From b04e9692e01d2faead2466da7843f5a74370b263 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20B=C3=BCchse?= <matthias.buechse@alasca.cloud>
Date: Sun, 9 Nov 2025 17:14:00 +0100
Subject: [PATCH] Add FOCIS environment to compliance monitor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Matthias Büchse <matthias.buechse@alasca.cloud>
---
 .zuul.d/secure.yaml                         | 22 +++++++++++++++++++++
 Tests/config.toml                           |  1 +
 compliance-monitor/bootstrap.yaml           |  3 +++
 compliance-monitor/sql.py                   |  2 +-
 compliance-monitor/templates/overview.md.j2 |  7 +++++++
 playbooks/clouds.yaml.j2                    |  9 +++++++++
 6 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/.zuul.d/secure.yaml b/.zuul.d/secure.yaml
index d3003b6a9..3434124d2 100644
--- a/.zuul.d/secure.yaml
+++ b/.zuul.d/secure.yaml
@@ -101,6 +101,28 @@
           gY6QHocYpATL46iLkv97QANNUxTdxL7hQjdl/tf3TAHjCclmxdWhBJdvCJN/1xCM6EgVp
           NykBYxJ+kxSmkcFCSdUM8Td75bA/UzkPCdix1reJMdEAxTE9fC55XQ/liTLlGquQDnZty
           VLDH7x3ZJcxZsvqKR6vNbYYzJvDPTBYpHrhD7kx3ubyO9KX+SzZ+Dfhe9M8T8U=
+      focis_ac_id: !encrypted/pkcs1-oaep
+        - KB/tDE/a07eU+xtwor1iLxhvRdA/6bgkZn2aCPvkYtKKoVmT6sXpfRl1t319WqZRIRkoh
+          GK0d9KMJkVT+Q5sbZiSxMD24yMBvwaImIBG6OCzxjyklqal1SOt6CLx4q/uGoGl7QrPOM
+          WcRoluG1FCoDeUewgaZ50TQD0TQ8YGxuhRZi6s8KldDrYVkB/9HBUmwNhgd2LhExmNbtR
+          rRwV7nTJgy3bPDZzJHrKUBk04ZCP1gYRWB4DamsSDV1K+BxeiuxtL6QaoYqZPPWqNoCf3
+          XL6zHCFWKXZM2gkkgZF0/MG8F0vUVILSL9ObF0/Ueozyxzs1oss3zfET2bR3WNNasP2+D
+          NueSiYzurLlVcX0XmqSdcHwiNolc3sfnUAL1uHeRP/KNhRpe3P4nBIkAp+Z5OUw616YdG
+          63CRWs/X/TdshOiMaScGwHGwytaSincar/7e8HM4EbHN5Gg8t1+/Qs2MopuPLyPcH8ogo
+          YbdI4KBz6CcfrNdtut9XlmNLT91emT9ayC+XDqBypksHXHcypuqoOHMQUdjSPtXDLsI//
+          dsSRxDL+4TtWaVovPAxaLGsiVohsoCEdAxBmYxbkA2DNYdOMf6glu7O4wMtEIjaBdzdfP
+          CKfkOiwdCjtq++Ofn/C+3zI+2H+58TosQdCXcYIGmyKw5WSN7/sCosWDUtcsq4=
+      focis_ac_secret: !encrypted/pkcs1-oaep
+        - E8fpHXVmMa7ptAndyV8fqgC6tmGL9qmtpI10q1Yh6Qo0iIt09HNl8aZLtupmavTqYJg+D
+          7BI3ziTG4PNfc6MK0rvsQE/jGCf/XGW7yyfrmcvok+8mwD7foya5gEDLvbxFuIUopdTEt
+          Wk+5qLHNv87fKtQVGoda1qZXQ2ZjEw3sLv5eENLEft+u3XZnPLMVJ3p9ZGK0mvBcIfAlk
+          qPpSigJhZSaKC0ndZsiWvIaD9lkKYVqcIs8BjVj0tH3DM9yxVT1Ky59aERWc4vKYnZTkN
+          JxdLCVhWttT77qSXWZm1SE+GhqmmZRRh4xsnDWW7MMZ48OG36VOZOvOpk34sIzQ6+n/I4
+          zL+bxnPw2vjF6PKbUWD2p8LFbiZbJ7VR4N0656MI3WOzkjMC3+CKIAm8jwJS94SNsGShA
+          KRnp4y6eyZqWV+oJngIaIjz0wAQc/iocWaq7eiZBAjyrPAJjmOYgcHzkV/ryoZx+rLFi5
+          ZxVGDNNZEUA4dAYW6o+aK6GG7yIAE57MoyIPToFBMngnvk2ao2Vyd2f+JL//6IjF4C/V9
+          UjBCh4LVOwxibUQcm8m3hPmnnLTGF1cAKJTyfbP+gdYnYLjCAXBG2z/CubYAQUGV+eSwk
+          a/d4ptd1S9331Cao1VeWUAI5vI28oyO/KIPrKpEBn0LmJwcLn9qEI6O1V6YvhA=
       poc_wgcloud_ac_id: !encrypted/pkcs1-oaep
         - dQIs3NJt1CpP1925+b9QjjwonqjmiuCl1ewxw160yIEHQ/qyQiwutJbsg4IYS9XKhKc2X
           GumOOpLY7+/uNRR5pZmEfOdlGnPoJvVhYtCqHBFy7xQ6NLHKFxCT8zHM9ppSl1Hjc2G2F
diff --git a/Tests/config.toml b/Tests/config.toml
index ff42352dc..93fa80872 100644
--- a/Tests/config.toml
+++ b/Tests/config.toml
@@ -21,6 +21,7 @@ subjects = [
     "artcodix",
     "artcodix-ro",
     # currently not reachable from outside: "cc-rrze",
+    "focis",
     "pco-prod1",
     "pco-prod2",
     "pco-prod3",
diff --git a/compliance-monitor/bootstrap.yaml b/compliance-monitor/bootstrap.yaml
index bc8683b60..fa2358340 100644
--- a/compliance-monitor/bootstrap.yaml
+++ b/compliance-monitor/bootstrap.yaml
@@ -35,6 +35,9 @@ accounts:
       - public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIF8kQx6ur/WSSY9ThK/mwhrl/VsYnjRk44GSXBy3VfKI"
