Skip to content

Init of preprod branch #1458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
LukasCuperDT wants to merge 251 commits into
base: main
Choose a base branch
from
Draft

Init of preprod branch #1458

LukasCuperDT wants to merge 251 commits into from

Conversation

@LukasCuperDT
Copy link
Contributor

@LukasCuperDT LukasCuperDT commented Dec 1, 2025

No description provided.

@gitguardian
Copy link

gitguardian bot commented Dec 1, 2025
edited
Loading

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@LukasCuperDT LukasCuperDT force-pushed the preprod branch 3 times, most recently from dc717ad to 85fa909 Compare December 1, 2025 11:37
LukasCuperDT and others added 7 commits December 3, 2025 09:18
@LukasCuperDT
Providing initial zuul preprod setup (#1459)
d455333
@LukasCuperDT
Remove pool2, use only pool1 for zuul preprod
e4b8b15
@LukasCuperDT
Fix zuul preprod: remove node selectors, fix zookeeper certs, add exe…
f20aaeb 
…cutor storage class
@LukasCuperDT
Add explicit image fields to deployment patches to prevent strategic …
aa1adcd 
…merge issues
@LukasCuperDT
Use JSON patches to properly remove nodeSelector fields
c0381cf
@LukasCuperDT
Remove hardcoded node selectors from base components
c3206cb 
- Removed nodeSelector: dedicated=zuul-ci from all 8 base component files
- Deleted remove-node-selectors.yaml patch (no longer needed)
- Updated kustomization.yaml to remove patch reference
- Allows pods to schedule on any available nodes
@LukasCuperDT
Fix PVC storage class issues
ed92248 
- Add patch to change zuul-config PVC from csi-nas to csi-sfsturbo
- csi-nas was failing with provisioning errors
- Deleted old zuul-var-zuul-executor-0 PVC (will be recreated with correct storageClassName)
@LukasCuperDT LukasCuperDT force-pushed the preprod branch 2 times, most recently from b1956d0 to becabb8 Compare December 3, 2025 09:45
@LukasCuperDT
Change zuul-config PVC storage class to nfs-rw
1da5a6a 
- csi-sfsturbo requires special parameters (everest.io/volume-as)
- Use nfs-rw flex-volume based storage class instead
@LukasCuperDT
Disable name suffix hash for zuul-config and nodepool-config secrets
980e008 
- Pods expect exact secret names without hash suffixes
- Added disableNameSuffixHash: true to both secret generators
@LukasCuperDT
Fix container names in patches to match base components
e17dce7 
- Changed container names from component-specific (zuul-scheduler, zuul-web, etc) to 'zuul'
- Base components use 'name: zuul' for all containers
- Patches were creating new containers instead of patching existing ones
- This caused volume mounts from base to be lost
@LukasCuperDT
Fix SSH key mounts - use /var/lib/zuul-ssh instead of /etc/zuul
f97c5ab
@LukasCuperDT LukasCuperDT force-pushed the preprod branch 2 times, most recently from 485fcc9 to c786473 Compare January 15, 2026 15:00
@LukasCuperDT
feat(swift-proxy): Update to use Kolla container images
bbd622f 
- Switch to OpenStack Kolla images (2024.1-ubuntu-jammy):
  - swift-proxy-server for proxy
  - swift-object, swift-container, swift-account for storage
- Add Kolla config.json ConfigMaps for each service
- Update security contexts to allow Kolla containers to run as root
- Create shared PV pointing to same NFS as zuul-config
- Remove hardcoded commands, use Kolla's kolla_start entrypoint
- Fix PVC binding to use separate PV in swift-proxy namespace
@LukasCuperDT
swift-proxy: align preprod pipeline with production
1a0d7f3 
- Add symlink filter after versioned_writes to match production
- Document that validatetoken (custom middleware) is skipped in Kolla
- Pipeline now matches production except for custom validatetoken filter
@LukasCuperDT
swift-proxy: mount ring files ConfigMap in proxy and storage pods
4b374ad 
- Add swift-rings volume mount to proxy deployment
- Add swift-rings volume mount to all storage server containers
- Fixes: FileNotFoundError for container.ring.gz
- Ring files are created by ring-builder job hook
@LukasCuperDT
swift-proxy: make ring-builder a regular Job with sync wave
6078e10 
GitOps approach:
- Remove all hooks (Helm and ArgoCD hooks are not GitOps-friendly)
- Use sync-wave: -1 to ensure job runs before deployment
- ArgoCD will deploy and manage the job as regular resource
- Job creates rings ConfigMap that pods depend on
@LukasCuperDT
swift-proxy: set replica factor to 1 for preprod
a8aaa58 
Preprod has only 1 storage node, requires replica factor of 1
Production uses 3 replicas with multiple storage nodes
@LukasCuperDT
swift-proxy: use Kubernetes API directly to create rings ConfigMap
2cfb0ba 
- Replace kubectl with curl + Kubernetes API calls
- Kolla image doesn't have kubectl installed
- Use service account token for authentication
- Create or update ConfigMap with ring files as binaryData
@LukasCuperDT
swift-proxy: add RBAC for ring-builder job to create ConfigMaps
ebf9e12 
- Create Role allowing configmap create/update operations
- Bind Role to service account used by ring-builder job
- Fixes: 403 Forbidden when job tries to create rings ConfigMap
@LukasCuperDT
swift-proxy: remove duplicate ServiceAccount from rbac.yaml
4d518f4 
ServiceAccount already exists in serviceaccount.yaml
@LukasCuperDT
swift: Mount rings at /srv/rings and copy to /etc/swift after Kolla init
8c25c38 
Kolla needs to write configuration files to /etc/swift, but mounting
the rings ConfigMap there makes it read-only. Changed approach:
- Mount swift-rings ConfigMap at /srv/rings (read-only)
- Let Kolla initialize and write configs to /etc/swift
- Copy ring files from /srv/rings to /etc/swift after Kolla completes
- Start Swift servers with ring files in place

