Merge branch 'main' into dependabot/go_modules/Tests/kaas/kaas-sonobuoy-tests/go_modules-232a611e2d

Author: garloff

.github/scs-compliance-check/openstack/clouds.yaml

@@ -1,12 +1,10 @@
 clouds:
-  gx-scs:
+  scs2:
+    auth_type: "v3applicationcredential"
     auth:
-      auth_url: https://api.gx-scs.sovereignit.cloud:5000
-      username: "u500924-svc-standards"
-      project_id: 3829cc7c8f034fc985f5055a1df6f247
-      project_name: "p500924-scs-healthmonitor"
-      user_domain_name: "d500924"
-    region_name: "RegionOne"
+      auth_url: https://scs2.api.pco.get-cloud.io:5000
+      application_credential_id: "f8f301ccf04047589afac62665227edd"
+    region_name: "scs2"
     interface: "public"
     identity_api_version: 3
   pco-prod1:

.github/workflows/check-gx-scs-v4.yml .github/workflows/check-scs2-v4.yml.github/workflows/check-gx-scs-v4.yml renamed to .github/workflows/check-scs2-v4.yml

@@ -1,9 +1,9 @@
-name: "Compliance IaaS v4 of gx-scs"
+name: "Compliance IaaS v4 of scs2"
 
 on:
-  # Trigger compliance check every day at 4:30 UTC
+  # Trigger compliance check every day at 4:45 UTC
   schedule:
-    - cron:  '30 4 * * *'
+    - cron:  '45 4 * * *'
   # Trigger compliance check after Docker image has been built
   workflow_run:
     workflows: [Build and publish scs-compliance-check Docker image]
@@ -13,11 +13,11 @@ on:
   workflow_dispatch:
 
 jobs:
-  check-gx-scs:
-    uses: ./.github/workflows/scs-compliance-check.yml
+  check-scs2:
+    uses: ./.github/workflows/scs-compliance-check-with-application-credential.yml
     with:
       version: v4
       layer: iaas
-      cloud: "gx-scs"
-      secret_name: "OS_PASSWORD_GXSCS"
+      cloud: "scs2"
+      secret_name: "OS_ACSECRET_SCS2"
     secrets: inherit

.github/workflows/check-gx-scs-v3.yml .github/workflows/check-scs2-v5.yml.github/workflows/check-gx-scs-v3.yml renamed to .github/workflows/check-scs2-v5.yml

@@ -1,9 +1,9 @@
-name: "Compliance IaaS v3 of gx-scs"
+name: "Compliance IaaS v5 of scs2"
 
 on:
-  # Trigger compliance check every day at 4:30 UTC
+  # Trigger compliance check every day at 4:25 UTC
   schedule:
-    - cron:  '30 4 * * *'
+    - cron:  '25 4 * * *'
   # Trigger compliance check after Docker image has been built
   workflow_run:
     workflows: [Build and publish scs-compliance-check Docker image]
@@ -13,11 +13,11 @@ on:
   workflow_dispatch:
 
 jobs:
-  check-gx-scs:
-    uses: ./.github/workflows/scs-compliance-check.yml
+  check-scs2:
+    uses: ./.github/workflows/scs-compliance-check-with-application-credential.yml
     with:
-      version: v3
+      version: v5
       layer: iaas
-      cloud: "gx-scs"
-      secret_name: "OS_PASSWORD_GXSCS"
+      cloud: "scs2"
+      secret_name: "OS_ACSECRET_SCS2"
     secrets: inherit

.zuul.d/config.yaml

@@ -8,10 +8,10 @@
         - scs-check-all
     periodic-hourly:
       jobs:
-        - scs-check-gx-scs-main
+        - scs-check-scs2-main
     post:
       jobs:
-        - scs-check-gx-scs
+        - scs-check-scs2
     check:
       jobs:
         - scs-check-adr-syntax
@@ -22,7 +22,7 @@
     pre-run: playbooks/pre.yaml
     run: playbooks/adr_syntax.yaml
 - job:
-    name: scs-check-gx-scs
+    name: scs-check-scs2
     parent: base
     secrets:
      - name: clouds_conf
@@ -35,11 +35,11 @@
      - playbooks/pre_cloud.yaml
     run: playbooks/compliance_check.yaml
 - job:
-    name: scs-check-gx-scs-main
-    parent: scs-check-gx-scs
+    name: scs-check-scs2-main
+    parent: scs-check-scs2
     branches: main
 - job:
     name: scs-check-all
-    parent: scs-check-gx-scs-main
+    parent: scs-check-scs2-main
     vars:
       preset: all

