Merge branch 'main' into mandatory-and-supported-IaaS-services

.zuul.d/secure.yaml

@@ -3,27 +3,27 @@
     name: SECRET_STANDARDS
     data:
       zuul_ci_api_key: !encrypted/pkcs1-oaep
-        - bsOAcG0vC2ZM7L3rvHuav2c7FS0a5exfbAQ5s134bn4idh5olm7a1tNO+bTmtmz5DiFRJ
-          j/N2nkxjcP4n9ISPh0bXwFjzK3AsRD3AVqiFBkPZ5UBj6WGwhIzAZVkf79GH8CWV0E2Rz
-          9JxqhjzlreCrGBuFtmS7HSKqW0Wn5OgQlDXUdRQmDb9Za2MPVwKXDkKPEL7+SSs+1YiJC
-          JKTDJ5wXnnG6axjtU1MD9aGxX3PEaffJBcyZjYuQd9ipSSnBhR+8Ze3dpi2GVl72xvAdi
-          88mAVT39ru0/QQCc8NppToynG19+AAIi3kGaol8mropi+Q3K/uWKoVh8mQ1IA5sJg/1Kq
-          KDBfoL8xzOUk42tav5Rb8C7A7pNi8u0WscQXhoDlSxJLyQ7/LlpovH+H8KVHCnW4xC3MV
-          zhdWGsR2RJK8B5hUgfXJsV4dDJU6fE5XZHCA+pJ69Lya6+aGtVwACYaSLXYbhb496V6W+
-          FAbJmmHOXqWsJyjTouLMxKa/OcbAi+4TClF33qqSEda/hzgGNsUjhbhFQ9HZqsyoZzpVs
-          t/za1YIN1CSZRRofqIqUx1L+YpFyUqyhuxMkQJPllp9Uxzcffyxy1vYEsyplnwhJM3uXa
-          SoDs5fxitV1OnLBTcWvXWvDMY6dOvdTHhPu3wuAw+YiWfXegp58kVn3z0oLXBo=
+        - jUzccSZN0bjWMX8BPntW4dct5gT5YtlNPQUbQRELCKBlce7y1Ao41g4u06CXBMfzUZIYG
+          eWoxhDsn2QfMnN8RLxkWEjGBG/+n7ql2N1CC+FuSBqU8FkDliSPNZdlC75BFBQYksVeG/
+          XbnP90D4u3cOzE6nK72Ftr5hK90Is/PquIfcStXjxoirZjO4tsgz8kI4elBGGg2q96guu
+          5LTVejYcxH/iwr78AM4YvRSnLto7L0tNxfTI3K6l9gFLWHY52DINYhmZq18MmGIx99Yat
+          wvnLefMeX634FzlS+qzemC029T5FKot+rNG4zD2JbpyN7Raqt6HBLRh1SIyte7RLqTmmA
+          sONOho8I+LhRvb0no3vjslNm/OJU1SSdcTPilFv6Vyvr0wt892ihsqHn6F0ZT3HAXpkeI
+          h5Vax81vIl6T+ZUCqgqea7zgQHr1RntqOc1tu8nx1PtrzHRySZBS+CQwo9GKbXR0HdLOk
+          ANItov3dMRqgDewGQPoX7UyI23zfa5JmFAkDkM016l+r4xDfo4v/eGVArloyTEF362gMh
+          o3NDMUlGaL2kNehk6k/ol8HyWilVRceGFDVRZjYlGWFU+jFTNYi0vqq8mP1gv9CIVOe/b
+          K6dgp6XZo/apeESp4e8xlfJA2Tf+UpylmBtsgcHXjOWPNH9JaalA8pv6LWjcf8=
       zuul_ci_basic_auth: !encrypted/pkcs1-oaep
-        - T8f5tOKbDFKlxJaj7FbB0U6G61zUNrxxXZmrAQnzfhoXUMd9eWhrzXjUKbFUEa+3IaNnF
