
Air-gapped Zuul build

Status: draft — automation details and job wiring will be expanded in upcoming releases.

This LLD captures how Zuul is bootstrapped and configured to orchestrate offline Kolla builds.

Prepare infrastructure

  1. Provision hosts or containers for the scheduler, web, executors, mergers, logserver, and Nodepool launcher. Co-locate components only when resources are limited, and keep executors on their own hosts where possible: they run job playbooks (untrusted ones inside a bubblewrap sandbox) and are the most exposed component, so they should not share a host with the scheduler, ZooKeeper, or the database.
  2. Install prerequisites: Python 3.9+, bubblewrap and Ansible on executor hosts, a container runtime if the logserver runs as a container, and systemd units for the Zuul and Nodepool services.
  3. Deploy a highly available ZooKeeper ensemble (three or more nodes, with TLS enabled, which Zuul requires) and a SQL backend (MySQL/MariaDB or PostgreSQL) before starting Zuul.

Install and configure Zuul

  • Install from distribution packages, the project's container images, or zuul-operator on Kubernetes; in an air-gapped site the packages or images must be mirrored first.
  • Create /etc/zuul/zuul.conf (mode 0600, owned by the zuul user; it carries the database password and keystore secret in clear text) with the connection, ZooKeeper, database and keystore settings. Zuul 4.0 and later refuse a plaintext ZooKeeper connection, so hosts= must point at the ensemble's TLS port (2281 by convention) and the client certificate, key and CA must be set; the [keystore] password encrypts project keys and job secrets stored in ZooKeeper and is also required:
    [connection gerrit]
    driver=gerrit
    server=<gerrit-host>
    user=zuul
    sshkey=<path-to-zuul-ssh-private-key>
    
    [zookeeper]
    hosts=zookeeper-1:2281,zookeeper-2:2281,zookeeper-3:2281
    tls_cert=/etc/zuul/ssl/zk-client.pem
    tls_key=/etc/zuul/ssl/zk-client.key
    tls_ca=/etc/zuul/ssl/zk-ca.pem
    
    [database]
    dburi=mysql+pymysql://zuul:<password>@db/zuul
    
    [keystore]
    password=<long-random-secret>
    
  • Put zuul-web behind a TLS-terminating reverse proxy and configure an [auth ...] section (OIDC recommended) so that the admin API (enqueue, dequeue, autohold) only accepts authenticated requests; the read-only UI and API need no authenticator.
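The following linter is added here as an example and is not part of Zuul. It checks a zuul.conf for the points above: a restrictive file mode, the ZooKeeper TLS options and keystore password that Zuul requires, a database URI, zuul-web bound to loopback, and an OpenIDConnect authenticator. Option names follow the Zuul admin documentation; the hostnames, paths and secrets in SAMPLE_CONF and the 16-character keystore password minimum are assumptions made for the demo.

```python
"""Lint /etc/zuul/zuul.conf for the settings an air-gapped deployment must get right.

Added example for this LLD, not part of Zuul. Option names follow the Zuul admin
documentation; MIN_KEYSTORE_PASSWORD_LEN is local policy, and the hosts, paths and
secrets in SAMPLE_CONF are constructed for the demo.
"""
import configparser
import os
import stat
import sys
from typing import List, Optional

MIN_KEYSTORE_PASSWORD_LEN = 16  # local policy, not a Zuul requirement

# Constructed sample: the fragment from this page plus the settings it needs.
SAMPLE_CONF = """\
[connection gerrit]
driver=gerrit
server=gerrit.example.internal
user=zuul
sshkey=/var/lib/zuul/.ssh/id_ed25519

[zookeeper]
hosts=zookeeper-1:2281,zookeeper-2:2281,zookeeper-3:2281
tls_cert=/etc/zuul/ssl/zk-client.pem
tls_key=/etc/zuul/ssl/zk-client.key
tls_ca=/etc/zuul/ssl/zk-ca.pem

[database]
dburi=mysql+pymysql://zuul:s3cret@db/zuul

[keystore]
password=change-me-to-a-long-random-secret

[web]
listen_address=127.0.0.1

[auth keycloak]
driver=OpenIDConnect
realm=zuul
client_id=zuul
issuer_id=https://sso.example.internal/realms/zuul
default=true
"""


def lint(text: str, mode: Optional[int] = None) -> List[str]:
    """Return findings for a zuul.conf body; mode is its permission bits, if known."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings: List[str] = []

    # The file holds the DB password and keystore secret in clear text.
    if mode is not None and mode & 0o077:
        findings.append("file mode: zuul.conf is group/world readable; use 0600")

    # Zuul 4.0 and later refuse a plaintext ZooKeeper connection.
    for opt in ("tls_cert", "tls_key", "tls_ca"):
        if not cfg.get("zookeeper", opt, fallback=""):
            findings.append(f"[zookeeper] {opt}: missing; Zuul requires TLS to ZooKeeper")

    # Project keys and job secrets in ZooKeeper are encrypted with this password.
    pw = cfg.get("keystore", "password", fallback="")
    if not pw:
        findings.append("[keystore] password: missing; Zuul will not start without it")
    elif len(pw) < MIN_KEYSTORE_PASSWORD_LEN:
        findings.append(f"[keystore] password: shorter than {MIN_KEYSTORE_PASSWORD_LEN} characters")

    if not cfg.get("database", "dburi", fallback=""):
        findings.append("[database] dburi: missing; Zuul requires the SQL backend")

    # zuul-web belongs on loopback behind the TLS-terminating proxy.
    if cfg.get("web", "listen_address", fallback="127.0.0.1") in ("0.0.0.0", "::"):
        findings.append("[web] listen_address: bound to all interfaces; keep it on loopback")

    # Without an authenticator the admin API cannot be gated as this LLD wants.
    auth = [s for s in cfg.sections() if s.startswith("auth ")]
    if not any(cfg.get(s, "driver", fallback="") == "OpenIDConnect" for s in auth):
        findings.append("[auth *]: no OpenIDConnect authenticator configured")

    return findings


def lint_file(path: str) -> List[str]:
    """Lint a file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return lint(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    problems = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint(SAMPLE_CONF, 0o600)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as an ExecStartPre= step in the scheduler's systemd unit or from the configuration management that renders the file; a non-zero exit keeps Zuul from starting with a weak configuration.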

Bring up Nodepool

  • Define labels sized for Kolla builds (4+ vCPU, 16+ GB RAM, 80+ GB disk); builders need fast local storage for container layers.
  • Configure providers (OpenStack/Kubernetes/static) and ensure the images include Docker/Podman, buildah, skopeo, and the internal CA bundle, so that pulls from the internal registry validate without any reach to the internet.
  • Validate by launching a test node and running a simple Zuul job that prints node facts and pulls an image from the internal registry.

Hardening tips

  • Authorize the executor's SSH private key on Nodepool-managed nodes only, never on the scheduler, ZooKeeper, database or Gerrit hosts, so a compromised job on a builder has no path back into the control plane.
  • Use security groups or firewalls to block internet egress from builders once mirrors and the registry are seeded, allowing only the internal registry, package mirrors, and SSH from the executors.
  • Terminate TLS for zuul-web at an ingress or reverse proxy and keep zuul-web itself on loopback; prefer mutual TLS for registry access from builders (containers/image tools such as skopeo and podman read ca.crt, client.cert and client.key from /etc/containers/certs.d/<registry>/).
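The on-node checks below are an added example, not Nodepool or Zuul code. They serve both the validation job described under "Bring up Nodepool" (tool presence and a read from the internal registry over mutual TLS, using the client certificate that containers/image picks up from /etc/containers/certs.d/<registry>/) and the egress rule in the hardening tips (public endpoints must be unreachable). Command execution and TCP probing are injectable so the logic runs offline against fakes; the registry name, image and probe hosts are assumptions made for the demo.

```python
"""Checks a freshly launched Nodepool builder must pass in an air-gapped Zuul build.

Added example for this LLD, not Nodepool or Zuul code. Command execution and TCP
probing are injected so the logic can run offline with fakes; REGISTRY, PROBE_IMAGE
and EGRESS_PROBES are assumptions for the demo.
"""
import shutil
import socket
import subprocess
import sys
from typing import Callable, List, Optional

REGISTRY = "registry.build.internal:5000"       # assumed internal registry
PROBE_IMAGE = f"{REGISTRY}/kolla/base:latest"   # assumed image seeded into it
REQUIRED_TOOLS = ("podman", "buildah", "skopeo")
# Public endpoints that must be unreachable once mirrors are seeded (assumed list).
EGRESS_PROBES = (("index.docker.io", 443), ("pypi.org", 443))

Runner = Callable[[List[str]], subprocess.CompletedProcess]
Connector = Callable[[str, int], bool]
Locator = Callable[[str], Optional[str]]


def run_cmd(argv: List[str]) -> subprocess.CompletedProcess:
    """Default runner: execute argv and capture output; exit status is inspected by the caller."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=120)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default connector: True if a TCP handshake to host:port completes.

    DNS failure, refusal and timeout all raise OSError and count as unreachable,
    which is the expected state on a builder without internet egress.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fake_runner(returncode: int, stderr: str = "") -> Runner:
    """Runner stand-in for offline tests; mimics the object subprocess.run returns."""
    return lambda argv: subprocess.CompletedProcess(argv, returncode, "", stderr)


def check_node(run: Runner = run_cmd, connect: Connector = tcp_reachable,
               which: Locator = shutil.which) -> List[str]:
    """Return findings; an empty list means the node is fit for offline Kolla builds."""
    findings: List[str] = []

    for tool in REQUIRED_TOOLS:
        if which(tool) is None:
            findings.append(f"tool missing: {tool}")

    # Read image metadata over mutual TLS: skopeo takes ca.crt, client.cert and
    # client.key from the certs.d directory for this registry, so a wrong CA or a
    # missing client certificate shows up here as a non-zero exit.
    cert_dir = f"/etc/containers/certs.d/{REGISTRY}"
    try:
        cp = run(["skopeo", "inspect", "--cert-dir", cert_dir, f"docker://{PROBE_IMAGE}"])
        if cp.returncode != 0:
            findings.append(f"registry pull failed: {cp.stderr.strip()[:200]}")
    except (OSError, subprocess.SubprocessError) as exc:
        findings.append(f"registry pull failed: {exc}")

    # Egress must be blocked: every public probe should fail to connect.
    for host, port in EGRESS_PROBES:
        if connect(host, port):
            findings.append(f"egress not blocked: {host}:{port} reachable")

    return findings


if __name__ == "__main__":
    problems = check_node()
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

In the test job, run the script with a command task and let a non-zero exit fail the job; keeping the egress probes in the job means a later security-group change that reopens the internet is caught on the next run rather than discovered in a build.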