diff --git a/.automation b/.automation
index 7eefdb99f..7676aa89f 160000
--- a/.automation
+++ b/.automation
@@ -1 +1 @@
-Subproject commit 7eefdb99fe60df8eeac63004878ab4d44eb6d6ba
+Subproject commit 7676aa89f0fde7291a846179c8820a8acc5c69ce
diff --git a/.automation.conf/run-books/pulp-sync-content.sh b/.automation.conf/run-books/pulp-sync-content.sh
new file mode 100755
index 000000000..97ff18e9f
--- /dev/null
+++ b/.automation.conf/run-books/pulp-sync-content.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -euE
+set -o pipefail
+
+PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+KAYOBE_AUTOMATION_DIR="$(realpath "${PARENT}/../../.automation")"
+
+function main {
+    if [ "${PULP_DO_CONTAINER_SYNC:-}" = true ]; then
+        ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-sync.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"
+    fi
+    if [ "${PULP_DO_CONTAINER_PUBLISH:-}" = true ]; then
+        ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-container-publish.yml' -e stackhpc_pulp_images_kolla_filter="${PULP_KOLLA_FILTER:-}"
+    fi
+    if [ "${PULP_DO_REPO_SYNC:-}" = true ]; then
+        ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-sync.yml'
+    fi
+    if [ "${PULP_DO_REPO_PUBLISH:-}" = true ]; then
+        ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-publish.yml'
+    fi
+    if [ "${PULP_DO_REPO_PROMOTE:-}" = true ]; then
+        ${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh '$KAYOBE_CONFIG_PATH/ansible/pulp-repo-promote-production.yml'
+    fi
+}
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main
+fi
diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml
index a041b4f33..ee106cc5f 100644
--- a/.github/workflows/overcloud-host-image-build.yml
+++ b/.github/workflows/overcloud-host-image-build.yml
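Review bot: `main` in pulp-sync-content.sh exits 0 having run nothing when none of the `PULP_DO_*` variables is the exact string `true`, so a value such as `True`, `yes` or `1` is silently treated as "do nothing" rather than rejected, and a misconfigured run is indistinguishable from a successful one in the exit status. A header comment naming the variables and the accepted value would make the contract explicit, e.g. `# Runs the Pulp playbooks selected by PULP_DO_CONTAINER_SYNC, PULP_DO_CONTAINER_PUBLISH, PULP_DO_REPO_SYNC, PULP_DO_REPO_PUBLISH and PULP_DO_REPO_PROMOTE (each must be exactly "true"); PULP_KOLLA_FILTER is passed through to the two container playbooks.`, and writing a warning to stderr when no action was selected would make a no-op run visible in the logs. The five `${KAYOBE_AUTOMATION_DIR}/scripts/playbook-run.sh` invocations are unquoted and would word-split on a path containing spaces; `"${KAYOBE_AUTOMATION_DIR}"/scripts/playbook-run.sh` avoids that. The single-quoted `'$KAYOBE_CONFIG_PATH/...'` playbook paths are presumably passed literally on purpose for playbook-run.sh to expand; a one-line comment saying so would stop a reader from "fixing" the quoting.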
@@ -32,6 +32,13 @@ jobs:
     runs-on: arc-skc-host-image-builder-runner
     permissions: {}
     steps:
+      - name: Validate inputs
+        run: |
+          if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+            echo "At least one distribution must be selected"
+            exit 1
+          fi
+
       - name: Install Package
         uses: ConorMacBride/install-package@main
         with:
diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml
index 06879459f..7b06b90d7 100644
--- a/.github/workflows/overcloud-host-image-promote.yml
+++ b/.github/workflows/overcloud-host-image-promote.yml
@@ -23,6 +23,13 @@ jobs:
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     runs-on: ubuntu-22.04
     steps:
+      - name: Validate inputs
+        run: |
+          if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+            echo "At least one distribution must be selected"
+            exit 1
+          fi
+
       - uses: actions/checkout@v4
         with:
           path: src/kayobe-config
diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml
index 7aceddd16..505a4b194 100644
--- a/.github/workflows/overcloud-host-image-upload.yml
+++ b/.github/workflows/overcloud-host-image-upload.yml
@@ -34,6 +34,13 @@ jobs:
     runs-on: arc-skc-host-image-builder-runner
     permissions: {}
     steps:
+      - name: Validate inputs
+        run: |
+          if [[ ${{ inputs.rocky9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+            echo "At least one distribution must be selected"
+            exit 1
+          fi
+
       - name: Install package dependencies
         run: |
           sudo apt update
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index e8d83492f..2642b90b6 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
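Review bot: The new `Validate inputs` steps in overcloud-host-image-build.yml, overcloud-host-image-promote.yml, overcloud-host-image-upload.yml and, further down, stackhpc-container-image-build.yml interpolate `${{ inputs.* }}` directly into the `run:` script, so the shell executes whatever the expression expands to, unquoted. If these inputs are declared `type: boolean` (their declarations are not in these hunks) the expansion is limited to `true`/`false`, but an input that is absent for the triggering event expands to nothing and turns the `[[` test into a bash syntax error rather than a clean validation failure, and a string-typed input would be a script-injection path into the runner. Passing the values through `env:` and testing the quoted variables keeps the step correct in both cases, and the diagnostic should go to stderr (`echo "..." >&2`) so it is not mistaken for step output. The same rewrite applies to the second `if` in stackhpc-container-image-build.yml with `inputs.rocky-linux-9`, `inputs.overcloud` and `inputs.seed`.
```yaml
      - name: Validate inputs
        env:
          ROCKY9: ${{ inputs.rocky9 }}
          UBUNTU_JAMMY: ${{ inputs.ubuntu-jammy }}
        run: |
          if [[ "$ROCKY9" == 'false' && "$UBUNTU_JAMMY" == 'false' ]]; then
            echo "At least one distribution must be selected" >&2
          # … unchanged: exit 1 / fi …
```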
@@ -9,12 +9,12 @@ on:
         required: false
         default: ""
       overcloud:
-        description: Build overcloud images?
+        description: Build container images for overcloud services?
         type: boolean
         required: false
         default: true
       seed:
-        description: Build seed images?
+        description: Build container images for seed services?
         type: boolean
         required: false
         default: false
@@ -52,6 +52,17 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
       openstack_release: ${{ steps.openstack_release.outputs.openstack_release }}
     steps:
+      - name: Validate inputs
+        run: |
+          if [[ ${{ inputs.rocky-linux-9 }} == 'false' && ${{ inputs.ubuntu-jammy }} == 'false' ]]; then
+            echo "At least one distribution must be selected"
+            exit 1
+          fi
+          if [[ ${{ inputs.overcloud }} == 'false' && ${{ inputs.seed }} == 'false' ]]; then
+            echo "At least one of overcloud or seed must be selected"
+            exit 1
+          fi
+
       - name: Checkout
         uses: actions/checkout@v4
 
diff --git a/doc/source/contributor/environments/ci-multinode.rst b/doc/source/contributor/environments/ci-multinode.rst
index 28dc94de4..165ef5120 100644
--- a/doc/source/contributor/environments/ci-multinode.rst
+++ b/doc/source/contributor/environments/ci-multinode.rst
@@ -35,8 +35,15 @@ is not enabled by default. To enable it, set the following in
     kolla_enable_manila: true
     kolla_enable_manila_backend_cephfs_native: true
 
-And re-run ``kayobe overcloud service deploy`` if you are working on an existing
-deployment.
+If you are working on an existing deployment, you need to do the following first.
+
+1. Create CephFS pools: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-pools.yml``
+2. Create cephx key for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-keys.yml``
+3. Run Manila related Ceph commands: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-commands-post.yml``
+4. Gather Ceph configuration and keyring for Manila: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml``
+5. Configure Storage network on Seed node: ``kayobe seed host configure -t network,ip-allocation,snat``
+
+Then, run ``kayobe overcloud service deploy`` to deploy Manila.
 
 To test it, you will need two virtual machines. Cirros does not support the
 Ceph kernel client, so you will need to use a different image. Any regular Linux
@@ -108,35 +115,35 @@ Then create a share type and share:
 
 .. code-block:: bash
 
-    manila type-create cephfs-type false --is_public true
-    manila type-key cephfs-type set vendor_name=Ceph storage_protocol=CEPHFS
-    manila create --name test-share --share-type cephfs-type CephFS 2
+    openstack share type create cephfs-type false --public true
+    openstack share type set cephfs-type --extra-specs vendor_name=Ceph, storage_protocol=CEPHFS
+    openstack share create --name test-share --share-type cephfs-type --public true CephFS 2
 
 Wait until the share is available:
 
 .. code-block:: bash
 
-    manila list
+    openstack share list
 
 Then allow access to the shares to two users:
 
 .. code-block:: bash
 
-    manila access-allow test-share cephx alice
-    manila access-allow test-share cephx bob
+    openstack share access create test-share cephx alice
+    openstack share access create test-share cephx bob
 
 Show the access list to make sure the state of both entries is ``active`` and
 take note of the access keys:
 
 .. code-block:: bash
 
-    manila access-list test-share
+    openstack share access list test-share
 
 And take note of the path to the share:
 
 .. code-block:: bash
 
-    manila share-export-location-list test-share
+    openstack share export location list test-share
 
 SSH into the first instance, create a directory for the share, and mount it:
 
diff --git a/etc/kayobe/ansible/requirements.yml b/etc/kayobe/ansible/requirements.yml
index 589068d72..72d083a61 100644
--- a/etc/kayobe/ansible/requirements.yml
+++ b/etc/kayobe/ansible/requirements.yml
@@ -11,7 +11,7 @@ collections:
   - name: stackhpc.hashicorp
     version: 2.5.1
   - name: stackhpc.kayobe_workflows
-    version: 1.0.3
+    version: 1.1.0
 roles:
   - src: stackhpc.vxlan
   - name: ansible-lockdown.ubuntu22_cis
diff --git a/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml
new file mode 100644
index 000000000..ee5167ce9
--- /dev/null
+++ b/releasenotes/notes/fix-octavia-tls-terminated-pkcs12-4f7e32a6f5ca0143.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes creation and failover of Octavia TLS-terminated load balancers when
+    storing the certificate and key as a PKCS12 bundle in Barbican.
diff --git a/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml
new file mode 100644
index 000000000..f8e2e32a3
--- /dev/null
+++ b/releasenotes/notes/update-kayobe-automation-55fc9c5c380d819c.yaml
@@ -0,0 +1,23 @@
+---
+features:
+  - |
+    Upgrades kayobe-automation submodule to ``7676aa8``.
+
+    Upgrades kayobe-workflows collection to ``v1.1.0``.
+
+    Kayobe-automation config-diff now runs in parallel and generates both
+    the old and new configuration at the same time. This should improve
+    config-diff wait times.
+
+    Add support for the `pulp-sync-content` run book.
+deprecations:
+  - |
+    Kayobe-automation will now automatically detect vaulted files for the
+    purpose of config-diff therefore, ``KAYOBE_CONFIG_SECRET_PATHS_EXTRA`` and
+    ``KAYOBE_CONFIG_VAULTED_FILES_PATHS_EXTRA`` are no longer used
+security:
+  - |
+    The upgraded kayobe-workflows collection increases the version of various
+    Actions and containers used within GitHub based workflows, including increasing
+    Docker in Docker to version ``27.3.1`` thus removing the vunerabilities present
+    in ``24.0-git``.
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
index 3ee7d3edf..d71aec4b2 100755
--- a/tools/scan-images.sh
+++ b/tools/scan-images.sh
@@ -54,6 +54,10 @@ for image in $images; do
             --severity HIGH,CRITICAL \
             --output image-scan-output/$(unknown).json \
             --ignore-unfixed \
+            --db-repository ghcr.io/aquasecurity/trivy-db:2 \
+            --db-repository public.ecr.aws/aquasecurity/trivy-db \
+            --java-db-repository ghcr.io/aquasecurity/trivy-java-db:1 \
+            --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \
             $image); then
         # Clean up the output file for any images with no vulnerabilities
         rm -f image-scan-output/$(unknown).json
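Review bot: In tools/scan-images.sh the new `--db-repository` and `--java-db-repository` options are each passed twice, and whether Trivy treats the second occurrence as an additional source to try or as a replacement for the first depends on the Trivy release installed, which this hunk does not show; if it is the latter, the ghcr.io entries are silently ignored. That is worth confirming against the version the script installs and recording above the new lines, e.g. `# Alternate DB sources; relies on a Trivy release that accepts repeated --db-repository flags (TODO: confirm against the pinned version)`. The ghcr.io entries carry explicit tags (`:2`, `:1`) while the public.ecr.aws entries carry none, so the second source depends on Trivy's default tag for that repository; tagging both the same way keeps the fallback predictable. The enclosing `for image in $images` loop starts before this hunk.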