This change configures puppet to install core plugins which are packaged with
the released gerrit.war file. The method to install the plugins is to just extract
them from the war file and place them into review_site/plugins folder. This method seemed
easier than using the 'init --install-plugin' option because the --install-plugin
option requires listing every plugin by name.
Change-Id: I08335f970cee9e88d41c3695fccb370d05d1a4d1
The ssh key in ~gerrit2/.ssh/id_rsa which is what is used for outbound
ssh-based replication is currently just kinda there by hand. Add management
of the files there.
Change-Id: I5bfea4543d6eb46ba2e9f3c791f4e6b6c5534522
Closes-Bug: 1209464
This patch addresses:
LDAP not requiring username or password (anonymous bind)
This is required to support configurations where LDAP is on a secure network,
and anonymous bind is enabled.
LDAP using a self signed SSL cert (verify ssl on or off)
This is required to support configurations where LDAP requires SSL, but ssl is
using an internal or self signed certificate, and therefore fails cert checks.
This also covers testing conditions where a consumer might use OS with LDAP+ssl
unsigned.
LDAP using a nonstandard cn naming convention (ie email address).
This is required to deal with an edge case where 'cn' in ldap might be something
other than a bare username. Gerrit pulls the ssh username from that value and
will not accept a non-alphanumeric address. By setting 'accountSshUserName' in
puppet, that is setable.
LDAP prepopulating account Full name.
Gerrit has a configuration option to pull Full Name from LDAP, this change exposes
that option.
Change-Id: Ibd41d59ff98e406b42e1e14cc17e23b3d6211d58
It would be good to keep the command output and exit code when installing or
upgrading gerrit in case it doesn't work.
Change-Id: Ia93001706b4ea509797419b74716c23db47aaed1
jeepyb gets a new upstream tracking syntax in
https://review.openstack.org/#/c/35535/
Switch to use it.
The new syntax will operate via git push, so that changes to upstream
can trigger zuul events.
Change-Id: Ideca999aca0e8583cce9a1227089243216175158
Scoping rules mean that we need to be explicit here or else puppet finds
the wrong thing. Also, puppet needs a trailing slash.
Change-Id: Ifc2f03dbf1dd746515e00ded5d76fe7393ce6c7e
The `$mysql_password` variable is used by the `secure.config.erb`
template in the gerrit class, but is not passed from
openstack_project::review -> openstack_project::gerrit -> gerrit.
Instead it uses dynamic scopeing to find the variable and won't work in
Puppet 3. This adds the full parameter passing for Puppet 3.
This commit also adds "Template uses" comments immediately preceding
resources declarations which use a `template()` function to describe all
variables used by the gerrit templates. This greatly helps with
debugging issues such as this.
Change-Id: I747e3e4623444c0345a7aed3732b7d316f1a7726
These things were listed before we had jeepyb as its own things
(gerritlib in gerrit) and before jeepyb has pbr/requirements.txt
as it does now. With the move to pip install -U . in /opt/jeepyb,
there is no need to also ask puppet to manage these.
Change-Id: I7b521d03b3df8c0bde37586748769f160e615d31
* modules/gerrit/manifests/init.pp: The gerrit installer adds
jarfiles for bcprov and mysql-connector into its lib directory, but
puppet needs to know how to add them itself.
Change-Id: Id61260d0d28f1aadf85dc8604688b0131cddf682
Puppetlabs-mysql 0.6.1 correctly removes the local ::1 root user in the
account_security manifest. Upgrade to this version to take advantage of
that. Do not upgrade to latest version (0.9.0) to minimize delta that
needs testing.
Change-Id: Ic8265733f1159f34ae0afcccdea4c7d8cd44e3cb
The version of puppetlabs-mysql that we use does not remove the local
::1 root user from the mysqld. Explicitly remove this user.
Change-Id: I626fcc77c75a29d3f3cab57217b714e68a30b468
This time, make the default value false instead of empty string.
This reverts commit 99d3283dc246da4b4d2d26ecfb193b308881f05d
Change-Id: I88108ff75f1c2bd3aa78856c186312340258ec3c
Make it possible to configure with LDAP or OPENID_SSO.
Also, it's possible to not want to need CLAs.
Change-Id: Ie6660c819f4078dd4dd5be052e74aaa98c54cab4
This commit moves the MySQL configuration from the gerrit puppet
module into a seperate mysql puppet module. The purpose of
this change is to allow us to more easily customise gerrit's
mysql configuration for each instance of gerrit that we deploy..
Partial-Bug: 1083101
Change-Id: Ibcc31b3fce8af54229fd4de69a49842ac1c428ae
We have a cgit server now, which means we should replace
all references to github with references to git.openstack.org.
Change-Id: I68ad1ce514fb4326c7d9940b5a84999af5b58562
Will take effect when Zuul is running this change:
I74702fd7d37358e6f4caa7e7ac0a3ede73184077
This change also adds that feature to the Zuul config and enables
it for OpenStack. It also adds the ability to specify HTML in a
commentlink (and uses it).
Change-Id: Idb4ad8e6079165d681271987a92cab5d8b7c81be
Modify gerrit's git replication configuration so that it
pulls in from a list of replication targets defined in
puppet rather than individually added stanzas.
Pull the replicate_github variable from files, since it
is no longer required.
The replicate_local variable remains because it's used
in the apache configuration and for setup of the local
replication space for git.
Also add the cgit server to the list of servers.