-          Uyu5VYeIMRxZ3dBltDpHCUDs+3ei+LYm7D/d8W1x5wg03HrLUv8OOeiMM7PrvQMINXz5x
-          cEC0d16sCcapmN20Yleamfi7JWUCh1M4zibWCSCCbaXgKeHvUQEMIy4pLr1F6dN98W+Tq
-          ecinhrSJcbqQUg5hdt0Qn3UKCm1ncl9smvY4TvRABO14LZv0NSvzpwXvPq/OiNwviPPSh
-          MU5KERRAyDBlJYLOtdXqDTwJ26K83h52jNAHWH2CEi03864ORNQgt8eRxfsgSXkdk1EXF
-          HHFwJfqztaPOqpKBXmNr8oe4E/iuWa/buLhknYknA/HeGMOZWFvFtv9iuLKBNd9W0/Asn
-          p3ZkxTSx17sS1/mLJyINi3p/g+bmZ/R4qSwVsvFUl93evddg/dFrxg6/S6cMAj8iUMEsD
-          KTt/5smVB+LTW4ZTbCzBq9ygrVOKOTlY0d43AwlYbVu65+8YLJAgmKWQ3G1LISXzlIqoA
-          yynW3UafFYZUDCWAFO9acabAHlpsaivDjvgG+2S6Fj3GeQic+7vKZzoCUAJFZmgRDXNBb
-          LuNzERqm/m4ZeN4D4HHbJAmtza+sT5DM4ZvpdGLJaWQUs+ki+fes2h8FQhBMYg=
+        - cGUlUyavav0SwvkMeaZu5VZs/FD7qMUXx+vkskQULii1Kjmob9wpIpwBasB6C5wjkz7Yu
+          SZc9kDeYLGNlLS0liGEnNzQEHtSToVCLmEsuEQQWVLKgjVFHhuYG92D//OTnPhwGdrWR0
+          YbN++e6dfdoUTFgNomE9yQ/AiP31frb5xsnkzBOd4Yck7ctlCaoEFqsLDpg9fCvmHuTOD
+          rI5lwaxHjaNCsBdWBvGrV/y06wWz3Dd4DI/mK9gzQT8LQUJb14WuM7Skif0piig/3X2+p
+          4AFYEj9ZsxTaGL+IhHsMQKHQOxZ8qfDsBTVYjaQxo7qGrGtZ9sZcRcmhScA5OgSiMI3kA
+          jrFtm3TMT15SZVaaG/fqmaYykGl9JXD5jBvpwIY6oPmjjY9hNmc5bm0tmsJ/RF6f8ZChP
+          sR5e/wOJUnYbUxTyuId1ZrFL7kFQxfc1HWg1VCwRTfeYwFal5K3CqXWu9u6O/6foa/DFn
+          uHYP40Lq1Rd4LRQjT3TW9TybgM2Jvt6sd7sCKM7KQ4/fGyj8BswRThBNzuJMN83QmmAiq
+          phthkp6X2A7ELMd22wjrOy7ruwZfXObhagJNis4x/t55fdDpnZcW3KeeqOJAv2xkD4StF
+          32RSKLdIRbtWLsouOYPNloVFwPAykbrFkDfH2lyy0LJS9gWyK7t6u4Ks3P7hUE=
       gx_scs_key: !encrypted/pkcs1-oaep
         - gbtzWcQo4LytBGfTskgeFs0bFXzAZo2R33ljlNFAfNzdzlrPDnrEljyys+Bp9+yjEfcG/
           rq8YeW0FVVYYulnmkasfgbUP8lMmsMHli5AwCLB00QjqCsy6Ixc1ELUr+KTTSYXyU8qhT
@@ -266,6 +266,28 @@
           VfHQSOSy9hDC+tbt87xwpWNbWIMV9wVFPNLMowb9oAmqbjEEV2qMR9t+XJFHGQ3ta+nFM
           IPiM1gXvIZEXHRW23JBckC4dgxWZ43F2u7TM6emB2gW1DKgnWOn/tRlIcNKZxeZ6daJ9Y
           s8QePn/Z5DS6DaADyyLGaNbIAUXTvEgCEZvq6xAknTF0PT0zqw33PF3mwNoclM=
