action #62666
open
Move openqa.opensuse.org into opensuse private network
0%
Description
Dear openQA admins
We are currently working towards a better separation of SUSE and openSUSE machines. This should finally allow more community contributors to be able to jump in and either help with the current infrastructure or deploy and develop new stuff - independent from any SUSE influence.
There are just a few machines left to finish this migration - and your openQA setup is one of them.
So I'd like to ask if you could consider moving your current admin machine (ariel) from the "SUSE owned" private network 192.168.254.0/24 into the "openSUSE Heroes owned" network 192.168.47.0/24?
Details:
Current situation:
- 192.168.254.15 is the current IP of your host in this network
- traffic to your webservice https://openqa.opensuse.org/ gets routed via a HAproxy pair from the internet to this interface
- your machine currently reaches out to other networks ("the internet") via a gateway in this network
- you access this machine (and the machines behind it) via a port forwarding rule
New, proposed situation:
- 47.78 will be the new IP of your host in the new network (this might change if you wait too long, but don't worry, we have enough IP addresses at the moment ;-)
- traffic to your webservice https://openqa.opensuse.org/ gets routed via another HAproxy pair from the internet to this interface
- your machine will reach out to other networks ("the internet") via another gateway in this network
- you access this machine (and the machines behind it) via a dedicated openVPN, which is reachable from everywhere
Especially the last point might be interesting for you, as all the others are more or less just cosmetic.
This openVPN is the "openSUSE heroes" openVPN, which has in general nothing to do with anything you might currently use. The openSUSE Heroes try to have security in mind with everything they do - and therefore decided to trust only themselves and their loved distribution. So they set up their own authentication provider and this dedicated VPN to combine security, maintainability and effectiveness. The result is dedicated accounts for everyone who works on openSUSE related infrastructure - while including the ability to work from wherever he is at the moment. All you need is your account and the openVPN certificates for this.
If you agree to get switched, I currently see two possible solutions to work on the infrastructure for openQA:
- use a jumphost, which has to be inside the SUSE network
- get dedicated accounts and VPN credentials and use them
Both options might be used in parallel (while - from a security point of view - only using the 2nd option would be preferred), which hopefully will not become too complicated for you.
Benefit: if there are community members who would like to help and work on openQA, they could easily be allowed to do so.
Alternatively, you can decide to "stay on the SUSE side", which will imply no change of your current workflows. You might be the only openSUSE infrastructure project staying under the SUSE-IT umbrella in this case - but this option clearly exists.
With kind regards,
Lars on behalf of the openSUSE heroes
PS: I tried to add everyone who currently has an account on ariel as "watcher" to this ticket. I clearly missed some and apologize for this, but I could not really figure out everyone's "ariel login" <-> "bugzilla login" mapping.