.zuul.d/secure.yaml

@@ -35,28 +35,6 @@
           JWvUvQl33JFC1jzIoQ7Rph6c660fRmz377jwjqx9/+bkHwLozGCP/9XrZVcizefEJM6jD
           eHRcpMpjuyFJLyNKnEF1lp58sfVQoJfVHTIvmzS9erVJhU/zjyeDFPsrLFweV7/5QzRvI
           lDiXrfj+X40EQvPrkSBJj/BIBYl+RuF8PfYnV4jqaQBwFNNBQoL/hGEotZa5h4=
-      gx_scs_ac_id: !encrypted/pkcs1-oaep
-        - uTdKdJXEzdx0pFAOAxR3054IdWqY1Hpjo/HQoNTJrXwT1yKFS2lkXk4LZWfVy2pnkk+I8
-          T3vpvonxb8hwkZQLZRbauzLmuCrjWpM6u2Nu2aY6bppFkj26t/VZ2/ovFjWmKL2isd7qx
-          iZPaVcniFLG/nEUeH3Jaq0dnGgoE1k8jRj+ke4tw8gy+KVVy51Ok9g1dq4AtTAtl04KkR
-          Xcu9O2gFQaN6aikbbr5Nh4tJJAlbybSk0pbPD9e5Kj9aamls7rHLaJCzdh2BBAYfdBejp
-          iuCcY15cauNiwYCAHVmnz+E0gDA4IfIH224Id8LrlO8xp5r0+hd1nWZw48jjk5ozZLIFv
-          Ud7DsPoTKs8zhME7tIglbdzVFllc5L3IF5mSpvc5mKfvT8b4bNN5T7fOgpsUYyorpzE0G
-          5oWNW5dG0YsK+6UkbUGIgHFHOBQbZ1qhthb+QQ7bvFUiMEft6Sbga1p1DXi6P++b8tsCQ
-          L9e0LdDMqK5vWlbcM1xYbjqhuYYSHwPqqMrAYVc5/rlLIsXJEHEt8s/D4/0rX20VAE/Ii
-          1CQMRyU7sgVQqaS9YPoVyGFdaL8FoVAbyageQxWSTjFVXZ4EUmrsncOcxAVrVmWOZmIZn
-          wrZYNjAYSkHWnHIO2gFoC8QtnThb0i4htmRf1Nv2YGWWyUxA32JbIyliS2O57k=
-      gx_scs_ac_secret: !encrypted/pkcs1-oaep
-        - QmUbdGH6ZrkVaL7qV8P0lxKn/kvpEREmf8MffxWvQb+zeWs4y2O8A4TNl/tGRjmJzV7Vk
-          tkte+bdazt7fG665WxKaUI8exkuLYCA3fPPp00/7CyhYDc24bWG/BH0ypEWpjfzInxv3Q
-          waqjvC4O3tp2oNX9wIicrZuDVfdDywCHgkEdApQpjJZqe0VifjZ4/Arj3m4sCA9yCj3gW
-          PUa8kDgGheYYqyIETAbKAskcUbRNUrKGkDZBMfYqXSuXLRDbjk4G2RZK74E56s7iZcW51
-          FLBVFrdfU+EV/haAIkLPacQ05xbtsLJ9tUdmy4gjd2lzA7CQxtZ3Kf6p9lWXk/xvnHvdv
-          SLvQPsWV1/6WeLaBq+m2ncajWrJW2WyltxEfUF4jYTroM1bw+b4OiYOhSwFDipzyYpTwY
-          zxFSwfmhHvkwPdeinjK2s04XmDLBGjfYFGvGwMKpEIYC9/hoBNQcSV26k2CKIPMX2Wb+z
-          TW7x5U3evZ22RResSQrIxZGt1xOvYFVw8KK8n243pL1tk0VtRtlEpNNVLbY7Zm8dUj9mU
-          ogEUIbRB2NVl904YLtqD1u/jasBYsvdvB7HmcXQmh+8/lybh5ouBP2ZTdSNnPy2tZDTTB
-          aqdJ+oJYtAwnm+e5fR8ddqvfcEW6eq8D7ouahjNYcbWT7K2ZjWlR2HxrqJJRxs=
       cc_rrze_ac_id: !encrypted/pkcs1-oaep
         - DUgJ7ozJOzJq1TSmBE6P8RGAW6C+s9LDRbW6mHIbAQlAX3+21d/KgoLk9zEyDdOanK1yd