+      pco_prod4_ac_id: !encrypted/pkcs1-oaep
+        - L4tJH+zPSVZweHeg7FjSVgeDZdumMqhyEU9Amf6lUKqrHGz7llHgDp0InKyjrFe/CwWkG
+          Y3hySGiEvsrdqywYWRq3y1gfxCvdJ7RMIO7j0xH2oJtCa+v1MpJYLG7FwC34YNt4aphgg
+          VWdL6HgmBTwxmQZhRGMykqSoPTKRT0jInUZwKUg/xbAUj6WzMId0sfxM0C+q4zdSbyxhT
+          sRT9J7ewHbOBpOnO+RTjNP1yHhU8ZqZvJ8RoVHLGuu3i8mGjSdr5cnUrZj7bxdCv9Xh8h
+          QzirkJJ0MN7oiyvAjQdzC6fZQvlTGaH3ifzLZFWl/1ipwOsDDvb58011KxIjA4RpwoBU/
+          fdLWZZnsLDGk1I/j1XZULipRHVqBZxCotIfXjMQhbbuRRC8nAADaS9jbB703gjgN90nxO
+          Adbp9kRj7MHLc0F1JRs8AbadCu4+VVxIPQFzg2LtfN200tXDYJ0XwXUZ899fGJkfXTJgi
+          Dy55LTZ8Dvumi+5AU5fuQ9cqeGGjG21878vuopaG9qwoEo6gcpHAQ77WpqfLYfN13jUUg
+          9zFfpmzPJ7/307QVSMMdRdogEjAFkJ0TzwFYOysVTdv+wbfc5VTBAiX2HFLmyiE2G5F7g
+          2dWrNS4ahwIlNXtG1PVvQ+kcT7gdx5WViHCUc4qwLwIgzkRguVLUIcokW2R6CI=
+      pco_prod4_ac_secret: !encrypted/pkcs1-oaep
+        - Poj5AZd4iE9iSZpUTizRgup9PshitKyN/hScYPee/NJmfF8qHKkpXEWK1YvnfCcL8xOuE
+          cgVAKWkWxpggBAYYRen7AdkGZR4zldCqHQ26xnjmXRvjEv0ncUL96pWg9yj6GeZjFyLon
+          /mFS7fc+cTDgPjJ2zgKi2uT4MV1LVAiARa5RXgXRZ64vg1F6UT1kKIuLUmM3iu83KImsh
+          AJgXjR0xsBS8qxbQ3l85+ybSBglXRp0ETOinxrVfyS7rpSnXepGLE2s2evSHVntybEgsy
+          TNCCtOti8phaGh2WSEyA/YZekMpMNhSq5bYS6J3ttF9fkpBE4Xsgbu7Z5yL4BTkEDOXBG
+          I8nNV8ICq8i5VEcaMByPWetJwFUxlYuQ07dOaqQk7XohQKd6+XMeUAkKlag9Vosb8K1kX
+          lX9EyR1Y+C28tc4soeXsg/TkE702JnCpJ7I3aQqSjbhUm0yDWOEwzT4TOoN1j35iXzD1K
+          +sTx+tASbZ9UobexgC+3hyMa1CanFzPPjgMm3UYyrMmnvi96zImau6Q/CpJhQg3tZ8vLz
+          4BnqOQklRAJxZA5btw8SFAb7GB2TCeEs/+dt/XqLrY2XkeaR9lGBl3Bftvkr9vFVfsVmx
+          7IMobRXhnMOdUZQo7JBc5BV2CB0ZhBn0phUCHQtD4BGQZb/YIl0wO1wyJdk4A0=
       regio_a_key: !encrypted/pkcs1-oaep
         - UEDFCkodx6dlfe9bidIhoPdXqEY4vBT9rwJLXXveBmPY9Q3cnQkQRjz4D/o7VHkyfCpkj
           hzWgvxpsFKnVBkHgLNCbXH8YUhhDTfNGJeLvgVNMo1sk/3JdfUynvgPNAWo1IA9hxxgXN

