action #169564
Updated by okurz 23 days ago
## Acceptance criteria
* **AC1:** All OSD production hosts in the NUE2 server room that are managed via Salt have WireGuard set up via Salt so they can reach the CC area
* **AC2:** The setup is reproducible
## Suggestions
* Follow steps on https://confluence.suse.com/display/~dawei_pang/VMs+on+vm-server.qa2.suse.asia+accessing+CC+area#VMsonvmserver.qa2.suse.asiaaccessingCCarea-HowtoprepareWGonyourVMs on one host and prepare a Salt change to apply this to other relevant hosts.
* Introduce a special role or add a condition based on worker classes to set up WireGuard only on hosts in the NUE2 server room.
* Take https://confluence.suse.com/display/enginfra/Wireguard+gateway+-+auto+configuration+tool as inspiration for the Salt change.
* This involves letting IT do the final configuration manually. Supposedly that's also where the keypair is generated and the public key copied over to the WG gateway.
* Have a look at https://sd.suse.com/servicedesk/customer/portal/1/SD-171369 in case we get a response from IT after all.
* Talk to Beijing colleagues who have already been through this.
* Put into Salt or documentation what needs to be done if we want to reproduce, e.g. put private keys into the Salt pillar repo.
* When done, add affected workers back to Salt, e.g. via `for key in petrol.qe.nue2.suse.org sapworker1.qe.nue2.suse.org diesel.qe.nue2.suse.org mania.qe.nue2.suse.org; do salt-key --accept="$key" --include-rejected --yes; done`