           QaEZJDjURsIAcHJh7vh9w/2Z948XKDybxIOb1tcJGJU1LsEmYoNAQXM5G3+l8Z66Crpgw
@@ -321,3 +299,25 @@
           cYBWMsILDfv/7AR2lE+QTCxtL3gqPbjX5h0XlIXS/8p+xuA04pvSA6MWWCOuEUgQyt7i2
           6QnUC2DdYiVKGf54pBGuyilsBlH9Hmmcpa3UFrFQhGJjvZ1+M+8shFH3m238UYu72Q57q
           JZBtAU3zdwqDrDe5d/EfGSDE9FFLoMvColJpwLeY4zhP3XK6MrDnjwkMGMpsrE=
+      scs2_ac_id: !encrypted/pkcs1-oaep
+        - Y8BQv9PqamMnqL72LDSTxIE7qKQUz8pclYYZV2MhBbspuzBzs9/a3dMXyrOL1HyFacGZo
+          IPYnTG7BnnQLup0iwNoL2DMmsut69c0nLXIId2+hmH2/inW9GmEN12zE70nSG1jhGqAm/
+          V6q814Ef0O+bnvs8Abr06w2mWDAtbyZeAD7K7UzsQpz1SzyJKidRltQQNuI5cCpPCenkm
+          5Co9q0df8E3JeLwOa96Y1Xb4bHXmh0sfDTsc2DNGOAE3+wWc2iYMYIvCqrIvYmTUJMX+z
+          IqGJ3Ca1Py27xl7hOhlwFerJdTZTB1YZ61T5+RAbJ9LzNhP6hzQscArYLJHCMclxH7kI4
+          SH778FfSPK7nJmkAK8T6D8uFLuJmw7aNhuUPcRTIWrvMic1Pe+y12OJa2mCF3ULiaj+Ct
+          roCW3hPBVOwQPe1LsgoT2pUbhhA4Gej5vDeGSgcCqwFyZMK+9F4y6ueGeupYgaenSSNSA
+          oDvjYvE7IAceBqpm06miDNIMHRiHOfKvS7GWmN64axgoFvL8PwpjHmufOg5tvDqAPhNPo
+          ymNxEuQbPyXz6uEvqkIzXNqJD1Rso9lzDSpmuw0DGYiURINAlJ5+aIKd1I80E5jnYqWDi
+          AzoVDdcc8rs5dSv5EVUNgHAZbhoGXCrDG4Rle3W7O7OjYRhujWfPvOsZpKshus=
+      scs2_ac_secret: !encrypted/pkcs1-oaep
+        - IKyt7UBMh6ByyMYriD1348U14YAeDyshpizDi+JFRKMUTHfGOMt8ymMwvSNjZNl0lDq05
+          hj+5eihgASkXeKrDVqqB/UV1eB5romShC72AyoeenR33ydfXhpscAW6Ygsx1o1k49FDVa
+          zc7xe4T6dEcGfuXCELUcC6bl7LiOh4lX8fKUie1liq5l3yonYGgKQ00kLMTd3NkEiIzan
+          HJF6ezLq2AvJPHBeoa7x0yGUk6IwJGafL++kiYNUqbzYP1MG0JJyMbHP4svM/Fq/IiO6y
+          HBoLT0zc3owQ3JUxysQ+jDCeltLvwdwEtl7T10+xtSYsOQnsoN+/KTqW3+jrFHEAI0xDc
+          v3X81xZb9zW6aEQc75Upx0fnDOBHPnGBziHG+4m8YrIkMthJ812v0Xrwi1VH6sFac1lET
+          dOvR0LsXw1t/N8T7JbmzsJ7TTluN32iegt9mZ0syXHJyNr6DuUs3P6iDoOlRUzv+UzIJP
+          PHOVS1umROCJJi/5T78EA4ukDdFN/zdEktGauSDqUVRPASodV8Q3qvN6PgskPh1dQgxwB
+          Po9R1405It3aQtBiXnT+38eKAd1nTJkaRlC03VgbeV+XrjMI1YsMQDAt+YhMKSfys1ZhB
+          n6Dw+nc3Qi21G/CnY45rFUMLGTzevukKuHeiApf+eX4PdNQ1LPkUGrHdNnqkj8=

