Merge branch 'main' into feat/secure-communication

Author: anjastrunk

.github/scs-compliance-check/openstack/clouds.yaml

@@ -89,6 +89,14 @@ clouds:
     auth:
       auth_url: https://identity.l1a.cloudandheat.com/v3
       application_credential_id: "7ab4e3339ea04255bc131868974cfe63"
+  scaleup-occ2:
+    auth_type: v3applicationcredential
+    auth:
+      auth_url: https://keystone.occ2.scaleup.cloud
+      application_credential_id: "5d2eea4e8bf8448092490b4190d4430a"
+    region_name: "RegionOne"
+    interface: "public"
+    identity_api_version: 3
   syseleven-dus2:
     interface: public
     identity_api_verion: 3

.github/workflows/check-scaleup-occ2-v4.yml

@@ -0,0 +1,23 @@
+name: "Compliance IaaS v4 of scaleup-occ2"
+
+on:
+  # Trigger compliance check every day at 4:30 UTC
+  schedule:
+    - cron:  '30 4 * * *'
+  # Trigger compliance check after Docker image has been built
+  workflow_run:
+    workflows: [Build and publish scs-compliance-check Docker image]
+    types:
+      - completed
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  
+jobs:
+  check-scaleup-occ2:
+    uses: ./.github/workflows/scs-compliance-check-with-application-credential.yml
+    with:
+      version: v4
+      layer: iaas
+      cloud: scaleup-occ2
+      secret_name: OS_PASSWORD_SCALEUP_OCC2
+    secrets: inherit

.zuul.d/secure.yaml

@@ -233,6 +233,28 @@
           VCsXjf0qBBMrzz6HP9z95Bk44fiJ3L/LkA3Iij961dYrQXbZKDrKOiX/QPwrcSrVmjmew
           UbPexJFHgvTCqjadoLejSt9cUd9lVzhuzLJ8CS+CcCMbZOno6qathrd2B88riQaPNIGNu
           gfkNT9R63ZzKB1qIA2n5RZi7SH9DPIUd0AwLMn2bhp3uok5pNAPP/4/1RkQiCA=
+      scaleup_occ2_ac_id: !encrypted/pkcs1-oaep
+        - N2duwkcMdOXw6wF0deE/0BPM1M/URt3eWmrnBJ89VHeCDENGfTfDHcWPYs3wW4rSRCG6t
+          gqgNuA049OvOhL7rtjNHZ6yIj6xEHH/YdqT4UxjXPS9GFwoJXDtE8rIGjK3KU8GfUgKnG
+          DLplyyzGzx5j39rJAS628InmC56aip47rO1J4HQE9Ku25Wb06R7ykx+0ZOWr0HXjV/VsV
+          uwfyL+DPgewbL+4u8/XkcI0FwAM9/KkF/CcYUq5aVMdQS2foatTQW0C2idg+pffSTRaau
+          VF44rkVfzsCOz4MYAFpLIaL9Zxx1FifaPOd0oi6rEFjGd6vFtFCHk1BRpKmOITLyx3Te5
+          zVffSkQAsqpn/4er8800bjQzxXvqmQmR0QwPM7dhvRnrNbTSCA/Awm5BPaUgeCZFN3MPN
+          Mc0XIaEwjuJvDK6fqj5tJrVIs5bxAmqRDj8d76AlJcOdDxHicTHgR3aUG4AKOWkUsskgQ
+          3xR8lPh31O/HgzG9tq6o/DCPA1O9wyyOyT7KwJAaRASPCA1O80ZAzhZUNUVyut6dYEwaS
+          QXP4IaEJOxP8EkxR7FDEuO99UFZ7TXQ1CF7ots4wIs5tEpQvcdLnvBjJckp0fNBFTuGMm
+          FCvhgBK30NC93U4DxQv6xZBhqtvHYjHcTOXvz2fryRJT2teMN+eI+RDdV1Jj8Y=
+      scaleup_occ2_ac_secret: !encrypted/pkcs1-oaep
+        - LfUHhslK41JDp3CpslWGGA4bZ3udZh4KnytcXohkdbchb8QVt8eNc4nD0ti0/XS18YKwq
+          DlHOWw2rDJZ8RGIXENVUYzDbECoBErE8IAqQE0q3oS/8Oq0NYOFTGvvlKuue7U4s87Pwi
+          YFi+Q0Rv7vO8cWFVtbRHK+Hw6pC42Biq2T+tuVBCLqylIMViXpuEy9UpFLEv59zr6EHa9
+          uB3xkjnpWuabe7vrG+LQHc0pJ5tNhcLiOnJggU5Ef02FBy+t6xvuJW8f6cXCnRRj1q0fl
+          D/vTmC7avwHnWC+J4WLL69HCwW05I7iHftVSWOXQgRzMBd4D4ND2OXfsWElu0eOV5XG6X
+          JsQH8lDnVN/lqaDAOYR4fk4+9yt3RURwvNL5FUnDK1t7LAI4X0gcvLrQAfzgOlpBYDXSK
+          0kbUzqwivuw1v2zO/gxQU+J28PsOfZaKf/7ZZyj3e/tiq4wBpvPb0mVBwWXigKqzr+QED
+          Iy2u/g3x2qdcTpXR/RPq+xiXM2B2rw1V5gdkscdL+avXtTF7hT9HrcayHx3HDZ/h6aGPD
+          RWIJ8bstl+x2Q4zExgR13amWM8ZR1iLGCN20U/ZAaqANCqjDbrSVSTjTPzYtNFwAXwxkB
+          3NHhPDHZ1MIdr6IJE4IZ4TCMsIeTA2UHNfF4RCzeDSIJ+CXOQxUFWOxZkf97WY=
       syseleven_dus2_ac_id: !encrypted/pkcs1-oaep
         - SjwtIvJO7DkLJDmS+T/Z5utFBa22hmPRBd8mzonJHGgURB2W7fmXFreD9NPrLfbt7ujKi
           KNqJm8k1Vr1F3Mu+Osr0BWSnq5makwVt2ikBY4qPbL8iyVXsByaT/HNPLCOokqy+REpfu

