Skip to content

kolla: reconcile the drift-check allowlist#2571

Open
ideaship wants to merge 5 commits into
mainfrom
drift-tooling-allowlist
Open

kolla: reconcile the drift-check allowlist#2571
ideaship wants to merge 5 commits into
mainfrom
drift-tooling-allowlist

Conversation

@ideaship

@ideaship ideaship commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What

Reconciles the kolla drift-check allowlist now that the checks (#2569,
merged) run against the current repos. Five commits, src/drift-allowlist.yml only:

  • neutron_ovn_vpn_agent — defined upstream at master, ahead of the supported release
    range (self-retires once 2026.1 is supported).
  • chrony / openstack_exporter — live OSISM inventions whose names collide with dead or
    renamed kolla services (verified via upstream git history + OSISM consumers); allowlisting
    at the enable-flag level also clears their companion vars in kolla_orphan_config.
  • auditd — live OSISM host-level auditd; never an upstream kolla service.
  • httpd rolling image tags — role-managed by design, not release-pinned.
  • Drop the stale kolla_groupvars_missing section (eutron_external_interface):
    upstream fixed the typo on stable/2025.2 (bug 2160035, merged 2026-07-08), so the
    finding this entry suppressed is gone and the daily check reports the entry as stale —
    the removal trigger the entry's own comment named.

No merge-order constraint: the previous gate on osism/defaults#297 dissolved with the
upstream typo fix (the entry is stale on main today regardless of #297).

Builds on merged #2569 (drift checks) + #2570 (transport/archive backend).

Related

@ideaship ideaship force-pushed the drift-tooling-allowlist branch from 5a432ae to 9fd2eb3 Compare July 12, 2026 07:25
@ideaship ideaship marked this pull request as ready for review July 12, 2026 07:34
@ideaship ideaship moved this from New to Ready for review in Human Board Jul 12, 2026
@ideaship ideaship moved this from Ready for review to In review in Human Board Jul 12, 2026
ideaship added 5 commits July 13, 2026 05:22
kolla_image_orphan flags neutron_ovn_vpn_agent_image / _tag because they
are defined in kolla-ansible master (neutron role) but not in any
release in the supported 2024.1-2025.2 union. It is a forward-looking
upstream addition OSISM carries ahead of the range, not dead cruft, so
allowlist both vars. Once 2026.1 is supported the union will cover them,
the check will stop flagging them, and stale-allowlist detection will
report these entries as stale -- prompting their removal.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
kolla_enablement_orphan flagged enable_chrony and
enable_openstack_exporter as orphaned (no upstream kolla-ansible
counterpart at a supported release), and kolla_orphan_config
consequently flagged their seven companion vars as dead config to
remove: chrony_servers and chrony_allowed_subnets in
all/099-generic.yml, and the five openstack_exporter_* vars
(clouds_yml_cloud, clouds_yml_path, secure_yml_path,
service_monitor_scrape_interval, service_monitor_scrape_timeout) in
all/099-infrastructure.yml.

Both are false positives: these are live OSISM inventions whose names
collide with dead or renamed kolla services. Verified two ways:

- Upstream kolla-ansible git history shows chrony_servers,
  chrony_allowed_subnets and every openstack_exporter_* var never
  existed upstream. The kolla chrony role that was removed in Xena
  defined chrony_image/chrony_tag/chrony_bindaddress, never
  chrony_servers; upstream's exporter is the separate
  prometheus_openstack_exporter.
- They are consumed by live OSISM roles that the drift scan does not
  cover: ansible-collection-services/roles/chrony (chrony.conf.j2 host
  NTP config) and osism-kubernetes/roles/monitoring (the k8s
  openstack-exporter ServiceMonitor and clouds.yml wiring).

Allowlist is the tool's designed resolution for OSISM inventions (cf.
the existing common / kolla_operations entries), not adding the
consumer repos to the scan: these are upstream-mirror checks, not
consumer-usage checks, so consumer-scanning would mask genuine drift
and drop the documented rationale. Allowlisting at the enable-flag
level also clears the paired kolla_orphan_config companion-var findings,
because that check derives its dead-service set from
kolla_enablement_orphan minus this allowlist.

After the change, check-drift.py --group all reports zero
kolla_orphan_config drift and kolla_enablement_orphan no longer lists
chrony/openstack_exporter (nine to seven flags, leaving the genuinely
removed karbor/qinling/searchlight/auditd). Overall "to act on" drops
from 61 to 52, allowlisted rises 53 to 55, with no stale entries, and
all 262 drift tests pass.

While here, correct the section comment: kolla_enablement_orphan uses
explicit scope -- it flags every invented enable_* by name regardless of
value -- not a "truthy-only scope"; the old wording wrongly implied a
flag must be truthy to surface.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
kolla_enablement_orphan flagged enable_auditd as orphaned because
upstream kolla-ansible defines no auditd service at any supported
release. This is a false positive: enable_auditd is a live OSISM
invention that never existed upstream (verified via kolla-ansible git
history), gating OSISM's own host-level audit daemon. It is consumed by
ansible-collection-services/roles/auditd and the generic/auditd.yml,
bootstrap.yml and maintenance.yml playbooks (when: enable_auditd).

Allowlist it alongside the other OSISM-invented enable flags rather than
removing the flag or extending the scan, consistent with the chrony and
openstack_exporter entries. After the change check-drift.py --group all
reports zero kolla_enablement_orphan drift, no stale allowlist entries,
and all 262 drift tests pass.

Enrich the reason to note enable_auditd is false by default: the check
still flags it because kolla_enablement_orphan uses explicit scope (by
name, regardless of value), so the entry is load-bearing, not stale.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
The role_unpinned check flags role-default <alias>_tag pins that have no
canonical release base.yml pin. Two of the four remaining findings are
httpd role images whose tags are intentionally rolling and role-managed,
not release-pinned:

- httpd: the Apache static/reverse-proxy server, pinned to the rolling
  'alpine' tag by design.
- httpd_data: a one-shot rsync data-import sidecar (httpd_data_enable is
  off by default) that tracks registry.osism.tech/osism/rsync:latest by
  design.

Neither should carry a base.yml pin, so allowlist both under
role_unpinned, matching the existing zuul_* CI-stack precedent. This
clears 2 of the 4 role_unpinned findings; kepler and thanos_sidecar
remain and are handled separately.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
Upstream fixed the eutron_external_interface typo on stable/2025.2
(bug 2160035, merged 2026-07-08), so the kolla_groupvars_missing
finding this entry suppressed is gone and the entry reports stale --
exactly the removal trigger its comment named. It was the only entry
in the section, so remove the entry together with its now-empty
"# --- kolla_groupvars_missing ---" header.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
@ideaship ideaship force-pushed the drift-tooling-allowlist branch from 9fd2eb3 to 5f5c065 Compare July 13, 2026 03:22
@ideaship ideaship requested a review from berendt July 13, 2026 03:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In review

Development

Successfully merging this pull request may close these issues.

2 participants