system-config/zuul.d/project.yaml
James E. Blair e79dbbe6bb Add a keycloak server
This adds a keycloak server so we can start experimenting with it.

It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745 )

We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec.  However,
I am unable to test federation with openstackid due its inability to
configure an oauth app at "localhost".  Therefore, we will need an
actual deployed system to test it.  This should allow us to do so.

It will also allow us to connect realms to the newly available
Zuul admin api on opendev.

It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it.  That would allow us to drive
change to the configuration of the system through code review.  Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental.  Once we have a realm
configuration that we like (which we will create using the GUI), we
can chose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
export.

My understanding is that all the data (realms configuration and session)
are kept in an H2 database.  This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.

This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html

We can re-deploy with a new domain when it exists.

Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753
Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
2021-12-03 14:17:23 -08:00


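# Zuul project-pipeline configuration for system-config.
#
# Each pipeline lists the jobs that run for this project. Job-to-job
# ordering inside a pipeline is expressed with `dependencies`; a
# dependency marked `soft: true` only orders the jobs when both run,
# whereas a hard dependency (no `soft`) skips the child whenever the
# parent does not run (for example because of the parent's file
# matchers).
- project:
    templates:
      - system-config-zuul-role-integration
      - system-config-gerrit-images
      - system-config-puppet-apply-jobs

    check:
      jobs:
        - opendev-tox-docs
        - opendev-buildset-registry
        - tox-linters:
            timeout: 3600
        - system-config-run-base
        - system-config-run-base-ansible-devel:
            voting: false
        - system-config-run-borg-backup
        - system-config-run-dns
        - system-config-run-eavesdrop:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-accessbot
                soft: true
              - name: system-config-build-image-ircbot
                soft: true
              - name: system-config-build-image-matrix-eavesdrop
                soft: true
        - system-config-run-codesearch:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-hound
                soft: true
        - system-config-run-kerberos
        - system-config-run-lists
        - system-config-run-nodepool:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-zookeeper-statsd
                soft: true
        - system-config-run-meetpad
        - system-config-run-mirror-x86
        - system-config-run-mirror-update
        - system-config-run-paste:
            dependencies:
              - name: opendev-buildset-registry
        - system-config-run-static
        - system-config-run-docker-registry
        - system-config-run-etherpad:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-etherpad
                soft: true
        - system-config-run-gitea:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-gitea
                soft: true
              - name: system-config-build-image-haproxy-statsd
                soft: true
        - system-config-run-grafana:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-grafana
                soft: true
        - system-config-run-graphite
        - system-config-run-keycloak
        - system-config-run-review-3.3:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-gerrit-3.3
                soft: true
        - system-config-run-review-3.4:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-gerrit-3.4
                soft: true
        - system-config-upgrade-review:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-gerrit-3.3
                soft: true
              - name: system-config-build-image-gerrit-3.4
                soft: true
        - system-config-build-image-refstack
        - system-config-run-refstack:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-refstack
                soft: true
        - system-config-run-zookeeper:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-zookeeper-statsd
                soft: true
        - system-config-run-zuul:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-zookeeper-statsd
                soft: true
        - system-config-run-zuul-preview
        - system-config-run-letsencrypt
        - system-config-build-image-assets
        - system-config-build-image-jinja-init:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-base-3.7-buster
                soft: true
        - system-config-build-image-gitea-init:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-jinja-init
                soft: true
        - system-config-build-image-hound:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-base-3.8
                soft: true
        - system-config-build-image-etherpad
        - system-config-build-image-gitea:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-assets
                soft: true
        - system-config-build-image-grafana
        - system-config-build-image-haproxy-statsd:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-base-3.7-buster
                soft: true
        - system-config-build-image-zookeeper-statsd:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-base-3.7-buster
                soft: true
        - system-config-build-image-accessbot:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-base-3.7-buster
                soft: true
        - system-config-build-image-ircbot:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-builder-3.9-buster
                soft: true
        - system-config-build-image-matrix-eavesdrop:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-build-image-python-builder-3.9-buster
                soft: true
        - system-config-build-image-python-base-3.7-buster
        - system-config-build-image-python-base-3.8-buster
        - system-config-build-image-python-base-3.9-buster
        - system-config-build-image-python-builder-3.7-buster
        - system-config-build-image-python-builder-3.8-buster
        - system-config-build-image-python-builder-3.9-buster
        - system-config-build-image-uwsgi-base-3.7-buster
        - system-config-build-image-uwsgi-base-3.8-buster
        - system-config-build-image-uwsgi-base-3.9-buster
        - system-config-build-image-python-base-3.7-bullseye
        - system-config-build-image-python-base-3.8-bullseye
        - system-config-build-image-python-base-3.9-bullseye
        - system-config-build-image-python-builder-3.7-bullseye
        - system-config-build-image-python-builder-3.8-bullseye
        - system-config-build-image-python-builder-3.9-bullseye
        - system-config-build-image-uwsgi-base-3.7-bullseye
        - system-config-build-image-uwsgi-base-3.8-bullseye
        - system-config-build-image-uwsgi-base-3.9-bullseye

    check-arm64:
      jobs:
        - system-config-run-base-arm64
        - system-config-run-mirror-arm64

    gate:
      jobs:
        - opendev-tox-docs
        - opendev-buildset-registry
        - tox-linters:
            timeout: 3600
        - system-config-run-base
        - system-config-run-dns
        - system-config-run-eavesdrop:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-accessbot
                soft: true
              - name: system-config-upload-image-ircbot
                soft: true
              - name: system-config-upload-image-matrix-eavesdrop
                soft: true
        - system-config-run-codesearch:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-hound
                soft: true
        - system-config-run-kerberos
        - system-config-run-lists
        - system-config-run-nodepool:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-zookeeper-statsd
                soft: true
        - system-config-run-meetpad
        - system-config-run-mirror-x86
        - system-config-run-mirror-update
        - system-config-run-paste:
            dependencies:
              - name: opendev-buildset-registry
        - system-config-run-static
        - system-config-run-docker-registry
        - system-config-run-etherpad:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-etherpad
                soft: true
        - system-config-run-gitea:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-gitea
                soft: true
              - name: system-config-upload-image-haproxy-statsd
                soft: true
        - system-config-run-grafana:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-grafana
                soft: true
        - system-config-run-graphite
        - system-config-run-keycloak
        - system-config-run-review-3.3:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-gerrit-3.3
                soft: true
        - system-config-run-review-3.4:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-gerrit-3.4
                soft: true
        - system-config-run-refstack:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-refstack
                soft: true
        - system-config-run-zookeeper:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-zookeeper-statsd
                soft: true
        - system-config-run-zuul:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-zookeeper-statsd
                soft: true
        - system-config-run-zuul-preview
        - system-config-run-letsencrypt
        - system-config-upload-image-jinja-init:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-base-3.7-buster
                soft: true
        - system-config-upload-image-gitea-init:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-jinja-init
                soft: true
        - system-config-upload-image-hound
        - system-config-upload-image-assets
        - system-config-upload-image-etherpad
        - system-config-upload-image-gitea:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-assets
                soft: true
        - system-config-upload-image-grafana
        - system-config-upload-image-refstack
        - system-config-upload-image-haproxy-statsd:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-base-3.7-buster
                soft: true
        - system-config-upload-image-zookeeper-statsd:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-base-3.7-buster
                soft: true
        - system-config-upload-image-accessbot:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-base-3.7-buster
                soft: true
        - system-config-upload-image-ircbot:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-builder-3.9-buster
                soft: true
        - system-config-upload-image-matrix-eavesdrop:
            dependencies:
              - name: opendev-buildset-registry
              - name: system-config-upload-image-python-builder-3.9-buster
                soft: true
        - system-config-upload-image-python-base-3.7-buster
        - system-config-upload-image-python-base-3.8-buster
        - system-config-upload-image-python-base-3.9-buster
        - system-config-upload-image-python-builder-3.7-buster
        - system-config-upload-image-python-builder-3.8-buster
        - system-config-upload-image-python-builder-3.9-buster
        - system-config-upload-image-uwsgi-base-3.7-buster
        - system-config-upload-image-uwsgi-base-3.8-buster
        - system-config-upload-image-uwsgi-base-3.9-buster
        - system-config-upload-image-python-base-3.7-bullseye
        - system-config-upload-image-python-base-3.8-bullseye
        - system-config-upload-image-python-base-3.9-bullseye
        - system-config-upload-image-python-builder-3.7-bullseye
        - system-config-upload-image-python-builder-3.8-bullseye
        - system-config-upload-image-python-builder-3.9-bullseye
        - system-config-upload-image-uwsgi-base-3.7-bullseye
        - system-config-upload-image-uwsgi-base-3.8-bullseye
        - system-config-upload-image-uwsgi-base-3.9-bullseye

    promote:
      jobs:
        - opendev-promote-docs

    deploy:
      jobs:
        - system-config-promote-image-assets
        - system-config-promote-image-hound
        - system-config-promote-image-jinja-init
        - system-config-promote-image-gitea-init
        - system-config-promote-image-gitea
        - system-config-promote-image-grafana
        - system-config-promote-image-etherpad
        - system-config-promote-image-haproxy-statsd
        - system-config-promote-image-zookeeper-statsd
        - system-config-promote-image-accessbot
        - system-config-promote-image-refstack
        - system-config-promote-image-ircbot
        - system-config-promote-image-matrix-eavesdrop
        - system-config-promote-image-python-base-3.7-buster
        - system-config-promote-image-python-base-3.8-buster
        - system-config-promote-image-python-base-3.9-buster
        - system-config-promote-image-python-builder-3.7-buster
        - system-config-promote-image-python-builder-3.8-buster
        - system-config-promote-image-python-builder-3.9-buster
        - system-config-promote-image-uwsgi-base-3.7-buster
        - system-config-promote-image-uwsgi-base-3.8-buster
        - system-config-promote-image-uwsgi-base-3.9-buster
        - system-config-promote-image-python-base-3.7-bullseye
        - system-config-promote-image-python-base-3.8-bullseye
        - system-config-promote-image-python-base-3.9-bullseye
        - system-config-promote-image-python-builder-3.7-bullseye
        - system-config-promote-image-python-builder-3.8-bullseye
        - system-config-promote-image-python-builder-3.9-bullseye
        - system-config-promote-image-uwsgi-base-3.7-bullseye
        - system-config-promote-image-uwsgi-base-3.8-bullseye
        - system-config-promote-image-uwsgi-base-3.9-bullseye

        # NOTE: infra-prod-* jobs have a hierarchy below that ensure
        # they can run in parallel. We are deliberately keeping their
        # dependencies here rather than job definitions to help keep
        # these relationships clear.
        #
        # Every infra-prod-* dependency below is `soft: true` on
        # purpose: the promote-image-* and service jobs only run on
        # matching file changes, and a hard dependency on a job that
        # does not run would silently skip the dependent job.

        # This installs the ansible on bridge that all the infra-prod
        # jobs will run with. Note the jobs use this ansible to then
        # run against zuul's checkout of system-config.
        - infra-prod-install-ansible

        # From now on, all jobs should depend on base
        - infra-prod-base: &infra-prod-base
            dependencies:
              - name: infra-prod-install-ansible
                soft: true

        # Legacy puppet hosts
        - infra-prod-remote-puppet-else: &infra-prod-remote-puppet-else
            dependencies:
              - name: infra-prod-base
                soft: true

        #
        # Only depends on base, or amongst themselves.
        #
        - infra-prod-service-bridge: &infra-prod-service-bridge
            dependencies:
              - name: infra-prod-base
                soft: true
        - infra-prod-run-cloud-launcher: &infra-prod-run-cloud-launcher
            dependencies:
              # depends on the cloud config written out by
              # service-bridge
              - name: infra-prod-service-bridge
                soft: true
        - infra-prod-service-kerberos: &infra-prod-service-kerberos
            dependencies:
              - name: infra-prod-base
                soft: true
        - infra-prod-service-afs: &infra-prod-service-afs
            dependencies:
              - name: infra-prod-base
                soft: true
              # NOTE(ianw) in theory we'd want auth changes before
              # updating services like openafs using them. Not sure
              # in practice this matters much; we very rarely change
              # things here anyway.
              - name: infra-prod-service-kerberos
                soft: true
        - infra-prod-service-nameserver: &infra-prod-service-nameserver
            dependencies:
              - name: infra-prod-base
                soft: true
        - infra-prod-service-mirror-update: &infra-prod-service-mirror-update
            dependencies:
              - name: infra-prod-base
                soft: true

        #
        # Hosts using certificates and backups
        #
        # Hosts that backup should depend on this as this will create
        # the users and deploy the keys required for the borg-backup
        # role to work.
        - infra-prod-service-borg-backup: &infra-prod-service-borg-backup
            dependencies:
              - name: infra-prod-base
                soft: true

        # Hosts that have letsencrypt certs should depend on this, as
        # it will write out the key material before they try to start
        # services that depend on it. For simplicity, we parent to
        # this job.
        - infra-prod-letsencrypt: &infra-prod-letsencrypt
            dependencies:
              - name: infra-prod-base
                soft: true
              - name: infra-prod-service-nameserver
                soft: true

        # letsencrypt dependencies. keep in alphabetical order
        - infra-prod-service-codesearch: &infra-prod-service-codesearch
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-hound
                soft: true
        - infra-prod-service-eavesdrop: &infra-prod-service-eavesdrop
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-ircbot
                soft: true
              - name: system-config-promote-image-matrix-eavesdrop
                soft: true
        - infra-prod-service-etherpad: &infra-prod-service-etherpad
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-etherpad
                soft: true
        - infra-prod-service-gitea: &infra-prod-service-gitea
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-gitea
                soft: true
        - infra-prod-service-gitea-lb: &infra-prod-service-gitea-lb
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
              # NOTE(review): no system-config-promote-image-haproxy-lb
              # job is listed in this pipeline (the deploy list above
              # has promote-image-haproxy-statsd); being soft, a
              # mismatched name just never orders anything. Confirm
              # the intended job name.
              - name: system-config-promote-image-haproxy-lb
                soft: true
        - infra-prod-service-grafana: &infra-prod-service-grafana
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-grafana
                soft: true
        - infra-prod-service-graphite: &infra-prod-service-graphite
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        # NOTE(review): keycloak is an identity provider whose realm
        # and session state live in its own database (an H2 file,
        # per the commit message adding it), yet unlike the other
        # stateful services here it does not depend on
        # infra-prod-service-borg-backup. Confirm whether its data
        # is backed up, and add the dependency if it should be.
        - infra-prod-service-keycloak: &infra-prod-service-keycloak
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-meetpad: &infra-prod-service-meetpad
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-lists: &infra-prod-service-lists
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              # NOTE(review): lists ordering after the grafana image
              # promotion looks like a copy-paste from the grafana
              # entry; harmless because it is soft, but confirm
              # whether it is intended.
              - name: system-config-promote-image-grafana
                soft: true
        - infra-prod-service-mirror: &infra-prod-service-mirror
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-nodepool: &infra-prod-service-nodepool
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-static: &infra-prod-service-static
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-paste: &infra-prod-service-paste
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-registry: &infra-prod-service-registry
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
        - infra-prod-service-refstack: &infra-prod-service-refstack
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-refstack
                soft: true
        - infra-prod-service-review: &infra-prod-service-review
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              - name: system-config-promote-image-gerrit-3.3
                soft: true
        - infra-prod-service-zookeeper: &infra-prod-service-zookeeper
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true
              # Soft like every other image dependency in this
              # pipeline; a hard dependency here would skip the
              # zookeeper deploy whenever the image promotion job
              # does not run.
              - name: system-config-promote-image-zookeeper-statsd
                soft: true
        - infra-prod-service-zuul: &infra-prod-service-zuul
            dependencies:
              - name: infra-prod-service-borg-backup
                soft: true
              - name: infra-prod-letsencrypt
                soft: true
              # should reconfigure after any project updates
              - name: infra-prod-manage-projects
                soft: true
        - infra-prod-service-zuul-preview: &infra-prod-service-zuul-preview
            dependencies:
              - name: infra-prod-letsencrypt
                soft: true

        #
        # Jobs that run as secondary steps
        #
        # accessbot should run on a setup eavesdrop host
        - infra-prod-run-accessbot: &infra-prod-run-accessbot
            dependencies:
              - name: infra-prod-base
                soft: true
              - name: infra-prod-service-eavesdrop
                soft: true
              - name: system-config-promote-image-accessbot
                soft: true

        # manage-projects runs jeepyb etc. and should run on
        # a setup review host. also sets up gitea
        - infra-prod-manage-projects: &infra-prod-manage-projects
            dependencies:
              - name: infra-prod-base
                soft: true
              - name: infra-prod-service-review
                soft: true
              - name: infra-prod-service-gitea
                soft: true
              - name: system-config-promote-image-gerrit-3.3
                soft: true
            # Note that this job also runs from project-config, so we
            # match system-config specific files here rather than the
            # job definition.
            files:
              - inventory/.*
              - playbooks/manage-projects.yaml
              - inventory/service/group_vars/review.yaml
              - inventory/service/group_vars/gitea.yaml
              - inventory/service/host_vars/gitea
              - inventory/service/host_vars/review
              - playbooks/roles/gitea-git-repos/
              - playbooks/roles/gerrit/defaults/main.yaml
              - playbooks/roles/gerrit/tasks/manage-projects.yaml

    periodic:
      jobs:
        - developer-openstack-goaccess-report
        - docs-opendev-goaccess-report
        - docs-openstack-goaccess-report
        - docs-starlingx-goaccess-report
        - governance-openstack-goaccess-report
        - releases-openstack-goaccess-report
        - security-openstack-goaccess-report
        - specs-openstack-goaccess-report
        - tarballs-opendev-goaccess-report
        - zuul-ci-goaccess-report

        # Nightly runs of ansible things for catchup.
        # Keep in order from above; the aliases reuse the deploy
        # pipeline's dependency anchors so the two lists cannot
        # drift apart. Each job is listed once (letsencrypt sits
        # after borg-backup, as in deploy).
        - infra-prod-install-ansible
        - infra-prod-base: *infra-prod-base
        - infra-prod-remote-puppet-else: *infra-prod-remote-puppet-else
        - infra-prod-service-bridge: *infra-prod-service-bridge
        - infra-prod-run-cloud-launcher: *infra-prod-run-cloud-launcher
        - infra-prod-service-kerberos: *infra-prod-service-kerberos
        - infra-prod-service-afs: *infra-prod-service-afs
        - infra-prod-service-nameserver: *infra-prod-service-nameserver
        - infra-prod-service-mirror-update: *infra-prod-service-mirror-update
        - infra-prod-service-borg-backup: *infra-prod-service-borg-backup
        - infra-prod-letsencrypt: *infra-prod-letsencrypt
        - infra-prod-service-codesearch: *infra-prod-service-codesearch
        - infra-prod-service-eavesdrop: *infra-prod-service-eavesdrop
        - infra-prod-service-etherpad: *infra-prod-service-etherpad
        - infra-prod-service-gitea: *infra-prod-service-gitea
        - infra-prod-service-gitea-lb: *infra-prod-service-gitea-lb
        - infra-prod-service-grafana: *infra-prod-service-grafana
        - infra-prod-service-graphite: *infra-prod-service-graphite
        - infra-prod-service-keycloak: *infra-prod-service-keycloak
        - infra-prod-service-meetpad: *infra-prod-service-meetpad
        - infra-prod-service-lists: *infra-prod-service-lists
        - infra-prod-service-mirror: *infra-prod-service-mirror
        - infra-prod-service-nodepool: *infra-prod-service-nodepool
        - infra-prod-service-static: *infra-prod-service-static
        - infra-prod-service-paste: *infra-prod-service-paste
        - infra-prod-service-registry: *infra-prod-service-registry
        - infra-prod-service-refstack: *infra-prod-service-refstack
        - infra-prod-service-review: *infra-prod-service-review
        - infra-prod-service-zookeeper: *infra-prod-service-zookeeper
        - infra-prod-service-zuul: *infra-prod-service-zuul
        - infra-prod-service-zuul-preview: *infra-prod-service-zuul-preview
        - infra-prod-run-accessbot: *infra-prod-run-accessbot
        - infra-prod-manage-projects: *infra-prod-manage-projects

    opendev-prod-hourly:
      jobs:
        - infra-prod-install-ansible
        - infra-prod-service-bridge: *infra-prod-service-bridge
        - infra-prod-service-nodepool: *infra-prod-service-nodepool
        - infra-prod-service-registry: *infra-prod-service-registry
        - infra-prod-service-zuul: *infra-prod-service-zuul
        - infra-prod-service-eavesdrop: *infra-prod-service-eavesdrop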