From e66eeb8c3c4cd3dcc1c651fccd3ed9fab1a76951 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 2 Aug 2024 09:21:11 -0700 Subject: [PATCH] Remove most linaro cloud resources This removes ansible configuration for the linaro cloud itself and the linaro cloud mirror. This cloud is in the process of going away and having these nodes in our inventory is creating base jobs failures due to unreachable nodes. This then dominoes into not running the LE refresh job and now some certs are not getting renewed. Clean this all up so that the rest of our systems are happy. Note that we don't fully clean up the idea of an unmanaged group as there may be other locations we want to do something similar (OpenMetal perhaps?). We also don't remove the openstack clouds.yaml entries for the linaro cloud yet. It isn't entirely clear when things will go offline, but it may be as late as August 10 so we keep those credentials around as they may be useful until then. Change-Id: Idd6b455de8da2aa9901bf989b1d131f1f4533420 --- doc/source/letsencrypt.rst | 47 ------------------- inventory/base/hosts.yaml | 23 --------- inventory/service/group_vars/bastion.yaml | 15 ------ inventory/service/groups.yaml | 3 +- ...mirror01.regionone.linaro.opendev.org.yaml | 11 ----- playbooks/group_vars/certcheck.yaml | 1 - .../test-fixtures/results.yaml | 2 +- .../handlers/main.yaml | 3 -- playbooks/service-cloud-linaro.yaml | 6 --- zuul.d/infra-prod.yaml | 11 ----- zuul.d/project.yaml | 6 --- 11 files changed, 2 insertions(+), 126 deletions(-) delete mode 100644 inventory/service/host_vars/mirror01.regionone.linaro.opendev.org.yaml delete mode 100644 playbooks/service-cloud-linaro.yaml diff --git a/doc/source/letsencrypt.rst b/doc/source/letsencrypt.rst index 7d95af177d..48757475c2 100644 --- a/doc/source/letsencrypt.rst +++ b/doc/source/letsencrypt.rst 
@@ -151,50 +151,3 @@ the next Ansible pulse to renew. # tail -f /var/log/acme.sh/acme.sh.log ... watch and should be renewed on next pulse # rm *.conf.old - -Linaro ARM64 Cloud Cert Renewal -=============================== - -The Linaro ARM64 cloud relies on Let's Encrypt certs for API endpoints, -but these certs are not automatically provisioned. The reason for this -is that cloud is not completely enrolled into our Ansible automation -(we share management of this install with Linaro and full integration -has not be done). We can manually refresh the SSL certs in this cloud -though. - -To access the cloud backend ssh via bridge as root to -``openinfraci.linaro.cloud``. - -First we provision a new certificate using acme.sh on the cloud node: - -.. code-block:: console - - /root/acme.sh/acme.sh --server letsencrypt --issue \ - --dns dns_aws -d openinfraci.linaro.cloud - -Next backup the old cert: - -.. code-block:: console - - cp /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem \ - /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem.$DATE - -Copy the new cert into the kolla-ansible secrets: - -.. code-block:: console - - cat /root/.acme.sh/openinfraci.linaro.cloud/openinfraci.linaro.cloud.key \ - /root/.acme.sh/openinfraci.linaro.cloud/fullchain.cer \ - > /root/us.linaro.cloud/secret/openinfraci.linaro.cloud.pem - -Activate the kolla-ansible virtualenv to run ansible: - -.. code-block:: console - - source /root/venv3/bin/activate - -Run kolla-ansible to deploy the cert: - -.. code-block:: console - - /root/venv3/bin/kolla-ansible -i ~/all-in-one deploy diff --git a/inventory/base/hosts.yaml b/inventory/base/hosts.yaml index 9eae26e2e1..1f8ae1ba25 100644 --- a/inventory/base/hosts.yaml +++ b/inventory/base/hosts.yaml 
@@ -395,16 +395,6 @@ all: - 'ssh-rsa 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' - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGmfQrjbtpQLaOzQWgfmkDAWMxUyr+gHwcKXzuHzGpjqzWUsBpAw2LQw1DIbnpIF2c2nAr7BEg8Fi6Q9Fe1FMUE=' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINA8ajkyUlXiclmsCD9pEdAL2HW+ns2eIj5BWctByaiF' - mirror01.regionone.linaro.opendev.org: - ansible_host: 147.28.149.111 - location: - cloud: opendevci-linaro - region_name: RegionOne - public_v4: 147.28.149.111 - host_keys: - - 'ssh-rsa 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' - - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKcrLy5+mi4FzqL3jqj9VZc+CF9dUf58HJMFx8nC2+4TJDc2VH6c3Udq3oAVyTKqViuqRqGfYIVdAhID6aE7P38=' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1ydhnETmFh9UPeRStC0ZMcvWju3HJ9P4R4nezY+4RK' mirror02.ord.rax.opendev.org: ansible_host: 23.253.20.59 location: 
@@ -964,16 +954,3 @@ all: - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKLGqwSmj46QBLtpBdEX2S8l78FKnOdNqdtQwDG5LJr0Lo6+OaFIU1DX5ebRac2vQuH1kqyIfI5kiMBE4AHkTrY= - ssh-rsa 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 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJv4rnJCRwIkPHSYWO9Fg7Uc5nioX62YpzmQfT3YfWeU - # NOTE - the following hosts are "partially managed" in that we - # don't run the full base deployment on them, but rather a - # specific subset of hand-picked roles, etc. - openinfraci.linaro.cloud: - ansible_host: 147.75.35.206 - location: - cloud: opendevci-linaro - region_name: RegionOne - public_v4: 147.75.35.206 - host_keys: - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4VJyWg7kQTXQ+j2J2U1yrh61VAeZTTIerpc5tu5R+I+ebxZzcE9AAvqDLgflaCGDfv02Ds5BRGsD43sUHNzr/RtxNREqkTe713+dZGFuIdhDJSIz56iOzKmT6woc1n4wh4r8JEjTyiEGFimJYclkIHHx3RZyQroy/ntMr7lQSMfYeMr65LIahJzxOLHM1SEa/fMaMBqerdPsit56tnqfPxEM4iEUkN/Rfc8t94JgtB52VzqKWtvpFHy5DIP0MilrPI2xf/2PMycl1hj+LL4AO+mgSqRtv5TmPjv4KTH6ro0edFXm7vWZEl+8OXCUOErmPwSHFwLVIyuCsV4vI/nUGIZ7ttxUv8ZsKTC8yrzZBZen/0xF+kcLKhm3A3poR/KN8yqoCO542Wl+zwDcXiYvdDVS908796JSlfqf59mMnmuDg4gGGRYGEeRmPkdwwm1Lm8tgkwJX3HAx7ziEZbZ2hu1v3yg2DKI+K1OEhp+eucL0OkaBmdvAAvVMQEn1FbJ8=' - - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGnFxrjQah1S64D3hNzdWl8FmQR93gkw4zsgkCE+ZY1Bc5bdrfS/xQeTuxIpBP6L/7UlCe8ks48qc8caJ5vmy+0=' - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5xRCcYInStxHXEhkVws5RmqzUc0S/4wi1zOtd6zlUB' diff --git a/inventory/service/group_vars/bastion.yaml b/inventory/service/group_vars/bastion.yaml index bd4e8c48e0..d075ad975f 100644 --- a/inventory/service/group_vars/bastion.yaml +++ b/inventory/service/group_vars/bastion.yaml 
@@ -213,21 +213,6 @@ cloud_launcher_clouds: profiles: - openstackci-keypairs - # Linaro - - name: opendevci-linaro - oscc_cloud: opendevci-linaro - region_name: RegionOne - profiles: - - openstackci-keypairs - - openstackci-security - - - name: opendevzuul-linaro - oscc_cloud: opendevzuul-linaro - region_name: RegionOne - profiles: - - openstackci-keypairs - - openstackci-security - # OSUOSL - name: opendevci-osuosl oscc_cloud: opendevci-osuosl diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml index f6dc3419fb..79fb5f624a 100644 --- a/inventory/service/groups.yaml +++ b/inventory/service/groups.yaml @@ -155,8 +155,7 @@ groups: translate: - translate[0-9]*.open*.org # This group does not run the base jobs - unmanaged: - - openinfraci.linaro.cloud + unmanaged: [] webservers: - cacti[0-9]*.open*.org - codesearch[0-9]*.opendev.org diff --git a/inventory/service/host_vars/mirror01.regionone.linaro.opendev.org.yaml b/inventory/service/host_vars/mirror01.regionone.linaro.opendev.org.yaml deleted file mode 100644 index 3177eb2ec3..0000000000 --- a/inventory/service/host_vars/mirror01.regionone.linaro.opendev.org.yaml +++ /dev/null @@ -1,11 +0,0 @@ -letsencrypt_certs: - mirror01-regionone-linaro-main: - - mirror01.regionone.linaro.opendev.org - - mirror.regionone.linaro.opendev.org - -# Allocated 100GB volume for this mirror, so openafs cache has to be < -# 95%; we go for 45gb -afs_client_cache_size: '45000000' -# Simiarly we need to limit the size of the apache mirror to < 50GB -# and the default is 60000M. -mirror_apache_cache_limit: '40000M' diff --git a/playbooks/group_vars/certcheck.yaml b/playbooks/group_vars/certcheck.yaml index d0131428b2..5cb3decd9e 100644 --- a/playbooks/group_vars/certcheck.yaml +++ b/playbooks/group_vars/certcheck.yaml @@ -3,5 +3,4 @@ letsencrypt_certcheck_additional_domains: - wiki.openstack.org 443 - openstack.org 443 - www.openstack.org 443 - - openinfraci.linaro.cloud 5000 - download.cirros-cloud.net 443 
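Review bot: In the inventory/service/groups.yaml hunk, the now-empty `unmanaged: []` group keeps only the comment `# This group does not run the base jobs`, which no longer tells a reader why an empty group exists or what a host placed in it would skip. The commit message says the group is retained for possible future partially managed clouds; that reasoning belongs next to the key, for example `# Intentionally empty placeholder for future partially managed hosts; members skip the base jobs, so check what baseline configuration they would miss before adding one.` Which roles the base jobs apply is not visible in this hunk, so the wording about baseline configuration should be confirmed against the base playbook. The `groups:` mapping begins and ends outside the hunk.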
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml index 3d561bc57a..e0a196e152 100644 --- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml +++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml @@ -22,7 +22,7 @@ results: - letsencrypt - webservers - mirror01.regionone.linaro.opendev.org: + mirror01.regionone.osuosl.opendev.org: - afs-client - kerberos-client - letsencrypt diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml index 5a231d8fd4..3e39257384 100644 --- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml @@ -203,9 +203,6 @@ - name: letsencrypt updated mirror03-gra1-ovh-main include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml -- name: letsencrypt updated mirror01-regionone-linaro-main - include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml - - name: letsencrypt updated mirror01-sjc1-vexxhost-main include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml diff --git a/playbooks/service-cloud-linaro.yaml b/playbooks/service-cloud-linaro.yaml deleted file mode 100644 index f35ac7a84a..0000000000 --- a/playbooks/service-cloud-linaro.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: "openinfraci.linaro.cloud" - tasks: - - - name: Initial task - debug: - msg: "This is a placeholder" diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index 96d50efa19..daad46d5d0 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml 
@@ -673,14 +673,3 @@ files: - playbooks/run_cloud_launcher.yaml - inventory/service/group_vars/bastion.yaml - -- job: - name: infra-prod-cloud-linaro - parent: infra-prod-service-base - description: Run management tasks against Linaro - vars: - playbook_name: service-cloud-linaro.yaml - required-projects: - - opendev/system-config - files: - - playbooks/service-cloud-linaro.yaml diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 694e9afee8..6d6ec9a3c2 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -410,11 +410,6 @@ - name: infra-prod-base soft: true - - infra-prod-cloud-linaro: &infra-prod-cloud-linaro - dependencies: - - name: infra-prod-base - soft: true - # # Hosts using certificates and backups # @@ -630,7 +625,6 @@ - infra-prod-service-afs: *infra-prod-service-afs - infra-prod-service-nameserver: *infra-prod-service-nameserver - infra-prod-service-mirror-update: *infra-prod-service-mirror-update - - infra-prod-cloud-linaro: *infra-prod-cloud-linaro - infra-prod-service-borg-backup: *infra-prod-service-borg-backup - infra-prod-letsencrypt: *infra-prod-letsencrypt - infra-prod-service-codesearch: *infra-prod-service-codesearch