Standards/scs-0001-v1-sovereign-cloud-standards.md

@@ -18,12 +18,12 @@ It strives for interoperable and sovereign cloud stacks
 which can be deployed and used by a wide range of organizations and individuals.
 Wherever feasible,
 transparency and openness both in respect to the inner workings of the platforms standardised by SCS,
-as well as the SCS organisation itself
+as well as the SCS organization itself
 are a paradigm we intend to live.
 
 ## Requirements
 
-The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119).
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119).
 
 In addition, "FORBIDDEN" is to be interpreted equivalent to "MUST NOT".
 
@@ -297,7 +297,7 @@ it can be deprecated.
 Obsoletions SHOULD be announced ahead of their execution by setting the
 `deprecated_at` field to a future date and moving the `status` to `Deprecated`.
 This signals current and future implementors
-that the subject matter of the document
+that the subject of the document
 is not considered necessary or state of the art anymore.
 
 If one or more replacement documents for the document exists,
@@ -349,7 +349,7 @@ The advantages of such an approach are:
 The disadvantages of that approach are:
 
 - It is possible to make breaking changes after stabilization.
-  Potentially, an hypothetical SCS-1234 document might refer to something completely different
+  Potentially, a hypothetical SCS-1234 document might refer to something completely different
   in a hypothetical R15 release than what it meant in R5,
   if there have been sufficient, gradual breaking changes to the document.
 

Standards/scs-0002-v2-standards-docs-org.md

@@ -155,7 +155,7 @@ Docusaurus' robust toolkit assists in crafting and maintaining quality documenta
 
 #### Special Implementation Details
 
-SCS's unique architecture necessitates a unique approach to documentation. To ensure seamless integration of reference documentation for Components and components developed for SCS, we have created a custom workflow. This workflow automatically syncs upstream repositories, pulling the most recent documentation at regular intervals.
+The unique architecture of SCS necessitates a unique approach to documentation. To ensure seamless integration of reference documentation for Components and components developed for SCS, we have created a custom workflow. This workflow automatically syncs upstream repositories, pulling the most recent documentation at regular intervals.
 
 We have accomplished this by utilizing a Node.js post-install script found [here](https://github.com/SovereignCloudStack/docs-page/blob/main/getDocs.js).
 

Standards/scs-0003-v1-sovereign-cloud-standards-yaml.md

@@ -21,7 +21,7 @@ SCS plans to offer six kinds of certificates with varying scope. These scopes ca
    - SCS-open
    - SCS-sovereign
 2. _cloud layer_, of which there are two:
-   - infastructure as a service (IaaS)
+   - infrastructure as a service (IaaS)
    - Kubernetes as a service (KaaS)
 
 So, for instance, a certificate can have the scope _SCS-compatible IaaS_ or _SCS-sovereign KaaS_.
@@ -137,8 +137,13 @@ Every list of standards consists of several standards that – altogether – de
 | `name`                   | String | Full name of the particular standard                                                                   | _Flavor naming_                                                                                                                |
 | `url`                    | String | Valid URL to the latest raw version of the particular standard                                         | _[Flavor naming](https://raw.githubusercontent.com/SovereignCloudStack/standards/main/Standards/scs-0100-v2-flavor-naming.md)_ |
 | `condition`              | String | State of the particular standard, currently either `mandatory` or `optional`, default is `mandatory`   | _mandatory_                                                                                                                    |
+| `parameters`             | Map    | Maps parameter names to parameter values                                                               |                                                                                                                                |
 | `checks`                 | Array  | List of all checks that must pass; each entry being a check descriptor                                 |                                                                                                                                |
 
+The parameters specified here will be added to the variable assignment for all check tools that belong to this standard, so they will be substituted in the same way.
+The advantage is that these parameters may show up in the automatically generated documentation, whereas the check tools themselves probably won't.
+See the "Standard images" standard in the larger basic example below for a possible use case.
+
 ### Check descriptor
 
