30279610b6
Upgrade Gitea to 1.21.3. The changelogs for this release can be found here: https://github.com/go-gitea/gitea/blob/v1.21.3/CHANGELOG.md I have attempted to collect the interesting bits in this commit message as well as information on why we do or don't make changes to address these items. 1.21.0 * BREAKING * Restrict certificate type for builtin SSH server (https://github.com/go-gitea/gitea/pull/26789) * We don't use the builtin SSH server and don't use certificates for auth. Nothing to do here. * Refactor to use urfave/cli/v2 (https://github.com/go-gitea/gitea/pull/25959) * The major change here updated `gitea` to stop accepting `gitea web`'s command options. Our dockerfile is set up to use `CMD ["/usr/local/bin/gitea", "web"]` so we are not affected. * Move public asset files to the proper directory (https://github.com/go-gitea/gitea/pull/25907) * We update the testinfra test for robots.txt to more robustly check file contents. Previously it checked a very generic prefix which may indicate a generic file being served. * We move custom/public/img into custom/public/assets/img. Screenshots should be used to confirm this works as expected. * Remove commit status running and warning to align GitHub (https://github.com/go-gitea/gitea/pull/25839) (partially reverted: Restore warning commit status (https://github.com/go-gitea/gitea/pull/27504) (https://github.com/go-gitea/gitea/pull/27529)) * We don't rely on commit statuses as this is a read only replica of Gerrit. * Remove "CHARSET" config option for MySQL, always use "utf8mb4" (https://github.com/go-gitea/gitea/pull/25413) * We don't set [database].CHARSET. Doesn't affect us. * Set SSH_AUTHORIZED_KEYS_BACKUP to false (https://github.com/go-gitea/gitea/pull/25412) * We don't set this value explicitly so the default will flip from true to false for us. I don't think this is an issue because we keep track of our pubkeys in git. * SECURITY * Dont leak private users via extensions (https://github.com/go-gitea/gitea/pull/28023) (https://github.com/go-gitea/gitea/pull/28029) * We don't use private users. * Expanded minimum RSA Keylength to 3072 (https://github.com/go-gitea/gitea/pull/26604) * We have rotated keys used to replicate from gerrit to gitea to work around this. Now are keys are long enough to make gitea happy. * BUILD * Dockerfile small refactor (https://github.com/go-gitea/gitea/pull/27757) (https://github.com/go-gitea/gitea/pull/27826) * I've updated our Dockerfile to mimic these changes. Comment whitespace as well as how things are copied and chmoded in the build image have been updated. * TODO the file copies aren't working for us. I think due to how we ultimately clone the git repo. We use RUN but upstream is using COPY against the local build dir. I've aligned as best as I can, but we should see if we can do a similar COPY on our end. * Fix build errors on BSD (in BSDMakefile) (#27594) (#27608) * We don't run on BSD. * Fully replace drone with actions (#27556) (#27575) * This is how upstream builds their images. Doesn't affect our builds. * Enable markdownlint no-duplicate-header (#27500) (#27506) * Build time linters are somethign we don't care too much about on our end. * Enable production source maps for index.js, fix CSS sourcemaps (https://github.com/go-gitea/gitea/pull/27291) (https://github.com/go-gitea/gitea/pull/27295) * This emits a source map for index.js which can be used for in browser debugging. Don't think this is anything we need to take action on. * Update snap package (#27021) * We don't use a snap package. * Bump go to 1.21 (https://github.com/go-gitea/gitea/pull/26608) * Our go version is updated in the Dockerfile. * Bump xgo to go-1.21.x and node to 20 in release-version (https://github.com/go-gitea/gitea/pull/26589) * Our node version is updated in the Dockerfile. * Add template linting via djlint (#25212) * Build time linters are somethign we don't care too much about on our end. 1.21.1 * SECURITY * Fix comment permissions (https://github.com/go-gitea/gitea/pull/28213) (https://github.com/go-gitea/gitea/pull/28216) * This affects disclosure of private repo content. We don't have private repos so shouldn't be affected. 1.21.2 * SECURITY * Rebuild with recently released golang version * We'll automatically rebuild with newer golang too. * Fix missing check (https://github.com/go-gitea/gitea/pull/28406) (https://github.com/go-gitea/gitea/pull/28411) * There is minimal info here but it appears to be related to issues. We don't use issues so shouldn't affect us. * Do some missing checks (https://github.com/go-gitea/gitea/pull/28423) (https://github.com/go-gitea/gitea/pull/28432) * There is minimal info here but it appears to be related to checks around private repos. We don't use private repos so this shouldn't affect us. 1.21.3 * SECURITY * Update golang.org/x/crypto (https://github.com/go-gitea/gitea/pull/28519) * This addresses recent concerns found in ssh for gitea's built in ssh implementation. We use openssh as provided by debian so will rely on our distro to provide fixes. Finally 1.21.x broke rendering of code search templates. The issue is here: https://github.com/go-gitea/gitea/issues/28607. To address this I've vendored the two fixed template files (https://github.com/go-gitea/gitea/pull/28576/files)into our custom template dirs. Once upstream makes a release with these fixes we can drop the custom files entirely as we don't override anything special in them. Change-Id: Id714826a9bc7682403afcf90f2761db8c84eacbf |
