2030 Commits

Author SHA1 Message Date
Zuul
b1e65bf085 Merge "Switch test gerrit hostname to review99.opendev.org" 2021-10-13 17:47:53 +00:00
Zuul
0017bdc468 Merge "Replace testing group vars with host vars for review02" 2021-10-13 17:16:31 +00:00
Zuul
cced838bf0 Merge "borg-backup-server: wait for lock in verify" 2021-10-12 20:11:07 +00:00
Clark Boylan
63f5674e6f Switch test gerrit hostname to review99.opendev.org
Previously we had set up the test gerrit instance to use the same
hostname as production: review02.opendev.org. This causes some confusion
as we have to override settings specifically for testing like a reduced
heap size, but then also copy settings from the prod host vars as we
override the host vars entirely. Using a new hostname allows us to use a
different set of host vars with unique values reducing confusion.

Change-Id: I4b95bbe1bde29228164a66f2d3b648062423e294
2021-10-12 09:48:53 -07:00
Clark Boylan
76baae4e3f Replace testing group vars with host vars for review02
Previously we had a test specific group vars file for the review Ansible
group. This provided junk secrets to our test installations of Gerrit
then we relied on the review02.opendev.org production host vars file to
set values that are public.

Unfortunately, this meant we were using the production heapLimit value
which is far too large for our test instances leading to the occasional
failure:

  There is insufficient memory for the Java Runtime Environment to continue.
  Native memory allocation (mmap) failed to map 9596567552 bytes for committing reserved memory.

We cannot set the heapLimit in the group var file because the hostvar
file overrides those values. To fix this we need to replace the test
specific group var contents with a test specific host var file instead.
To avoid repeating ourselves we also create a new review.yaml group_vars
file to capture common settings between testing and prod. Note we should
look at combining this new file with the gerrit.yaml group_vars.

On the testing side of things we set the heapLimit to 6GB, we change the
serverid value to prevent any unexpected notedb confusion, and we remove
replication config.

Change-Id: Id8ec5cae967cc38acf79ecf18d3a0faac3a9c4b3
2021-10-12 09:48:45 -07:00
Zuul
b75da802ca Merge "Test upgrade from Gerrit 3.3 to 3.4" 2021-10-11 23:35:34 +00:00
Zuul
3f92dbf8b8 Merge "gerrit: Update quotes for 3.3" 2021-10-11 22:20:15 +00:00
Ian Wienand
432a995184 gerrit: diff config files on upgrade
This ensures we don't miss things gerrit might update in config files

Change-Id: I28cd18f7a180d9f8968441b35642f74cb0c42e34
2021-10-11 18:29:06 +11:00
Ian Wienand
fee2aba4cd gerrit: Update quotes for 3.3
The gerrit config diff after the 3.3 upgrade [1] seems to remove some
quotes.  We also quote the bug URL, because it seems to think the
trailing # is a comment now.

[1] https://etherpad.opendev.org/p/gerrit-upgrade-3.3

Change-Id: I3ca0ec925a0e6da33a1cbe2333c118b1baa7257c
2021-10-11 08:33:46 +11:00
Zuul
fed8ec476b Merge "Upgrade Gerrit to 3.3" 2021-10-10 20:45:48 +00:00
Zuul
a0953f063f Merge "Update gerritbot-matrix version to include change number in notifications" 2021-10-08 01:14:38 +00:00
Zuul
5f96f2abe3 Merge "Update ICLA to reference OpenInfra" 2021-10-08 01:14:34 +00:00
Wes Wilson
bdb6e7b8f8 Update ICLA to reference OpenInfra
Change-Id: Ifc9feaefcd64bb2e6ca060b5bd3aac5ed6345f9c
2021-10-07 13:17:12 -07:00
Jeremy Stanley
a5c1feef0f Add ptgbot serveralias for redirecting PTG site
While under development, the subdomain for the PTG site was
originally written as ptgbot.opendev.org and this is what was
communicated to event organizers. Mass communications subsequently
went out including this for URLs to the service. In order to make
the content from those announcements viable, add the additional name
to our configuration so we can redirect from it to the name we
eventually settled on.

While we're adjusting vhost metadata, make the ServerAdmin
directives between the HTTP and HTTPS vhosts for the service
consistent.

Change-Id: I726069f83b792fa31d92b759adc5c1214ca087fa
2021-10-07 19:34:16 +00:00
Jeremy Stanley
ba7d3d59c3 Turn on mod_rewrite for PTG vhost
In order to use Rewrite* directives, mod_rewrite must be activated
in the vhost via RewriteEngine.

Change-Id: I495ee5e9fd3b1d489122d6e282d3a91d1035c126
2021-10-07 19:34:16 +00:00
Jeremy Stanley
6df026852e Update ptgbot jobs to use #opendev-sandbox channel
The default channel name in the ptgbot role defaults did not
correctly specify a starting hash which it requires, but also the
test jobs seem to need it set in the eavesdrop group vars specific
to testing.