 The following fields are valid for every check descriptor:
@@ -194,7 +199,7 @@ versions:
             id: flavor-name-check
             lifetime: day
       - name: Image metadata
-        url: https://raw.githubusercontent.com/SovereignCloudStack/Docs/main/Standards/SCS-0004-v1-image-metadata.md
+        url: https://raw.githubusercontent.com/SovereignCloudStack/standards/main/Standards/scs-0102-v1-image-metadata.md
         condition: mandatory
         checks:
           - executable: image-md-check.py
@@ -205,6 +210,14 @@ versions:
             condition: optional
             id: image-md-check-2
             lifetime: day
+      - name: Standard images
+        url: https://raw.githubusercontent.com/SovereignCloudStack/standards/main/Standards/scs-0104-v1-standard-images.md
+        parameters:
+          image_spec: https://raw.githubusercontent.com/SovereignCloudStack/standards/main/Tests/iaas/scs-0104-v1-images.yaml
+        checks:
+          - executable: ./iaas/standard-images/images-openstack.py
+            args: -c {os_cloud} -d {image_spec}
+            id: standard-images-check
   - version: v4 # This is the upcoming version with a given target date. No further changes should be done to this set of standards
     stabilized_at: 2022-04-01
     standards:
@@ -245,13 +258,13 @@ must be announced 14 days in advance via the corresponding mailing list.
 
 ### File format
 
-In order to have a document that can be processed by a wide range of tools, we need to opt for a simple but yet well supported format.
+In order to have a document that can be processed by a wide range of tools, we need to opt for a simple but yet well-supported format.
 YAML offers readability for humans as well as good support by many frameworks. Since YAML is heavily used in the cloud and container
 domain, the choice is obvious.
 
 ### Dependency graph for certifications
 
-This standard only allows exactly one depending certification, otherwise we would need to use a list of mappings. Since this is
+This standard only allows depending on exactly one certification, otherwise we would need to use a list of mappings. Since this is
 in accordance to the current plan of the SIG Standardization & Certification, we can safely ignore multiple dependency of
 certification for now.
 

Standards/scs-0004-v1-achieving-certification.md

@@ -41,7 +41,7 @@ As operator, I want to obtain a certificate with the scope SCS-compatible IaaS o
 
 6. Once the certificate is granted by the SCS certification assessment body, the operator SHOULD use the corresponding logo and publicly state the certified "SCS compatibility" on the respective layer for the time of the validity of the certification. In case of a public cloud, this public display is even REQUIRED. In any case, the logo MUST be accompanied by a hyperlink (a QR code for printed assets) to the respective certificate status page.
 
-7. If the certificate is to be revoked for any reason, it will be included in a publicly available Certificate Revokation List (CRL). This fact will also be reflected in the certificate status page.
+7. If the certificate is to be revoked for any reason, it will be included in a publicly available Certificate Revocation List (CRL). This fact will also be reflected in the certificate status page.
 
 8. If any of the automated tests or manual checks fail after the certificate has been issued, the certificate is not immediately revoked. Rather, the automated tests MUST pass 99.x % of the runs, and the operator SHALL be notified at the second failed attempt in a row at the latest. In case a manual check fails, it has to be repeated at a date to be negotiated with SCS. It MAY NOT fail more than two times in a row.
 

Standards/scs-0100-v1-flavor-naming.md

@@ -94,7 +94,7 @@ the lack of workload management that would prevent worst case performance < 20%
 #### Insufficient microcode
 
 Not using these mitigations must be indicated by an additional `i suffix` for insecure
-(weak protection against CPU vulns through insufficient microcode, lack of disabled hyperthreading
+(weak protection against CPU vulnerabilities through insufficient microcode, lack of disabled hyperthreading
 on L1TF susceptible CPUs w/o effective core scheduling or disabled protections on the host/hypervisor).
 
 #### Examples
@@ -299,22 +299,22 @@ The optional `h` suffix to the comput unit count indicates high-performance (e.g
 high bandwidth gfx memory such as HBM);
 `h` can be duplicated for even higher performance.
 
-`-ib` indicates Inifinband networking.
+`-ib` indicates Infiniband networking.
 
 More extensions will be forthcoming.
 
-Extensions need to be specified in the above mentioned order.
+Extensions need to be specified in the above-mentioned order.
 
