- import_playbook: ../bootstrap-bridge.yaml vars: root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa', rstrip=False) }}" ansible_cron_disable_job: true cloud_launcher_disable_job: true # setup opendev CA - hosts: prod_bastion[0] become: true tasks: - name: Make temporary dir for CA generation tempfile: state: directory register: _ca_tempdir - name: Create CA PEM/crt shell: | set -x # Generate a CA key openssl genrsa -out ca.key 2048 # Create fake CA root certificate openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt args: chdir: '{{ _ca_tempdir.path }}' executable: /bin/bash - name: Save key slurp: src: '{{ _ca_tempdir.path }}/ca.key' register: _opendev_ca_key - name: Save certificate slurp: src: '{{ _ca_tempdir.path }}//ca.crt' register: _opendev_ca_certificate - name: Cleanup tempdir file: path: '{{ _ca_tempdir.path }}' state: absent when: _ca_tempdir.path is defined - hosts: all become: true tasks: - name: Make CA directory file: path: '/etc/opendev-ca' state: directory owner: root group: root mode: 0600 - name: Import files shell: 'echo "{{ item.content }}" | base64 -d > {{ item.file }}' args: creates: '{{ item.file }}' loop: - file: '/etc/opendev-ca/ca.key' content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}' - file: '/etc/opendev-ca/ca.crt' content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}' - name: Install and trust certificate shell: cmd: | cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt update-ca-certificates - hosts: prod_bastion[0] become: true tasks: - name: Write inventory on bridge include_role: name: write-inventory vars: write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml write_inventory_exclude_hostvars: - ansible_user - ansible_python_interpreter write_inventory_additional_hostvars: public_v4: nodepool.private_ipv4 public_v6: nodepool.public_ipv6 - name: Add groups config for test nodes template: src: "templates/gate-groups.yaml.j2" dest: "/etc/ansible/hosts/gate-groups.yaml" - name: Update ansible.cfg to use job inventory ini_file: path: /etc/ansible/ansible.cfg section: defaults option: inventory value: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml,/home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml,/etc/ansible/hosts/gate-groups.yaml - name: Make host_vars directory file: path: "/etc/ansible/hosts/host_vars" state: directory - name: Make group_vars directory file: path: "/etc/ansible/hosts/group_vars" state: directory - name: Write hostvars files vars: bastion_ipv4: "{{ nodepool['public_ipv4'] }}" bastion_ipv6: "{{ nodepool['public_ipv6'] }}" bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}" iptables_test_public_tcp_ports: # Zuul web console - 19885 # selenium - 4444 template: src: "templates/{{ item }}.j2" dest: "/etc/ansible/hosts/{{ item }}" loop: - group_vars/all.yaml - group_vars/adns.yaml - group_vars/adns-primary.yaml - group_vars/bastion.yaml - group_vars/eavesdrop.yaml - group_vars/nodepool.yaml - group_vars/registry.yaml - group_vars/gitea.yaml - group_vars/gitea-lb.yaml - group_vars/kerberos-kdc.yaml - group_vars/keycloak.yaml - group_vars/letsencrypt.yaml - group_vars/mailman.yaml - group_vars/meetpad.yaml - group_vars/jvb.yaml - group_vars/refstack.yaml - group_vars/registry.yaml - group_vars/control-plane-clouds.yaml - group_vars/afs-client.yaml - group_vars/zuul-lb.yaml - group_vars/zuul.yaml - group_vars/zuul-executor.yaml - group_vars/zuul-merger.yaml - group_vars/zuul-scheduler.yaml - group_vars/zuul-web.yaml - host_vars/codesearch01.opendev.org.yaml - host_vars/etherpad99.opendev.org.yaml - host_vars/letsencrypt01.opendev.org.yaml - host_vars/letsencrypt02.opendev.org.yaml - host_vars/lists.openstack.org.yaml - host_vars/gitea99.opendev.org.yaml - host_vars/grafana01.opendev.org.yaml - host_vars/mirror01.openafs.provider.opendev.org.yaml - host_vars/mirror02.openafs.provider.opendev.org.yaml - host_vars/mirror-update99.opendev.org.yaml - host_vars/paste99.opendev.org.yaml - host_vars/refstack01.openstack.org.yaml - host_vars/review99.opendev.org.yaml - name: Write lists99 host_vars. # This file is special because it has raw tags in it that we need to # carry through. I can't figure out a better way to do that then copying # it directly rather than treating it as a template. copy: src: "files/host_vars/lists99.opendev.org.yaml" dest: "/etc/ansible/hosts/host_vars/lists99.opendev.org.yaml" - name: Display group membership command: ansible localhost -m debug -a 'var=groups' - name: Run base.yaml shell: 'set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml 2>&1 | tee /var/log/ansible/base.yaml.log' args: executable: /bin/bash - name: Run bridge service playbook shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml 2>&1 | tee /var/log/ansible/service-bridge.yaml.log' args: executable: /bin/bash - name: Run dstat logger playbook shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml 2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log' args: executable: /bin/bash - name: Run playbook when: run_playbooks is defined loop: "{{ run_playbooks }}" shell: "set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }} 2>&1 | tee /var/log/ansible/{{ item | basename }}.log" args: executable: /bin/bash - name: Build list of playbook logs find: paths: '/var/log/ansible' patterns: '*.yaml.log' register: _run_playbooks_logs - name: Encrypt playbook logs when: run_playbooks is defined include_role: name: encrypt-logs vars: encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}' encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible' encrypt_logs_download_script_path: '/var/log/ansible' - name: Run test playbook when: run_test_playbook is defined shell: "set -o pipefail && ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }} 2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log" args: executable: /bin/bash - name: Generate testinfra extra data fixture set_fact: testinfra_extra_data: zuul_job: '{{ zuul.job }}' zuul: '{{ zuul }}' - name: Write out testinfra extra data fixture copy: content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}' dest: '/home/zuul/testinfra_extra_data_fixture.yaml' - name: Make screenshots directory file: path: '/var/log/screenshots' state: directory - name: Return screenshots artifact zuul_return: data: zuul: artifacts: - name: Screenshots url: '{{ groups["prod_bastion"][0] }}/screenshots' - name: Allow PBR's git calls to operate in system-config, despite not owning it command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config - name: Run and collect testinfra block: - name: Run testinfra to validate configuration include_role: name: tox vars: tox_envlist: testinfra # This allows us to run from external projects (like testinfra # itself) tox_environment: TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml' zuul_work_dir: src/opendev.org/opendev/system-config always: - name: Return testinfra report artifact zuul_return: data: zuul: artifacts: - name: testinfra results url: '{{ groups["prod_bastion"][0] }}/test-results.html'