||
|---|---|---|
| assets | ||
| doc | ||
| docker | ||
| hiera | ||
| inventory | ||
| kubernetes | ||
| launch | ||
| manifests | ||
| modules/openstack_project | ||
| playbooks | ||
| roles | ||
| roles-test | ||
| testinfra | ||
| tools | ||
| zuul.d | ||
| .gitignore | ||
| .gitreview | ||
| bindep.txt | ||
| COPYING.GPL | ||
| Gemfile | ||
| install_modules.sh | ||
| install_puppet.sh | ||
| modules.env | ||
| Rakefile | ||
| README.rst | ||
| run_k8s_ansible.sh | ||
| run_puppet.sh | ||
| setup.cfg | ||
| setup.py | ||
| tox.ini | ||
OpenDev System Configuration
This is the machinery that drives the configuration, testing, continuous integration and deployment of services provided by the OpenDev project.
Services are driven by Ansible playbooks and associated roles stored
here. If you are interested in the configuration of a particular
service, starting at playbooks/service-<name>.yaml
will show you how it is configured.
Most services are deployed via containers; many of them are built or
customised in this repository; see docker/.
A small number of legacy services are still configured with Puppet.
Although the act of running puppet on these hosts is managed by Ansible,
the actual core of their orchestration lives in manifests
and modules.
The files in this repository are provided as an opinionated example service deployment, and to allow the OpenDev Collaboratory to use public software development workflows in order to coordinate changes and improvements to the systems it runs. This repository is not intended as a reconsumable project on its own, and anyone wishing to adjust it to suit their own needs should do so with a fork. The system-config reviewers are unable to evaluate and support use cases for the contents here other than their own.
Testing
OpenDev infrastructure runs a complete testing and continuous-integration environment, powered by Zuul.
Any changes to playbooks, roles or containers will trigger jobs to thoroughly test those changes.
Tests run the orchestration for the modified services on test nodes
assigned to the job. After the testing deployment is configured
(validating the basic environment at least starts running), specific
tests are configured in the testinfra directory to validate
functionality.
Continuous Deployment
Once changes are reviewed and committed, they will be applied
automatically to the production hosts. This is done by Zuul jobs running
in the deploy pipeline. At any one time, you may see these
jobs running live on the status page or
you could check historical runs on the pipeline
results (note there is also an opendev-prod-hourly
pipeline, which ensures things like upstream package updates or
certificate renewals are incorporated in a timely fashion).
Contributing
Contributions are welcome!
You do not need any special permissions to make contributions, even those that will affect production services. Your changes will be automatically tested, reviewed by humans and, once accepted, deployed automatically.
Bug fixes or modifications to existing code are great places to start, and you will see the results of your changes in CI testing. Please remember that this repository consists of configuration and orchestration for OpenDev Collaboratory production systems, so contributions to it will be evaluated on the basis of whether they're useful or applicable to OpenDev's services. Changes intended to make the contents more easily reusable outside OpenDev itself are not in scope, and so will be rejected by reviewers.
You can develop all the playbooks, roles, containers and testing required for a new service just by uploading a change. Using a similar service as a template is generally a good place to start. If deploying to production will require new compute resources (servers, volumes, etc.) these will have to be deployed by an OpenDev administrator before your code is committed. Thus if you know you will need new resources, it is best to coordinate this before review.
The #opendev IRC on OFTC channel is the main place for interactive discussion. Feel free to ask any questions and someone will try to help ASAP. The OpenDev meeting is a co-ordinated time to synchronize on infrastructure issues. Issues should be added to the agenda for discussion; even if you can not attend, you can raise your issue and check back on the logs later. There is also the service-discuss mailing list where you are welcome to send queries or questions.
Documentation
The latest documentation is available at https://docs.opendev.org/opendev/system-config/latest/
That documentation is generated from this repository. You can geneate
it yourself with tox -e docs.