 ## Proposal Examples
 
-| Example                   | Decoding                                                                                        |
-| ------------------------- | ----------------------------------------------------------------------------------------------- |
-| SCS-2C:4:10n              | 2 dedicated cores (x86-64), 4GiB RAM, 10GB network disk                                         |
-| SCS-8Ti:32:50p-i1         | 8 dedicated hyperthreads (insecure), Skylake, 32GiB RAM, 50GB local NVMe                        |
-| SCS-1L:1u:5               | 1 vCPU (heavily oversubscribed), 1GiB Ram (no ECC), 5GB disk (unspecific)                       |
-| SCS-16T:64:200s-GNa:64-ib | 16 dedicated threads, 64GiB RAM, 200GB local SSD, Inifiniband, 64 Passthrough nVidia Ampere SMs |
-| SCS-4C:16:2x200p-a1       | 4 dedicated Arm64 cores (A78 class), 16GiB RAM, 2x200GB local NVMe drives                       |
-| SCS-1V:0.5                | 1 vCPU, 0.5GiB RAM, no disk (boot from cinder volume)                                           |
+| Example                   | Decoding                                                                                       |
+| ------------------------- | ---------------------------------------------------------------------------------------------- |
+| SCS-2C:4:10n              | 2 dedicated cores (x86-64), 4GiB RAM, 10GB network disk                                        |
+| SCS-8Ti:32:50p-i1         | 8 dedicated hyperthreads (insecure), Skylake, 32GiB RAM, 50GB local NVMe                       |
+| SCS-1L:1u:5               | 1 vCPU (heavily oversubscribed), 1GiB Ram (no ECC), 5GB disk (unspecific)                      |
+| SCS-16T:64:200s-GNa:64-ib | 16 dedicated threads, 64GiB RAM, 200GB local SSD, Infiniband, 64 Passthrough nVidia Ampere SMs |
+| SCS-4C:16:2x200p-a1       | 4 dedicated Arm64 cores (A78 class), 16GiB RAM, 2x200GB local NVMe drives                      |
+| SCS-1V:0.5                | 1 vCPU, 0.5GiB RAM, no disk (boot from cinder volume)                                          |
 
 ## Standard SCS flavors
 
@@ -376,14 +376,14 @@ for usability and easier portability, even beyond the mandated flavors.
 You must be very careful to expose low vCPU guarantees (`L` instead ov `V`), insecure
 hyperthreading/microcode `i`, non-ECC-RAM `u`, memory oversubscription `o`. Note that omitting these qualifiers is
 overstating your security, reliability or performance properties and may be reason for
-clients to feel betrayed or claim damages. It might in extreme cases also cause SCS to withdraw certification
+clients to feel betrayed or claim damages. It might, in extreme cases, also cause SCS to withdraw certification
 along with public statements.
 
-You may offer additional SCS- flavors, following the naming scheme outlined here.
+You may offer additional `SCS-` flavors, following the naming scheme outlined here.
 
 You may offer additional flavors, not following above scheme.
 
-You must not offer flavors with the SCS- prefix which do not follow this naming scheme.
+You must not offer flavors with the `SCS-` prefix which do not follow this naming scheme.
 You must not extend the SCS naming scheme with your own suffices; you are encouraged however
 to suggest extensions that we can discuss and add to the official scheme.
 
@@ -434,8 +434,8 @@ on the flavor list compliance of the cloud environment.
 
 Some providers might offer VM services ("IaaS") without trying to adhere to SCS standards,
 yet still finding the flavor naming standards useful. The Gaia-X Technical Committee's
-Provider Working Group (WG) would seem like a logical place for such dicussions then.
+Provider Working Group (WG) would seem like a logical place for such discussions then.
 If so, we could
-replace the SCS- prefix with a GX- prefix and transfer the naming scheme governance from
+replace the `SCS-` prefix with a GX- prefix and transfer the naming scheme governance from
 the SCS project to the Gaia-X Provider WG (where we participate). SCS certification would
 then reference the Gaia-X flavor naming standard as a requirement.