Change-Id: I68de89bb216565f1754eb9b192bd437adcbf768b
Oracle has EOLed Java 6. While OpenJDK 6 is still supported, development
on it has slowed. Upgrade to OpenJDK 7 and run Gerrit on this newer
platform.
Change-Id: Id5867a0269bc6af3e7f6214112e91c8848ffbbe4
Actually, it's support for parameterized listen_address, but the
real thing you want it for is setting the port.
Change-Id: If75fedce32f35a8f72c92fc709d5c9e8b2d35235
Reviewed-on: https://review.openstack.org/33925
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
And slow down bing (msnbot).
Change-Id: Id8361047abc2cfb52260b3d0ef01275ec3a923f5
Reviewed-on: https://review.openstack.org/32435
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Elizabeth Krumbach Joseph <lyz@princessleia.com>
Reviewed-by: Anita Kuno <anita.kuno@enovance.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: If87b0242c9203175335842832d13ebc6dfec2950
Reviewed-on: https://review.openstack.org/25119
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
* modules/gerrit/templates/gerrit.vhost.erb: If the contactstore
feature is enabled, don't shadow the URL to the fakestore CGI with
the Gerrit loopback proxy.
Change-Id: Ic6d01d671b762370b91f732c1a980051cdb5f6c2
Reviewed-on: https://review.openstack.org/20053
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
This is useful for testing Gerrit's contactstore features if you
don't have a real contact store server set up already.
* modules/gerrit/files/fakestore.cgi: An extremely trivial shell
script which returns the content Gerrit expects from a successful
submission to a contactstore server. Note this does not check the
application security key or store any of the post variables--it is
simply a black hole for contact updates.
* modules/gerrit/manifests/init.pp: If the contactstore feature is
enabled in Gerrit, install the fakestore.cgi script so it can be
available for testing.
* modules/gerrit/templates/gerrit.vhost.erb: If the contactstore
feature is enabled, ScriptAlias the /fakestore URL to the
fakestore.cgi script.
Change-Id: Ifa0f80bab9e8b8e207f0ffd83f01c8a3d904618e
Reviewed-on: https://review.openstack.org/19939
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Change-Id: I409bd50ae374e0288531f07cfeea34856c5f8067
Reviewed-on: https://review.openstack.org/17319
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: James E. Blair <corvus@inaugust.com>
Change-Id: I6d6addc2bc0e28b289726cddd6626669dbec1e17
Reviewed-on: https://review.openstack.org/17292
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: I6e5fa77a301eec30cff8e16bad33a91bfd95b13f
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-on: https://review.openstack.org/17176
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Instead of keeping many of these files directly in the tree, use them
from the out-of-tree jeepyb project, which makes them easier to consume
for other people who are not us.
Change-Id: Id704f2e17dd80709ef63cbbf2c5475a08a835f91
Reviewed-on: https://review.openstack.org/16777
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
The blueprint script used openstack-ci instead of the actual project
for any non-openstack/ project. This is counter-productive now that
we have more than one org in gerrit.
Change-Id: Id06fdd89751a62c6da400adefcc84791a030d1b8
Reviewed-on: https://review.openstack.org/16994
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
Mostly documentation and parameterised class parameter complaints.
Change-Id: Idbfd348a5befb041ce6eb36f9c6b195fc0c6799f
Reviewed-on: https://review.openstack.org/16685
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
manage_projects.py was running `git diff-index --quiet HEAD --`
previously to check if project.config had changed. This apparently
returns an exit code of 1 in some cases where a diff was not expected.
Switch to using `git diff --quiet HEAD` to check if any differences are
found. This appears to be more reliable in some manual testing.
Change-Id: I253423e41f80d71a5f2389bfc421e799f00f6fd9
Reviewed-on: https://review.openstack.org/16236
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
Fixes bug #1070577
Make the notify_impact script generic so that it can handle different
types of notifications. Then add a SecurityImpact notification.
Change-Id: Id4bbf7db29e36dde783328e31685079e79d0b1e9
Reviewed-on: https://review.openstack.org/14856
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Do not let update_bug.py reopen a FixCommitted or FixReleased bug just
because the bug number was mentioned in a commit message. In most cases
that mention is just a simple reference to a closed bug. In the rare
cases the committer actually wanted to reopen a closed bug, he should
rather have open a specific bug about it anyway.
Fixes bug 1078745
Change-Id: I513e6fc73d6bab02de21628e55a5d28189834632
Reviewed-on: https://review.openstack.org/16080
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: If10bd25e71f321a7b3ea1cbbe42ab5ec764d62b0
Reviewed-on: https://review.openstack.org/16215
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
The format of the projects.yaml file has been updated and
fetch_remotes.py could not parse it. Correct this by making
fetch_remotes.py aware of the format changes.
Change-Id: Ic0680d02c0e9ce31aae805ac2495957f106acb0a
Reviewed-on: https://review.openstack.org/16098
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
manage_projects.py was unable to find groups in the ACL files because it
was looking for lines that began with tabs but we normalized to lines
beginning with 8 spaces. Also the git clone command string formatting
was not correct.
Change-Id: Ib65d7ad0ca3861d61d7557be72a7c6d6d6e21265
Reviewed-on: https://review.openstack.org/16144
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
In the manage_projects.py script print the captured git output when git
push fails.
Change-Id: I77d8b7e926b6b23b4727a1856a79146daa9d6381
Reviewed-on: https://review.openstack.org/16137
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