         public_key_type: "ssh-ed25519"
         public_key_name: "primary"
+  - subject: focis
+    delegates:
+      - zuul_ci
   - subject: pco-prod1
     group: pco-prod
     delegates:
diff --git a/compliance-monitor/sql.py b/compliance-monitor/sql.py
index 38a0d8f45..2d39635a6 100644
--- a/compliance-monitor/sql.py
+++ b/compliance-monitor/sql.py
@@ -137,7 +137,7 @@ def db_ensure_schema_v3(cur: cursor):
 
 def db_ensure_schema_v4(cur: cursor):
     # start from v3, do small alteration
-    db_ensure_schema_v2(cur)
+    db_ensure_schema_v3(cur)
     cur.execute('''
     ALTER TABLE account ADD COLUMN IF NOT EXISTS "group" text;
     ''')
diff --git a/compliance-monitor/templates/overview.md.j2 b/compliance-monitor/templates/overview.md.j2
index b721884ca..facb6741a 100644
--- a/compliance-monitor/templates/overview.md.j2
+++ b/compliance-monitor/templates/overview.md.j2
@@ -22,12 +22,19 @@ Version numbers are suffixed by a symbol depending on state: * for _draft_, †
 | [CNDS](https://cnds.io/) | Public cloud for customers (2 regions) | artcodix GmbH |
 {#- #} [{{ results | pick(iaas, 'artcodix', 'artcodix-ro') | summary }}]({{ detail_url('group-artcodix', iaas) }}) {# -#}
 | [HM](https://ohm.muc.cloud.cnds.io/) |
+{% if unverified -%}
+| FOCIS | FOCIS environment | Cloud&amp;Heat Technologies GmbH |
+{#- #} [{{ results | pick(iaas, 'focis') | summary }}]({{ detail_url('focis', iaas) }}) {# -#}
+| n/a |
+{% endif -%}
 | [pluscloud open](https://www.plusserver.com/en/products/pluscloud-open) | Public cloud for customers (4 regions)  | plusserver GmbH | {# #}
 {#- #}[{{ results | pick(iaas, 'pco-prod1', 'pco-prod2', 'pco-prod3', 'pco-prod4') | summary }}]({{ detail_url('group-pco-prod', iaas) }}) {# -#}
 | [HM1](https://health.prod1.plusserver.sovereignit.cloud:3000/d/9ltTEmlnk/openstack-health-monitor2?orgId=1&var-mycloud=plus-pco) [HM2](https://health.prod1.plusserver.sovereignit.cloud:3000/d/9ltTEmlnk/openstack-health-monitor2?orgId=1&var-mycloud=plus-prod2) [HM3](https://health.prod1.plusserver.sovereignit.cloud:3000/d/9ltTEmlnk/openstack-health-monitor2?orgId=1&var-mycloud=plus-prod3) [HM4](https://health.prod1.plusserver.sovereignit.cloud:3000/d/9ltTEmlnk/openstack-health-monitor2?orgId=1&var-mycloud=plus-prod4) |
+{% if unverified -%}
 | PoC WG-Cloud OSBA | Cloud PoC for FITKO | Cloud&amp;Heat Technologies GmbH |
 {#- #} [{{ results | pick(iaas, 'poc-wgcloud') | summary }}]({{ detail_url('poc-wgcloud', iaas) }}) {# -#}
 | [HM](https://health.poc-wgcloud.osba.sovereignit.cloud:3000/d/9ltTEmlnk/openstack-health-monitor2?var-mycloud=poc-wgcloud&orgId=1) |
+{% endif -%}
 | [REGIO.cloud](https://regio.digital) | Public cloud for customers | OSISM GmbH |
 {#- #} [{{ results | pick(iaas, 'regio-a') | summary }}]({{ detail_url('regio-a', iaas) }}) {# -#}
 | [HM](https://apimon.services.regio.digital/public-dashboards/17cf094a47404398a5b8e35a4a3968d4?orgId=1&refresh=5m) |
diff --git a/playbooks/clouds.yaml.j2 b/playbooks/clouds.yaml.j2
index 2019a78df..8adf430b8 100644
--- a/playbooks/clouds.yaml.j2
+++ b/playbooks/clouds.yaml.j2
@@ -37,6 +37,15 @@ clouds:
       auth_url: https://api.cc.rrze.de:5000
       application_credential_id: "{{ clouds_conf.cc_rrze_ac_id }}"
       application_credential_secret: "{{ clouds_conf.cc_rrze_ac_secret }}"
+  focis:
+    region_name: "default"
+    interface: "public"
+    identity_api_version: 3
+    auth_type: "v3applicationcredential"
+    auth:
+      auth_url: https://keystone.dd8.cloudandheat.com:443/v3/
+      application_credential_id: "{{ clouds_conf.focis_ac_id }}"
+      application_credential_secret: "{{ clouds_conf.focis_ac_secret }}"
   pco-prod1:
     region_name: "prod1"
     interface: "public"