Drafts/node-to-node-encryption.md

@@ -53,13 +53,13 @@ of a GPU) result in what GPU part of the flavor name.
 
 #### Nvidia (`N`)
 
-We show the most popular recent generations here. older one are of course possible as well.
+We show the most popular recent generations here. Older one are of course possible as well.
 
 ##### Ampere (`a`)
 
 One Streaming Multiprocessor on Ampere has 64 (A30, A100) or 128 Cuda Cores (A10, A40).
 
-GPUs without MIG (one SM has 128 Cude Cores and 4 Tensor Cores):
+GPUs without MIG (one SM has 128 Cuda Cores and 4 Tensor Cores):
 
 | Nvidia GPU | Tensor C | Cuda Cores | SMs | VRAM      | SCS name piece |
 |------------|----------|------------|-----|-----------|----------------|
@@ -138,14 +138,14 @@ Cores and 64 Stream Processors per CU.
 
 #### intel Xe (`I`)
 
-##### Xe-HPC (Ponte Vecchio) (`12.7`)
+##### Xe-HPC (Ponte Vecchio) (`3`)
 
 1 EU corresponds to one Tensor Core and contains 128 Shading Units.
 
-| intel DC GPU | Tensor C | Shading U | EUs | VRAM       | SCS name piece    |
-|--------------|----------|-----------|-----|------------|-------------------|
-| Max 1100     |  56      |  7168     |  56 |  48G HBM2e | `GI12.7-56-48h`   |
-| Max 1550     | 128      | 16384     | 128 | 128G HBM2e | `GI12.7-128-128h` |
+| intel DC GPU | Tensor C | Shading U | EUs | VRAM       | SCS name part  |
+|--------------|----------|-----------|-----|------------|----------------|
+| Max 1100     |  56      |  7168     |  56 |  48G HBM2e | `GI3-56-48h`   |
+| Max 1550     | 128      | 16384     | 128 | 128G HBM2e | `GI3-128-128h` |
 
 ## Automated tests
 

Standards/scs-0100-w1-flavor-naming-implementation-testing.md

@@ -25,7 +25,7 @@ Administrator (abbr. Admin)
 
 ### Default Security Groups, Custom Security Groups and default Security Group Rules
 
-To properly understand the concepts in this standard and avoid ambiguity, is very important to distinguish between the following similar-sounding but different resources in the OpenStack Networking API:
+To properly understand the concepts in this standard and avoid ambiguity, it is very important to distinguish between the following similar-sounding but different resources in the OpenStack Networking API:
 
 1. default Security Group
 2. custom Security Group
@@ -59,10 +59,10 @@ Therefore, this standard proposes default Security Group rules that MUST be set
 
 ## Design Considerations
 
-Up to the 2023.1 release (antelope) the default Security Group rules are hardcoded in the OpenStack code.
-We should not require to change this behavior through code changes in deployments.
+Up to the 2023.1 release (Antelope) the default Security Group rules are defined in the OpenStack code.
+We should not require changing this behavior through code changes in deployments.
 
-Beginning with the 2023.2 release (bobcat) the default Security Group rules can now be edited by administrators through an API.
+Beginning with the 2023.2 release (Bobcat) the default Security Group rules can now be edited by administrators through an API.
 All rules that should be present as default in Security Groups have to be configured by admins through this API.
 
 There are two ways to approach a standard for the default rules of Security Groups.

Standards/scs-0115-v1-default-rules-for-security-groups.md

@@ -44,6 +44,11 @@ This can be done with a small change in the policy.yaml file. The `creator` has
 The check for the presence of a Key Manager is done with a test script, that checks the presence of a Key Manager service in the catalog endpoint of Openstack.
 This check can eventually be moved to the checks for the mandatory an supported service/API list, in case of a promotion of the Key Manager to the mandatory list.
 
