
This replaces hard-coding of the host "bridge.openstack.org" with hard-coding of the first (and only) host in the group "bastion". The idea here is that we can, as much as possible, simply switch one place to an alternative hostname for the bastion such as "bridge.opendev.org" when we upgrade. This is just the testing path, for now; a follow-on will modify the production path (which doesn't really get speculatively tested). This needs to be defined in two places: 1) We need to define this in the run jobs for Zuul to use in the playbooks/zuul/run-*.yaml playbooks, as it sets up and collects logs from the testing bastion host. 2) The nested Ansible run will then use inventory inventory/service/groups.yaml. Various other places are updated to use this abstracted group as the bastion host. Variables are moved into the bastion group (which only has one host -- the actual bastion host) which means we only have to update the group mapping to the new host. This is intended to be a no-op change; all the jobs should work the same, but just using the new abstractions. Change-Id: Iffb462371939989b03e5d6ac6c5df63aa7708513
- import_playbook: ../bootstrap-bridge.yaml
  vars:
    # Private half of the per-build keypair found next to the Zuul work
    # root (by filename, presumably the key Zuul generated for this build);
    # rstrip=False keeps the file's trailing whitespace intact.
    root_rsa_key: >-
      {{ lookup('file',
      zuul.executor.work_root + '/' + zuul.build + '_id_rsa',
      rstrip=False) }}
    # Periodic jobs are switched off on the test bastion.
    ansible_cron_disable_job: true
    cloud_launcher_disable_job: true
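# setup opendev CA
#
# Generate a throwaway CA (30-day validity, see -days below) on the
# bastion and keep its key and certificate in registered facts so that the
# "hosts: all" play that follows can install it on every test node.
- hosts: bastion[0]
  become: true
  tasks:
    - name: Generate and capture the test CA
      block:
        - name: Make temporary dir for CA generation
          tempfile:
            state: directory
          register: _ca_tempdir

        - name: Create CA PEM/crt
          # -e so that a failed genrsa cannot be masked by a later
          # command that happens to exit 0; -x keeps the command trace.
          shell: |
            set -ex
            # Generate a CA key
            openssl genrsa -out ca.key 2048
            # Create fake CA root certificate
            openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt
          args:
            chdir: '{{ _ca_tempdir.path }}'
            executable: /bin/bash

        - name: Save key
          slurp:
            src: '{{ _ca_tempdir.path }}/ca.key'
          register: _opendev_ca_key
          # The base64 private key would otherwise end up in the job log.
          no_log: true

        - name: Save certificate
          slurp:
            src: '{{ _ca_tempdir.path }}/ca.crt'
          register: _opendev_ca_certificate

      # Remove the directory holding the plaintext key even if generation
      # or the slurp above failed part-way.
      always:
        - name: Cleanup tempdir
          file:
            path: '{{ _ca_tempdir.path }}'
            state: absent
          when: _ca_tempdir.path is defined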
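# Install the test CA generated on the bastion on every node (the bastion
# included) and add it to the system trust store.
- hosts: all
  become: true
  tasks:
    - name: Make CA directory
      file:
        path: '/etc/opendev-ca'
        state: directory
        owner: root
        group: root
        # Root-only; the directory holds the CA private key.  Quoted so the
        # YAML parser does not reinterpret the octal mode.
        mode: '0600'

    # The key and certificate were slurped (base64) on the bastion.  Decode
    # them with the copy module rather than echoing the material through a
    # shell command line, where it is visible to other processes and in
    # verbose task output.
    - name: Import files
      copy:
        content: '{{ item.content | b64decode }}'
        dest: '{{ item.file }}'
        owner: root
        group: root
        mode: '{{ item.mode }}'
        # Same semantics as the old "creates": never overwrite an existing
        # file.
        force: false
      loop:
        - file: '/etc/opendev-ca/ca.key'
          mode: '0600'
          content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"] }}'
        - file: '/etc/opendev-ca/ca.crt'
          mode: '0644'
          content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
      # Keep the decoded private key out of the job log.
      no_log: true

    - name: Install and trust certificate
      shell:
        cmd: |
          set -e
          cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
          update-ca-certificates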
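# Drive the nested Ansible run from the test bastion: write the job
# inventory, render the test-only host/group vars, run the production
# playbooks and collect logs, artifacts and testinfra results.
- hosts: bastion[0]
  become: true
  tasks:
    # Render the Zuul node inventory into the system-config checkout on
    # the bastion so the nested Ansible run below can use it.
    - name: Write inventory on bridge
      include_role:
        name: write-inventory
      vars:
        write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
        write_inventory_exclude_hostvars:
          - ansible_user
          - ansible_python_interpreter
        write_inventory_additional_hostvars:
          # NOTE(review): public_v4 is taken from nodepool.private_ipv4
          # while public_v6 comes from nodepool.public_ipv6 -- presumably
          # deliberate for the test nodes; confirm before changing.
          public_v4: nodepool.private_ipv4
          public_v6: nodepool.public_ipv6

    - name: Add groups config for test nodes
      template:
        src: "templates/gate-groups.yaml.j2"
        dest: "/etc/ansible/hosts/gate-groups.yaml"

    # Inventory sources for the nested run, in this order: the generated
    # test-node inventory, the production group definitions and the
    # test-only group overrides rendered above.
    - name: Update ansible.cfg to use job inventory
      vars:
        _job_inventory_sources:
          - /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
          - /home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml
          - /etc/ansible/hosts/gate-groups.yaml
      ini_file:
        path: /etc/ansible/ansible.cfg
        section: defaults
        option: inventory
        value: "{{ _job_inventory_sources | join(',') }}"

    - name: Make host_vars directory
      file:
        path: "/etc/ansible/hosts/host_vars"
        state: directory

    - name: Make group_vars directory
      file:
        path: "/etc/ansible/hosts/group_vars"
        state: directory

    # Each template is rendered once; keep the list free of duplicates
    # (group_vars/registry.yaml was previously listed twice).
    - name: Write hostvars files
      vars:
        bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
        bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
        # Public half of the per-build keypair (by filename, the same key
        # whose private half is passed to bootstrap-bridge as root_rsa_key).
        bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
        iptables_test_public_tcp_ports:
          # Zuul web console
          - 19885
          # selenium
          - 4444
      template:
        src: "templates/{{ item }}.j2"
        dest: "/etc/ansible/hosts/{{ item }}"
      loop:
        - group_vars/all.yaml
        - group_vars/adns.yaml
        - group_vars/bastion.yaml
        - group_vars/eavesdrop.yaml
        - group_vars/nodepool.yaml
        - group_vars/ns.yaml
        - group_vars/registry.yaml
        - group_vars/gitea.yaml
        - group_vars/gitea-lb.yaml
        - group_vars/kerberos-kdc.yaml
        - group_vars/keycloak.yaml
        - group_vars/letsencrypt.yaml
        - group_vars/meetpad.yaml
        - group_vars/jvb.yaml
        - group_vars/refstack.yaml
        - group_vars/control-plane-clouds.yaml
        - group_vars/afs-client.yaml
        - group_vars/zuul-lb.yaml
        - group_vars/zuul.yaml
        - group_vars/zuul-executor.yaml
        - group_vars/zuul-merger.yaml
        - group_vars/zuul-scheduler.yaml
        - group_vars/zuul-web.yaml
        - host_vars/codesearch01.opendev.org.yaml
        - host_vars/etherpad01.opendev.org.yaml
        - host_vars/letsencrypt01.opendev.org.yaml
        - host_vars/letsencrypt02.opendev.org.yaml
        - host_vars/lists.openstack.org.yaml
        - host_vars/lists.katacontainers.io.yaml
        - host_vars/gitea99.opendev.org.yaml
        - host_vars/grafana01.opendev.org.yaml
        - host_vars/mirror01.openafs.provider.opendev.org.yaml
        - host_vars/mirror02.openafs.provider.opendev.org.yaml
        - host_vars/mirror-update99.opendev.org.yaml
        - host_vars/paste99.opendev.org.yaml
        - host_vars/refstack01.openstack.org.yaml
        - host_vars/review99.opendev.org.yaml

    - name: Display group membership
      command: ansible localhost -m debug -a 'var=groups'

    # Each nested playbook is run with pipefail so a failing ansible-playbook
    # is not hidden behind the tee that captures its log.
    - name: Run base.yaml
      shell: >-
        set -o pipefail &&
        ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
        2>&1 | tee /var/log/ansible/base.yaml.log
      args:
        executable: /bin/bash

    - name: Run bridge service playbook
      shell: >-
        set -o pipefail &&
        ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml
        2>&1 | tee /var/log/ansible/service-bridge.yaml.log
      args:
        executable: /bin/bash

    - name: Run dstat logger playbook
      shell: >-
        set -o pipefail &&
        ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml
        2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log
      args:
        executable: /bin/bash

    - name: Run playbook
      when: run_playbooks is defined
      loop: "{{ run_playbooks }}"
      shell: >-
        set -o pipefail &&
        ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }}
        2>&1 | tee /var/log/ansible/{{ item | basename }}.log
      args:
        executable: /bin/bash

    # Runs unconditionally so the registered list exists (possibly empty)
    # whether or not run_playbooks is set.
    - name: Build list of playbook logs
      find:
        paths: '/var/log/ansible'
        patterns: '*.yaml.log'
      register: _run_playbooks_logs

    - name: Encrypt playbook logs
      when: run_playbooks is defined
      include_role:
        name: encrypt-logs
      vars:
        encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
        encrypt_logs_artifact_path: '{{ groups["bastion"][0] }}/ansible'
        encrypt_logs_download_script_path: '/var/log/ansible'

    - name: Run test playbook
      when: run_test_playbook is defined
      shell: >-
        set -o pipefail &&
        ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles
        ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }}
        2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log
      args:
        executable: /bin/bash

    # The job name and the whole zuul variable are written to a fixture
    # that testinfra reads through TESTINFRA_EXTRA_DATA below.
    - name: Generate testinfra extra data fixture
      set_fact:
        testinfra_extra_data:
          zuul_job: '{{ zuul.job }}'
          zuul: '{{ zuul }}'

    - name: Write out testinfra extra data fixture
      copy:
        content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}'
        dest: '/home/zuul/testinfra_extra_data_fixture.yaml'

    - name: Make screenshots directory
      file:
        path: '/var/log/screenshots'
        state: directory

    - name: Return screenshots artifact
      zuul_return:
        data:
          zuul:
            artifacts:
              - name: Screenshots
                url: '{{ groups["bastion"][0] }}/screenshots'

    # become is true for this play, so this edits root's global git config.
    - name: Allow PBR's git calls to operate in system-config, despite not owning it
      command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config

    - name: Run and collect testinfra
      block:
        - name: Run testinfra to validate configuration
          include_role:
            name: tox
          vars:
            tox_envlist: testinfra
            # This allows us to run from external projects (like testinfra
            # itself)
            tox_environment:
              TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml'
            zuul_work_dir: src/opendev.org/opendev/system-config
      # Publish the report even when testinfra itself failed.
      always:
        - name: Return testinfra report artifact
          zuul_return:
            data:
              zuul:
                artifacts:
                  - name: testinfra results
                    url: '{{ groups["bastion"][0] }}/test-results.html'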