- import_playbook: ../bootstrap-bridge.yaml
vars:
root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa', rstrip=False) }}"
ansible_cron_disable_job: true
cloud_launcher_disable_job: true
# setup opendev CA
- hosts: prod_bastion[0]
become: true
tasks:
- name: Make temporary dir for CA generation
tempfile:
state: directory
register: _ca_tempdir
- name: Create CA PEM/crt
shell: |
set -x
# Generate a CA key
openssl genrsa -out ca.key 2048
# Create fake CA root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt
args:
chdir: '{{ _ca_tempdir.path }}'
executable: /bin/bash
- name: Save key
slurp:
src: '{{ _ca_tempdir.path }}/ca.key'
register: _opendev_ca_key
- name: Save certificate
slurp:
src: '{{ _ca_tempdir.path }}//ca.crt'
register: _opendev_ca_certificate
- name: Cleanup tempdir
file:
path: '{{ _ca_tempdir.path }}'
state: absent
when: _ca_tempdir.path is defined
- hosts: all
become: true
tasks:
- name: Make CA directory
file:
path: '/etc/opendev-ca'
state: directory
owner: root
group: root
mode: 0600
- name: Import files
shell: 'echo "{{ item.content }}" | base64 -d > {{ item.file }}'
args:
creates: '{{ item.file }}'
loop:
- file: '/etc/opendev-ca/ca.key'
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'
- file: '/etc/opendev-ca/ca.crt'
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
- name: Install and trust certificate
shell:
cmd: |
cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
update-ca-certificates
- hosts: prod_bastion[0]
become: true
tasks:
- name: Write inventory on bridge
include_role:
name: write-inventory
vars:
write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
write_inventory_exclude_hostvars:
- ansible_user
- ansible_python_interpreter
write_inventory_additional_hostvars:
public_v4: nodepool.private_ipv4
public_v6: nodepool.public_ipv6
- name: Add groups config for test nodes
template:
src: "templates/gate-groups.yaml.j2"
dest: "/etc/ansible/hosts/gate-groups.yaml"
- name: Update ansible.cfg to use job inventory
ini_file:
path: /etc/ansible/ansible.cfg
section: defaults
option: inventory
value: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml,/home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml,/etc/ansible/hosts/gate-groups.yaml
- name: Make host_vars directory
file:
path: "/etc/ansible/hosts/host_vars"
state: directory
- name: Make group_vars directory
file:
path: "/etc/ansible/hosts/group_vars"
state: directory
- name: Write hostvars files
vars:
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
iptables_test_public_tcp_ports:
# Zuul web console
- 19885
# selenium
- 4444
template:
src: "templates/{{ item }}.j2"
dest: "/etc/ansible/hosts/{{ item }}"
loop:
- group_vars/all.yaml
- group_vars/adns.yaml
- group_vars/adns-primary.yaml
- group_vars/bastion.yaml
- group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml
- group_vars/registry.yaml
- group_vars/gitea.yaml
- group_vars/gitea-lb.yaml
- group_vars/kerberos-kdc.yaml
- group_vars/keycloak.yaml
- group_vars/letsencrypt.yaml
- group_vars/mailman.yaml
- group_vars/meetpad.yaml
- group_vars/jvb.yaml
- group_vars/refstack.yaml
- group_vars/registry.yaml
- group_vars/control-plane-clouds.yaml
- group_vars/afs-client.yaml
- group_vars/zuul-lb.yaml
- group_vars/zuul.yaml
- group_vars/zuul-executor.yaml
- group_vars/zuul-merger.yaml
- group_vars/zuul-scheduler.yaml
- group_vars/zuul-web.yaml
- host_vars/codesearch01.opendev.org.yaml
- host_vars/etherpad99.opendev.org.yaml
- host_vars/letsencrypt01.opendev.org.yaml
- host_vars/letsencrypt02.opendev.org.yaml
- host_vars/lists.openstack.org.yaml
- host_vars/gitea99.opendev.org.yaml
- host_vars/grafana01.opendev.org.yaml
- host_vars/mirror01.openafs.provider.opendev.org.yaml
- host_vars/mirror02.openafs.provider.opendev.org.yaml
- host_vars/mirror-update99.opendev.org.yaml
- host_vars/paste99.opendev.org.yaml
- host_vars/refstack01.openstack.org.yaml
- host_vars/review99.opendev.org.yaml
- name: Write lists99 host_vars.
# This file is special because it has raw tags in it that we need to
# carry through. I can't figure out a better way to do that then copying
# it directly rather than treating it as a template.
copy:
src: "files/host_vars/lists99.opendev.org.yaml"
dest: "/etc/ansible/hosts/host_vars/lists99.opendev.org.yaml"
- name: Display group membership
command: ansible localhost -m debug -a 'var=groups'
- name: Run base.yaml
shell: 'set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml 2>&1 | tee /var/log/ansible/base.yaml.log'
args:
executable: /bin/bash
- name: Run bridge service playbook
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml 2>&1 | tee /var/log/ansible/service-bridge.yaml.log'
args:
executable: /bin/bash
- name: Run dstat logger playbook
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml 2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log'
args:
executable: /bin/bash
- name: Run playbook
when: run_playbooks is defined
loop: "{{ run_playbooks }}"
shell: "set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }} 2>&1 | tee /var/log/ansible/{{ item | basename }}.log"
args:
executable: /bin/bash
- name: Build list of playbook logs
find:
paths: '/var/log/ansible'
patterns: '*.yaml.log'
register: _run_playbooks_logs
- name: Encrypt playbook logs
when: run_playbooks is defined
include_role:
name: encrypt-logs
vars:
encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible'
encrypt_logs_download_script_path: '/var/log/ansible'
- name: Run test playbook
when: run_test_playbook is defined
shell: "set -o pipefail && ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }} 2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log"
args:
executable: /bin/bash
- name: Generate testinfra extra data fixture
set_fact:
testinfra_extra_data:
zuul_job: '{{ zuul.job }}'
zuul: '{{ zuul }}'
- name: Write out testinfra extra data fixture
copy:
content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}'
dest: '/home/zuul/testinfra_extra_data_fixture.yaml'
- name: Make screenshots directory
file:
path: '/var/log/screenshots'
state: directory
- name: Return screenshots artifact
zuul_return:
data:
zuul:
artifacts:
- name: Screenshots
url: '{{ groups["prod_bastion"][0] }}/screenshots'
- name: Allow PBR's git calls to operate in system-config, despite not owning it
command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
- name: Run and collect testinfra
block:
- name: Run testinfra to validate configuration
include_role:
name: tox
vars:
tox_envlist: testinfra
# This allows us to run from external projects (like testinfra
# itself)
tox_environment:
TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml'
zuul_work_dir: src/opendev.org/opendev/system-config
always:
- name: Return testinfra report artifact
zuul_return:
data:
zuul:
artifacts:
- name: testinfra results
url: '{{ groups["prod_bastion"][0] }}/test-results.html'