Standards/scs-0004-v1-achieving-certification.md

@@ -1,7 +1,8 @@
 ---
 title: Regulations for achieving SCS-compatible certification
 type: Procedural
-status: Draft
+status: Stable
+stabilized_at: 2025-03-25
 track: Global
 ---
 
@@ -17,33 +18,33 @@ As operator, I want to obtain a certificate with the scope SCS-compatible IaaS o
 
 ## Regulations
 
-1. Each certificate issued pertains to a given cloud, a given scope, and a given version of that scope with a fixed expiry date. The certificate is only valid for that cloud and for the time frame that ends on that expiry date.
+0. Certificates are issued by the SCS certification assessment body. This is either the _Forum SCS-Standards_, part of the Open Source Business Alliance e.V. (OSBA), or an organization appointed by the _Forum SCS-Standards_ . An interested party has to apply for certification with this body, which in turn determines the rules that govern what parties are eligible for application (fees may apply).
 
-2. The operator MUST include the official [SCS compliance test suite](https://github.com/SovereignCloudStack/standards/tree/main/Tests) (which does not require admin privileges) in their continuous test infrastructure (e.g., Zuul). The tests MUST be run at given intervals, depending on their resource-usage classification:
+1. Each certificate issued pertains to a given combination of subject (i.e., cloud environment), scope (such as _SCS-compatible IaaS_), and version of that scope. The certificate is only valid for that combination and for the time frame that ends when the scope expires, or for six months if the expiration date for the scope is not yet fixed.
 
-    - _light_: at least nightly,
-    - _medium_: at least weekly,
-    - _heavy_: at least monthly.
+2. The operator MUST ensure that the official [SCS compliance test suite](https://github.com/SovereignCloudStack/standards/tree/main/Tests) (which does not require admin privileges) is run at regular intervals and the resulting reports transmitted to the [SCS compliance monitor](https://github.com/SovereignCloudStack/standards/tree/main/compliance-monitor).
 
-   For public clouds, it is recommended to offer the SCS project access to the infrastructure so the test suite runs can be triggered continuously by the SCS team.
+   For public clouds, the SCS certification assessment body can take on this task provided that suitable access to test subject is supplied.
 
-   Alternatively, and for non-public clouds, the results (log files) MUST be submitted to SCS (by a mechanism of SCS' choice) at least weekly, and they need to be reproduced again on request by SCS.
+   The test suite is partitioned according to resource usage; the required test intervals depend on this classification:
 
-   <!-- Initially this will probably be eMail -->
+    - _light_: at least nightly,
+    - _medium_: at least weekly,
+    - _heavy_: at least monthly.
 
-3. If the desired certificate requires manual checks, then the operator MUST offer the SCS project suitable access. Manual checks MUST be repeated once every quarter.
+3. If the desired certificate requires manual checks, then the operator MUST offer the SCS project suitable documentation. Manual checks MUST be repeated once every quarter. In addition, the SCS certification assessment body reserves the right to occasionally verify documentation on premises.
 
 4. Details on the standards achieved, as well as the current state and the history of all test and check results of the past 18 months will be displayed on a public webpage (henceforth, _certificate status page_) owned by SCS.
 
    The page will be kept online for the duration of the certificate's validity, plus at least 3 months; afterwards, it can be taken offline, either upon request or in the course of maintenance cleanup. However, the page's content won't be deleted until 12 months after the certificate's expiration, for the page will be reanimated and reused if, within this timeframe, a new certificate is issued for the same scope and the same cloud.
 
-5. The SCS certification assessment body (initially the SCS project in the OSB Alliance e.V., possibly further entities empowered to do so by the SCS trademark owner, currently the OSB Alliance e.V.) WILL review the certification application and either grant the certification, reject it or ask for further measures or information.
+5. The SCS certification assessment body WILL review the certification application and either grant the certification, reject it or ask for further measures or information.
 
 6. Once the certificate is granted by the SCS certification assessment body, the operator SHOULD use the corresponding logo and publicly state the certified "SCS compatibility" on the respective layer for the time of the validity of the certification. In case of a public cloud, this public display is even REQUIRED. In any case, the logo MUST be accompanied by a hyperlink (a QR code for printed assets) to the respective certificate status page.
 
-7. If the certificate is to be revoked for any reason, it will be included in a publicly available Certificate Revocation List (CRL). This fact will also be reflected in the certificate status page.
+7. If the certificate is to be revoked for any reason, it will be included in a publicly available Certificate Revocation List (CRL), maintained by the SCS certification assessment body. This fact will also be reflected in the certificate status page.
 
-8. If any of the automated tests or manual checks fail after the certificate has been issued, the certificate is not immediately revoked. Rather, the automated tests MUST pass 99.x % of the runs, and the operator SHALL be notified at the second failed attempt in a row at the latest. In case a manual check fails, it has to be repeated at a date to be negotiated with SCS. It MAY NOT fail more than two times in a row.
+8. If any of the automated tests or manual checks fail after the certificate has been issued, the certificate is not immediately revoked. Rather, the automated tests MUST pass 99.x % of the runs, and the operator SHALL be notified at the second failed attempt in a row at the latest. In case a manual check fails, it has to be repeated at a date to be negotiated with the SCS certification assessment body. It MAY NOT fail more than two times in a row.
 
 ## Design Considerations