7f06a0ce2e
Please carefully review the changelog: https://github.com/go-gitea/gitea/blob/v1.17.1/CHANGELOG.md and ensure that we've properly addressed the items listed there. I have listed the breaking changes list here and any actions we've taken or justification for why they don't affect us: * Require go1.18 for Gitea 1.17 (#19918) We were already using go 1.18. * Make AppDataPath absolute against the AppWorkPath if it is not (#19815) Path is already absolute: playbooks/roles/gitea/templates/app.ini.j2:APP_DATA_PATH = /data/gitea * Nuke the incorrect permission report on /api/v1/notifications (#19761) This has to do with how that api endpoint returns permissions. We don't use this anywhere as far as I can tell. * Refactor git module, make Gitea use internal git config (#19732) In the gitea container /data/git/.gitconfig is present but we don't appear to manage this in system-config. I think that means this change is a noop for us as gitea will move its managed .gitconfig from /data/git/.gitconfig to /data/git/repositories/.gitconfig. I expect the contents to be the same since gitea must be managing the file old content today. * Remove RequireHighlightJS field, update plantuml example. (#19615) This was a flag that toggled syntax highlighting on and off as best as I can tell. The default is to just have it turned on and we don't check the flag in any of our templates. * Increase minimal required git version to 2.0 (#19577) Debian Bullseye ships with 2.30.2-1. * Add a directory prefix gitea-src-VERSION to release-tar-file (#19396) They were tarbombing people and their tarballs extracted into the current dir. They now no longer do that. We build from git so this doesn't affect us. * Use "main" as default branch name (#19354) We explicitly set the default branch name to master for both gitea and gerrit. This should be a noop for us. Testing has been added to check this. https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gitea-git-repos/library/gitea_create_repos.py#L129-L132 https://opendev.org/opendev/jeepyb/src/branch/master/jeepyb/cmd/manage_projects.py#L488 * Make cron task no notice on success (#19221) I'm not aware of us relying on any cron tasks or any cron task notifications. * Add pam account authorization check (#19040) We don't integrate with pam so the change in behavior to check authorization does not affect us. * Show messages for users if the ROOT_URL is wrong, show JavaScript errors (#18971) This message shows up in CI because ROOT_URL is https://opendev.org but we access gitea in testing via localhost. I don't think this is worth fixing. Its a good reminder that the instance is a test instance. * Refactor mirror code & fix StartToMirror (#18904) We don't mirror repos with gitea. Should be a noop for us. * Remove deprecated SSH ciphers from default (#18697) hmac-sha1-96, diffie-hellman-group1-sha1, and arcfour{128,256} are removed. The only ssh user is gerrit's replication. MINA should be able to support more modern ciphers and be fine. * Add the possibility to allow the user to have a favicon which differs from the main logo (#18542) Previously, logo.svg was used as the favicon.svg and gitea only fell back to favicon.png if the browser couldn't so the .svg. But now they want to support users having different logo.svg and favicon.svg. This necessitates explicitly adding a favicon.svg. Something we already do. Details at https://github.com/go-gitea/gitea/pull/18542 * Update reserved usernames list (#18438) This shouldn't be a problem for us as we don't have regular users and gerrit is not a reserved name. * Support custom ACME provider (#18340) We run ACME with LE out of band. This doesn't affect us. * Change initial TrustModel to committer (#18335) This changes the signed commits trust model from collaborator to committer. THis won't affect us as we aren't maintaining trusted keys. But basically this now shows if the signed commit by the committer matches the committer's key. * Update HTTP status codes (#18063) This changed redirect HTTP codes from 302 to 307. Shouldn't affect us. * Upgrade Alpine from 3.13 to 3.15 (#18050) We build on Debian and not alpine. The alpine nodejs version did change from 14 to 16 in this change and we've updated to match. * Restrict email address validation (#17688) If we had real users this may pose a problem as they are limiting the set of emails gitea would accept to a smaller set than they accepted before. Also fewer than actually allowed by email. But we don't have real users so this should be fine. * Refactor Router Logger (#17308) This streamlines and improves the log format of some of the gitea logs. We aren't automatically processing these logs today so this shouldn't have a major impact on us. Additionally this release adds a new git.HOME_PATH setting to set the location for writing out git configs and potential gnupg configs. We should be fine to let gitea write this content out to the default path, but there is potential for this to impact our ssh daemon. Changes made include: * Minimal updates to web templates to match 1.17 * Updating nodejs to v16 as v14 failed to build gitea * Disabling the new enabled by default "packages" feature * New test to check repos have a master branch by default instead of Gitea's new default of main. Change-Id: I88105eccd118e3daca72f0b86a6b351c35e37413
OpenDev System Configuration
This is the machinery that drives the configuration, testing, continuous integration and deployment of services provided by the OpenDev project.