+### Implementation
+
+The script [`check-for-key-manager.py`](https://github.com/SovereignCloudStack/standards/blob/main/Tests/iaas/key-manager/check-for-key-manager.py)
+connects to OpenStack and performs the checks described in this section.
+
 ## Manual Tests
 
 It is not possible to check a deployment for a correctly protected Master KEK automatically from the outside.

Standards/scs-0116-w1-key-manager-implementation-testing.md

@@ -26,6 +26,7 @@ subjects = [
     "poc-kdo",
     "poc-wgcloud",
     "regio-a",
+    "scaleup-occ2",
     "syseleven-dus2",
     "syseleven-ham1",
     "wavestack",

Tests/config.toml

@@ -86,6 +86,9 @@ def main(argv):
         nm2 = _fnmck.outname(ret2)
         if nm1 != nm2:
             print(f"WARNING: {nm1} != {nm2}")
+        snm = _fnmck.outname(ret.shorten())
+        if snm != nm1:
+            print(f"Shortened name: {snm}")
         argv = argv[1:]
         scs = 1
 

Tests/iaas/flavor-naming/flavor-name-check.py

@@ -162,6 +162,9 @@ class Main:
     raminsecure = BoolAttr("?no ECC", letter="u")
     ramoversubscribed = BoolAttr("?RAM Over", letter="o")
 
+    def shorten(self):
+        return self
+
 
 class Disk:
     """Class representing the disk part"""
@@ -171,20 +174,29 @@ class Disk:
     disksize = OptIntAttr("#.GB Disk")
     disktype = TblAttr("Disk type", {'': '(unspecified)', "n": "Networked", "h": "Local HDD", "s": "SSD", "p": "HiPerf NVMe"})
 
+    def shorten(self):
+        return self
+
 
 class Hype:
     """Class repesenting Hypervisor"""
     type = "Hypervisor"
     component_name = "hype"
     hype = TblAttr(".Hypervisor", {"kvm": "KVM", "xen": "Xen", "hyv": "Hyper-V", "vmw": "VMware", "bms": "Bare Metal System"})
 
+    def shorten(self):
+        return None
+
 
 class HWVirt:
     """Class repesenting support for hardware virtualization"""
     type = "Hardware/NestedVirtualization"
     component_name = "hwvirt"
     hwvirt = BoolAttr("?HardwareVirt", letter="hwv")
 
+    def shorten(self):
+        return None
+
 
 class CPUBrand:
     """Class repesenting CPU brand"""
@@ -206,6 +218,12 @@ def __init__(self, cpuvendor="i", cpugen=0, perf=""):
         self.cpugen = cpugen
         self.perf = perf
 
+    def shorten(self):
+        # For non-x86-64, don't strip out CPU brand for short name, as it contains the architecture
+        if self.cpuvendor in ('i', 'z'):
+            return None
+        return CPUBrand(self.cpuvendor)
+
 
 class GPU:
     """Class repesenting GPU support"""
@@ -226,13 +244,29 @@ class GPU:
     vram = OptIntAttr("#.V:GiB VRAM")
     vramperf = TblAttr("Bandwidth", {"": "Std BW {<~1GiB/s)", "h": "High BW", "hh": "Very High BW"})
 
+    def __init__(self, gputype="g", brand="N", gen='', cu=None, perf='', vram=None, vramperf=''):
+        self.gputype = gputype
+        self.brand = brand
+        self.gen = gen
+        self.cu = cu
+        self.perf = perf
+        self.vram = vram
+        self.vramperf = vramperf
+
+    def shorten(self):
+        # remove h modifiers
+        return GPU(gputype=self.gputype, brand=self.brand, gen=self.gen, cu=self.cu, vram=self.vram)
+
 
 class IB:
     """Class representing Infiniband"""
     type = "Infiniband"
     component_name = "ib"
     ib = BoolAttr("?IB")
 
+    def shorten(self):
+        return self
+
 
 class Flavorname:
     """A flavor name; merely a bunch of components"""
@@ -250,14 +284,15 @@ def __init__(
 
     def shorten(self):
         """return canonically shortened name as recommended in the standard"""
-        if self.hype is None and self.hwvirt is None and self.cpubrand is None:
-            return self
-        # For non-x86-64, don't strip out CPU brand for short name, as it contains the architecture
-        if self.cpubrand and self.cpubrand.cpuvendor not in ('i', 'z'):
-            return Flavorname(cpuram=self.cpuram, disk=self.disk,
-                              cpubrand=CPUBrand(self.cpubrand.cpuvendor),
-                              gpu=self.gpu, ib=self.ib)
-        return Flavorname(cpuram=self.cpuram, disk=self.disk, gpu=self.gpu, ib=self.ib)
+        return Flavorname(
+            cpuram=self.cpuram and self.cpuram.shorten(),
+            disk=self.disk and self.disk.shorten(),
+            hype=self.hype and self.hype.shorten(),
+            hwvirt=self.hwvirt and self.hwvirt.shorten(),
+            cpubrand=self.cpubrand and self.cpubrand.shorten(),
+            gpu=self.gpu and self.gpu.shorten(),
+            ib=self.ib and self.ib.shorten(),
+        )
 
 
 class Outputter: