Merge pull request #731 from stackhpc/merge-zed-antelope

Merge zed into antelope

Author: Alex-Welsh

.github/workflows/overcloud-host-image-build.yml

@@ -34,14 +34,14 @@ jobs:
     runs-on: [self-hosted, stackhpc-kayobe-config-kolla-builder-rl9]
     permissions: {}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: src/kayobe-config
 
       - name: Determine OpenStack release
         id: openstack_release
         run: |
-          BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' .gitreview)
+          BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' src/kayobe-config/.gitreview)
           echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT
 
       # Generate a tag to apply to all built overcloud host images.
@@ -67,7 +67,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          sudo dnf -y install zstd
+          sudo dnf -y install zstd debootstrap
 
       - name: Setup networking
         run: |
@@ -84,14 +84,6 @@ jobs:
           sudo ip l set dummy1 up
           sudo ip l set dummy1 master breth1
 
-      # FIXME: Without this workaround we see the following issue after the runner is power cycled:
-      # TASK [MichaelRigart.interfaces : RedHat | ensure network service is started and enabled] ***
-      #   Unable to start service network: Job for network.service failed because the control process exited with error code.
-      #   See \"systemctl status network.service\" and \"journalctl -xe\" for details.
-      - name: Kill dhclient (workaround)
-        run: |
-          (sudo killall dhclient || true) && sudo systemctl restart network
-
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&

doc/requirements.txt

@@ -5,3 +5,4 @@
 reno>=3.4.0 # Apache-2.0
 sphinx>=4.2.0 # BSD
 sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
+Sphinx-Substitution-Extensions # Apache-2.0

doc/source/conf.py

@@ -30,15 +30,18 @@
 # Variables to override
 
 current_series = "2023.1"
+previous_series = "zed"
 branch = f"stackhpc/{current_series}"
 
 # Substitutions loader
-rst_epilog = """
+rst_prolog = """
 .. |current_release| replace:: {current_release}
 .. |current_release_git_branch_name| replace:: {current_release_git_branch_name}
+.. |previous_release| replace:: {previous_release}
 """.format(  # noqa: E501
     current_release_git_branch_name=branch,
     current_release=current_series,
+    previous_release=previous_series,
 )
 
 # -- General configuration ----------------------------------------------------
@@ -51,6 +54,7 @@
     'sphinx.ext.extlinks',
     #'sphinx.ext.intersphinx',
     'sphinxcontrib.rsvgconverter',
+    'sphinx_substitution_extensions',
 ]
 
 # autodoc generation is a bit aggressive and a nuisance when doing heavy
@@ -118,3 +122,6 @@
     f"{project}-doc": (f"https://docs.openstack.org/{project}/{current_series}/", "%s documentation")
     for project in extlinks_projects
 }
+extlinks["skc-doc"] = (f"https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-{current_series}/", "%s documentation")
+extlinks["kayobe-renos"] = (f"https://docs.openstack.org/releasenotes/kayobe/{current_series}.html", "%s release notes")
+extlinks["kolla-ansible-renos"] = (f"https://docs.openstack.org/releasenotes/kolla-ansible/{current_series}.html", "%s release notes")

doc/source/configuration/monitoring.rst

@@ -136,3 +136,39 @@ mgrs group and list them as the endpoints for prometheus. Additionally,
 depending on your configuration, you may need set the
 ``kolla_enable_prometheus_ceph_mgr_exporter`` variable to ``true`` in order to
 enable the ceph mgr exporter.
+
+OpenStack Capacity
+==================
+
+OpenStack Capacity allows you to see how much space you have avaliable
+in your cloud. StackHPC Kayobe Config includes this exporter by default
+and it's necessary that some variables are set to allow deployment.
+
+To successfully deploy OpenStack Capacity, you are required to specify
+the OpenStack application credentials in ``kayobe/secrets.yml`` as:
+
+.. code-block:: yaml
+
+    secrets_os_exporter_auth_url: <some_auth_url>
+    secrets_os_exporter_credential_id: <some_credential_id>
+    secrets_os_exporter_credential_secret: <some_credential_secret>
+
+After defining your credentials, You may deploy OpenStack Capacity
+using the ``ansible/deploy-os-capacity-exporter.yml`` Ansible playbook
+via Kayobe.
+
+.. code-block:: console
+
+    kayobe playbook run ansible/deploy-os-capacity-exporter.yml
+
+It is required that you re-configure the Prometheus, Grafana and HAProxy
+services following deployment, to do this run the following Kayobe command.
+
+.. code-block:: console
+
+    kayobe overcloud service reconfigure -kt grafana,prometheus,haproxy
+
+If you notice ``HaproxyServerDown`` or ``HaproxyBackendDown`` prometheus
+alerts after deployment it's likely the os_exporter secrets have not been
+set correctly, double check you have entered the correct authentication
+information appropiate to your cloud and re-deploy.

doc/source/configuration/vault.rst

@@ -296,6 +296,7 @@ Configure Barbican
       [vault_plugin]
       vault_url = https://{{ kolla_internal_vip_address }}:8200
       use_ssl = True
+      ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %}
       approle_role_id = {{ secrets_barbican_approle_role_id }}
       approle_secret_id = {{ secrets_barbican_approle_secret_id }}
       kv_mountpoint = barbican

doc/source/configuration/wazuh.rst

@@ -57,7 +57,9 @@ Define VM sizing in ``etc/kayobe/inventory/group_vars/wazuh-manager/infra-vms``:
   infra_vm_data_capacity: "200G"
 
 
-Optional: define LVM volumes ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm``:
+Optional: define LVM volumes in ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm``.
+``/var/ossec`` often requires greater storage space, and ``/var/lib/wazuh-indexer``
+may be beneficial too.
 
 .. code-block:: console
 
@@ -73,7 +75,7 @@ Optional: define LVM volumes ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm
           size: "100%VG"
           filesystem: "ext4"
           mount: true
-          mntp: “/var/lib/elasticsearch”
+          mntp: "/var/ossec"
           create: true
 
 
@@ -249,7 +251,7 @@ It will be used by wazuh secrets playbook to generate wazuh secrets vault file.
 .. code-block:: console
 
   kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml
-  ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh/wazuh-manager/wazuh-secrets
+  ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/wazuh-secrets.yml
 
 
 TLS (optional)
@@ -300,6 +302,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 
@@ -314,6 +331,8 @@ Encrypt the keys (and remember to commit to git):
 
 ``ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/ansible/wazuh/certificates/certs/*.key``
 
+.. _wazuh-verification:
+
 Verification
 ------------
 

doc/source/operations/index.rst

@@ -7,6 +7,7 @@ This guide is for operators of the StackHPC Kayobe configuration project.
 .. toctree::
    :maxdepth: 1
 
+   upgrading
    rabbitmq
    octavia
    hotfix-playbook