diff --git a/.zuul.yaml b/.zuul.yaml index 659e297185..58a32cdac1 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -406,7 +406,9 @@ - .zuul.yaml - playbooks/group_vars/eavesdrop.yaml - testinfra/test_eavesdrop.py - + vars: + run_playbooks: + - playbooks/remote_puppet_else.yaml - job: name: system-config-run-letsencrypt @@ -423,6 +425,10 @@ label: ubuntu-bionic - name: letsencrypt02.opendev.org label: ubuntu-bionic + vars: + run_playbooks: + - playbooks/service-nameserver.yaml + - playbooks/service-letsencrypt.yaml host-vars: letsencrypt01.opendev.org: host_copy_output: @@ -448,6 +454,10 @@ label: ubuntu-xenial - name: nb01.openstack.org label: ubuntu-xenial + vars: + run_playbooks: + - playbooks/service-nodepool.yaml + - playbooks/remote_puppet_else.yaml files: - .zuul.yaml - playbooks/group_vars/nodepool.yaml @@ -457,22 +467,6 @@ - playbooks/templates/clouds/ - testinfra/test_nodepool.py -- job: - name: system-config-run-docker - parent: system-config-run - description: | - Test docker installation and setup - nodeset: - nodes: - - name: bridge.openstack.org - label: ubuntu-bionic - - name: bionic-docker - label: ubuntu-bionic - files: - - .zuul.yaml - - playbooks/roles/install-docker - - testinfra/test_docker.py - - job: name: system-config-run-dns parent: system-config-run @@ -489,6 +483,9 @@ label: ubuntu-bionic - name: ns1.opendev.org label: ubuntu-bionic + vars: + run_playbooks: + - playbooks/service-nameserver.yaml host-vars: adns1.opendev.org: host_copy_output: @@ -518,6 +515,9 @@ label: ubuntu-bionic - name: insecure-ci-registry01.opendev.org label: ubuntu-bionic + vars: + run_playbooks: + - playbooks/service-registry.yaml host-vars: insecure-ci-registry01.opendev.org: host_copy_output: 
@@ -546,7 +546,9 @@ - name: gitea01.opendev.org label: ubuntu-bionic vars: - run_base_test_playbook: playbooks/zuul/test-gitea.yaml + run_playbooks: + - playbooks/service-gitea-lb.yaml + run_test_playbook: playbooks/test-gitea.yaml host-vars: gitea01.opendev.org: host_copy_output: @@ -583,6 +585,9 @@ label: ubuntu-bionic - name: zp01.opendev.org label: ubuntu-bionic + vars: + run_playbooks: + - playbooks/service-zuul.yaml files: - .zuul.yaml - playbooks/roles/zuul-preview/ @@ -634,7 +639,6 @@ - system-config-run-dns - system-config-run-eavesdrop - system-config-run-nodepool - - system-config-run-docker - system-config-run-docker-registry - system-config-run-gitea: dependencies: @@ -659,7 +663,6 @@ - system-config-run-dns - system-config-run-eavesdrop - system-config-run-nodepool - - system-config-run-docker - system-config-run-docker-registry - system-config-run-gitea: dependencies: diff --git a/playbooks/base.yaml b/playbooks/base.yaml index 5d66aeb601..183f3b36e9 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml 
@@ -22,89 +22,3 @@ roles: - snmpd - iptables - -- hosts: bridge.openstack.org:!disabled - name: "Base: configure cloud credentials on bridge" - roles: - - install-kubectl - - configure-kubectl - tasks: - - include_role: - name: configure-openstacksdk - vars: - openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml' - openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2 - - include_role: - name: configure-openstacksdk - vars: - openstacksdk_config_template: clouds/bridge_clouds.yaml.j2 - -- hosts: nodepool-launcher:nodepool-builder:!disabled - name: "Base: configure OpenStackSDK on nodepool" - strategy: free - roles: - - minimal-nodepool - - configure-openstacksdk - - configure-kubectl - -- hosts: "puppet:!disabled" - name: "Base: install and configure puppet on puppet hosts" - roles: - - puppet-install - - disable-puppet-agent - -- hosts: adns:!disabled - name: "Base: configure adns server" - roles: - - master-nameserver - -- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled" - name: "Base: configure authoritative nameservers" - roles: - - nameserver - -- hosts: "docker:!disabled" - name: "Base: install and configure docker on docker hosts" - roles: - - install-docker - -- hosts: "registry:!disabled" - name: "Base: configure registry" - roles: - - install-docker - - registry - -- hosts: "gitea:!disabled" - name: "Base: configure gitea" - roles: - - install-docker - - gitea - -- hosts: "gitea-lb:!disabled" - name: "Base: configure gitea load balancer" - roles: - - install-docker - - haproxy - -- hosts: "zuul-preview:!disabled" - name: "Base: configure zuul-preview" - roles: - - install-docker - - zuul-preview - -# This next section needs to happen in order. 
letsencrypt hosts -# export their TXT authentication records which is installed onto -# adns1, and then the hosts verify to issue/renew keys -- hosts: "letsencrypt:!disabled" - name: "Base: deploy and renew certificates" - roles: - - letsencrypt-acme-sh-install - - letsencrypt-request-certs -- hosts: "adns:!disabled" - name: "Install txt records" - roles: - - letsencrypt-install-txt-record -- hosts: "letsencrypt:!disabled" - name: "Create certs" - roles: - - letsencrypt-create-certs diff --git a/playbooks/bridge.yaml b/playbooks/bridge.yaml index 2142fb6d5b..08305f6eaf 100644 --- a/playbooks/bridge.yaml +++ b/playbooks/bridge.yaml @@ -1,5 +1,5 @@ -- hosts: bridge.openstack.org - name: "Bridge: configure the bastion host" +- hosts: bridge.openstack.org:!disabled + name: "Bridge: boostrap the bastion host" become: true roles: - pip3 @@ -21,6 +21,3 @@ install_ansible_ara_name: '{{ bridge_ara_name | default("ara") }}' install_ansible_ara_version: '{{ bridge_ara_version | default("0.16.1") }}' - root-keys - - ansible-cron - - cloud-launcher-cron - - edit-secrets-script diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/remote_puppet_afs.yaml index 1aac92a3ed..6b57788f26 100644 --- a/playbooks/remote_puppet_afs.yaml +++ b/playbooks/remote_puppet_afs.yaml @@ -1,3 +1,9 @@ +- hosts: "afs:afsdb:!disabled" + name: "Base: install and configure puppet on puppet hosts" + roles: + - puppet-install + - disable-puppet-agent + - hosts: "afs:afsdb:!disabled" name: "AFS: run puppet on the AFS servers" strategy: free diff --git a/playbooks/remote_puppet_else.yaml b/playbooks/remote_puppet_else.yaml index 1180d2e56f..b16511c982 100644 --- a/playbooks/remote_puppet_else.yaml +++ b/playbooks/remote_puppet_else.yaml 
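Review bot: The new play name in playbooks/bridge.yaml misspells bootstrap: `name: "Bridge: boostrap the bastion host"`. Play names are what operators grep for in the ansible log and ARA, so `name: "Bridge: bootstrap the bastion host"` is worth fixing before the string spreads to dashboards. The second hunk of this file drops three roles that reappear in playbooks/service-bridge.yaml; see the note on that file for the privilege difference between the two plays.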
@@ -1,5 +1,7 @@ -- hosts: 'puppet:!review:!zuul-scheduler:!afs:!afsdb:!puppetmaster*:!disabled' +- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!disabled' name: "Puppet-else: run puppet on all other servers" strategy: free roles: + - puppet-install + - disable-puppet-agent - puppet diff --git a/playbooks/remote_puppet_git.yaml b/playbooks/remote_puppet_git.yaml index 2e08cbf42f..2f9bfcb948 100644 --- a/playbooks/remote_puppet_git.yaml +++ b/playbooks/remote_puppet_git.yaml @@ -1,3 +1,15 @@ +- hosts: "gitea:!disabled" + name: "Base: configure gitea" + roles: + - install-docker + - gitea + +- hosts: "review:!disabled" + name: "Base: install and configure puppet on puppet hosts" + roles: + - puppet-install + - disable-puppet-agent + - hosts: "localhost:!disabled" name: "Puppet-git: Collect the project-config ref" strategy: free @@ -27,13 +39,3 @@ facts: project_config_ref: "{{ hostvars.localhost.gitinfo.after }}" puppet_timeout: 60m - -- hosts: "zuul-scheduler:!disabled" - name: "Puppet-git: Run puppet on the Zuul scheduler" - strategy: free - gather_facts: true - roles: - - role: puppet - facts: - project_config_ref: "{{ hostvars.localhost.gitinfo.after }}" - puppet_timeout: 60m diff --git a/playbooks/roles/gitea/defaults/main.yaml b/playbooks/roles/gitea/defaults/main.yaml new file mode 100644 index 0000000000..ae0017d80d --- /dev/null +++ b/playbooks/roles/gitea/defaults/main.yaml @@ -0,0 +1 @@ +gitea_no_log: true diff --git a/playbooks/roles/gitea/tasks/main.yaml b/playbooks/roles/gitea/tasks/main.yaml index 077f05df06..05dd64c2cf 100644 --- a/playbooks/roles/gitea/tasks/main.yaml +++ b/playbooks/roles/gitea/tasks/main.yaml 
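Review bot: With the `puppet:!disabled` play removed from playbooks/base.yaml, `puppet-install` and `disable-puppet-agent` now reach only the hosts matched here, in playbooks/remote_puppet_afs.yaml and the `review` hosts in playbooks/remote_puppet_git.yaml; a host that is still in the `puppet` group but matches the `!puppetmaster*` exclusion would no longer have its agent disabled, so confirm that no such host exists. The `test_puppet` function deleted from testinfra/test_base.py was the only check in this change that asserted the puppet service is neither running nor enabled, and nothing replaces it, so a gap in this split would not be caught by the gate. A short comment above the host pattern naming where the afs/afsdb and review hosts get the same two roles, e.g. `# puppet-install/disable-puppet-agent for afs:afsdb live in remote_puppet_afs.yaml, for review in remote_puppet_git.yaml`, would make the coverage auditable.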
@@ -59,7 +59,7 @@ block: - name: Create root user command: "docker exec -t giteadocker_gitea-web_1 gitea admin create-user --name root --password {{ gitea_root_password }} --email {{ gitea_root_email }} --admin" - no_log: true + no_log: "{{ gitea_no_log }}" - name: Check if gerrit user exists uri: url: "https://localhost:3000/api/v1/users/gerrit" diff --git a/playbooks/service-bridge.yaml b/playbooks/service-bridge.yaml new file mode 100644 index 0000000000..1eeea3ef03 --- /dev/null +++ b/playbooks/service-bridge.yaml @@ -0,0 +1,18 @@ +- hosts: bridge.openstack.org:!disabled + name: "Bridge: configure the bastion host" + roles: + - ansible-cron + - cloud-launcher-cron + - edit-secrets-script + - install-kubectl + - configure-kubectl + tasks: + - include_role: + name: configure-openstacksdk + vars: + openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml' + openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2 + - include_role: + name: configure-openstacksdk + vars: + openstacksdk_config_template: clouds/bridge_clouds.yaml.j2 diff --git a/playbooks/service-gitea-lb.yaml b/playbooks/service-gitea-lb.yaml new file mode 100644 index 0000000000..6a13f142a1 --- /dev/null +++ b/playbooks/service-gitea-lb.yaml @@ -0,0 +1,5 @@ +- hosts: "gitea-lb:!disabled" + name: "Base: configure gitea load balancer" + roles: + - install-docker + - haproxy diff --git a/playbooks/service-letsencrypt.yaml b/playbooks/service-letsencrypt.yaml new file mode 100644 index 0000000000..b85dff3caf --- /dev/null +++ b/playbooks/service-letsencrypt.yaml 
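Review bot: `no_log: "{{ gitea_no_log }}"` turns a fixed secret guard into an inventory-controlled one, and the guarded command line carries `{{ gitea_root_password }}` in clear; any inventory that sets `gitea_no_log: false` — as the gate template playbooks/zuul/templates/group_vars/gitea.yaml.j2 now does — writes the Gitea root password into the ansible log and ARA output. The new default in playbooks/roles/gitea/defaults/main.yaml should say what the switch exposes, e.g. `# Set to false only in throw-away test environments: the create-user command line includes gitea_root_password.`. Independently of `no_log`, the password is visible in the host's process table while `docker exec` runs; that predates this change, but moving the secret to an environment variable or stdin of the create-user call would close it.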
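Review bot: The new play in playbooks/service-bridge.yaml has no `become: true`, yet `ansible-cron`, `cloud-launcher-cron` and `edit-secrets-script` were moved here from the playbooks/bridge.yaml play that runs with `become: true`; unless those roles escalate internally, they now run as the connecting user, and cron entries or scripts meant for system locations would fail or land in the wrong place. The kubectl and openstacksdk roles came from the base.yaml play, which had no become, so the safe shape is probably per-role escalation rather than play-wide, e.g. `- role: ansible-cron` with `become: true` on that entry. Worth confirming against the roles' task files before merging.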
@@ -0,0 +1,16 @@
+# This needs to happen in order. letsencrypt hosts export their TXT
+# authentication records which is installed onto adns1, and then the
+# hosts verify to issue/renew keys
+- hosts: "letsencrypt:!disabled"
+ name: "Base: deploy and renew certificates"
+ roles:
+ - letsencrypt-acme-sh-install
+ - letsencrypt-request-certs
+- hosts: "adns:!disabled"
+ name: "Install txt records"
+ roles:
+ - letsencrypt-install-txt-record
+- hosts: "letsencrypt:!disabled"
+ name: "Create certs"
+ roles:
+ - letsencrypt-create-certs
diff --git a/playbooks/service-nameserver.yaml b/playbooks/service-nameserver.yaml
new file mode 100644
index 0000000000..f954c90c8a
--- /dev/null
+++ b/playbooks/service-nameserver.yaml
@@ -0,0 +1,10 @@
+- hosts: adns:!disabled
+ name: "Base: configure adns server"
+ roles:
+ - master-nameserver
+
+- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
+ name: "Base: configure authoritative nameservers"
+ roles:
+ - nameserver
+
diff --git a/playbooks/service-nodepool.yaml b/playbooks/service-nodepool.yaml
new file mode 100644
index 0000000000..b6bbd26de6
--- /dev/null
+++ b/playbooks/service-nodepool.yaml
@@ -0,0 +1,7 @@
+- hosts: nodepool-launcher:nodepool-builder:!disabled
+ name: "Base: configure OpenStackSDK on nodepool"
+ strategy: free
+ roles:
+ - minimal-nodepool
+ - configure-openstacksdk
+ - configure-kubectl
diff --git a/playbooks/service-registry.yaml b/playbooks/service-registry.yaml
new file mode 100644
index 0000000000..7b8a402a41
--- /dev/null
+++ b/playbooks/service-registry.yaml
@@ -0,0 +1,5 @@
+- hosts: "registry:!disabled"
+ name: "Base: configure registry"
+ roles:
+ - install-docker
+ - registry
diff --git a/playbooks/service-zuul.yaml b/playbooks/service-zuul.yaml
new file mode 100644
index 0000000000..a042ebacd3
--- /dev/null
+++ b/playbooks/service-zuul.yaml
@@ -0,0 +1,5 @@
+- hosts: "zuul-preview:!disabled"
+ name: "Base: configure zuul-preview"
+ roles:
+ - install-docker
+ - zuul-preview
diff --git a/playbooks/zuul/test-gitea.yaml b/playbooks/test-gitea.yaml similarity index 78% rename from playbooks/zuul/test-gitea.yaml rename to playbooks/test-gitea.yaml index 3bedfa8515..252bcc5e7a 100644 --- a/playbooks/zuul/test-gitea.yaml +++ b/playbooks/test-gitea.yaml @@ -14,6 +14,14 @@ dest: "/opt/project-config/gerrit/projects.yaml" content: "{{ projects }}" +# TODO(mordred) This should be part of the service, once we refactor +# the project creation and are running remote_puppet_git. +- hosts: "gitea" + name: "Install and configure gitea" + roles: + - install-docker + - gitea + - hosts: "gitea" name: "Create repos on gitea servers" strategy: free diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml index b9c7f63e0c..649dcb1e2f 100644 --- a/playbooks/zuul/run-base.yaml +++ b/playbooks/zuul/run-base.yaml @@ -18,6 +18,17 @@ repo: /home/zuul/src/opendev.org/opendev/system-config dest: /opt/system-config force: yes + # TODO: the next two tasks are update-system-config.yaml and + # should be removed or refactored out of here to a shared + # location. + - name: Clone puppet modules to /etc/puppet/modules + command: ./install_modules.sh + args: + chdir: /opt/system-config + - name: Install ansible roles to /etc/ansible/roles + command: ansible-galaxy install --roles-path /etc/ansible/roles --force -r roles.yaml + args: + chdir: /opt/system-config - name: Add groups config for test nodes template: src: "templates/gate-groups.yaml.j2" @@ -33,7 +44,7 @@ path: /etc/ansible/ansible.cfg section: defaults option: inventory_plugins - value: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/install-ansible/files/inventory_plugins + value: /opt/system-config/playbooks/roles/install-ansible/files/inventory_plugins - name: Update ansible.cfg to configure inventory plugins ini_file: path: /etc/ansible/ansible.cfg 
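Review bot: The added `ansible-galaxy install --roles-path /etc/ansible/roles --force -r roles.yaml` task in playbooks/zuul/run-base.yaml fetches roles from Galaxy at gate time; unless roles.yaml pins every role to a version (the file is not in this diff), the job's result depends on what Galaxy serves that day and a changed upstream role is pulled in silently, and `--force` guarantees it overwrites whatever was there. The same reproducibility concern applies to `./install_modules.sh` for the puppet modules. The TODO says both belong in update-system-config.yaml; when that refactor happens, version pins and a record of what was installed in the job output are the minimum to keep gate runs comparable. Note also that the test playbook later in this file still resolves roles from /home/zuul/src/... while these install into /opt/system-config and /etc/ansible/roles, so two checkouts of the same commit are now in play.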
@@ -74,9 +85,15 @@ command: ansible localhost -m debug -a 'var=groups' - name: Run base.yaml command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml + - name: Run bridge service playbook + command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml + - name: Run playbook + when: run_playbooks is defined + loop: "{{ run_playbooks }}" + command: "ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }}" - name: Run test playbook - when: run_base_test_playbook is defined - shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_base_test_playbook }}" + when: run_test_playbook is defined + shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }}" - name: Run testinfra to validate configuration include_role: name: tox diff --git a/playbooks/zuul/templates/gate-groups.yaml.j2 b/playbooks/zuul/templates/gate-groups.yaml.j2 index 7f2c0b3b52..206b4e6585 100644 --- a/playbooks/zuul/templates/gate-groups.yaml.j2 +++ b/playbooks/zuul/templates/gate-groups.yaml.j2 @@ -2,12 +2,6 @@ # for gate jobs are put in the right groups for testing plugin: yamlgroup groups: - puppet: - - trusty - - xenial - - centos7 - # note: bionic currently isn't puppeted - docker: - bionic-docker diff --git a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea.yaml.j2 index d76319f546..b793353ddb 100644 --- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 +++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2 
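Review bot: In the new `Run playbook` task, `loop: "{{ run_playbooks }}"` is expanded before `when: run_playbooks is defined` is applied per item, so for jobs that do not set the variable the outcome depends on how the installed Ansible treats an undefined loop source; `loop: "{{ run_playbooks | default([]) }}"` makes the skip explicit and independent of that behaviour. The task name is also the least descriptive in this block; `- name: Run service playbooks` reads better next to "Run bridge service playbook" and "Run test playbook" when scanning a failed job's log.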
@@ -5,6 +5,7 @@ gitea_root_db_password: TlG1lNXKLfruXN0j gitea_db_username: gitea gitea_db_password: 5bfuOBKtltff0XZX gitea_root_password: BUbBcpToMwR05ZCB +gitea_no_log: false gitea_gerrit_password: yVpMWIUIvT7f6NwA gitea_tls_cert: | -----BEGIN CERTIFICATE----- diff --git a/run_all.sh b/run_all.sh index 03c4406c20..47107e8862 100755 --- a/run_all.sh +++ b/run_all.sh @@ -92,6 +92,31 @@ start_timer timeout -k 2m 120m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/base.yaml send_timer base +# Service playbooks +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-gitea-lb.yaml +send_timer gitea-lb + +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-letsencrypt.yaml +send_timer letsencrypt + +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nameserver.yaml +send_timer nameserver + +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nodepool.yaml +send_timer nodepool + +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-registry.yaml +send_timer registry + +start_timer +timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-zuul.yaml +send_timer zuul + # Run the git/gerrit/zuul sequence, since it's important that they all work together start_timer timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml diff --git a/testinfra/test_base.py b/testinfra/test_base.py index a304fc8c78..0256961529 100644 --- a/testinfra/test_base.py +++ b/testinfra/test_base.py 
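Review bot: The new service blocks in run_all.sh run in alphabetical order, so service-letsencrypt.yaml runs before service-nameserver.yaml, whereas the letsencrypt job in .zuul.yaml lists `playbooks/service-nameserver.yaml` before `playbooks/service-letsencrypt.yaml`; service-letsencrypt.yaml's own header comment says the TXT records are installed onto adns1, which the `master-nameserver` role configures, so on a freshly provisioned adns host the record install could precede its configuration. Swapping the letsencrypt and nameserver blocks keeps production and the gate in the same order. If run_all.sh does not run under `set -e` (not visible here), a failed service playbook is only visible through its timer and the following blocks continue regardless, which is consistent with the existing base.yaml block but worth a comment such as `# Each service playbook is independent; a failure here does not stop the remaining runs.`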
@@ -40,24 +40,6 @@ def test_exim_is_installed(host): assert cmd.rc == 0 -def test_puppet(host): - # We only install puppet on trusty, xenial and centos 7 - if (host.system_info.codename in ['trusty', 'xenial'] or - host.system_info.distribution in ['centos']): - # Package name differs depending on puppet release version - # just check one version of puppet is installed. - puppet = host.package("puppet") - puppet_agent = host.package("puppet-agent") - assert puppet.is_installed or puppet_agent.is_installed - service = host.service("puppet") - assert not service.is_running - assert not service.is_enabled - else: - puppet = host.package("puppet") - puppet_agent = host.package("puppet-agent") - assert not puppet.is_installed and not puppet_agent.is_installed - - def test_iptables(host): rules = host.iptables.rules() rules = [x.strip() for x in rules] diff --git a/testinfra/test_docker.py b/testinfra/test_docker.py deleted file mode 100644 index 25c09fb1d0..0000000000 --- a/testinfra/test_docker.py +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2018 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - - -testinfra_hosts = ['bionic-docker'] - - -def test_docker_service(host): - docker = host.service('docker') - assert docker.is_running