We don't manage the openmetal.us-east.opendev.org HTTPS certificate
with our usual Ansible/DNS/acme.sh process, so explicitly add it to
the certcheck list.
Change-Id: Icbcedb546036e7dadded352a9bdda91f57aa157f
This removes ansible configuration for the linaro cloud itself and the
linaro cloud mirror. This cloud is in the process of going away and
having these nodes in our inventory is creating base jobs failures due
to unreachable nodes. This then dominoes into not running the LE refresh
job and now some certs are not getting renewed. Clean this all up so
that the rest of our systems are happy.
Note that we don't fully clean up the idea of an unmanaged group as
there may be other locations we want to do something similar (OpenMetal
perhaps?). We also don't remove the openstack clouds.yaml entries for
the linaro cloud yet. It isn't entirely clear when things will go
offline, but it may be as late as August 10 so we keep those credentials
around as they may be useful until then.
Change-Id: Idd6b455de8da2aa9901bf989b1d131f1f4533420
The entry we had did not match the name used by nodepool. This caused us
to not detect that this cert would expire (and has now expired).
Change-Id: Ibd4885f2f3fbbc776f76fef92736b98b8f87c664
Apparently this has a cert that can expire independently from
www.openstack.org, so let's check this, too.
Change-Id: I852af03b99205e07241e90b589c9d579204ed766
While the site isn't directly related to opendev, we use it a lot in our
CI, so having an early warning if the cert is failing seems useful.
Change-Id: I4816a0a0f890849c6379d0db50f8ac0f1693deaa
None of the services we operate rely on openstackid.org any longer,
so we can drop our monitoring of its cert expiration safely (which
is currently complaining). We're already monitoring its successor,
id.openinfra.dev.
Change-Id: I059ef0492f05137fa542c819b64427bd9ef0eb0c
The OpenStackID project has been rebranded, and the old
openstackid.org deployment is being retained temporarily in order to
ease transition, but id.openinfra.dev is in place now and intended
as its successor.
Monitor its HTTPS cert like we do for its predecessor, so we'll be
aware of any impending expiration, as we host some services which
depend on it.
Change-Id: I7fee4d42db672bffa80fbca953979fad9896880e
* ask.o.o has been converted to LE
* ethercalc.o.o has been converted to LE
* storyboard.o.o has been converted to LE
* translate.o.o has been converted to LE
* openstackid-dev.o.o is fine without a valid cert
Change-Id: Ic7639f0e62d5269e35a5d909d67318cd74d0233e
Several of these domains have migrated to be deployed via our
letsencrypt roles and thus no-longer need special casing in the
certcheck list as they are automatically added now.
Change-Id: Id417db6af09f3ba96bb6da09d8cbf28dd8ddf276
The Limesurvey service hosted at survey.openstack.org was a beta
which saw limited use. The platform it runs on, Xenial, is now EOL
from Ubuntu/Canonical and in order to upgrade to a newer
distribution release we would need to rewrite all the configuration
management (the version of Puppet supported by newer Ubuntu is not
backward-compatible with what we've been running).
If a similar service becomes interesting to users of our
collaboratory in the future, it will need to be reintroduced with
freshly written configuration management anyway. The old configs and
documentation remain in our Git history should anyone wish to use
them as inspiration.
Change-Id: I59b419cf112d32f20084ab93eb6f2417a7f93fdb
Once we are satisfied that we have disabled the inputs to firehose we
can land this change to stop managing it in config management. Once that
is complete the server can be removed.
Change-Id: I7ebd54f566f8d6f940a921b38139b54a9c4569d8
This autogenerates the list of ssl domains for the ssl-cert-check tool
directly from the letsencrypt list.
The first step is the install-certcheck role that replaces the
puppet-ssl_cert_check module that does the same. The reason for this
is so that during gate testing we can test this on the test
bridge.openstack.org server, and avoid adding another node as a
requirement for this test.
letsencrypt-request-certs is updated to set a fact
letsencrypt_certcheck_domains for each host that is generating a
certificate. As described in the comments, this defaults to the first
host specified for the certificate and the listening port can be
indicated (if set, this new port value is stripped when generating
certs as is not necessary for certificate generation).
The new letsencrypt-config-certcheck role runs and iterates all
letsencrypt hosts to build the final list of domains that should be
checked. This is then extended with the
letsencrypt_certcheck_additional_domains value that covers any hosts
using certificates not provisioned by letsencrypt using this
mechanism.
These additional domains are pre-populated from the openstack.org
domains in the extant check file, minus those openstack.org domain
certificates we are generating via letsencrypt (see
letsencrypt-create-certs/handlers/main.yaml). Additionally, we
update some of the certificate variables in host_vars that are
listening on port !443.
As mentioned, bridge.openstack.org is placed in the new certcheck
group for gate testing, so the tool and config file will be deployed
to it. For production, cacti is added to the group, which is where
the tool currently runs. The extant puppet installation is disabled,
pending removal in a follow-on change.
Change-Id: Idbe084f13f3684021e8efd9ac69b63fe31484606
