This adds a keycloak server so we can start experimenting with it.
It's based on the docker-compose file Matthieu made for Zuul
(see https://review.opendev.org/819745 )
We should be able to configure a realm and federate with openstackid
and other providers as described in the opendev auth spec. However,
I am unable to test federation with openstackid due to its inability to
configure an oauth app at "localhost". Therefore, we will need an
actual deployed system to test it. This should allow us to do so.
It will also allow us to connect realms to the newly available
Zuul admin api on opendev.
It should be possible to configure the realm the way we want, then
export its configuration into a JSON file and then have our playbooks
or the docker-compose file import it. That would allow us to drive
change to the configuration of the system through code review. Because
of the above limitation with openstackid, I think we should regard the
current implementation as experimental. Once we have a realm
configuration that we like (which we will create using the GUI), we
can choose to either continue to maintain the config with the GUI and
appropriate file backups, or switch to a gitops model based on an
My understanding is that all the data (realms configuration and session)
are kept in an H2 database. This is probably sufficient for now and even
production use with Zuul, but we should probably switch to mariadb before
any heavy (eg gerrit, etc) production use.
This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html
We can re-deploy with a new domain when it exists.
Co-Authored-By: Matthieu Huin <email@example.com>
Now that the SKS keyserver network is no more, and there's no
convenient way to share third-party key signatures, we need to
adjust our key management and rollover process accordingly.
All the osf/ namespace Git repositories have moved into a new and
more appropriate openinfra/ namespace, so make the necessary
adjustments to RefStack's image build and operations document.
This is a follow-on to feedback for earlier docs updates. Basically we
should always log these restarts so make that more clear that it isn't
Zuul has changed how it stores secret keys and they are in zookeeper
now. This means our old docs on decrypting things are no longer correct.
Update them with a new set of instructions that matches the modern
It was recently pointed out that our restart process for zuul is a bit
stale. Document the new modern process that deals with ansible playbooks
and docker containers.
Symlink the docs logo to the canonical assets location. It looks like
it does the sensible thing and de-references the source symlink when
building, as doc/build/html/_static/opendev.svg ends up as the actual
file, not a symlink.
The Open Infrastructure Foundation's developers who maintain the
OpenStackID software are taking over management of the site itself,
and have deployed it on new servers. DNS records have already been
updated to the new IP address, so it's time to clean up our end in
preparation for deleting the old servers we've been running.
OpenStackID is still used by some services we run, like RefStack and
Zanata, and we're still hosting the OpenStackID Git repository and
documentation, so this does not get rid of all references to it.
This update captures that we host projects outside of openstack and
intend for projects like openstack or others to do some steps on their
own. We also update this to reflect changes in the configuration
management and deployment tooling that we use today.
A lot of the current sections here talk about modifying the Gerrit
database that no longer exists. Remove these.
Update the section on duplicate accounts to handle removing the second
account via NoteDB and the API.
We've stopped relying on jeepyb's track-upstream feature, so stop
installing the entrypoint script and cease running its cronjob.
We're happy for teams to manage their individual IRC channel access
lists through our accessbot configuration if they want, so explain
the situations in which they might choose to add channel ops or
admins, and the differences between them.
The IRC bot nick registration process had Freenode-specific examples
and references, so switch those to reflect we're now using OFTC.
Also the weechat command-line syntax was outdated and did not work
with newer versions of the client, so fix that.
The troubleshooting section of our IRC doc had examples specific to
Freenode, update those. Further, drop the bit about /etc/hosts on
eavesdrop, since OFTC offers an IPv4-only round-robin name we can
use directly in our meetbot configuration to work around the
TwistedPython+SSL+IPv6 DNS resolution bug without resorting to
hard-coding addresses on the server.
OFTC doesn't have a server-side remove command (I can't find
evidence that it even works on Freenode though I only bothered to
test on OFTC to confirm). Update this section of our IRC document
Some syntax and available commands on OFTC differ from Freenode,
adjust them where necessary. In particular, setting the channel topic
through ChanServ isn't quite the same any longer.
In order to accommodate the different permissions model on OFTC,
some changes were made to accessbot and its data structures. Correct
our documentation to reflect that.
There is no join forwarding in OFTC's network, so instead let's just
update channel topics and possibly set entry messages to let people
know when a channel has moved. In order to be considerate of the
network operators, remember to drop the old unused channel
registrations after a while.
We're moving to OFTC and this tries to capture the various types of
updates for bots and docs we'll need to do. I don't expect this to
be complete, but it adds some good reminders for a few things we don't
want to miss.
This cleans up ask-staging which hasn't been a thing in a long time.
We remove some puppet stubs for nodepool builders (they are all ansible
We also cleanup the inventory file to remove corvustest, lists-dev,
pbx, mirror-update*.openstack.org (is opendev.org now), and sort the
Recent work has concluded adding OpenStack Release Manager
permissions explicitly to all openstack/ namespace projects with the
addition of inheritance from openstack/meta-config in their
individual ACLs. This made the earlier Release Manager permissions
in our global configuration redundant, so it's being removed. The
cleanup is done by hand due to how global configuration is managed
in Gerrit's All-Projects metaproject, but we're updating our
documentation to reflect it.
While here, clean up obsolete references to API-Projects inheritance
and stable/.* branch permissions which we've not applied for some
GnuPG 2.3.0 (2021-04-07) switched the default key algorithm to
ed25519/cv25519. Even though we're not currently using such a new
release, this is a good signal that we should start doing the same
for our artifact signing keys. Thankfully our current GPG version on
bridge can create them using the --expert option, so document the
slight changes to the required commands and update the example
output to more closely match its new behavior.
While we're here, the version we're using also autogenerates
revocation certificates. Take advantage of that to slightly simplify
our key generation instructions.
The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.