Change-Id: I16cdeac4f7af50e2cac36c80d78f3a87f482e4aa
2021-10-07 19:34:15 +00:00
Clark Boylan
0f6c29c0ee Test upgrade from Gerrit 3.3 to 3.4
This shifts our Gerrit upgrade testing ahead to testing 3.3 to 3.4
upgrades as we have upgraded to 3.3 at this point.

Change-Id: Ibb45113dd50f294a2692c65f19f63f83c96a3c11
2021-10-07 11:57:04 -07:00
Clark Boylan
e47dccdc34 Upgrade Gerrit to 3.3
This bumps the gerrit image up to our 3.3 image. Followup changes will
shift upgrade testing to test 3.3 to 3.4 upgrades, clean up no longer
needed 3.2 images, and start building 3.4 images.

Change-Id: Id0f544846946d4c50737a54ceb909a0a686a594e
2021-10-07 11:54:46 -07:00
Tristan Cacqueray
ce7aef9b4f Update gerritbot-matrix version to include change number in notifications
… as suggested by @clarkb

Change-Id: I3ce9507423b7c609e88ee5b19b70ae197a9e29ec
2021-10-07 15:01:00 +00:00
Zuul
3cd5d95d14 Merge "ptgbot: Add ServerAlias for ptg.openstack.org" 2021-10-07 00:48:47 +00:00
Zuul
7b943ed04a Merge "ptgbot: rename site to ptg.opendev.org" 2021-10-07 00:48:45 +00:00
Ian Wienand
d1c1e0dc02 ptgbot: Add ServerAlias for ptg.openstack.org
Ensure the old site redirects to the new site

Change-Id: I85a9616db3b0c8c443db927f751da8c2c418c318
2021-10-07 10:35:01 +11:00
Zuul
5b987ea6bc Merge "ptgbot: fix servername on http side" 2021-10-06 22:47:22 +00:00
Zuul
d108da5785 Merge "Upgrade gitea to 1.15.3" 2021-10-06 22:47:20 +00:00
Ian Wienand
67c08d52ad ptgbot: rename site to ptg.opendev.org
To remain consistent with "ptg.openstack.org", we are dropping the
"bot"

Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/812757
Change-Id: I5f06ee08241a286178fcb1be5c19fee6b6086d6f
2021-10-07 09:43:39 +11:00
Ian Wienand
347a9314ed ptgbot: fix servername on http side
Change-Id: I2c5883b7723fed1ed0b83f71507e50d3f85d5841
2021-10-07 08:38:00 +11:00
Zuul
b1bb5b782d Merge "Finish ptgbot configuration" 2021-10-06 20:22:50 +00:00
Zuul
455f56c676 Merge "ptgbot: setup web interface" 2021-10-06 19:51:51 +00:00
Jeremy Stanley
ad16067ae8 Finish ptgbot configuration
Set the channel we want ptgbot joining in production with a group
var, like we do for statusbot's channel list. Correct the password
var name to match what's used in the template for production (and
matches the override set in our private hostvars on the bastion).
Clean up the unnecessary auth nicks list which was copied from the
statusbot config but is entirely unused. Also get rid of some
unnecessary empty lines in the defaults as they really don't make
the file any more readable.

Change-Id: Id026b89d642eae13feba374e4f3ec610b543e530
2021-10-06 19:06:39 +00:00
Clark Boylan
4346570a0b Fix letsencrypt_self_generate_tokens defaults
We set the letsencrypt_self_generate_tokens value to True in testing
which means the variable is valid and exists in testing. However, in
production this variable isn't set and doesn't have a default so we get:

  The task includes an option with an undefined variable. The error was:
  'letsencrypt_self_generate_tokens' is undefined

Fix this by setting the default value for this var to False. Also, add
it to the README of letsencrypt-request-certs as this is where it is
primarily used.

Change-Id: I862df6ea3ff7f3a1df2a088b04d230bb618aaa85
2021-10-06 08:40:43 -07:00
Zuul
50c5727d42 Merge "Setting Up Ansible For ptgbot" 2021-10-06 14:18:36 +00:00
Zuul
6972d3c7b6 Merge "Setup Letsencrypt for ptgbot site" 2021-10-06 13:00:40 +00:00
Zuul
f80175b66a Merge "letsencrypt : don't use staging in the gate" 2021-10-06 12:59:58 +00:00
Ian Wienand
86b7f75b25 ptgbot: setup web interface
The dependent change exports the ptgbot website on port 8000 in the
container.  Proxy this through apache.

Depends-On: https://review.opendev.org/c/openstack/ptgbot/+/812417
Change-Id: Idf9e9f5ffad981427d24a3476c0c1f244721d917
2021-10-06 15:39:25 +11:00
Kendall Nelson
62e30e52de Setting Up Ansible For ptgbot
Heavily taken from statusbot, but removed wiki and twitter defaults.