Applied to: proxy deployment and all three storage containers
(object-server, container-server, account-server)
@LukasCuperDT
swift: Use kolla_set_configs instead of kolla_start
e67ee05 
kolla_start immediately executes the Swift server, which fails because
ring files aren't copied yet. Changed to:
1. Call kolla_set_configs directly to setup configs
2. Copy ring files from /srv/rings to /etc/swift
3. Exec Swift server with rings in place

Also use full venv paths for Swift binaries.
@LukasCuperDT
zuul: Switch logs to internal Swift cluster
b23007e 
Changed zuul-logs cloud configuration to use internal Swift cluster
instead of OBS:
- Endpoint: http://swift-proxy-preprod.swift-proxy.svc.cluster.local:8080
- No authentication needed (internal cluster access)
- Shares SFS Turbo storage with Zuul
- Container: zuul-preprod-logs

This fixes 403 Forbidden errors when uploading logs to OBS.
@LukasCuperDT
fix(zuul): add git safe.directory to fix zuul-config ownership errors
f577cf5
@LukasCuperDT
fix(zuul): remove zuul_log_path override to allow dynamic path genera…
6a47190 
…tion
@LukasCuperDT
fix(zuul): revert clouds.yaml to use OBS with Vault secrets for log s…
8b345fc 
…torage
@LukasCuperDT
fix(zuul): disable log upload temporarily - OBS container access forb…
f4006d1 
…idden
@LukasCuperDT
feat(zuul): configure log upload to internal Swift with Vault-based t…
2737f19 
…empauth

- Re-enable log uploads (zuul_site_upload_logs: true)
- Configure zuul-logs cloud to use internal Swift cluster
- Use v1password auth with credentials from Vault (secret/data/zuul/logs/otc_technical_user)
- Swift tempauth configured to read account, user, and password from Vault
- Credentials: swift_username (account:user format), swift_password
- Region set to eu-de for consistency with OTC
- ArgoCD Vault Plugin will inject secrets at deployment time
@LukasCuperDT
feat(zuul): use log_writer credentials for internal Swift with logs a…
4472917 
…ccount
@LukasCuperDT
fix(zuul): remove auth_type for Swift v1 tempauth auto-detection
4747eb8
@LukasCuperDT
fix(swift): add sync-wave to RBAC resources before Job
9a76115
@LukasCuperDT
fix(swift): ensure ServiceAccount annotations are properly merged wit…
82d6314 
…h sync-wave
@LukasCuperDT
fix(swift): add sync-wave -2 to all ConfigMaps before Job runs
1945759
@LukasCuperDT
fix(swift): use logwriter instead of log_writer for tempauth compatib…
d0e7e64 
…ility
@LukasCuperDT
fix: Swift proxy service should only select proxy pods, not storage pods
e06c4a6
@LukasCuperDT
fix: Add init container to create Swift device directory structure
d75ec8e
@LukasCuperDT
fix: Replace tempauth with no-auth configuration for internal Zuul lo…
398a29c 
…g storage

- Remove tempauth from Swift proxy pipeline (was causing 503 errors)
- Add formpost middleware for unauthenticated uploads
- Configure clouds.yaml with auth_type: none and direct endpoint
- Simplifies authentication for internal-only log storage cluster
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@otcbot otcbot Awaiting requested review from otcbot otcbot will be requested when the pull request is marked ready for review otcbot is a code owner

@vladimirhasko vladimirhasko Awaiting requested review from vladimirhasko vladimirhasko will be requested when the pull request is marked ready for review vladimirhasko is a code owner

@tischrei tischrei Awaiting requested review from tischrei tischrei will be requested when the pull request is marked ready for review tischrei is a code owner

@SebastianGode SebastianGode Awaiting requested review from SebastianGode SebastianGode will be requested when the pull request is marked ready for review SebastianGode is a code owner

@sgmv sgmv Awaiting requested review from sgmv sgmv will be requested when the pull request is marked ready for review sgmv is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@LukasCuperDT @SebastianGode @vladimirhasko