_____ ____ _____ __ __
/ ___/____ _/ / /_/ ___// /_____ ______/ /__
\__ \/ __ `/ / __/\__ \/ __/ __ `/ ___/ //_/
___/ / /_/ / / /_ ___/ / /_/ /_/ / /__/ ,<
/____/\__,_/_/\__//____/\__/\__,_/\___/_/|_|
Authoritative source of this repository is https://gitlab.infra.opensuse.org/infra/salt. Merge requests can be filed there, but access requires the openSUSE Heroes VPN.
Read-only mirrors are available at:
- https://github.com/openSUSE/heroes-salt
- https://code.opensuse.org/heroes/salt (currently not receiving updates)
- https://progress.opensuse.org/projects/opensuse-admin/repository
Documentation can be found in the openSUSE admin wiki.
States can be applied from the master:
salt <target> state.apply
Debugging Salt on a client (i.e. a machine running the salt-minion) is possible using:
salt-call state.apply -l debug test=True
Remember to have a lot of fun! :-)
In addition to the Salt states in this repository various reusable states ("formulas") are in use.
Our formulas (installed from packages):
- https://github.com/openSUSE/salt-formulas (authoritative) or https://code.opensuse.org/heroes/salt-formulas (mirror)
Upstream formulas and forks (installed from Git submodules):
- https://gitlab.infra.opensuse.org/infra/salt-formulas-git (authoritative) or https://code.opensuse.org/heroes/salt-formulas-git (mirror)
Merge requests to the repository trigger a test suite:
lint
: Linting of .jinja, .py, .sh, .sls, .yaml filesvalidate
:- Schema validation of data in pillar/infra/
- File header and suffix check
- Empty files check
- PGP secrets check
- Profiles check
- Roles check
show_highstate
: Saltstate.show_highstate
for every site with all roles enabled - finds basic pillar/state template errorstest_haproxy
: Validates the HAProxy configuration for all proxy clusters - finds pillar and HAProxy syntax errorstest_nginx
: Validates the NGINX configuration for all roles using NGINX - finds pillar and NGINX syntax errorstest_highstate
: Saltstate.test
for every role - finds most pillar/state errorstest_nftables
: Lints and validates the nftables configuration under salt/files/nftables/ - finds cosmetic and syntax issuestest_prometheus
: Validates the Prometheus and Alertmanager configurations as well as the alerting rules under salt/files/prometheus/ - finds monitoring pillar and configuration issues including invalid rules
If the pipeline succeeds and the merge request gets merged, the new data will be copied to all Salt Masters.
The general workflow should be to create a branch (either directly in this repository or in a clone/fork), do your changes, commit and create a merge request for review. This gives other team members the possibility to notice and review your changes. It even sends out Emails, so other team members become aware of them.
On the other side, we do not want to block anyone from being productive. So here are the general rules:
- Always use merge requests.
- We allow to merge those requests on your own - but we want to make use of the benefits of merge requests (notifications, tests, visibility).
Merge requests that require a review:
- changes that might affect a bigger amount of machines - especially, if this affects machines maintained by others
- potentially dangerous stuff that might break existing setups
Merge requests that could be self-merged:
- emergency updates repairing something that is already broken (think about a new gateway IP address as an example)
- typo fixes (includes whitespace fixes)
- changes which only affect machines maintained by the requester themselves
- changes which nobody reviewed / which did not receive any input for more than one week