Change-Id: I7b1958dbe37e5d25b8fde746235c88a4d6763ffd
2021-10-06 15:39:25 +11:00
Kendall Nelson
a24310c17f Setup Letsencrypt for ptgbot site
Depends-on: https://review.opendev.org/c/opendev/zone-opendev.org/+/804790

Change-Id: I8812628a3b021180e7c5d33ccd0cd5c2f0cc4745
2021-10-06 15:39:25 +11:00
Ian Wienand
547a4578bd letsencrypt : don't use staging in the gate
Currently we connect to the LE staging environment with acme.sh during
CI to get the DNS-01 tokens (but we never follow-through and actually
generate the certificate, as we have nowhere to publish the tokens).
We've known for a while that LE staging isn't really meant to be used
by CI like this, and recent instability has made the issue pronounced.

This modifies the driver script to generate fake tokens which work to
ensure all the DNS processing, etc. is happening correctly.

I have put this behind a flag so the letsencrypt job still does this
however.  I think it is worth this job actually calling acme.sh to
validate this path; this shouldn't be required too often.

Change-Id: I7c0b471a0661aa311aaa861fd2a0d47b07e45a72
2021-10-06 15:34:21 +11:00
Ian Wienand
fff85f029c borg-backup-server: wait for lock in verify
We have seen a case where the weekly verification run conflicted with
an in-progress backup run.  Make the verification step wait for up to
an hour for the lock to allow backups to complete.

Change-Id: Id87dd090c7cd652695ab0c4aa73477cf0d72c28d
2021-10-06 10:34:13 +11:00
Ian Wienand
f673eda549 gerrit: add its actions.config file
This file used to be managed by puppet-gerrit and it seems we missed
converting it to Ansible.  Add it with the contents from the server.

Change-Id: I10a10166446941d2676ae9181fc74b5a1408c5ed
2021-10-05 08:36:25 +11:00
Jeremy Stanley
c80c6eeda9 Revert "Switch Fedora mirror to mirrors.mit.edu"
This reverts commit aa5623982fbecb4958ee90ab7ddc54d6d0d49747.

The MIT mirror seems to now be missing Fedora 34 indices, but the
one we were using before at UH looks just fine now.

Change-Id: I59649ea93cc1ce13715096dcd0b8f828ce6b6724
2021-09-30 03:09:50 +00:00
Clark Boylan
c9d6b4d248 Use fullchain.cer on graphite for nginx
Nginx doesn't seem to support explicit intermediate cert chains [0] and we
need to supply all of the certs together in a single file. Thankfully
acme.sh does this and calls it the fullchain.cer file. Use that in the
nginx config for graphite to fix issues with ssl verification to this
service.

[0] http://nginx.org/en/docs/http/configuring_https_servers.html#chains

Change-Id: I318fb92a30c1593c2a2e4cb37496b16f17472f1d
2021-09-29 15:18:10 -07:00
Zuul
bb0f135b5b Merge "GC/pack gitea repos every other day" 2021-09-28 21:35:57 +00:00
Clark Boylan
048a918a61 Upgrade gitea to 1.15.3
We move robots.txt to custom/ instead of custom/public/ as
custom/public/ is now served at /assets/ via the gitea webserver and we
need robots.txt at the root. Related to this we update image urls to be
prefixed with AssetUrlPrefix in their paths so that if this path changes
again in the future we should automatically accommodate that.

Change-Id: I8ce5fe8ff342617ff156a401be8418d593fd35c4
2021-09-27 12:54:52 -07:00
Zuul
bcb437237a Merge "gerrit: host logo in static files" 2021-09-27 16:54:19 +00:00
Zuul
64d0939da2 Merge "gerrit: copy static files directly into container image" 2021-09-27 16:54:16 +00:00
Zuul
7e030a32df Merge "Use Apache to serve a local OpenDev logo on paste" 2021-09-21 23:28:04 +00:00
Jeremy Stanley
1a227489e2 Use Apache to serve a local OpenDev logo on paste
In order to avoid unnecessary browser requests to other sites,
install a copy of the OpenDev logo on the Lodgeit server and serve
it from there rather than pointing at one served from Gitea.

Change-Id: I4c3678a1de8ca4a41cd0c64aab71b2e0e25373af
2021-09-21 20:28:29 +00:00
Clark Boylan
522afa85cc GC/pack gitea repos every other day
Previously we were doing this weekly. Gerrit does this daily. "Split"
the difference and do gitea every other day.

We have noticed that replication to gitea can be slow at times. One idea
is that the less packed repos on the gitea side may make negotiating the
updates slower. Pack more often to see if this helps.

Change-Id: I8961007dce3e448bfdbf1c5f3e8dfc5ec8eb82fb
2021-09-21 08:32:15 -07:00
Zuul
fc75255ea9 Merge "gerrit: copy theme plugin from plugins/" 2021-09-21 15:13:09 +00:00
Zuul
02705bf73a Merge "lodgeit: use logo from system-config assets" 2021-09-21 14:28:18 +00:00