OpenSource elements only. Whenever new release of any
-software element (haproxy) is identified a Pull Request to this
-repository need to be created to use it in the deployment.
-Pathing of the underlaying VM (haproxy) is executed as a regular job applying
-all the existing OS updates.
-
-Hardening
----------
-
-All configuration files for the hosts part of this repository. Every VM is managed by the System
-Config project applying the same hardening rules to every host according to
-the configuration
-
-* :git_file:`inventory/service/host_vars/proxy1.eco.tsi-dev.otc-service.com.yaml`
-* :git_file:`inventory/service/host_vars/proxy2.eco.tsi-dev.otc-service.com.yaml`
-
-Certificate Handling
---------------------
-
-SSL Certificates are obtained using Let's Encrypt Certificate authority
-(:git_file:`playbooks/acme-certs.yaml`).
-Following is important:
-
-* Haproxy certificates are generated using the same procedure on the haproxy
- hosts themselves.
-* Certificate renewal and service reload happens automatically.
-
-Backup and Restore
-------------------
-
-No backup/restore procedure exists. Infrastructure deployment is automated and
-can be redeployed when necessary.
-
-
-User and Account management
----------------------------
-
-No user accounts are existing.
-
-Communication Matrix
---------------------
-
-.. list-table::
-
- * - From \\ To
- - haproxy
- - elb
- * - haproxy
- - N/A
- - N/A
- * - elb
- - TCP(80,443)
- - N/A
-
-
-Deployment
-==========
-
-* ``playbooks/service-proxy.yaml`` is a playbook for the service configuration
- and deployment.
diff --git a/doc/source/roles.rst b/doc/source/roles.rst
deleted file mode 100644
index 085fd89..0000000
--- a/doc/source/roles.rst
+++ /dev/null
@@ -1,28 +0,0 @@
-:title: Roles
-
-Ansible Roles
-#############
-
-Documentation for roles included in `system-config`
-
-There are two types of roles. Top-level roles, kept in the ``roles/``
-directory, are available to be used as roles in Zuul jobs. This
-places some constraints on the roles, such as not being able to use
-plugins. Add
-
-.. code-block:: yaml
-
- roles:
- - zuul: opentelekomcloud-infra/system-config
-
-to your job definition to source these roles.
-
-Roles in ``playbooks/roles`` are designed to be run on the
-Infrastructure control-plane (i.e. from ``bridge.eco.tsi-dev.otc-service.com``).
-These roles are not available to be shared with Zuul jobs.
-
-Role documentation
-------------------
-
-
-.. zuul:autoroles::
diff --git a/doc/source/swift.rst b/doc/source/swift.rst
deleted file mode 100644
index fea01a6..0000000
--- a/doc/source/swift.rst
+++ /dev/null
@@ -1,161 +0,0 @@
-:title: Swift
-
-OpenStack Swift
-###############
-
-Open Telekom Cloud Swift is not matching the OpenStack software. As an attempt
-to overcome compatibility issues a real upstream software can be used with no
-code changes.
-
-At a Glance
-===========
-
-:Hosts:
- * https://swift.eco.tsi-dev.otc-service.com
-:Projects:
- * https://opendev.org/openstack/swift
- * https://github.com/opentelekomcloud-infra/validatetoken
-:Configuration:
-:Bugs:
-:Resources:
- * `OpenStack Swift documentation`_
-
-Overview
-========
-
-Upstream OpenStack Swift software is deployed in an isolated Open Telekom Cloud
-project and is exposed using the Cloud Load Balancer.
-
-
-Software Architecture
-=====================
-
-Software components
--------------------
-
-* OpenStack Swift Proxy service - Authorization and API handling
-* OpenStack Swift Storage services - Data storage
-* Keystone authentication middleware (validatetoken) - oslo middleware to
- verify token information
-
-Network setup
--------------
-
-* external network (API handling)
-* storage network (communication between proxy services and storage nodes)
-* replication network (data synchronization between storage nodes)
-* management network (used to provision software)
-* cloud load balancer is using the external network to communicate with Swift
- proxy servers
-
-Security Design
-===============
-
-Swift is not having any authentication database. In order to verify validity of
-the API request it sends API request to the Keystone (IAM) for the verification
-of the passed token. When the positive information is received Swift decides
-further on whether the user is authorized to do the action. This is happening
-based on the roles the user has and does not require any additional (local)
-information.
-
-Software is deployed in an isolated Project of the Open Telekom Cloud public Domain and does not share the infrastructure with any other components. Management of the installation is achieved using the vpc peering between management network of the installation and the :ref:`bridge`.
-
-User data is stored on the Storage nodes not encrypted. Technically it is
-possible to enable `encryption `_, but due to
-the absense of any customer or in any other way sensitive data it is not
-enabled.
-
-Separation
-----------
-
-* Software is deployed in an isolated project
-* Hosts to run the software has multiple networking interfaces and only
- required traffic is allowed to run (default - drop)
-
-Interface Descritpion
----------------------
-
-Service is exposed to the internet only through the load balancer HTTPS port.
-This implements `REST API `.
-Authorization requires passing `X-Auth-Token` header with a valid Identity
-token.
-
-Tenant Security
----------------
-
-An isolated project and isolated management user is used.
-
-O&M Access Control
-------------------
-
-Only users enabled in the :git_file:`inventory/base/group_vars/all.yaml` are
-able to login to the underlaying infrastructure.
-
-
-Logging and Monitoring
-----------------------
-
-There are 2 sets of logs available:
-
-* proxy logs (on the proxy VMs)
-* account/container/object service log (on the storage VMs)
-
-Certificate Handling
---------------------
-
-SSL Certificates are obtained using Let's Encrypt Certificate authority
-(:git_file:`playbooks/acme-certs.yaml`). Certificate for Swift is generated on
-the :ref:`bridge` host and is uploaded to the Cloud Load Balancer service after
-rotation.
-
-Backup and Restore
-------------------
-
-No Backup and Restore functionality is currently implemented.
-
-User and Account management
----------------------------
-
-Official Open Telekon Cloud Identity Service (IAM) is used for user and account
-management. No related data is stored in Swift.
-
-Communication Matrix
---------------------
-
-.. list-table:: External communication matrix
-
- * - From/To
- - Swift
- - elb
- * - Swift
- - N/A
- - N/A
- * - elb
- - HTTP(8080)
- - N/A
-
-
-.. list-table:: Internal communication matrix
-
- * - From/To
- - bridge
- - proxy
- - storage
- * - bridge
- - SSH
- - SSH
- - SSH
- * - proxy
- - N/A
- - N/A
- - TCP(6200,6201,6202)
- * - storage
- - N/A
- - N/A
- - Rsync
-
-Deployment
-==========
-
-
-.. _OpenStack Swift Documentation: https://docs.openstack.org/swift/latest/overview_architecture.html
diff --git a/doc/source/systems.rst b/doc/source/systems.rst
deleted file mode 100644
index 1f5644d..0000000
--- a/doc/source/systems.rst
+++ /dev/null
@@ -1,16 +0,0 @@
-:title: Major Systems
-
-Major Systems
-#############
-
-.. toctree::
- :maxdepth: 2
-
- bridge
- zuul
- docsportal
- matrix
- helpcenter
- swift
- proxy
- gitcontrol
diff --git a/doc/source/zuul.rst b/doc/source/zuul.rst
deleted file mode 100644
index e6158fa..0000000
--- a/doc/source/zuul.rst
+++ /dev/null
@@ -1,458 +0,0 @@
-:title: Zuul CI/CD
-
-.. _Zuul:
-
-Zuul CI/CD
-##########
-
-Zuul is a pipeline-oriented project gating system. It facilitates
-running tests and automated tasks in response to Code Review events.
-
-At a Glance
-===========
-
-:Hosts:
- * https://zuul.otc-service.com
-:Projects:
- * https://opendev.org/zuul/zuul
-:Configuration:
- * :git_file:`inventory/service/group_vars/zuul.yaml`
-:Bugs:
-:Resources:
- * `Zuul Reference Manual`_
-:Chat:
- * #zuul:matrix.otc-service.com Matrix room
-
-Overview
-========
-
-The Open Telekom Cloud project uses a number of pipelines in Zuul:
-
-**check**
- Newly uploaded patchsets enter this pipeline to receive an initial
- +/-1 Verified vote.
-
-**gate**
- Changes that have been approved by core reviewers are enqueued in
- order in this pipeline, and if they pass tests, will be merged.
-
-**post**
- This pipeline runs jobs that operate after each change is merged.
-
-**release**
- When a commit is tagged as a release, this pipeline runs jobs that
- publish archives and documentation.
-
-**tag**
- When a commit is tagged as a release (non semantic naming scheme), this
- pipeline runs jobs that publish archives and documentation.
-
-**periodic**
- This pipeline has jobs triggered on a timer for e.g. testing for
- environmental changes daily.
-
-**promote**
- This pipeline runs jobs that operate after each change is merged
- in order to promote artifacts generated in the gate
- pipeline.
-
-The **gate** pipeline uses speculative execution to improve
-throughput. Changes are tested in parallel under the assumption that
-changes ahead in the queue will merge. If they do not, Zuul will
-abort and restart tests without the affected changes. This means that
-many changes may be tested in parallel while continuing to assure that
-each commit is correctly tested.
-
-Zuul's current status may be viewed at
-``_.
-
-Software Architecture
-=====================
-
-Please refer to `zuul`_ documentation for detailed explanation on how Zuul is designed.
-
-.. raw:: html
-
-
-
-Security Design
----------------
-
-Security Architecture
-~~~~~~~~~~~~~~~~~~~~~
-
-.. raw:: html
-
-
-
-Separation
-~~~~~~~~~~
-
-Zuul consists of the following major components:
-
-* nodepool-launcher
-
- * The main nodepool component is named nodepool-launcher and is responsible
- for managing cloud instances launched from the images created and uploaded
- by nodepool-builder.
-
-* nodepool-builder
-
- * The nodepool-builder builds and uploads images to providers.
-
-* zuul-executor
-
- * Executors are responsible for running jobs. At the start of each job, an
- executor prepares an environment in which to run Ansible which contains all
- of the git repositories specified by the job with all dependent changes
- merged into their appropriate branches.
-
-* zuul-scheduler
-
- * The scheduler is the primary component of Zuul. It receives events from any
- connections to remote systems which have been configured, enqueues items
- into pipelines, distributes jobs to executors, and reports results.
-
-* zuul-merger
-
- * Zull performs log of git operations, often needs to perform a speculative
- merge in order to determine whether it needs to perform any further
- actions Standalone merger reduces the load from executors.
-
-* zuul-web
-
- * The Zuul web server serves as the single process handling all HTTP
- interactions with Zuul. This includes the websocket interface for live log
- streaming, the REST API and the html/javascript dashboard.
-
-In addition to the components of Zuul itself following external components
-are used:
-
-* zookeeper
-* SQL database
-* cloud resources (for spinning VMs or containers for job executions)
-
-None of the components of Zuul are communicating directly with each other and
-instead rely on external Zookeeper with TLS encryption for exchanging
-information. Components are using TLS certificates to authorize to Zookeeper.
-
-Details can be found at `Zuul Components`_.
-
-Interface Description
-~~~~~~~~~~~~~~~~~~~~~
-
-Zuul system is implementing following interfaces for the communication with
-the outside systems:
-
-* Web component (managed by zuul-web component):
-
- * Web UI interface (gives user information on job status)
- * REST API (allows R/O operations for querying status)
- * Webhook listener (listens for events from git hosting backends)
-
-In addition to that Zuul accesses following systems:
-
-* Zookeeper (for internal communication)
-
- * protected with TLS and TLS client certificates
-
-* SQL Database (for storing job results)
-
- * protected with TLS and username/password
-
-* External Log Storage (Swift for storing job logs)
-
- * protected with TLS and username/password/token
-
-* Git hosting (for read and write operations)
-
- * Relies on the SSH access protected with SSH key
-
-* Cloud resources (for performing required test)
-
- * protected according to the requirements of the particular cloud provider
- (username/password, token, client certificate). In general TLS is used for
- API invocation (for provisioning resources) and afterwards SSH with private
- key to further execute Ansible on the resource. Once the resource is not
- used anymore, API request is sent to the cloud provider via TLS to
- decommission it.
-
-Further details can be found `Zuul Admin Reference`_.
-
-Tenant Security
-~~~~~~~~~~~~~~~
-
-Every tenant of Zuul is configured through the `zuul-config`_ repository.
-Every tenant includes list of projects which are allowed to use system. Git
-projects not configured are ignored. In addition to that only events from git
-projects with enabled branch protections are respected by Zuul.
-
-During job execution by `zuul-executor
-`_
-projects are being tested in a completely isolated context guaranteeing both
-isolation of projects as well as protection of the system from potential
-vulnerabilities or malicious actions by the projects themselves).
-
-Zuul jobs triggered upon corresponding git actions are executed either in
-isolated dedicated VMs provisioned in the cloud or in Kubernetes pods in
-isolated namespaces.
-
-Further details can be found `Zuul Tenant Configuration`_.
-
-O&M Access Control
-~~~~~~~~~~~~~~~~~~
-
-Zuul administrators are having access to any component of the Zuul system.
-This gives possibility to access execution logs of test jobs (which are
-anyway published at the end of the excution), as well as enqueue/dequeue
-particular pipelines for the project pull/merge request. This access,
-however, does not give any possibility to bypass project set requirements on
-code merging (Zuul administrator is not able to enforce pull/merge request
-merging), this can be done only by people with direct git hosting admin or
-write access.
-
-Logging and Monitoring
-~~~~~~~~~~~~~~~~~~~~~~
-
-Zuul is logging all jobs being performed. This information is made public so
-that pull request initiators are able to know status of the test. It must be
-noted, however, that every Zuul tenant is reponsible for defining base jobs
-which are either making logs publicly available or not. In general those jobs
-are themselves responsible for maintaining the log files (whether to put them
-on some external log hosting or discard them immediately).
-
-Zuul internal logging is done completely independently and is produced on the
-systems running Zuul components themselves. These logs are maintained
-corresponsing to the requirements of the Zuul installation.
-
-In addition to the Zuul components logging, it also supports metric emitting.
-It supports StatsD metrics pushing and Prometheus metric fetching. More details
-`Zuul Monitoring`_.
-
-Patch Management
-~~~~~~~~~~~~~~~~
-
-Zuul administrators are responsible for updating Zuul software and taking care
-of the platform where those components are running.
-
-Hardening
-~~~~~~~~~
-
-As a means of hardening of the Zuul installation following can be mentioned:
-
-* Zuul is deployed in a dedicated Kubernetes cluster and every component is
- running as a container.
-
-* Access to the Zuul UI and REST API is implemented through the Cloud Load
- Balancer and K8 Ingress controller attached to it
-
-* Secret data used in Zuul is stored in Vault and can be easily rotated with
- required frequency.
-
-* Cloud resources used by Zuul are protected by security groups. Moreover
- connection is implemented by the means of internal VPC peering connections
- with no direct access using public IP addresses.
-
-* Zookeeper instance used by Zuul is a dedicated instance with no external
- access.
-
-* SQL DB used by Zuul is a dedicated instance with no public IP address.
-
-* API and SSH access to git hosting can be additionally protected by the
- whitelisting of Zuul external IP address.
-
-Backup and Restore
-~~~~~~~~~~~~~~~~~~
-
-Zuul is build on the principles of storing all required information in git.
-This is applicable for the configuration of which jobs are executed for which
-project, as well as what is the Zuul configuration. This makes Backup more or
-less obsolete. Of course there are some parts of the installation that
-require backups:
-
-* private/public keys for the project secrets (private keys are in addition
- protected by password).
-
-Details on the methods can be found `here
-`_.
-
-Certificate Handling
-~~~~~~~~~~~~~~~~~~~~~
-
-There are few types of certificates used in Zuul:
-
-* Zookeeper client TLS certificates
-* TLS certificates for the API/UI (Web access)
-* API keys and private certificates for SSH and API access to git hoster.
-
-Those certificates must be maintained according to the security
-requirements and deployment specifics. In general it is preferred to use
-short-lived self-signed certificates for the Zookeeper cluster as well as
-LetsEncrypt certificates for Web access.
-
-User and account Management
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Generally Zuul does not support user accounts. It mainly communicates with
-git hosting systems with appropriate credentials and has no information about
-particular users proposing changes there.
-
-Zuul supports optional `Tenant Scoped REST API
-`_, but
-this is currently not enabled in the current installation.
-
-Operational accounts
-^^^^^^^^^^^^^^^^^^^^
-
-There are not granular operator accounts in Zuul installation. There is only
-one account allowing operate the system.
-
-Technical and M2M accounts
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Every component of Zuul only communicates to Zookeeper. For this Zookeeper
-client TLS certificate is used. No other technical or M2M accounts exist on
-the system.
-
-Communication Matrix (internal)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-As mentioned above Zuul components communicate with each other only through
-Zookeeper. When one component need to communicate with another one it places
-the request in Zookeeper.
-
-.. list-table::
-
- * - From \\ To
- - zookeeper
- - vault
- * - nodepool-builder
- - TLS(2281)
- - TLS(8200)
- * - nodepool-launcher
- - TLS(2281)
- - TLS(8200)
- * - zuul-web
- - TLS(2281)
- - TLS(8200)
- * - zuul-merger
- - TLS(2281)
- - TLS(8200)
- * - zuul-executor
- - TLS(2281)
- - TLS(8200)
- * - zuul-scheduler
- - TLS(2281)
- - TLS(8200)
- * - zookeeper
- - TLS(2888,3888)
- - TLS(8200)
-
-Zookeeper protocol details can be found at `Zookeeper Internals
-`_.
-
-Communication Matrix (external)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-.. list-table::
-
- * - From \\ To
- - SQL DB
- - Git hosting
- - Cloud
- * - nodepool-builder
- - N/A
- - N/A
- - [CLOUD_TLS]_
- * - nodepool-launcher
- - N/A
- - N/A
- - [CLOUD_TLS]_
- * - zuul-web
- - [DB_TLS]_
- - [TLS]_
- - N/A
- * - zuul-merger
- - N/A
- - [SSH]_
- - N/A
- * - zuul-executor
- - N/A
- - [SSH]_
- - [SSH]_
- * - zuul-scheduler
- - N/A
- - N/A
- - N/A
-
-.. [TLS] HTTPS encrypted (TLS) on port 443
-.. [SSH] SSH encrypted on custom port (depends on the git provider)
-.. [CLOUD_TLS] HTTPS encrypted (TLS) on port 443
-.. [DB_TLS] Database protocol, encrypted (TLS) (port depends on conrete DB type)
-
-Deployment Design
-=================
-
-Zuul is installed in an isolated Kubernetes cluster. As a mean of further
-security isolation SQL database and Zookeeper must be installaled dedicated
-exclusively to the Zuul instance.
-
-Secrets required for Zuul operation are fetched by the components from the
-`Vault`_ instance. This is achieved by relying on the following items:
-
-* https://www.vaultproject.io/docs/auth/kubernetes
-
- * Service account of the Zuul user is registered in the Vault for the
- corresponding K8 cluster and namespace.
-
-* https://www.vaultproject.io/docs/secrets/kv/kv-v2
-
- * Strict policy is granted to the user giving read only access to the
- required secrets.
-
-* https://www.vaultproject.io/docs/agent
-
- * Vault agent is deployed as a sidecar container for Zuul components which
- is reponsible for fetching required secrets from Vault and rendering them
- into the corresponding config files.
-
-* Vault instance is not accessible publicly (has no public IP address)
-
-.. raw:: html
-
-
-
-Network Deployment Design
--------------------------
-
-Zuul components are installed inside of the single Kubernetes cluster. This
-means all components are placed in dedicated virtual networks of the
-Kubernetes. Communication with Zookeeper happens through the Kubernetes
-Service.
-
-Software Deployment Design
---------------------------
-
-* nodepool-builder is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/nodepool.yaml`
-* nodepool-launcher is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/nodepool.yaml`
-* zuul-web component is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/zuul-web.yaml`
-* zuul-merger component is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/zuul-merger.yaml`
-* zuul-executor component is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/zuul-executor.yaml`
-* zuul-scheduler component is deployed using
- :git_file:`playbooks/roles/zuul_k8s/tasks/zuul-scheduler.yaml`
-* zookeeper is deployed using
- :git_file:`playbooks/roles/zookeeper/tasks/k8s.yaml`
-
-.. _Zuul Reference Manual: https://zuul-ci.org/docs/zuul
-.. _Zuul Status Page: http://zuul.otc-service.com
-.. _zuul-config: https://github.com/opentelekomcloud-infra/zuul-config
-.. _Zuul Admin Reference: https://zuul-ci.org/docs/zuul/reference/admin.html
-.. _Zuul Tenant Configuration: https://zuul-ci.org/docs/zuul/reference/tenants.html
-.. _Zuul Components: https://zuul-ci.org/docs/zuul/discussion/components.html
-.. _Zuul Monitoring: https://zuul-ci.org/docs/zuul/reference/monitoring.html
-.. _Vault: https://www.vaultproject.io/
diff --git a/inventory/base/group_vars/all.yaml b/inventory/base/group_vars/all.yaml
deleted file mode 100644
index 8165025..0000000
--- a/inventory/base/group_vars/all.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-ansible_python_interpreter: python3
-silence_synchronize: true
-
-distro_lookup_path:
- - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename|default() }}.{{ ansible_facts.architecture }}.yaml"
- - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename|default() }}.yaml"
- - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml"
- - "{{ ansible_facts.distribution }}.yaml"
- - "{{ ansible_facts.os_family }}.yaml"
- - default.yaml
-
-iptables_base_allowed_hosts: []
-iptables_extra_allowed_hosts: []
-iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
-
-iptables_base_allowed_groups: []
-iptables_extra_allowed_groups: []
-iptables_allowed_groups: "{{ iptables_base_allowed_groups + iptables_extra_allowed_groups }}"
-
-iptables_base_public_tcp_ports: []
-iptables_extra_public_tcp_ports: []
-firewalld_base_ports_enable: []
-firewalld_extra_ports_enable: []
-firewalld_base_services_enable: ['ssh']
-firewalld_extra_services_enable: []
-# iptables_test_public_tcp_ports is here only to allow the test
-# framework to inject an iptables rule to allow zuul console
-# streaming. Do not use it otherwise.
-firewalld_ports_enable: "{{ firewalld_test_ports_enable|default([]) + firewalld_base_ports_enable + firewalld_extra_ports_enable }}"
-firewalld_services_enable: "{{ firewalld_base_services_enable + firewalld_extra_services_enable }}"
-
-iptables_base_public_udp_ports: []
-iptables_extra_public_udp_ports: []
-iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
-
-unbound_forward_zones: []
-
-# When adding new users, always pick a UID larger than the last UID, do not
-# fill in holes in the middle of the range.
-all_users:
- gtema:
- comment: Artem Goncharov
- key: |
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBBVL8LJ14SfFPK2zNeuO8rglURUJ32LFQXn0IzinZ7Y3ic8vtmF+UBvg+h8th56GZ3/DR9b+zcXfbA+0cdfTr+BWlDCYwcLab2vgU/S9FyQBzYr7ZWxtEFOmb5ztVp2b5wFt/DD7YBfyJNzM9SpVQDO4furwNZDq5af0+D67KOsV2BPLXL4/zMGkLR3TSFNzdJCSLrWML96NWK1FvpEjDroyKXFTVVcLBTgtBnFtpjpUzmlJSntaUxTQq1htiWLTGQL3ApLqx7YYctxDDkeBrWGSQPZgFppqhk5U8sWE9ieGztGuVyYzAhvz8YO9nm8M26izVebjwe+9u1hqa3Pk9 artem.goncharov
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFhfujbhx20AzKf2okw9WnduPe2keIWkFDhsSLNlvMd6AAAABHNzaDo= gtema@yubikey
- uid: 2000
- gid: 2000
-
- zuul:
- comment: Zuul CICD
- key: |
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqO/dXXqmBr1RP8+En5iuLDkPtk7S1jbqjD6QppHo3eKe0WDXeENydPQrXrYf1wJcRa9a8Mdxx2tSxVNqyNVLmlyzPzPc9K2TM6shtHoc3Jzd1HlmfB9MJU2amKuqePwAptCgsxxLBvK+mvh0kXmKnkfMSItCpjOyj6udwwFChJFU/2LB3X9FqLCQB7n3FYKwvbrFDtcIa1COo2h8TychwqWAPKj0Fh7M+mjaF41vcBcmz+uaNk5czC0c7b03TVjKTpYFEmZNtoc0taLP6Ya2exYdHo2uiPYmFiPdVFuv6AMpRnO9CRZzQv+1tlcEPVfsp8gHJVOI47NTx5c5PRTMl system-config
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKiyOg0fZzcJtk2OGmEH279Hyur9714hbyZetMV01/iMrMtxpZn0AlBVUjJlOI83Da75bRHLdTG0W4xrax8b+DFsskuuEWo/xVwli9BOYuh5yKgW1Wx/vs4OsYIkFoQIColACGIEqO/ts7xdTUdGnp2nWjBauBocgL/2uc2ytT2PjlsJPZkvDd93nZsryEyFkTKjykS/OgnYfYUcOoI5Agn4cWZSaiGWzLbSp/ebe46g4cAzrOfgYgbPFw1rfooKjyjELdvfFot7Mxj28WsTv+FIGc+vU+KMejJmD00eNBSPbZJl0ogeD0YNEq3MSuhPqOYA6WJs5Sl8tZGNTMt2hB gl-ecosystem-system-config-20220110
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUM1QR8n5e20dmEjd4m556Ej6Spo4WTBI2OVzO4Rr63tylrHLEXkuzxTSPb87aBgmWulFND1+LBsivaFKdL12WF8elyy0T54cdW+O21isOLCVjRbSfjM0e8sme1lMoJXiupdAzWa3XD7cBCdRog79O/DYB/CLHq6gQuQt0a0+p0rea4dSAiXu5VYJ2IlH9hj3vmstuN8cDsGUNuqwyzFUWOgEQT0KMAjvPwoQ8Aft1LPDnEMhOk82JuQzLS8L3Vvpcwb00VqfC9eBGqBL/Rt6yWWERVxtHtdtGxzWz+5wMtUe6CK1lpa9TG2TbtBoSPoQjka8qh31M1TMRQbNvA4ap zuul-gitstyring-key-20210531
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrm6Bl1RgJ76JwwN9TBoh0FzpcwHtYOuXA3Q5XVx7hZdo8vx+/djQ0wp/LNoE+OtW9yhsZstCcLXLk1Qt28Ce4KDY4eVrj0XhuMPQ8QLSPKqNYHoI0I8/fM/iDPln47KgV59o1kb5dQ4OcGgKcCWHN4fehYLPLi9BBJ+UK5Lrf7FNzCWz9UJBZ00xpjOKOKKFKLGNo+lVIUbj6Ay1OWfa1FxaQemG22rxJU6eI/nt2CWvq8FTt2Bpe0tnnJhvbgyf7o4kE6Rb1VORxzryvN31ruR8jMDI1arW5M2qKbgbNMz/zFhSaY+ophQKbOZVEyLRxDyKCOJpSVvYal03beJGZ zuul-gitstyring2-key-20211103
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1tOTit52KNxZ74KYFy8P6lLvaPy48zvCIWatfN1TcS+buj3L5abA6Vrb9JPXyIBlRW7dBUy259yTX0RLd/f7uysoXMvTAaUBNG54K+fI6HfXxhrQOEaR0dgPHLMjVucZ+Vay3SPtntwci1A6Zq9GJOeC9iBzLlu5W6Q2Eyko7tA+aB4IVVXTKbAigIsgS0bwOoBDh7nA3xbeGsQnnzvcFTXEvLpoe/e+hIS+olsNTiT6CeTjyOTDZsbZqAG9YncZzWi+KXe31EJ2y13S9zWXnwhcZY0VdJHEZFjrEsYSjjOSeaV08sl/VWtRBP9H4hREw+JwcB2MrGaoAKOSzrkLT zuul-octavia-proxy-key-20211012
- uid: 2031
- gid: 2031
-
-# List of users to install on all hosts
-base_users:
- - gtema
-# Default empty list of users to install on specific hosts or groups
-extra_users: []
-# Users who should be removed
-disabled_users: []
-# Default distro cloud image names to remove
-disabled_distro_cloud_users:
- - ubuntu
- - linux
- - centos
- - admin
diff --git a/inventory/base/hosts.yaml b/inventory/base/hosts.yaml
deleted file mode 100644
index 9cd5d1a..0000000
--- a/inventory/base/hosts.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-all:
- hosts:
- bastion.scs.otc-service.com:
- ansible_host: 10.0.20.232
- ansible_user: automation
- public_v4: 10.0.20.232
- host_keys:
- - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO3RHfleGRMVSNHSBg634EJwM1jYMrbsHTibECPttH1xc6Hdq5XSk/LWYYAeR8g3otMjxxwCVS13e/nMQNMlYvo='
- vault1.scs.otc-service.com:
- ansible_host: 10.10.0.210
- ansible_user: automation
- public_v4: 10.10.0.210
- host_keys:
- - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfXq60z37tRXjTmwWlnLHFk/Udn1R2MbYe4jNo1DVDEf1lE44DzMDUkyTYo0lcDKSRTx6D/UlH0J4X/PN24Vp4='
- vault2.scs.otc-service.com:
- ansible_host: 10.10.0.231
- ansible_user: automation
- public_v4: 10.10.0.231
- host_keys:
- - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2ZcNK0OswZFCGc/hhEcLrZwaNng9qd+NAMFgCI+Z2en66n+nlonBlEmP9fbws84G0oBWfZ/+Z68dtAaMNVKZw='
- vault3.scs.otc-service.com:
- ansible_host: 10.10.0.251
- ansible_user: automation
- public_v4: 10.10.0.251
- host_keys:
- - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAEHeofBIUQPW54/0B/p6Zmrxjfk6VqZYaCtWzfUMH4HqPZO/dFbza8MulKNprDSEDK4+KK2+9HvYunEYmvDvms='
- gitea1.scs.otc-service.com:
- ansible_host: 10.10.0.107
- ansible_user: automation
- public_v4: 10.10.0.107
- host_keys:
- - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKrZwdNgGFNSozidYBIyFTla9Ho6ZksBQZja3jBhtnMabm2eUk0ITvaIvAhhhXGk2XeiRzvWpc/WtroIMLm+w0='
diff --git a/inventory/service/all.yaml b/inventory/service/all.yaml
index 8a8b38b..c039706 100644
--- a/inventory/service/all.yaml
+++ b/inventory/service/all.yaml
@@ -1,13 +1,35 @@
---
all:
vars:
- ansible_ssh_user: ubuntu
- ansible_ssh_private_key_file: /root/.ssh/id_rsa_scs
+ # ansible_ssh_user: ubuntu
+ ansible_ssh_private_key_file: ~/id_rsa.scs-muneeb-general
+ #/root/.ssh/id_rsa_scs
+ hosts:
+ localhost:
+ ansible_connection: local
+ bastion.scs.otc-service.com:
+ ansible_host: 10.0.20.232
+ ansible_user: automation
+ public_v4: 10.0.20.232
+ vault1.scs.otc-service.com:
+ ansible_host: 10.10.0.24
+ public_v4: 10.10.0.24
+ vault2.scs.otc-service.com:
+ ansible_host: 10.10.0.223
+ public_v4: 10.10.0.223
+ vault3.scs.otc-service.com:
+ ansible_host: 10.10.0.234
+ public_v4: 10.10.0.234
+ # gitea1.scs.otc-service.com:
+ # ansible_host: 10.10.0.107
+ # ansible_user: automation
+ # public_v4: 10.10.0.107
+ # host_keys:
+ # - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIKrZwdNgGFNSozidYBIyFTla9Ho6ZksBQZja3jBhtnMabm2eUk0ITvaIvAhhhXGk2XeiRzvWpc/WtroIMLm+w0='
children:
bastion:
hosts:
bastion*.scs.otc-service.com:
- bridge*.scs.otc-service.com:
ssl_certs:
hosts:
@@ -15,7 +37,7 @@ all:
vault1.scs.otc-service.com:
vault2.scs.otc-service.com:
vault3.scs.otc-service.com:
- gitea1.scs.otc-service.com:
+ # gitea1.scs.otc-service.com:
k8s-controller:
hosts:
@@ -29,14 +51,10 @@ all:
vault-controller:
hosts:
- bridge.scs.otc-service.com:
+ localhost:
gitea:
hosts:
gitea1.scs.otc-service.com:
- prod_bastion:
- hosts:
- bridge.scs.otc-service.com:
-
disabled: []
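Review bot: The `gitea` group still lists `gitea1.scs.otc-service.com` although its definition under `all.hosts` is commented out in the first hunk, so Ansible will implicitly create that host with no `ansible_host` and a play targeting `gitea` would try to resolve the DNS name directly. Either comment this entry out together with the host or keep the host defined. Moving `vault-controller` to `localhost` means the Vault token and kubeconfig lookups now run on the operator machine, which presumably is the intent now that the bridge host is gone.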
diff --git a/inventory/service/group_vars/all.yaml b/inventory/service/group_vars/all.yaml
index 408bb06..e1e294a 100644
--- a/inventory/service/group_vars/all.yaml
+++ b/inventory/service/group_vars/all.yaml
@@ -1,2 +1,12 @@
vault_image_stable: quay.io/opentelekomcloud/vault:change_668_latest
vault_image_latest: quay.io/opentelekomcloud/vault:change_668_latest
+
+distro_lookup_path:
+ - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename|default() }}.{{ ansible_facts.architecture }}.yaml"
+ - "{{ ansible_facts.distribution }}.{{ ansible_facts.lsb.codename|default() }}.yaml"
+ - "{{ ansible_facts.distribution }}.{{ ansible_facts.architecture }}.yaml"
+ - "{{ ansible_facts.distribution }}.yaml"
+ - "{{ ansible_facts.os_family }}.yaml"
+ - "default.yaml"
+
+
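Review bot: `distro_lookup_path` is the only setting carried over from the deleted inventory/base/group_vars/all.yaml; the firewalld defaults it held (`firewalld_base_services_enable: ['ssh']` and the `firewalld_ports_enable`/`firewalld_services_enable` composites) are not, yet the vault host_vars in this change still set `firewalld_extra_ports_enable`. If the firewalld role still reads the composite variables they are now undefined on every host; it presumably carries its own defaults, but that is worth confirming before the next run. The two trailing blank lines at the end of the file can go.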
diff --git a/inventory/service/group_vars/vault-controller.yaml b/inventory/service/group_vars/vault-controller.yaml
index adece15..2678582 100644
--- a/inventory/service/group_vars/vault-controller.yaml
+++ b/inventory/service/group_vars/vault-controller.yaml
@@ -34,16 +34,6 @@ vault_policies_main:
definition: |
path "auth/+/role/*" { capabilities = ["read", "list", "create", "update", "delete"] }
- # bridge playbooks to fetch inventory
- - name: "k8-configs-ro"
- definition: |
- path "secret/data/kubernetes/*" { capabilities = ["read", "list"] }
-
- # ci cluster admin access for Zuul
- - name: "ci-k8-config-ro"
- definition: |
- path "secret/data/kubernetes/otcci_k8s" { capabilities = ["read"] }
-
# Zuul checking whether requested approle exists
- name: "approle-zuul-roles-read"
definition: |
@@ -80,11 +70,6 @@ vault_policies_main:
path "secret/data/clouds/otcci_nodepool*" { capabilities = ["read"] }
path "secret/metadata/clouds/otcci_nodepool*" { capabilities = ["read"] }
- # Zuul want to get github token
- - name: "otcci-gh-zuul"
- definition: |
- path "github_zuul/token" { capabilities = ["read", "create", "update"] }
-
# zuul itself
- name: "zuul-app-ro"
definition: |
@@ -151,17 +136,13 @@ vault_policies_main:
path "secret/data/gitea" { capabilities = ["read"] }
path "secret/metadata/gitea" { capabilities = ["read"] }
-vault_approles_main:
- # This approle is used by bridge to provision systems
- - name: "system-config-bridge"
- token_policies: ["sys-mounts-cru", "sys-auth-ru", "policies-acl-rw", "approle-rw", "k8auth-rw", "k8role-rw", "cloud-users-all-ro", "tls-rw", "pki-int-zuul-rw", "k8-configs-ro", "tmp-db-ro", "grafana-config-ro", "alerta-config-ro", "oauth-ro", "ldap-ro", "database-ro", "ssh-ro", "promtail-ro", "opensearch-ro", "influxdb-ro", "swift-ro", "openstack-rw", "pwd-policy-rw", "sys-leases-revoke", "gitea-ro", "smtp-gw-ro", "keycloak-ro", "prometheus-ro", "argocd-ro"]
- token_ttl: "2h"
+vault_approles_main: []
vault_k8roles_main:
# Zuul otcci auth
- name: "zuul"
- auth_path: "kubernetes_otcci"
- policies: ["tls-zuul-ro", "zuul-app-ro", "cloud-users-zuul-ro", "database-ro", "ci-k8-config-ro", "smtp-gw-ro"]
+ auth_path: "kubernetes_scs"
+ policies: ["zuul-app-ro", "cloud-users-zuul-ro"]
bound_service_account_names: ["zuul"]
bound_service_account_namespaces: ["zuul-ci"]
token_ttl: "3h"
@@ -187,25 +168,24 @@ vault_pwd_policies_main:
min-chars = 1
}
-vault_os_clouds_main:
-vault_os_roles_main:
-vault_os_static_roles_main:
+vault_os_clouds_main: []
+vault_os_roles_main: []
+vault_os_static_roles_main: []
vault_instances:
# main redundancy cluster
main:
vault_addr: "https://vault-lb.scs.otc-service.com:8200"
- vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}"
+ vault_token: "{{ ansible_hashi_vault_token }}"
+ # vault_token: "{{ lookup('community.hashi_vault.hashi_vault', 'auth/token/lookup-self').id }}"
policies: "{{ vault_policies_main }}"
approle:
roles: "{{ vault_approles_main }}"
kubernetes:
auths:
- - path: "kubernetes_otcci"
- kubernetes_host: "{{ otcci_k8s.server }}"
- kubernetes_ca_cert: "{{ otcci_k8s.secrets['ca.crt'] }}"
+ - path: "kubernetes_scs"
+ kubernetes_host: "{{ scs_k8s.server }}"
+ kubernetes_ca_cert: "{{ scs_k8s.secrets['ca.crt'] }}"
roles: "{{ vault_k8roles_main }}"
- github:
- auths: []
pki:
# Admin settings
# Secret engines
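Review bot: `vault_token: "{{ ansible_hashi_vault_token }}"` replaces the `lookup-self` call with a plain variable whose source is not visible in this change; it should be supplied per run (environment or an extra-vars file kept outside the repository) and never land in a committed vars file, and a comment naming the expected source would save the next operator a search, e.g. `# ansible_hashi_vault_token is supplied per run (env/extra-vars), never committed`. The commented-out `lookup-self` line beneath it is dead configuration and can be removed. Dropping the `github: auths: []` block is consistent with the github plugin being disabled in group_vars/vault.yaml.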
@@ -222,7 +202,7 @@ vault_instances:
- path: "approle"
type: "approle"
description: "AppRole authorization"
- - path: "kubernetes_otcci"
+ - path: "kubernetes_scs"
type: "kubernetes"
description: "OTC CI K8 cluster authorization"
pwd_policies: "{{ vault_pwd_policies_main }}"
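Review bot: The auth mount path is renamed to `kubernetes_scs` but its `description` still reads "OTC CI K8 cluster authorization", which is what `vault auth list` will show; update it to match, e.g. `description: "SCS K8 cluster authorization"`. The same rename appears in the `vault_k8roles_main` and `kubernetes.auths` hunks above, and nothing in this change disables the old `kubernetes_otcci` mount, so if the role only creates what is listed here and does not prune, that mount stays enabled on the cluster until removed by hand.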
diff --git a/inventory/service/group_vars/vault.yaml b/inventory/service/group_vars/vault.yaml
index 5f27ce0..ac4173d 100644
--- a/inventory/service/group_vars/vault.yaml
+++ b/inventory/service/group_vars/vault.yaml
@@ -1,16 +1,19 @@
# Vault settings
vault_plugins:
- - url: "https://github.com/opentelekomcloud-infra/vault-plugin-secrets-github/releases/download/v1.2.1/vault-plugin-secrets-github_1.2.1_linux_amd64.zip"
- sha256: "9acd271a264a48cb8dfac055bb9849b3938fe8afbc794a2d81d14be1357cbcf5"
- name: "vault-plugin-secrets-github"
- type: "secret"
- paths:
- - "github"
- - "github_otcbot"
- - "github_zuul"
- - url: "https://github.com/opentelekomcloud/vault-plugin-secrets-openstack/releases/download/v1.3.0/vault-plugin-secrets-openstack_1.3.0_linux_amd64.tar.gz"
- sha256: "2f48d3011a0cc0ce4726e889f5d4103446eb820cdcc0ecb89deb03757e42568e"
- name: "vault-plugin-secrets-openstack"
- type: "secret"
- paths:
- - "openstack"
+ # - url: "https://github.com/opentelekomcloud-infra/vault-plugin-secrets-github/releases/download/v1.2.1/vault-plugin-secrets-github_1.2.1_linux_amd64.zip"
+ # sha256: "9acd271a264a48cb8dfac055bb9849b3938fe8afbc794a2d81d14be1357cbcf5"
+ # name: "vault-plugin-secrets-github"
+ # type: "secret"
+ # paths:
+ # - "github"
+ # - "github_otcbot"
+ # - "github_zuul"
+ # - url: "https://github.com/opentelekomcloud/vault-plugin-secrets-openstack/releases/download/v1.3.0/vault-plugin-secrets-openstack_1.3.0_linux_amd64.tar.gz"
+ # sha256: "2f48d3011a0cc0ce4726e889f5d4103446eb820cdcc0ecb89deb03757e42568e"
+ # name: "vault-plugin-secrets-openstack"
+ # type: "secret"
+ # paths:
+ # - "openstack"
+certs_path: "../certs"
+vault_tls_cert_content: "{{ lookup('ansible.builtin.file', certs_path + '/' + vault_cert + '-fullchain.crt') | default(omit) }}"
+vault_tls_key_content: "{{ lookup('ansible.builtin.file', certs_path + '/' + vault_cert + '.pem') }}"
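Review bot: `| default(omit)` on `vault_tls_cert_content` does not cover a missing file: the `ansible.builtin.file` lookup raises before the filter runs, so the fallback is unreachable; pass `errors='ignore'` to the lookup if the fullchain file really is optional, or drop the `default` so the failure is explicit. `certs_path: "../certs"` is resolved relative to the playbook or role search path, so the lookup only works when run from the expected location; `{{ playbook_dir }}/../certs` or an absolute path is more robust. The commented-out plugin entries (github and openstack) are dead configuration; if they are meant to return, a one-line comment saying why they are disabled is preferable to keeping the full blocks.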
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
deleted file mode 100644
index a9d1d0e..0000000
--- a/inventory/service/groups.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-plugin: yaml
-all:
- vars:
- ansible_ssh_user: ubuntu
- ansible_ssh_private_key_file: /root/.ssh/id_rsa_scs
- children:
- bastion:
- hosts:
- bastion*.scs.otc-service.com:
- bridge*.scs.otc-service.com:
-
- ssl_certs:
- hosts:
- bridge.scs.otc-service.com:
- vault1.scs.otc-service.com:
- vault2.scs.otc-service.com:
- vault3.scs.otc-service.com:
- gitea1.scs.otc-service.com:
-
- k8s-controller:
- hosts:
- bridge.scs.otc-service.com:
-
- vault:
- hosts:
- vault1.scs.otc-service.com:
- vault2.scs.otc-service.com:
- vault3.scs.otc-service.com:
-
- vault-controller:
- hosts:
- bridge.scs.otc-service.com:
-
- gitea:
- hosts:
- gitea1.scs.otc-service.com:
-
- prod_bastion:
- hosts:
- bridge.scs.otc-service.com:
-
- disabled: []
diff --git a/inventory/service/host_vars/vault1.scs.otc-service.com.yaml b/inventory/service/host_vars/vault1.scs.otc-service.com.yaml
index 3fe6346..e294c3c 100644
--- a/inventory/service/host_vars/vault1.scs.otc-service.com.yaml
+++ b/inventory/service/host_vars/vault1.scs.otc-service.com.yaml
@@ -1,10 +1,13 @@
+---
ssl_certs:
vault:
- "vault1.scs.otc-service.com"
vault_cert: "vault1"
+vault_node_id: "vault-eu-de-01-Instance-01"
-vault_proxy_protocol_behavior: "allow_authorized"
-# vault_proxy_protocol_authorized_addrs: "192.168.110.151,192.168.110.160"
-# vault_x_forwarded_for_authorized_addrs: "192.168.110.151,192.168.110.160"
+vault_cluster_nodes:
+ - vault1.scs.otc-service.com
+ - vault2.scs.otc-service.com
+ - vault3.scs.otc-service.com
firewalld_extra_ports_enable: ['8200/tcp', '8201/tcp']
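Review bot: `vault_cluster_nodes` is the same three-entry list pasted into the vault1, vault2 and vault3 host_vars files (this hunk and the two that follow); it belongs in group_vars/vault.yaml so a node added to the cluster is edited once. The `ssl_certs` key is `vault` here and in vault3 but `vault2` in vault2, while `vault_cert` is `vault1`/`vault2`/`vault3`; if the ssl_certs role names the produced files after the key, the lookup `certs_path + '/' + vault_cert + '-fullchain.crt'` in group_vars/vault.yaml will only find vault2's file. Removing `vault_proxy_protocol_behavior` turns listener-side PROXY protocol support off; with the cluster fronted by `vault-lb.scs.otc-service.com`, Vault's audit log will presumably record the load balancer address rather than the client unless forwarded-for headers are configured and trusted.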
diff --git a/inventory/service/host_vars/vault2.scs.otc-service.com.yaml b/inventory/service/host_vars/vault2.scs.otc-service.com.yaml
index 09cf905..a5089c6 100644
--- a/inventory/service/host_vars/vault2.scs.otc-service.com.yaml
+++ b/inventory/service/host_vars/vault2.scs.otc-service.com.yaml
@@ -1,10 +1,13 @@
+---
ssl_certs:
- vault:
+ vault2:
- "vault2.scs.otc-service.com"
-vault_cert: "vault"
+vault_cert: "vault2"
+vault_node_id: "vault-eu-de-02-Instance-01"
-vault_proxy_protocol_behavior: "allow_authorized"
-# vault_proxy_protocol_authorized_addrs: "192.168.110.151,192.168.110.160"
-# vault_x_forwarded_for_authorized_addrs: "192.168.110.151,192.168.110.160"
+vault_cluster_nodes:
+ - vault1.scs.otc-service.com
+ - vault2.scs.otc-service.com
+ - vault3.scs.otc-service.com
firewalld_extra_ports_enable: ['8200/tcp', '8201/tcp']
diff --git a/inventory/service/host_vars/vault3.scs.otc-service.com.yaml b/inventory/service/host_vars/vault3.scs.otc-service.com.yaml
index 9583a6b..578df76 100644
--- a/inventory/service/host_vars/vault3.scs.otc-service.com.yaml
+++ b/inventory/service/host_vars/vault3.scs.otc-service.com.yaml
@@ -1,10 +1,13 @@
+---
ssl_certs:
vault:
- "vault3.scs.otc-service.com"
-vault_cert: "vault"
+vault_cert: "vault3"
+vault_node_id: "vault-eu-de-03-Instance-01"
-vault_proxy_protocol_behavior: "allow_authorized"
-# vault_proxy_protocol_authorized_addrs: "192.168.110.151,192.168.110.160"
-# vault_x_forwarded_for_authorized_addrs: "192.168.110.151,192.168.110.160"
+vault_cluster_nodes:
+ - vault1.scs.otc-service.com
+ - vault2.scs.otc-service.com
+ - vault3.scs.otc-service.com
firewalld_extra_ports_enable: ['8200/tcp', '8201/tcp']
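Review bot: This hunk renames `vault_cert` from `"vault"` to `"vault3"` but leaves the `ssl_certs` map key as `vault`, whereas the vault2 hunk in the same commit renames both the key and `vault_cert` together; if the role looks the certificate up under the `vault_cert` name, vault3 will not find an entry for `vault3`, so the key should presumably be renamed as well: `ssl_certs:` / `  vault3:` / `    - "vault3.scs.otc-service.com"` — confirm against how the role consumes `ssl_certs`. Otherwise the change mirrors vault1 and vault2, including opening the cluster port `8201/tcp` without a source restriction even though `vault_cluster_nodes` enumerates the only peers that need it; restricting 8201 to those hosts (if the firewalld role allows it) would keep the Raft port off the general network.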
diff --git a/kubernetes/zuul/base/ca.yaml b/kubernetes/zuul/base/ca.yaml
deleted file mode 100644
index 0b3af44..0000000
--- a/kubernetes/zuul/base/ca.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: selfsigned-issuer
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: ca-cert
-spec:
- # Secret names are always required.
- secretName: ca-cert
- duration: 87600h # 10y
- renewBefore: 360h # 15d
- isCA: true
- privateKey:
- size: 2048
- algorithm: RSA
- encoding: PKCS1
- commonName: cacert
- # At least one of a DNS Name, URI, or IP address is required.
- dnsNames:
- - caroot
- # Issuer references are always required.
- issuerRef:
- name: selfsigned-issuer
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: ca-issuer
-spec:
- ca:
- secretName: ca-cert
diff --git a/kubernetes/zuul/base/cert.yaml b/kubernetes/zuul/base/cert.yaml
deleted file mode 100644
index 84df7d0..0000000
--- a/kubernetes/zuul/base/cert.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: zookeeper-client
- labels:
- app.kubernetes.io/name: zookeeper-client-certificate
- app.kubernetes.io/part-of: zuul
- app.kubernetes.io/component: zookeeper-client-certificate
-spec:
- privateKey:
- encoding: PKCS8
- secretName: zookeeper-client-tls
- commonName: client
- usages:
- - digital signature
- - key encipherment
- - server auth
- - client auth
- issuerRef:
- name: ca-issuer
- kind: Issuer
diff --git a/kubernetes/zuul/base/configs/zuul.conf b/kubernetes/zuul/base/configs/zuul.conf
deleted file mode 100644
index 1fae2fe..0000000
--- a/kubernetes/zuul/base/configs/zuul.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-[zookeeper]
-hosts=zookeeper.zuul.svc.cluster.local:2281
-tls_cert=/tls/client/zk.crt
-tls_key=/tls/client/zk.key
-tls_ca=/tls/client/ca.crt
-session_timeout=40
-
-[scheduler]
-tenant_config=/etc/zuul-config/zuul/main.yaml
-state_dir=/var/lib/zuul
-relative_priority=true
-prometheus_port=9091
-
-[web]
-listen_address=0.0.0.0
-port=9000
-prometheus_port=9091
-
-[fingergw]
-port=9079
-user=zuul
diff --git a/kubernetes/zuul/base/kustomization.yaml b/kubernetes/zuul/base/kustomization.yaml
deleted file mode 100644
index bdd853c..0000000
--- a/kubernetes/zuul/base/kustomization.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-components:
- - ../components/ca
- - ../components/zookeeper
- - ../components/zuul-config
- - ../components/zuul-executor
- - ../components/zuul-scheduler
- - ../components/zuul-web
- - ../components/nodepool-launcher
-
-configMapGenerator:
- - name: "zuul-instance-config"
- literals:
- - ZUUL_CONFIG_REPO=https://gitea.eco.tsi-dev.otc-service.com/scs/zuul-config.git
- - name: "zuul-executor-vars"
- literals: []
-
-labels:
- - includeSelectors: true
- pairs:
- app.kubernetes.io/instance: "base"
- app.kubernetes.io/managed-by: "kustomize"
-
-# images:
-
-resources:
- - sa.yaml
- - cert.yaml
-
-secretGenerator:
- - name: "zuul-config"
- files:
- - "configs/zuul.conf"
- - name: "nodepool-config"
- files: []
diff --git a/kubernetes/zuul/base/sa.yaml b/kubernetes/zuul/base/sa.yaml
deleted file mode 100644
index 85ff9fc..0000000
--- a/kubernetes/zuul/base/sa.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: zuul
diff --git a/kubernetes/zuul/components/ca/all.yaml b/kubernetes/zuul/components/ca/all.yaml
deleted file mode 100644
index c079bad..0000000
--- a/kubernetes/zuul/components/ca/all.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: selfsigned-issuer
-spec:
- selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: ca-cert
-spec:
- # Secret names are always required.
- secretName: ca-cert
- duration: 87600h # 10y
- renewBefore: 360h # 15d
- isCA: true
- privateKey:
- size: 2048
- algorithm: RSA
- encoding: PKCS1
- commonName: cacert
- # At least one of a DNS Name, URI, or IP address is required.
- dnsNames:
- - caroot
- # Issuer references are always required.
- issuerRef:
- name: selfsigned-issuer
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: ca-issuer
-spec:
- ca:
- secretName: ca-cert
diff --git a/kubernetes/zuul/components/ca/kustomization.yaml b/kubernetes/zuul/components/ca/kustomization.yaml
deleted file mode 100644
index b883c4c..0000000
--- a/kubernetes/zuul/components/ca/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-labels:
- - includeSelectors: true
- pairs:
- app.kubernetes.io/name: "ca"
-
-resources:
- - all.yaml
diff --git a/kubernetes/zuul/components/nodepool-builder/kustomization.yaml b/kubernetes/zuul/components/nodepool-builder/kustomization.yaml
deleted file mode 100644
index 61f0ad9..0000000
--- a/kubernetes/zuul/components/nodepool-builder/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - statefulset.yaml
diff --git a/kubernetes/zuul/components/nodepool-builder/statefulset.yaml b/kubernetes/zuul/components/nodepool-builder/statefulset.yaml
deleted file mode 100644
index a54c9e1..0000000
--- a/kubernetes/zuul/components/nodepool-builder/statefulset.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: nodepool-builder
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-builder"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-builder"
- serviceName: "nodepool-builder"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-builder"
- spec:
- containers:
- - name: "nodepool"
- image: "zuul/nodepool-builder"
- command:
- - "/usr/local/bin/nodepool-builder"
- - "-f"
- - "-d"
- - "-c"
- - "/data/nodepool/nodepool.yaml"
-
- resources:
- limits:
- cpu: "300m"
- memory: "512Mi"
- requests:
- cpu: "100m"
- memory: "256Mi"
-
- securityContext:
- privileged: true
- # runAsUser: 10001
- # runAsGroup: 10001
-
- volumeMounts:
- - name: "dev"
- mountPath: "/dev"
-
- - name: "dib-tmp"
- mountPath: "/opt/dib_tmp"
-
- - name: "dib-cache"
- mountPath: "/opt/dib_cache"
-
- - name: "nodepool-images-dir"
- mountPath: "/opt/nodepool/images"
-
- # Podman need non-overlayfs
- - name: "nodepool-containers"
- mountPath: "/var/lib/containers"
-
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
-
- - name: "zuul-config-data"
- mountPath: "/data"
-
- serviceAccountName: "zuul"
- volumes:
- - name: "nodepool-config"
- secret:
- secretName: "nodepool-config"
-
- - name: "dev"
- hostPath:
- path: "/dev"
-
- - name: "dib-cache"
- emptyDir: {}
-
- - name: "dib-tmp"
- emptyDir: {}
-
- - name: "nodepool-containers"
- emptyDir: {}
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- volumeClaimTemplates:
- - metadata:
- name: "nodepool-images-dir"
- spec:
- accessModes:
- - "ReadWriteOnce"
- storageClassName: "csi-disk"
- resources:
- requests:
- storage: "80G"
diff --git a/kubernetes/zuul/components/nodepool-launcher/deployment.yaml b/kubernetes/zuul/components/nodepool-launcher/deployment.yaml
deleted file mode 100644
index cfeb6e2..0000000
--- a/kubernetes/zuul/components/nodepool-launcher/deployment.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nodepool-launcher
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: zuul
- app.kubernetes.io/component: "nodepool-launcher"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-launcher"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-launcher"
- spec:
- containers:
- - name: "nodepool"
- image: "zuul/nodepool-launcher"
- command:
- - "/usr/local/bin/nodepool-launcher"
- - "-f"
- - "-d"
- - "-c"
- - "/data/nodepool/nodepool.yaml"
-
- resources:
- limits:
- cpu: "100m"
- memory: "500Mi"
- requests:
- cpu: "50m"
- memory: "200Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
-
- - name: "zuul-config-data"
- mountPath: "/data"
-
- - name: "nodepool-lib"
- mountPath: "/var/lib/nodepool"
-
- serviceAccountName: "zuul"
- volumes:
- - name: "nodepool-config"
- secret:
- secretName: "nodepool-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- - name: "nodepool-lib"
- emptyDir: {}
- revisionHistoryLimit: 2
diff --git a/kubernetes/zuul/components/nodepool-launcher/hpa.yaml b/kubernetes/zuul/components/nodepool-launcher/hpa.yaml
deleted file mode 100644
index 363cc72..0000000
--- a/kubernetes/zuul/components/nodepool-launcher/hpa.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: autoscaling/v2
-kind: "HorizontalPodAutoscaler"
-metadata:
- name: "nodepool-launcher"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "nodepool-launcher"
-spec:
- scaleTargetRef:
- kind: "Deployment"
- name: "nodepool-launcher"
- apiVersion: "apps/v1"
- minReplicas: 1
- maxReplicas: 2
- metrics:
- - type: "Resource"
- resource:
- name: "cpu"
- target:
- type: "Utilization"
- averageUtilization: 70
diff --git a/kubernetes/zuul/components/nodepool-launcher/kustomization.yaml b/kubernetes/zuul/components/nodepool-launcher/kustomization.yaml
deleted file mode 100644
index 65e6931..0000000
--- a/kubernetes/zuul/components/nodepool-launcher/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - deployment.yaml
- - hpa.yaml
diff --git a/kubernetes/zuul/components/restarter/README.md b/kubernetes/zuul/components/restarter/README.md
deleted file mode 100644
index 22f9bd2..0000000
--- a/kubernetes/zuul/components/restarter/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Zuul restarter
-
-Sometimes credentials stored in Vault are rotated outside of Zuul. Since Zuul
-itself is not capable of reloading its general configration it is better to
-simply periodically restart certain parts of it.
-
-This component is implementing K8 ServiceAccount with role and few CronJobs
-that restart some Zuul components.
diff --git a/kubernetes/zuul/components/restarter/crb.yaml b/kubernetes/zuul/components/restarter/crb.yaml
deleted file mode 100644
index fb4d677..0000000
--- a/kubernetes/zuul/components/restarter/crb.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: "restart-deployment"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: "restart-deployment"
-subjects:
- - kind: "ServiceAccount"
- name: "restart-deployment"
diff --git a/kubernetes/zuul/components/restarter/job-restart-nodepool-launcher.yaml b/kubernetes/zuul/components/restarter/job-restart-nodepool-launcher.yaml
deleted file mode 100644
index 2fc2b48..0000000
--- a/kubernetes/zuul/components/restarter/job-restart-nodepool-launcher.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: "restart-nodepool-launcher"
-spec:
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 2
- concurrencyPolicy: Forbid
- schedule: '15 22 * * *'
- jobTemplate:
- spec:
- backoffLimit: 2
- activeDeadlineSeconds: 600
- template:
- spec:
- serviceAccountName: "restart-deployment"
- restartPolicy: Never
- containers:
- - name: "kubectl"
- image: "bitnami/kubectl"
- command:
- - "bash"
- - "-c"
- - >-
- kubectl rollout restart deployment/nodepool-launcher &&
- kubectl rollout status deployment/nodepool-launcher
diff --git a/kubernetes/zuul/components/restarter/job-restart-zuul-web.yaml b/kubernetes/zuul/components/restarter/job-restart-zuul-web.yaml
deleted file mode 100644
index fd2b188..0000000
--- a/kubernetes/zuul/components/restarter/job-restart-zuul-web.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: "restart-zuul-web"
-spec:
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 2
- concurrencyPolicy: Forbid
- schedule: '0 0 * * *'
- jobTemplate:
- spec:
- backoffLimit: 2
- activeDeadlineSeconds: 600
- template:
- spec:
- serviceAccountName: "restart-deployment"
- restartPolicy: Never
- containers:
- - name: "kubectl"
- image: "bitnami/kubectl"
- command:
- - "bash"
- - "-c"
- - >-
- kubectl rollout restart deployment/zuul-web &&
- kubectl rollout status deployment/zuul-web
diff --git a/kubernetes/zuul/components/restarter/kustomization.yaml b/kubernetes/zuul/components/restarter/kustomization.yaml
deleted file mode 100644
index cca5722..0000000
--- a/kubernetes/zuul/components/restarter/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - sa.yaml
- - role.yaml
- - crb.yaml
- - job-restart-zuul-web.yaml
- - job-restart-nodepool-launcher.yaml
diff --git a/kubernetes/zuul/components/restarter/role.yaml b/kubernetes/zuul/components/restarter/role.yaml
deleted file mode 100644
index 84d9e7d..0000000
--- a/kubernetes/zuul/components/restarter/role.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: "restart-deployment"
-rules:
- - apiGroups: ["apps"]
- resources: ["deployments"]
- # resourceNames: ["test-pod"]
- verbs: ["get", "patch", "list", "watch"]
diff --git a/kubernetes/zuul/components/restarter/sa.yaml b/kubernetes/zuul/components/restarter/sa.yaml
deleted file mode 100644
index 2a7426c..0000000
--- a/kubernetes/zuul/components/restarter/sa.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-kind: ServiceAccount
-apiVersion: v1
-metadata:
- name: "restart-deployment"
diff --git a/kubernetes/zuul/components/zookeeper/cert.yaml b/kubernetes/zuul/components/zookeeper/cert.yaml
deleted file mode 100644
index da205e9..0000000
--- a/kubernetes/zuul/components/zookeeper/cert.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: zookeeper-server
-spec:
- privateKey:
- encoding: PKCS8
- secretName: zookeeper-server-tls
- commonName: server
- usages:
- - digital signature
- - key encipherment
- - server auth
- - client auth
- dnsNames:
- - zookeeper-0.zookeeper-headless.zuul-ci.svc.cluster.local
- - zookeeper-0
- - zookeeper-1.zookeeper-headless.zuul-ci.svc.cluster.local
- - zookeeper-1
- - zookeeper-2.zookeeper-headless.zuul-ci.svc.cluster.local
- - zookeeper-2
- issuerRef:
- name: ca-issuer
- kind: Issuer
diff --git a/kubernetes/zuul/components/zookeeper/kustomization.yaml b/kubernetes/zuul/components/zookeeper/kustomization.yaml
deleted file mode 100644
index b622376..0000000
--- a/kubernetes/zuul/components/zookeeper/kustomization.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-configMapGenerator:
- - name: "zookeeper-config"
- files:
- - scripts/ok
- - scripts/run
- - scripts/ready
-
-labels:
- - includeSelectors: true
- pairs:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/version: "3.8.0"
- app.kubernetes.io/part-of: "zuul"
-
-images:
- - name: "zookeeper"
- newName: "quay.io/opentelekomcloud/zookeeper"
- newTag: "3.8.1"
-
-resources:
- - cert.yaml
- - sa.yaml
- - service.yaml
- - statefulset.yaml
- - pdb.yaml
diff --git a/kubernetes/zuul/components/zookeeper/pdb.yaml b/kubernetes/zuul/components/zookeeper/pdb.yaml
deleted file mode 100644
index 19c17bf..0000000
--- a/kubernetes/zuul/components/zookeeper/pdb.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: zookeeper
- labels:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
- maxUnavailable: 1
diff --git a/kubernetes/zuul/components/zookeeper/sa.yaml b/kubernetes/zuul/components/zookeeper/sa.yaml
deleted file mode 100644
index 0cb7f33..0000000
--- a/kubernetes/zuul/components/zookeeper/sa.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: zookeeper
diff --git a/kubernetes/zuul/components/zookeeper/scripts/ok b/kubernetes/zuul/components/zookeeper/scripts/ok
deleted file mode 100644
index fd8de36..0000000
--- a/kubernetes/zuul/components/zookeeper/scripts/ok
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-if [ -f /tls/client/ca.crt ]; then
- echo "srvr" | openssl s_client -CAfile /tls/client/ca.crt -cert /tls/client/tls.crt -key /tls/client/tls.key -connect 127.0.0.1:${1:-2281} -quiet -ign_eof 2>/dev/null | grep Mode
-else
- zkServer.sh status
-fi
diff --git a/kubernetes/zuul/components/zookeeper/scripts/ready b/kubernetes/zuul/components/zookeeper/scripts/ready
deleted file mode 100644
index 3035bed..0000000
--- a/kubernetes/zuul/components/zookeeper/scripts/ready
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-if [ -f /tls/client/ca.crt ]; then
- echo "ruok" | openssl s_client -CAfile /tls/client/ca.crt -cert /tls/client/tls.crt -key /tls/client/tls.key -connect 127.0.0.1:${1:-2281} -quiet -ign_eof 2>/dev/null
-else
- echo ruok | nc 127.0.0.1 ${1:-2181}
-fi
diff --git a/kubernetes/zuul/components/zookeeper/scripts/run b/kubernetes/zuul/components/zookeeper/scripts/run
deleted file mode 100644
index c971582..0000000
--- a/kubernetes/zuul/components/zookeeper/scripts/run
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/bash
-
-set -a
-ROOT=$(echo /apache-zookeeper-*)
-
-ZK_USER=${ZK_USER:-"zookeeper"}
-ZK_LOG_LEVEL=${ZK_LOG_LEVEL:-"INFO"}
-ZK_DATA_DIR=${ZK_DATA_DIR:-"/data"}
-ZK_DATA_LOG_DIR=${ZK_DATA_LOG_DIR:-"/data/log"}
-ZK_CONF_DIR=${ZK_CONF_DIR:-"/conf"}
-ZK_CLIENT_PORT=${ZK_CLIENT_PORT:-2181}
-ZK_SSL_CLIENT_PORT=${ZK_SSL_CLIENT_PORT:-2281}
-ZK_SERVER_PORT=${ZK_SERVER_PORT:-2888}
-ZK_ELECTION_PORT=${ZK_ELECTION_PORT:-3888}
-ZK_TICK_TIME=${ZK_TICK_TIME:-2000}
-ZK_INIT_LIMIT=${ZK_INIT_LIMIT:-10}
-ZK_SYNC_LIMIT=${ZK_SYNC_LIMIT:-5}
-ZK_HEAP_SIZE=${ZK_HEAP_SIZE:-2G}
-ZK_MAX_CLIENT_CNXNS=${ZK_MAX_CLIENT_CNXNS:-60}
-ZK_MIN_SESSION_TIMEOUT=${ZK_MIN_SESSION_TIMEOUT:- $((ZK_TICK_TIME*2))}
-ZK_MAX_SESSION_TIMEOUT=${ZK_MAX_SESSION_TIMEOUT:- $((ZK_TICK_TIME*20))}
-ZK_SNAP_RETAIN_COUNT=${ZK_SNAP_RETAIN_COUNT:-3}
-ZK_PURGE_INTERVAL=${ZK_PURGE_INTERVAL:-0}
-ID_FILE="$ZK_DATA_DIR/myid"
-ZK_CONFIG_FILE="$ZK_CONF_DIR/zoo.cfg"
-LOG4J_PROPERTIES="$ZK_CONF_DIR/log4j.properties"
-HOST=$(hostname)
-DOMAIN=`hostname -d`
-JVMFLAGS="-Xmx$ZK_HEAP_SIZE -Xms$ZK_HEAP_SIZE"
-
-APPJAR=$(echo $ROOT/*jar)
-CLASSPATH="${ROOT}/lib/*:${APPJAR}:${ZK_CONF_DIR}:"
-
-if [[ $HOST =~ (.*)-([0-9]+)$ ]]; then
- NAME=${BASH_REMATCH[1]}
- ORD=${BASH_REMATCH[2]}
- MY_ID=$((ORD+1))
-else
- echo "Failed to extract ordinal from hostname $HOST"
- exit 1
-fi
-
-mkdir -p $ZK_DATA_DIR
-mkdir -p $ZK_DATA_LOG_DIR
-echo $MY_ID >> $ID_FILE
-
-if [[ -f /tls/server/ca.crt ]]; then
- cp /tls/server/ca.crt /data/server-ca.pem
- cat /tls/server/tls.crt /tls/server/tls.key > /data/server.pem
-fi
-if [[ -f /tls/client/ca.crt ]]; then
- cp /tls/client/ca.crt /data/client-ca.pem
- cat /tls/client/tls.crt /tls/client/tls.key > /data/client.pem
-fi
-
-echo "dataDir=$ZK_DATA_DIR" >> $ZK_CONFIG_FILE
-echo "dataLogDir=$ZK_DATA_LOG_DIR" >> $ZK_CONFIG_FILE
-echo "tickTime=$ZK_TICK_TIME" >> $ZK_CONFIG_FILE
-echo "initLimit=$ZK_INIT_LIMIT" >> $ZK_CONFIG_FILE
-echo "syncLimit=$ZK_SYNC_LIMIT" >> $ZK_CONFIG_FILE
-echo "maxClientCnxns=$ZK_MAX_CLIENT_CNXNS" >> $ZK_CONFIG_FILE
-echo "minSessionTimeout=$ZK_MIN_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE
-echo "maxSessionTimeout=$ZK_MAX_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE
-echo "autopurge.snapRetainCount=$ZK_SNAP_RETAIN_COUNT" >> $ZK_CONFIG_FILE
-echo "autopurge.purgeInterval=$ZK_PURGE_INTERVAL" >> $ZK_CONFIG_FILE
-echo "4lw.commands.whitelist=*" >> $ZK_CONFIG_FILE
-
-# Client TLS configuration
-if [[ -f /tls/client/ca.crt ]]; then
- echo "secureClientPort=$ZK_SSL_CLIENT_PORT" >> $ZK_CONFIG_FILE
- echo "ssl.keyStore.location=/data/client.pem" >> $ZK_CONFIG_FILE
- echo "ssl.trustStore.location=/data/client-ca.pem" >> $ZK_CONFIG_FILE
-else
- echo "clientPort=$ZK_CLIENT_PORT" >> $ZK_CONFIG_FILE
-fi
-
-# Server TLS configuration
-if [[ -f /tls/server/ca.crt ]]; then
- echo "serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory" >> $ZK_CONFIG_FILE
- echo "sslQuorum=true" >> $ZK_CONFIG_FILE
- echo "ssl.quorum.keyStore.location=/data/server.pem" >> $ZK_CONFIG_FILE
- echo "ssl.quorum.trustStore.location=/data/server-ca.pem" >> $ZK_CONFIG_FILE
-fi
-
-for (( i=1; i<=$ZK_REPLICAS; i++ ))
-do
- echo "server.$i=$NAME-$((i-1)).$DOMAIN:$ZK_SERVER_PORT:$ZK_ELECTION_PORT" >> $ZK_CONFIG_FILE
-done
-
-rm -f $LOG4J_PROPERTIES
-
-echo "zookeeper.root.logger=$ZK_LOG_LEVEL, CONSOLE" >> $LOG4J_PROPERTIES
-echo "zookeeper.console.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES
-echo "zookeeper.log.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES
-echo "zookeeper.log.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES
-echo "zookeeper.log.file=zookeeper.log" >> $LOG4J_PROPERTIES
-echo "zookeeper.log.maxfilesize=256MB" >> $LOG4J_PROPERTIES
-echo "zookeeper.log.maxbackupindex=10" >> $LOG4J_PROPERTIES
-echo "zookeeper.tracelog.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES
-echo "zookeeper.tracelog.file=zookeeper_trace.log" >> $LOG4J_PROPERTIES
-echo "log4j.rootLogger=\${zookeeper.root.logger}" >> $LOG4J_PROPERTIES
-echo "log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender" >> $LOG4J_PROPERTIES
-echo "log4j.appender.CONSOLE.Threshold=\${zookeeper.console.threshold}" >> $LOG4J_PROPERTIES
-echo "log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout" >> $LOG4J_PROPERTIES
-echo "log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n" >> $LOG4J_PROPERTIES
-
-if [ -n "$JMXDISABLE" ]
-then
- MAIN=org.apache.zookeeper.server.quorum.QuorumPeerMain
-else
- MAIN="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain"
-fi
-
-set -x
-exec java -cp "$CLASSPATH" $JVMFLAGS $MAIN $ZK_CONFIG_FILE
diff --git a/kubernetes/zuul/components/zookeeper/service.yaml b/kubernetes/zuul/components/zookeeper/service.yaml
deleted file mode 100644
index 8d66781..0000000
--- a/kubernetes/zuul/components/zookeeper/service.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: zookeeper-headless
- labels:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
-spec:
- clusterIP: None
- ports:
- - name: client
- port: 2281
- protocol: TCP
- targetPort: client
- - name: server
- port: 2888
- protocol: TCP
- targetPort: server
- - name: election
- port: 3888
- protocol: TCP
- targetPort: election
- selector:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
- publishNotReadyAddresses: true
----
-apiVersion: v1
-kind: Service
-metadata:
- name: zookeeper
- labels:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
-spec:
- ports:
- - name: client
- port: 2281
- protocol: TCP
- targetPort: client
- selector:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
- type: ClusterIP
diff --git a/kubernetes/zuul/components/zookeeper/statefulset.yaml b/kubernetes/zuul/components/zookeeper/statefulset.yaml
deleted file mode 100644
index 9c98896..0000000
--- a/kubernetes/zuul/components/zookeeper/statefulset.yaml
+++ /dev/null
@@ -1,145 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: "zookeeper"
- labels:
- app.kubernetes.io/name: "zookeeper"
- app.kubernetes.io/component: "server"
-spec:
- podManagementPolicy: "Parallel"
- replicas: 1
- serviceName: "zookeeper-headless"
- template:
- metadata:
- labels:
- app.kubernetes.io/component: "server"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: In
- values:
- - "zookeeper"
- - key: "app.kubernetes.io/component"
- operator: In
- values:
- - "server"
- topologyKey: "kubernetes.io/hostname"
-
- terminationGracePeriodSeconds: 1800
- serviceAccountName: "zookeeper"
- containers:
- - name: "zookeeper"
- securityContext:
- runAsUser: 1000
- runAsGroup: 1000
- image: "zookeeper"
- command:
- - "/bin/bash"
- - "-xec"
- - "/config-scripts/run"
- ports:
- - containerPort: 2281
- name: "client"
- - containerPort: 2888
- name: "server"
- - containerPort: 3888
- name: "election"
- livenessProbe:
- exec:
- command:
- - sh
- - /config-scripts/ok
- initialDelaySeconds: 20
- periodSeconds: 30
- timeoutSeconds: 5
- failureThreshold: 2
- successThreshold: 1
- readinessProbe:
- exec:
- command:
- - sh
- - /config-scripts/ready
- initialDelaySeconds: 20
- periodSeconds: 30
- timeoutSeconds: 5
- failureThreshold: 2
- successThreshold: 1
- env:
- - name: ZK_REPLICAS
- value: "3"
- - name: JMXAUTH
- value: "false"
- - name: JMXDISABLE
- value: "false"
- - name: JMXPORT
- value: "1099"
- - name: JMXSSL
- value: "false"
- - name: ZK_SYNC_LIMIT
- value: "10"
- - name: ZK_TICK_TIME
- value: "2000"
- - name: ZK_PURGE_INTERVAL
- value: "6"
- - name: ZK_SNAP_RETAIN_COUNT
- value: "3"
- - name: ZOO_INIT_LIMIT
- value: "5"
- - name: ZOO_MAX_CLIENT_CNXNS
- value: "60"
- - name: ZOO_PORT
- value: "2181"
- - name: ZOO_STANDALONE_ENABLED
- value: "false"
- - name: ZOO_TICK_TIME
- value: "2000"
-
- resources:
- limits:
- cpu: "100m"
- memory: "2Gi"
- requests:
- cpu: "20m"
- memory: "1Gi"
-
- volumeMounts:
- - name: data
- mountPath: /data
- - name: zookeeper-server-tls
- mountPath: /tls/server
- readOnly: true
- - name: zookeeper-client-tls
- mountPath: /tls/client
- readOnly: true
- - name: config
- mountPath: /config-scripts
-
- volumes:
- - name: config
- configMap:
- name: zookeeper-config
- defaultMode: 0555
- - name: zookeeper-server-tls
- secret:
- secretName: zookeeper-server-tls
- - name: zookeeper-client-tls
- secret:
- secretName: zookeeper-server-tls
-
- updateStrategy:
- type: "RollingUpdate"
- volumeClaimTemplates:
- - metadata:
- name: "data"
- spec:
- accessModes: ["ReadWriteOnce"]
- resources:
- requests:
- storage: "1Gi"
diff --git a/kubernetes/zuul/components/zuul-client/deployment.yaml b/kubernetes/zuul/components/zuul-client/deployment.yaml
deleted file mode 100644
index 910be03..0000000
--- a/kubernetes/zuul/components/zuul-client/deployment.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zuul-client
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-client"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-client"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-client"
- spec:
- serviceAccountName: "zuul"
-
- containers:
- # Zuul-client is a regular zuul-web image doing nothing.
- # We use it only to have completely independent pod serving as
- # zuul client for i.e. maintenance.
- - name: "zuul"
- image: "zuul/zuul-web"
- command:
- - "sh"
- - "-c"
- - "while :; do sleep 60; done"
-
- resources:
- limits:
- cpu: "50m"
- memory: "128Mi"
- requests:
- cpu: "10m"
- memory: "32Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-cfg"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
-
- volumes:
- - name: "zuul-cfg"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- revisionHistoryLimit: 2
diff --git a/kubernetes/zuul/components/zuul-client/kustomization.yaml b/kubernetes/zuul/components/zuul-client/kustomization.yaml
deleted file mode 100644
index fbc3362..0000000
--- a/kubernetes/zuul/components/zuul-client/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - deployment.yaml
diff --git a/kubernetes/zuul/components/zuul-config/deployment.yaml b/kubernetes/zuul/components/zuul-config/deployment.yaml
deleted file mode 100644
index 7b0a2fd..0000000
--- a/kubernetes/zuul/components/zuul-config/deployment.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: "zuul-config"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-config"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-config"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-config"
- spec:
- initContainers:
-
- - name: "git-fetcher"
- image: "zuul/nodepool-builder"
- args:
- - "cd /data && git clone $ZUUL_CONFIG_REPO . || true"
- command: ["/bin/sh", "-ec"]
- env:
- - name: "ZUUL_CONFIG_REPO"
- valueFrom:
- configMapKeyRef:
- name: "zuul-instance-config"
- key: "ZUUL_CONFIG_REPO"
- volumeMounts:
- - name: "zuul-config-data"
- mountPath: "/data"
-
- containers:
-
- - name: "git-syncer"
- args:
- - "while :; do cd /data/; git pull; sleep 60; done"
- command: ["/bin/sh", "-ec"]
- image: "zuul/nodepool-builder"
- resources:
- limits:
- cpu: "50m"
- memory: "64Mi"
- requests:
- cpu: "10m"
- memory: "5Mi"
-
- volumeMounts:
- - name: "zuul-config-data"
- mountPath: "/data"
-
- volumes:
- - name: "zuul-instance-config"
- secret:
- secretName: "zuul-instance-config"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- revisionHistoryLimit: 2
diff --git a/kubernetes/zuul/components/zuul-config/kustomization.yaml b/kubernetes/zuul/components/zuul-config/kustomization.yaml
deleted file mode 100644
index a5bb0ad..0000000
--- a/kubernetes/zuul/components/zuul-config/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - pvc.yaml
- - deployment.yaml
diff --git a/kubernetes/zuul/components/zuul-config/pvc.yaml b/kubernetes/zuul/components/zuul-config/pvc.yaml
deleted file mode 100644
index 1fb12bc..0000000
--- a/kubernetes/zuul/components/zuul-config/pvc.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: "v1"
-kind: "PersistentVolumeClaim"
-metadata:
- name: zuul-config
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-config"
-spec:
- storageClassName: "csi-nas"
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage: 1Gi
diff --git a/kubernetes/zuul/components/zuul-executor/kustomization.yaml b/kubernetes/zuul/components/zuul-executor/kustomization.yaml
deleted file mode 100644
index 4c429a2..0000000
--- a/kubernetes/zuul/components/zuul-executor/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - service.yaml
- - statefulset.yaml
diff --git a/kubernetes/zuul/components/zuul-executor/service.yaml b/kubernetes/zuul/components/zuul-executor/service.yaml
deleted file mode 100644
index 67ee401..0000000
--- a/kubernetes/zuul/components/zuul-executor/service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: zuul-executor
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-executor"
-spec:
- type: "ClusterIP"
- clusterIP: None
- ports:
- - name: "logs"
- port: 7900
- protocol: "TCP"
- targetPort: "logs"
- selector:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-executor"
diff --git a/kubernetes/zuul/components/zuul-executor/statefulset.yaml b/kubernetes/zuul/components/zuul-executor/statefulset.yaml
deleted file mode 100644
index 384460e..0000000
--- a/kubernetes/zuul/components/zuul-executor/statefulset.yaml
+++ /dev/null
@@ -1,131 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: zuul-executor
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-executor"
-spec:
- replicas: 1
- serviceName: "zuul-executor"
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-executor"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-executor"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: In
- values:
- - "zuul"
- - key: "app.kubernetes.io/component"
- operator: In
- values:
- - "zuul-executor"
- topologyKey: "kubernetes.io/hostname"
-
- containers:
- - name: "zuul"
- image: "zuul/zuul-executor"
- args: ["/usr/local/bin/zuul-executor", "-f", "-d"]
- env:
- - name: "ZUUL_EXECUTOR_SIGTERM_GRACEFUL"
- value: "1"
-
- lifecycle:
- preStop:
- exec:
- command: [
- "/usr/local/bin/zuul-executor", "graceful"
- ]
-
- ports:
- - containerPort: 7900
- name: "logs"
- protocol: "TCP"
- - containerPort: 9091
- name: "prometheus"
- protocol: "TCP"
-
- # readinessProbe:
- # httpGet:
- # path: "/health/ready"
- # port: "prometheus"
- # failureThreshold: 20
- # periodSeconds: 10
- # livenessProbe:
- # httpGet:
- # path: "/health/live"
- # port: "prometheus"
- # initialDelaySeconds: 120
- # failureThreshold: 10
- # periodSeconds: 5
- # timeoutSeconds: 5
-
- resources:
- limits:
- cpu: "2000m"
- memory: "8G"
- requests:
- cpu: "500m"
- memory: "1G"
-
- securityContext:
- privileged: true
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
- - name: "zuul-var"
- mountPath: "/var/lib/zuul"
- - name: "zuul-vars"
- mountPath: "/var/run/zuul/vars"
- - name: "zuul-trusted-ro"
- mountPath: "/var/run/zuul/trusted-ro"
- readOnly: true
-
- serviceAccountName: "zuul"
- terminationGracePeriodSeconds: 120
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- - name: "zuul-vars"
- configMap:
- name: "zuul-executor-vars"
-
- - name: "zuul-trusted-ro"
- emptyDir: {}
-
- - name: "zuul-var"
- emptyDir: {}
diff --git a/kubernetes/zuul/components/zuul-merger/deployment.yaml b/kubernetes/zuul/components/zuul-merger/deployment.yaml
deleted file mode 100644
index 04a5713..0000000
--- a/kubernetes/zuul/components/zuul-merger/deployment.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: "zuul-merger"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: "In"
- values:
- - "zuul"
- - key: "app.kubernetes.io/component"
- operator: "In"
- values:
- - "zuul-merger"
- topologyKey: "kubernetes.io/hostname"
-
- containers:
- - name: "zuul"
- image: "zuul/zuul-merger"
- args: ["/usr/local/bin/zuul-merger", "-f", "-d"]
-
- ports:
- - containerPort: 9091
- name: "prometheus"
- protocol: "TCP"
-
- readinessProbe:
- httpGet:
- path: "/health/ready"
- port: "prometheus"
- failureThreshold: 20
- periodSeconds: 10
- livenessProbe:
- httpGet:
- path: "/health/live"
- port: "prometheus"
- initialDelaySeconds: 120
- failureThreshold: 10
- periodSeconds: 5
- timeoutSeconds: 5
-
- resources:
- limits:
- cpu: "200m"
- memory: "600Mi"
- requests:
- cpu: "50m"
- memory: "100Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
- - name: "zuul-var"
- mountPath: "/var/lib/zuul"
-
- serviceAccountName: "zuul"
- terminationGracePeriodSeconds: 120
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- - name: "zuul-var"
- emptyDir: {}
- revisionHistoryLimit: 2
diff --git a/kubernetes/zuul/components/zuul-merger/hpa.yaml b/kubernetes/zuul/components/zuul-merger/hpa.yaml
deleted file mode 100644
index 20d9a9d..0000000
--- a/kubernetes/zuul/components/zuul-merger/hpa.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: autoscaling/v2
-kind: "HorizontalPodAutoscaler"
-metadata:
- name: "zuul-merger"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
-spec:
- scaleTargetRef:
- kind: "Deployment"
- name: "zuul-merger"
- apiVersion: "apps/v1"
- minReplicas: 1
- maxReplicas: 4
- metrics:
- - type: "Resource"
- resource:
- name: "cpu"
- target:
- type: "Utilization"
- averageUtilization: 70
diff --git a/kubernetes/zuul/components/zuul-merger/kustomization.yaml b/kubernetes/zuul/components/zuul-merger/kustomization.yaml
deleted file mode 100644
index 65e6931..0000000
--- a/kubernetes/zuul/components/zuul-merger/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - deployment.yaml
- - hpa.yaml
diff --git a/kubernetes/zuul/components/zuul-merger/statefulset.yaml b/kubernetes/zuul/components/zuul-merger/statefulset.yaml
deleted file mode 100644
index 4fca57d..0000000
--- a/kubernetes/zuul/components/zuul-merger/statefulset.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: "zuul-merger"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
-spec:
- replicas: 1
- serviceName: "zuul-merger"
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-merger"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: "In"
- values:
- - "zuul"
- - key: "app.kubernetes.io/component"
- operator: "In"
- values:
- - "zuul-merger"
- topologyKey: "kubernetes.io/hostname"
-
- containers:
- - name: "merger"
- image: "zuul/zuul-merger"
- args: ["/usr/local/bin/zuul-merger", "-f", "-d"]
-
- resources:
- limits:
- cpu: "200m"
- memory: "400Mi"
- requests:
- cpu: "50m"
- memory: "200Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
- - name: "zuul-var"
- mountPath: "/var/lib/zuul"
-
- serviceAccountName: "zuul"
- terminationGracePeriodSeconds: 120
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- - name: "zuul-var"
- emptyDir: {}
diff --git a/kubernetes/zuul/components/zuul-scheduler/deployment.yaml b/kubernetes/zuul/components/zuul-scheduler/deployment.yaml
deleted file mode 100644
index 1b01447..0000000
--- a/kubernetes/zuul/components/zuul-scheduler/deployment.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zuul-scheduler
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: In
- values:
- - "zuul"
- - key: "app.kubernetes.io/component"
- operator: In
- values:
- - "zuul-scheduler"
- topologyKey: "kubernetes.io/hostname"
-
- containers:
- - name: "zuul"
- image: "zuul/zuul-scheduler"
- args: ["/usr/local/bin/zuul-scheduler", "-f", "-d"]
-
- ports:
- - containerPort: 9091
- name: "prometheus"
- protocol: "TCP"
-
- readinessProbe:
- httpGet:
- path: "/health/ready"
- port: "prometheus"
- failureThreshold: 20
- periodSeconds: 10
- livenessProbe:
- httpGet:
- path: "/health/live"
- port: "prometheus"
- initialDelaySeconds: 120
- failureThreshold: 10
- periodSeconds: 5
- timeoutSeconds: 5
-
- resources:
- limits:
- cpu: "2"
- memory: "2G"
- requests:
- cpu: "100m"
- memory: "200Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
- - name: "zuul-var-lib"
- mountPath: "/var/lib/zuul"
- - name: "zuul-var-run"
- mountPath: "/var/run/zuul"
-
- serviceAccountName: "zuul"
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- - name: "zuul-var-lib"
- emptyDir: {}
-
- - name: "zuul-var-run"
- emptyDir: {}
diff --git a/kubernetes/zuul/components/zuul-scheduler/kustomization.yaml b/kubernetes/zuul/components/zuul-scheduler/kustomization.yaml
deleted file mode 100644
index fbc3362..0000000
--- a/kubernetes/zuul/components/zuul-scheduler/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - deployment.yaml
diff --git a/kubernetes/zuul/components/zuul-scheduler/statefulset.yaml b/kubernetes/zuul/components/zuul-scheduler/statefulset.yaml
deleted file mode 100644
index 6292079..0000000
--- a/kubernetes/zuul/components/zuul-scheduler/statefulset.yaml
+++ /dev/null
@@ -1,91 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: zuul-scheduler
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
-spec:
- replicas: 1
- serviceName: "zuul-scheduler"
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/component: "zuul-scheduler"
- spec:
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: "app.kubernetes.io/name"
- operator: In
- values:
- - "zuul"
- - key: "app.kubernetes.io/component"
- operator: In
- values:
- - "zuul-scheduler"
- topologyKey: "kubernetes.io/hostname"
-
- containers:
- - name: "scheduler"
- image: "zuul/zuul-scheduler"
- args: ["/usr/local/bin/zuul-scheduler", "-f", "-d"]
-
- resources:
- limits:
- cpu: "2"
- memory: "2G"
- requests:
- cpu: "100m"
- memory: "200Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
- - name: "zuul-scheduler-state-dir"
- mountPath: "/var/lib/zuul"
-
- serviceAccountName: "zuul"
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
-
- volumeClaimTemplates:
- - metadata:
- name: "zuul-scheduler-state-dir"
- spec:
- accessModes:
- - "ReadWriteOnce"
- storageClassName: "csi-disk"
- resources:
- requests:
- storage: "5G"
diff --git a/kubernetes/zuul/components/zuul-web/deployment.yaml b/kubernetes/zuul/components/zuul-web/deployment.yaml
deleted file mode 100644
index 8d060ca..0000000
--- a/kubernetes/zuul/components/zuul-web/deployment.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: zuul-web
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: zuul
- app.kubernetes.io/component: "zuul-web"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-web"
- template:
- metadata:
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-web"
- spec:
- containers:
- - name: "zuul"
- image: "zuul/zuul-web"
- args: ["/usr/local/bin/zuul-web", "-f", "-d"]
-
- ports:
- - containerPort: 9000
- name: "web"
- protocol: "TCP"
- - containerPort: 9091
- name: "prometheus"
- protocol: "TCP"
-
- readinessProbe:
- httpGet:
- path: "/health/ready"
- port: "prometheus"
- failureThreshold: 30
- periodSeconds: 10
- livenessProbe:
- httpGet:
- path: "/health/live"
- port: "prometheus"
- initialDelaySeconds: 120
- failureThreshold: 10
- periodSeconds: 5
- timeoutSeconds: 5
-
- resources:
- limits:
- cpu: "50m"
- memory: "500Mi"
- requests:
- cpu: "20m"
- memory: "200Mi"
-
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
-
- volumeMounts:
- - name: "zuul-config"
- mountPath: "/etc/zuul"
- readOnly: true
- - name: "zookeeper-client-tls"
- mountPath: "/tls/client"
- readOnly: true
- - name: "zuul-config-data"
- mountPath: "/etc/zuul-config"
-
- serviceAccountName: "zuul"
- volumes:
- - name: "zuul-config"
- secret:
- secretName: "zuul-config"
-
- - name: "zookeeper-client-tls"
- secret:
- secretName: "zookeeper-client-tls"
-
- - name: "zuul-config-data"
- persistentVolumeClaim:
- claimName: "zuul-config"
- revisionHistoryLimit: 2
diff --git a/kubernetes/zuul/components/zuul-web/hpa.yaml b/kubernetes/zuul/components/zuul-web/hpa.yaml
deleted file mode 100644
index fd7b19d..0000000
--- a/kubernetes/zuul/components/zuul-web/hpa.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-apiVersion: autoscaling/v2
-kind: "HorizontalPodAutoscaler"
-metadata:
- name: "zuul-web"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-web"
-spec:
- scaleTargetRef:
- kind: "Deployment"
- name: "zuul-web"
- apiVersion: "apps/v1"
- minReplicas: 1
- maxReplicas: 2
- metrics:
- - type: "Resource"
- resource:
- name: "cpu"
- target:
- type: "Utilization"
- averageUtilization: 70
diff --git a/kubernetes/zuul/components/zuul-web/ingress.yaml b/kubernetes/zuul/components/zuul-web/ingress.yaml
deleted file mode 100644
index 3231654..0000000
--- a/kubernetes/zuul/components/zuul-web/ingress.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: "zuul-web"
- labels:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-web"
-spec:
- rules:
- - host: "zuul"
- http:
- paths:
- - backend:
- service:
- name: "zuul-web"
- port:
- number: 9000
- path: "/"
- pathType: "Prefix"
diff --git a/kubernetes/zuul/components/zuul-web/kustomization.yaml b/kubernetes/zuul/components/zuul-web/kustomization.yaml
deleted file mode 100644
index 845940d..0000000
--- a/kubernetes/zuul/components/zuul-web/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
- - service.yaml
- - deployment.yaml
- - ingress.yaml
- - hpa.yaml
diff --git a/kubernetes/zuul/components/zuul-web/service.yaml b/kubernetes/zuul/components/zuul-web/service.yaml
deleted file mode 100644
index 68eff83..0000000
--- a/kubernetes/zuul/components/zuul-web/service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: zuul-web
- labels:
- app.kubernetes.io/name: zuul
- app.kubernetes.io/part-of: zuul
- app.kubernetes.io/component: zuul-web
-spec:
- type: "ClusterIP"
- clusterIP: None
- ports:
- - name: "web"
- port: 9000
- protocol: "TCP"
- targetPort: "web"
- selector:
- app.kubernetes.io/name: "zuul"
- app.kubernetes.io/part-of: "zuul"
- app.kubernetes.io/component: "zuul-web"
diff --git a/kubernetes/zuul/overlays/scs/configs/gitea.key b/kubernetes/zuul/overlays/scs/configs/gitea.key
deleted file mode 100644
index 35dfe4b..0000000
--- a/kubernetes/zuul/overlays/scs/configs/gitea.key
+++ /dev/null
@@ -1,50 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAgEArig9BW994crJrAfM3H9P/HH+yz7fJI+2SOsVaDVle+2tWD+rfpFJ
-7SNLgXG1ipv/XnA0W7S/i0+7ShPieiakRuXqHrnfZVNf5Z/smH5aweZB62CgNxIH2fCCRI
-lKJ8YbNDOdulpltbELjHieXU9mjIapYrLFx13xLjr2mcRNrkOs+N1JcHxiRoG4qez0KNlr
-dn83c3Hda5lUi8O73ZxaGPzW5a9J89GLOiX7w+J6T3eDzMHOQqGOoC4S90QIRMya1UhP2J
-8GU2FTOMav5ZlOFHTN4m+/iO0xe68rwAFuO+l0DN+nYUvEr/daK/YAAjZcDS0MvwRwpb9g
-a+V6YoUCxnBZPa0GTqFe49UBUZzuwgdwoYznUYkKi1zodp0idR/VoDFwu/XmMM2OlhS4qT
-vtDyyTRd2OJDCkVv2HHWp9vNmf8V6UIbPvvEpHwK0Ts1Z01aNMf9wmCxK3ORDdp1nrC3Uv
-OjQ+AkxooZezpRwBEgXYfZH1XVMdrJDQSeMFln2/20BTYqrum2bpdheEbRfpwIT8YFfUsu
-TiZZm4VRmDjtK+Zi+0IP4611M5Zeqpnrvxe4c4QeNJVR9/Euc8awhq78+8tfV+cOJygfu9
-3JD43eVgd3qoR3jRSRPznPMffSlPma/Nu+gXHQ1nAmU/ZmBcq4Yx9XpIUNb05AJzAsU79o
-MAAAdQ1aGCR9WhgkcAAAAHc3NoLXJzYQAAAgEArig9BW994crJrAfM3H9P/HH+yz7fJI+2
-SOsVaDVle+2tWD+rfpFJ7SNLgXG1ipv/XnA0W7S/i0+7ShPieiakRuXqHrnfZVNf5Z/smH
-5aweZB62CgNxIH2fCCRIlKJ8YbNDOdulpltbELjHieXU9mjIapYrLFx13xLjr2mcRNrkOs
-+N1JcHxiRoG4qez0KNlrdn83c3Hda5lUi8O73ZxaGPzW5a9J89GLOiX7w+J6T3eDzMHOQq
-GOoC4S90QIRMya1UhP2J8GU2FTOMav5ZlOFHTN4m+/iO0xe68rwAFuO+l0DN+nYUvEr/da
-K/YAAjZcDS0MvwRwpb9ga+V6YoUCxnBZPa0GTqFe49UBUZzuwgdwoYznUYkKi1zodp0idR
-/VoDFwu/XmMM2OlhS4qTvtDyyTRd2OJDCkVv2HHWp9vNmf8V6UIbPvvEpHwK0Ts1Z01aNM
-f9wmCxK3ORDdp1nrC3UvOjQ+AkxooZezpRwBEgXYfZH1XVMdrJDQSeMFln2/20BTYqrum2
-bpdheEbRfpwIT8YFfUsuTiZZm4VRmDjtK+Zi+0IP4611M5Zeqpnrvxe4c4QeNJVR9/Euc8
-awhq78+8tfV+cOJygfu93JD43eVgd3qoR3jRSRPznPMffSlPma/Nu+gXHQ1nAmU/ZmBcq4
-Yx9XpIUNb05AJzAsU79oMAAAADAQABAAACAEhUKdOiFDO8Frm9m5VPwpZjeaBLgj0a+mea
-So+27WjkswNdngm4qW01JVyjLvRcCVjdXMFhddOTz4Lac0qr1bokLnGIXIEmeUNSgd5rS6
-IP0PzCaoe0k1IuEswIAKY4HoA1l6IXfPpShytVxN+X5E0keCCngoBkQZAjqNr/rgtby/Cn
-ZqKy5dXGdj0MTfLRKVJTT2JAvea8DWLmbZWCI+EQ0OcfP6VlN190+vTFkGqEhlZ5fwIpOq
-THvdS3in+YQg2mNJMQqH3kg72mttKyMr1ILWGHa5Kgf9aQT6k0buWu9SWLlWZRI2S5Y9ey
-GRrSHLTUKuECJQ6RRqhI6+USvK2hifFQQGcLhPc8hjT3S1dxrbUxfrMY6/f5v19AS8Sewf
-RPLDK+NU+AigfbGj7rAqMwRfgSdvgs+7Cmx058fE5f6kIIyxpxmFloAv812Hwxc5cekDxH
-hL24Y1OrK9Ij/FWZKUjK2q97Wv34p79kouwFVK8umfCSTaZoQWp03JgkSexjwT6rw+ULih
-ChjNNMF7byWd+vBGXXbE6hAg7+cSpSmAI6vqB/29Fp4bnx3Dr7YT1guxmVlVsq0aqhWYcw
-Mh6xgRHQgjBAVV1xi597e73b0JQz3fWTyYSX5jo+GlIGrzFDRDGs69QwHj93D3WPeL1QtP
-BhmSjvKyILYLVaEPeRAAABAQDHOBm7iKv3cr4wOkHT6eUK0budnklJyVtktj0XBHjLFUpl
-Ac4ViQjw6c1ev3gZ0vB9ykkDYNcJpqjBO6EDnq5iexDmfXMm6ZlVAYdPYb/wIdHiFTa+Pe
-6Dbvcporu8ATl6EUMz1ZjZ1+752F1eybucoq3SiwgS7B0lz7lYwCH1VpocOmW1zlAPlfdd
-YsRCjf0f31INQn3JPN9lb6BBdM2AB5lknjAmpZFOo/tKYDCUrKoSPyy14gqszHT0ah5x8C
-Qvu0YhHq+uxMiadEAPwMuYXQf9K0Msd67Mh/0Z67keoLzAWz6iWsO9xuygQv2dXvdq74ww
-f250qQnVSQhslaibAAABAQDjUq8q9j+Z2XDmdhaA8U8CwvTrYioFcEjlmOD33pK5vySRtg
-XATgfzxhfrrek7LOuyK7i81lD3QMNtmxsi/c7NvqqU1av7nPKdVL25qi1KmIKbDD1PqQCE
-BvkB+wRmPXLHae3HmAjSovayD1S9K2txx5mOJ17RHJfALADhnVdJBvP1kdqNJjI+rTCNku
-cm8UcQy+TxmC8dErCy5Kh259JrrtShGMLAT0r27CEe3DDnLj46YDledj2W/3PDKSvPkDSL
-2lwmrxrLGqoWnQO7jg2tsrtGFvDrze+peVtxvEshE2cED3qC1H0PcvfC32Fbra5KY4DIkj
-4+v/VaTVANAQi/AAABAQDEIJVMCjvgL+06OeC1PbN0l/B4oDfKCkCbPwV7BlNt+6rF0Sd3
-kHfz5bi1Y/iEtuaFjG/Cdvour81m4GP8atDUqdwLSjbsC+EhLdwiuZVNfponzaLYUzs61m
-+qEA2OW276t/FvFHLmm8zpKYPHC4T6uvAiy3ZjeMUAH2DRVcPVpoTICo1ki3lb3IWJqpjz
-XnCEmo6w7zZDAPQdA95KrxEJML5bo78FM6Oh96Rvfq2MQz3iMwnPdUYlOX/F9jw3BHcFqM
-uZnLViGhuDJnFrMsgFIRDVCyUi8icB+WreLWAvY2tmmUhmzrNeL8oZl0yuBKDuz3FNmlvh
-Iv5vPJWXwl89AAAAE2ExMTc5MDU2OTRAUkRERTAzVU0BAgMEBQYH
------END OPENSSH PRIVATE KEY-----
-
diff --git a/kubernetes/zuul/overlays/scs/configs/kube.config.hcl b/kubernetes/zuul/overlays/scs/configs/kube.config.hcl
deleted file mode 100644
index 58565ae..0000000
--- a/kubernetes/zuul/overlays/scs/configs/kube.config.hcl
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Config
-current-context: otcci
-preferences: {}
-
-clusters:
- - name: otcci
- cluster:
- server: "https://10.10.0.32:5443"
- insecure-skip-tls-verify: true
-
-contexts:
- - name: otcci
- context:
- cluster: otcci
- user: otcci-admin
-
-users:
- - name: otcci-admin
- user:
-{{- with secret "secret/kubernetes/otcci_k8s" }}
- client-certificate-data: "{{ base64Encode .Data.data.client_crt }}"
- client-key-data: "{{ base64Encode .Data.data.client_key }}"
-{{- end }}
diff --git a/kubernetes/zuul/overlays/scs/configs/openstack/clouds.yaml.hcl b/kubernetes/zuul/overlays/scs/configs/openstack/clouds.yaml.hcl
index b7be0fd..f0b5775 100644
--- a/kubernetes/zuul/overlays/scs/configs/openstack/clouds.yaml.hcl
+++ b/kubernetes/zuul/overlays/scs/configs/openstack/clouds.yaml.hcl
@@ -13,4 +13,4 @@ cache:
server: 5
port: 5
floating-ip: 5
-clouds:
+clouds: []
diff --git a/kubernetes/zuul/overlays/scs/configs/vault-agent/config-nodepool.hcl b/kubernetes/zuul/overlays/scs/configs/vault-agent/config-nodepool.hcl
index a39b754..0085083 100644
--- a/kubernetes/zuul/overlays/scs/configs/vault-agent/config-nodepool.hcl
+++ b/kubernetes/zuul/overlays/scs/configs/vault-agent/config-nodepool.hcl
@@ -1,7 +1,13 @@
pid_file = "/home/vault/.pid"
-"auto_auth" = {
- "method" = {
- "mount_path" = "auth/kubernetes_otcci"
+vault {
+ address = "https://vault-lb.scs.otc-service.com:8200"
+ retry {
+ num_retries = 5
+ }
+}
+auto_auth {
+ method {
+ "mount_path" = "auth/kubernetes_scs"
"config" = {
"role" = "zuul"
}
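Review bot: The rewritten `auto_auth` block mixes two attribute syntaxes: the new outer lines use bare identifiers (`vault {`, `address =`, `num_retries =`) while the retained inner lines keep the quoted-key form (`"mount_path" =`, `"config" = {`, `"role" =`). Vault Agent accepts both, but one form throughout is easier to diff and lint, e.g. `mount_path = "auth/kubernetes_scs"` and `config = { role = "zuul" }`. The same mix appears in the first hunk of config-zuul.hcl. The `method` block continues past the end of this hunk, so its `type` setting is not visible here.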
@@ -14,8 +20,14 @@ pid_file = "/home/vault/.pid"
}
}
-cache {
- use_auto_auth_token = true
+api_proxy {
+ use_auto_auth_token = "true"
+ enforce_consistency = "always"
+}
+
+listener "tcp" {
+ address = "127.0.0.1:8100"
+ tls_disable = true
}
template {
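Review bot: The new `listener "tcp"` block is an unauthenticated proxy whose forwarded requests carry the agent's own token (`use_auto_auth_token`), so every process that can reach 127.0.0.1:8100 — in a pod that is every container sharing the network namespace — acts with the `zuul` role's privileges. Loopback plus `tls_disable = true` is the usual sidecar layout, but if only agent-aware clients are meant to use it, `require_request_header = true` makes the listener reject requests without the `X-Vault-Request` header and cuts off accidental or forwarded traffic. A point of style as well: `use_auto_auth_token = "true"` is a quoted string while `tls_disable = true` is a bare boolean; Vault appears to accept both, but the unquoted form matches the removed `cache` block and the rest of the file. The second hunk of config-zuul.hcl carries the identical block and both remarks apply there.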
@@ -23,9 +35,3 @@ template {
source = "/vault/custom/clouds.yaml.hcl"
perms = "0640"
}
-
-template {
- destination = "/vault/secrets/.kube/config"
- source = "/vault/custom/kube.config.hcl"
- perms = "0640"
-}
diff --git a/kubernetes/zuul/overlays/scs/configs/vault-agent/config-zuul.hcl b/kubernetes/zuul/overlays/scs/configs/vault-agent/config-zuul.hcl
index 9776a63..287fa6a 100644
--- a/kubernetes/zuul/overlays/scs/configs/vault-agent/config-zuul.hcl
+++ b/kubernetes/zuul/overlays/scs/configs/vault-agent/config-zuul.hcl
@@ -1,7 +1,14 @@
pid_file = "/home/vault/.pid"
-"auto_auth" = {
- "method" = {
- "mount_path" = "auth/kubernetes_otcci"
+vault {
+ address = "https://vault-lb.scs.otc-service.com:8200"
+ retry {
+ num_retries = 5
+ }
+}
+
+auto_auth {
+ method {
+ "mount_path" = "auth/kubernetes_scs"
"config" = {
"role" = "zuul"
}
@@ -14,8 +21,14 @@ pid_file = "/home/vault/.pid"
}
}
-cache {
- use_auto_auth_token = true
+api_proxy {
+ use_auto_auth_token = "true"
+ enforce_consistency = "always"
+}
+
+listener "tcp" {
+ address = "127.0.0.1:8100"
+ tls_disable = true
}
template {
@@ -25,13 +38,7 @@ template {
EOT
perms = "0600"
}
-template {
- destination = "/vault/secrets/connections/gitlab.key"
- contents = <0"
- name: Write SSL Key file
ansible.builtin.copy:
- path: "{{ vault_tls_key_file }}"
+ dest: "{{ vault_tls_key_file }}"
content: "{{ vault_tls_key_content }}"
owner: "{{ vault_owner }}"
group: "{{ vault_group }}"
- recurse: true
when: "vault_tls_key_content is defined and vault_tls_key_content|length>0"
+ notify:
+ - Reload Vault
- name: Correct certs ownership
ansible.builtin.file:
@@ -92,6 +100,8 @@
owner: "{{ vault_owner }}"
group: "{{ vault_group }}"
recurse: true
+ notify:
+ - Reload Vault
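Review bot: Neither this `Correct certs ownership` task nor the `Write SSL Key file` copy task in the preceding hunk sets a `mode`, so the private key written from `vault_tls_key_content` keeps whatever the default umask yields (commonly 0644) and the recursive `file` call only corrects owner and group, not permissions. Add `mode: "0600"` to the copy task so the key is never readable beyond its owner; the ownership task can stay as it is, since a recursive `mode` would apply the same bits to directories and files. The task header for `Correct certs ownership` sits outside this hunk.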
- name: Enable vault service
ansible.builtin.service:
@@ -99,11 +109,11 @@
enabled: "true"
state: "started"
-# - name: Renew transit token
-# include_tasks: "renew_transit_token.yaml"
-# vars:
-# vault_addr: "{{ vault_seal_transit_address }}"
-# transit_token: "{{ vault_seal_transit_token }}"
-# when:
-# - "vault_seal_transit_address is defined and vault_seal_transit_address | length > 0"
-# - "vault_seal_transit_token is defined and vault_seal_transit_token | length > 0"
+- name: Renew transit token
+ include_tasks: "renew_transit_token.yaml"
+ vars:
+ vault_addr: "{{ vault_seal_transit_address }}"
+ transit_token: "{{ vault_seal_transit_token }}"
+ when:
+ - "vault_seal_transit_address is defined and vault_seal_transit_address | length > 0"
+ - "vault_seal_transit_token is defined and vault_seal_transit_token | length > 0"
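Review bot: Re-enabling the `Renew transit token` include hands `transit_token` to `renew_transit_token.yaml`, which is not in this diff, and nothing visible shows the consuming tasks marked `no_log: true`; any task that sends the token in a header or body will print it in the play output on failure or under `-v`. Confirm that every task in the included file that touches `transit_token` sets `no_log: true`, since `no_log` on an `include_tasks` statement does not reliably cover the tasks it pulls in. The two `when:` guards are sound as written.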
diff --git a/playbooks/roles/hashivault/templates/vault.hcl.j2 b/playbooks/roles/hashivault/templates/vault.hcl.j2
index cf764b2..524a394 100644
--- a/playbooks/roles/hashivault/templates/vault.hcl.j2
+++ b/playbooks/roles/hashivault/templates/vault.hcl.j2
@@ -16,9 +16,9 @@ storage "raft" {
node_id = "vault{{ vault_id | default((inventory_hostname | regex_replace('vault(\\d+)\..*$', '\\1')| int )) }}"
{% endif %}
-# Auto-join cluster
-{% for host in play_hosts -%}
-{% if host != inventory_hostname -%}
+ # Auto-join cluster
+{% for host in vault_cluster_nodes -%}
+{%- if host != inventory_hostname %}
retry_join {
leader_api_address = "http://{{ hostvars[host]['ansible_host'] }}:8200"
}
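Review bot: The loop now joins every `vault_cluster_nodes` member through the unchanged `leader_api_address = "http://..."` context line, while the hashivault tasks in this same commit install a TLS key whenever `vault_tls_key_content` is set; if the listener is TLS-enabled in that case, a plain-http `retry_join` target will not complete the join. Consider deriving the scheme from the same condition, e.g. `leader_api_address = "{{ 'https' if vault_tls_key_content is defined else 'http' }}://{{ hostvars[host]['ansible_host'] }}:8200"`, together with `leader_ca_cert_file` pointing at the CA when TLS is on. Switching from `play_hosts` to `vault_cluster_nodes` also means a host listed there but absent from `hostvars` fails the render — presumably intended so membership is explicit, but a one-line template comment saying so would help. The enclosing `storage "raft"` block begins before this hunk.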
diff --git a/playbooks/service-bridge.yaml b/playbooks/service-bridge.yaml
deleted file mode 100644
index b586069..0000000
--- a/playbooks/service-bridge.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-- hosts: bridge.eco.tsi-dev.otc-service.com:!disabled
- become: true
- name: "Bridge: configure the bastion host"
- roles:
- #- iptables
- - edit-secrets-script
- - install-docker
- tasks:
- # Skip as no arm64 support available; only used for gate testing,
- # where we can't mix arm64 and x86 nodes, so need a minimally
- # working bridge to drive the tests for mirrors/nodepool
- # etc. things.
- - name: Install openshift/kubectl/helm
- when: ansible_architecture != 'aarch64'
- block:
- - include_role:
- name: install-osc-container
- - include_role:
- name: install-kubectl
- - include_role:
- name: configure-kubectl
- - include_role:
- name: install-helm
-
- - include_role:
- name: configure-openstacksdk
- vars:
- openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
-
- - name: Get rid of all-clouds.yaml
- file:
- state: absent
- path: '/etc/openstack/all-clouds.yaml'
-
- - name: Install additional python packages
- ansible.builtin.pip:
- name: "{{ item }}"
- state: present
- loop:
- - hvac
diff --git a/playbooks/service-vault.yaml b/playbooks/service-vault.yaml
index 1f5536d..00a9907 100644
--- a/playbooks/service-vault.yaml
+++ b/playbooks/service-vault.yaml
@@ -1,9 +1,15 @@
---
+# Install HashiCorp Vault to the members of the
+# `vault` group.
+#
+# Read roles/hashivault/README.rst for further details
+#
+# Playbooks is enforcing serial:1 to prevent all vault
+# instances being down at the same time in the case of
+# updates.
- hosts: "vault:!disabled"
become: true
name: "Vault: configure vault instances"
serial: 1
roles:
- # Group should be responsible for defining open ports
- - firewalld
- hashivault
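Review bot: Dropping the `firewalld` role (and the `# Group should be responsible for defining open ports` comment with it) leaves this play without any host-firewall management for the `vault` group; if no other play applies firewalld to these hosts, 8200 and the raft cluster port are reachable as whatever the OS default allows. If the rule set now lives elsewhere, say so in the new header so the omission reads as deliberate, e.g. `# Firewall rules for vault hosts are managed by <OTHER_PLAY>`. The header also has a grammar slip; suggested wording: `# The playbook enforces serial: 1 so that the vault instances are never all down at once during updates.`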
diff --git a/test_inventory/group_vars/apimon-clouds.yaml b/test_inventory/group_vars/apimon-clouds.yaml
deleted file mode 100644
index d53d915..0000000
--- a/test_inventory/group_vars/apimon-clouds.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apimon_all_clouds:
- otcapimon_probes1:
- profile: test-profile1
- auth:
- username: un
- password: pwd
- project_name: pn
- user_domain_name: udm
- otcapimon_probes2:
- profile: test-profile2
- auth:
- username: un
- password: pwd
- project_name: pn
- user_domain_name: udm2
diff --git a/test_inventory/group_vars/apimon-inst1.yaml b/test_inventory/group_vars/apimon-inst1.yaml
deleted file mode 100644
index 21ecc78..0000000
--- a/test_inventory/group_vars/apimon-inst1.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apimon_epmon_secure_file_location: /etc/apimon/apimon-secure.yaml
-apimon_epmon_clouds:
- - target_cloud:
- service_overrride: []
diff --git a/test_inventory/group_vars/apimon.yaml b/test_inventory/group_vars/apimon.yaml
deleted file mode 100644
index f724ec4..0000000
--- a/test_inventory/group_vars/apimon.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-apimon_epmon_secure_file_location: /etc/apimon/apimon-secure.yaml
-
diff --git a/test_inventory/host_vars/t1.yaml b/test_inventory/host_vars/t1.yaml
deleted file mode 100644
index 3b4474a..0000000
--- a/test_inventory/host_vars/t1.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-ansible_host: localhost
-ansible_connection: local
-apimon_zone: zone_t1
-apimon_clouds:
- - name: target_cloud
- cloud: otcapimon_probes1
-
diff --git a/test_inventory/host_vars/t2.yaml b/test_inventory/host_vars/t2.yaml
deleted file mode 100644
index cf4570b..0000000
--- a/test_inventory/host_vars/t2.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-ansible_host: localhost
-ansible_connection: local
-apimon_zone: zone_t2
-apimon_clouds:
- - name: target_cloud
- cloud: otcapimon_probes2
-
diff --git a/test_inventory/hosts.yaml b/test_inventory/hosts.yaml
deleted file mode 100644
index 60d4930..0000000
--- a/test_inventory/hosts.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-hosts:
- all:
- t1:
- ansible_host: localhost
- ansible_connection: local
- t2:
- ansible_host: localhost
- ansible_connection: local
- children:
- apimon-clouds:
- hosts:
- t1:
- t2:
- apimon-inst1:
- hosts:
- t1:
- t2:
- apimon-epmon:
- hosts:
- t1:
- t2:
diff --git a/testinfra/conftest.py b/testinfra/conftest.py
deleted file mode 100644
index 5270e60..0000000
--- a/testinfra/conftest.py
+++ /dev/null
@@ -1,20 +0,0 @@
-import os
-import pytest
-import yaml
-
-@pytest.fixture
-def zuul_data():
-
- data = {}
-
- with open('/home/zuul/src/github.com/opentelekomcloud-infra/system-config/inventory/base/gate-hosts.yaml') as f:
- inventory = yaml.safe_load(f)
- data['inventory'] = inventory
-
- zuul_extra_data_file = os.environ.get('TESTINFRA_EXTRA_DATA')
- if os.path.exists(zuul_extra_data_file):
- with open(zuul_extra_data_file, 'r') as f:
- extra = yaml.safe_load(f)
- data['extra'] = extra
-
- return data
diff --git a/testinfra/test_acme.py b/testinfra/test_acme.py
deleted file mode 100644
index d0efb5a..0000000
--- a/testinfra/test_acme.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-testinfra_hosts = ['le1']
-
-
-def test_cert_exists(host):
- for f in ['csr', 'pem', 'crt']:
- crt_file = host.file('/etc/ssl/le1/fake-domain.%s' % f)
- assert crt_file.exists
-
- haproxy_cert = host.file('/etc/ssl/le1/haproxy/fake-domain.pem')
- assert haproxy_cert.exists
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
deleted file mode 100644
index 4331819..0000000
--- a/testinfra/test_base.py
+++ /dev/null
@@ -1,120 +0,0 @@
-# Copyright 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import util
-
-testinfra_hosts = ['all']
-
-
-def test_firewalld(host):
-
- firewalld = host.service('firewalld')
- assert firewalld.is_running
- assert firewalld.is_enabled
- ports = util.verify_firewalld_ports(host)
- services = util.verify_firewalld_services(host)
-
- # Make sure that the zuul console stream rule is still present
- zuul = '19885/tcp'
- assert zuul in ports
-
-
-def test_ntp(host):
- package = host.package("ntp")
- if host.system_info.distribution in ['fedora', 'centos']:
- package = host.package('chrony')
- assert package.is_installed
-
- service = host.service('chronyd')
- assert service.is_running
- assert service.is_enabled
-
- else:
- assert not package.is_installed
-
- service = host.service('systemd-timesyncd')
- assert service.is_running
-
- # Focal updates the status string to just say NTP
- if host.system_info.codename == 'bionic':
- stdout_string = 'systemd-timesyncd.service active'
- else:
- stdout_string = 'NTP service: active'
- cmd = host.run("timedatectl status")
- assert stdout_string in cmd.stdout
-
-
-def test_timezone(host):
- tz = host.check_output('date +%Z')
- assert tz == "UTC"
-
-
-def test_unbound(host):
- output = host.check_output('host opendev.org')
- assert 'has address' in output
-
-
-def test_unattended_upgrades(host):
- if host.system_info.distribution in ['ubuntu', 'debian']:
- package = host.package("unattended-upgrades")
- assert package.is_installed
-
- package = host.package("mailutils")
- assert package.is_installed
-
- cfg_file = host.file("/etc/apt/apt.conf.d/10periodic")
- assert cfg_file.exists
- assert cfg_file.contains('^APT::Periodic::Enable "1"')
- assert cfg_file.contains('^APT::Periodic::Update-Package-Lists "1"')
- assert cfg_file.contains('^APT::Periodic::Download-Upgradeable-Packages "1"')
- assert cfg_file.contains('^APT::Periodic::AutocleanInterval "5"')
- assert cfg_file.contains('^APT::Periodic::Unattended-Upgrade "1"')
- assert cfg_file.contains('^APT::Periodic::RandomSleep "1800"')
-
- cfg_file = host.file("/etc/apt/apt.conf.d/50unattended-upgrades")
- assert cfg_file.contains('^Unattended-Upgrade::Mail "root"')
-
- else:
- package = host.package("dnf-automatic")
- assert package.is_installed
-
- service = host.service("crond")
- assert service.is_enabled
- assert service.is_running
-
- cfg_file = host.file("/etc/dnf/automatic.conf")
- assert cfg_file.exists
- assert cfg_file.contains('apply_updates = yes')
-
-
-def test_logrotate(host):
- '''Check for log rotation configuration files
-
- The magic number here is [0:5] of the sha1 hash of the full
- path to the rotated logfile; the role adds this for uniqueness.
- '''
- ansible_vars = host.ansible.get_variables()
- if ansible_vars['inventory_hostname'] == 'bridge.eco.tsi-dev.otc-service.com':
- cfg_file = host.file("/etc/logrotate.d/ansible.log.37237.conf")
- assert cfg_file.exists
- assert cfg_file.contains('/var/log/ansible/ansible.log')
-
-
-def test_no_recommends(host):
- if host.system_info.distribution in ['ubuntu', 'debian']:
- cfg_file = host.file("/etc/apt/apt.conf.d/95disable-recommends")
- assert cfg_file.exists
-
- assert cfg_file.contains('^APT::Install-Recommends "0"')
- assert cfg_file.contains('^APT::Install-Suggests "0"')
diff --git a/testinfra/test_bridge.py b/testinfra/test_bridge.py
deleted file mode 100644
index ae15969..0000000
--- a/testinfra/test_bridge.py
+++ /dev/null
@@ -1,81 +0,0 @@
-# Copyright 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-import platform
-import pytest
-import yaml
-
-testinfra_hosts = ['bridge.eco.tsi-dev.otc-service.com']
-
-
-def test_zuul_data(host, zuul_data):
- # Test the zuul_data fixture that picks up things set by Zuul
- assert 'inventory' in zuul_data
- assert 'extra' in zuul_data
- assert 'zuul' in zuul_data['extra']
-
-
-def test_clouds_yaml(host):
- clouds_yaml = host.file('/etc/openstack/clouds.yaml')
- assert clouds_yaml.exists
-
- assert b'password' in clouds_yaml.content
- yaml.safe_load(clouds_yaml.content)
-
-
-def test_openstacksdk_config(host):
- f = host.file('/etc/openstack')
- assert f.exists
- assert f.is_directory
- assert f.user == 'root'
- assert f.group == 'root'
- assert f.mode == 0o750
- del f
-
-
-def test_root_authorized_keys(host):
- authorized_keys = host.file('/root/.ssh/authorized_keys')
- assert authorized_keys.exists
-
- content = authorized_keys.content.decode('utf8')
- lines = content.split('\n')
- assert len(lines) >= 2
-
-
-def test_kube_config(host):
- if platform.machine() != 'x86_64':
- pytest.skip()
- kubeconfig = host.file('/root/.kube/config')
- assert kubeconfig.exists
-
- assert b'ZmFrZV9rZXlfZGF0YQ==' in kubeconfig.content
-
-
-def test_kubectl(host):
- if platform.machine() != 'x86_64':
- pytest.skip()
- kube = host.run('kubectl help')
- assert kube.rc == 0
-
-
-def test_zuul_authorized_keys(host):
- authorized_keys = host.file('/home/zuul/.ssh/authorized_keys')
- assert authorized_keys.exists
-
- content = authorized_keys.content.decode('utf8')
- lines = content.split('\n')
- # Remove empty lines
- keys = list(filter(None, lines))
- assert len(keys) >= 2
- for key in keys:
- assert 'ssh-rsa' in key
diff --git a/testinfra/test_gitea.py b/testinfra/test_gitea.py
deleted file mode 100644
index 7e15f31..0000000
--- a/testinfra/test_gitea.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-testinfra_hosts = ['gitea.focal']
-
-def test_gitea_listening(host):
- sock = host.socket("tcp://0.0.0.0:2222")
- assert sock.is_listening
-
-def test_gitea_systemd(host):
- service = host.service('gitea')
- assert service.is_enabled
diff --git a/testinfra/test_vault.py b/testinfra/test_vault.py
deleted file mode 100644
index 633fc62..0000000
--- a/testinfra/test_vault.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-testinfra_hosts = ['vault1.eco.tsi-dev.otc-service.com']
-
-
-def test_vault_container_listening(host):
- sock = host.socket("tcp://0.0.0.0:8200")
- assert sock.is_listening
-
-
-def test_vault_systemd(host):
- service = host.service('vault')
- assert service.is_enabled
- assert service.is_running
diff --git a/testinfra/util.py b/testinfra/util.py
deleted file mode 100644
index 42f7709..0000000
--- a/testinfra/util.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import socket
-
-def get_ips(value, family=None):
- ret = set()
- try:
- addr_info = socket.getaddrinfo(value, None, family)
- except socket.gaierror:
- return ret
- for addr in addr_info:
- ret.add(addr[4][0])
- return ret
-
-
-def verify_firewalld_ports(host):
- ports = host.run('firewall-cmd --list-ports --zone public')
- ports = [x.strip() for x in ports.stdout.split(' ')]
-
- needed_ports = []
-
- for port in needed_ports:
- assert port in ports
-
- return ports
-
-
-def verify_firewalld_services(host):
- services = host.run('firewall-cmd --list-services --zone public')
- services = [x.strip() for x in services.stdout.split(' ')]
-
- needed_services = [
- 'ssh'
- ]
- for service in needed_services:
- assert service in services
-
- return services