Services are driven by Ansible playbooks and associated roles stored
here. If you are interested in the configuration of a particular
service, starting at playbooks/service-<name>.yaml
will show you how it is configured.
Most services are deployed via containers; many of them are built or
customised in this repository; see docker/.
A small number of legacy services are still configured with Puppet.
Although the act of running puppet on these hosts is managed by Ansible,
the actual core of their orchestration lives in manifests
and modules.
The files in this repository are provided as an opinionated example service deployment, and to allow the OpenDev Collaboratory to use public software development workflows in order to coordinate changes and improvements to the systems it runs. This repository is not intended as a reconsumable project on its own, and anyone wishing to adjust it to suit their own needs should do so with a fork. The system-config reviewers are unable to evaluate and support use cases for the contents here other than their own.
Testing
OpenDev infrastructure runs a complete testing and continuous-integration environment, powered by Zuul.
Any changes to playbooks, roles or containers will trigger jobs to thoroughly test those changes.
Tests run the orchestration for the modified services on test nodes
assigned to the job. After the testing deployment is configured
(validating the basic environment at least starts running), specific
tests are configured in the testinfra directory to validate
functionality.
Continuous Deployment
Once changes are reviewed and committed, they will be applied
automatically to the production hosts. This is done by Zuul jobs running
in the deploy pipeline. At any one time, you may see these
jobs running live on the status page or
you could check historical runs on the pipeline
results (note there is also an opendev-prod-hourly
pipeline, which ensures things like upstream package updates or
certificate renewals are incorporated in a timely fashion).
Contributing
Contributions are welcome!
You do not need any special permissions to make contributions, even those that will affect production services. Your changes will be automatically tested, reviewed by humans and, once accepted, deployed automatically.
Bug fixes or modifications to existing code are great places to start, and you will see the results of your changes in CI testing. Please remember that this repository consists of configuration and orchestration for OpenDev Collaboratory production systems, so contributions to it will be evaluated on the basis of whether they're useful or applicable to OpenDev's services. Changes intended to make the contents more easily reusable outside OpenDev itself are not in scope, and so will be rejected by reviewers.
You can develop all the playbooks, roles, containers and testing required for a new service just by uploading a change. Using a similar service as a template is generally a good place to start. If deploying to production will require new compute resources (servers, volumes, etc.) these will have to be deployed by an OpenDev administrator before your code is committed. Thus if you know you will need new resources, it is best to coordinate this before review.
The #opendev IRC on OFTC channel is the main place for interactive discussion. Feel free to ask any questions and someone will try to help ASAP. The OpenDev meeting is a co-ordinated time to synchronize on infrastructure issues. Issues should be added to the agenda for discussion; even if you can not attend, you can raise your issue and check back on the logs later. There is also the service-discuss mailing list where you are welcome to send queries or questions.
Documentation
The latest documentation is available at https://docs.opendev.org/opendev/system-config/latest/
That documentation is generated from this repository. You can geneate
it yourself with tox -e docs.