system-config/playbooks/zuul/run-production-playbook-post.yaml
Ian Wienand 51611845d4
Convert production playbooks to bastion host group
Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead
of directly referring to a hostname when adding the bastion host to
the inventory for the production playbooks, this finds it from the
first element of the "bastion" group.

As we do this twice for the run and post playbooks, abstract it into a
role.

The host value is currently "bridge.openstack.org" -- as is the
existing hard-coding -- thus this is intended to be a no-op change.
It is setting the foundation to make replacing the bastion host a
simpler process in the future.

Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
2022-10-20 09:49:10 +11:00

113 lines
3.6 KiB
YAML

- hosts: localhost
roles:
- add-bastion-host
- hosts: bastion[0]
tasks:
- name: Encrypt log
when: infra_prod_playbook_encrypt_log|default(False)
block:
- name: Create temporary staging area for encrypted logs
tempfile:
state: directory
register: _encrypt_tempdir
- name: Copy log to tempdir as Zuul user
copy:
src: '/var/log/ansible/{{ playbook_name }}.log'
dest: '{{ _encrypt_tempdir.path }}'
owner: zuul
group: zuul
mode: '0644'
remote_src: yes
become: yes
- name: Encrypt logs
include_role:
name: encrypt-logs
vars:
encrypt_logs_files:
- '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log'
# Artifact URL should just point to root directory, so blank
encrypt_logs_artifact_path: ''
encrypt_logs_download_script_path: '{{ _encrypt_tempdir.path }}'
- name: Return logs
synchronize:
src: '{{ item[0] }}'
dest: '{{ item[1] }}'
mode: pull
verify_host: true
loop:
- ['{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log.gpg', '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg']
- ['{{ _encrypt_tempdir.path }}/download-logs.sh' , '{{ zuul.executor.log_root }}/download-gpg-logs.sh']
always:
- name: Remove temporary staging
file:
path: '{{ _encrypt_tempdir.path }}'
state: absent
when: _encrypt_tempdir is defined
# Not using normal zuul job roles as the bastion host is not a
# test node with all the normal bits in place.
- name: Collect log output
synchronize:
dest: "{{ zuul.executor.log_root }}/{{ playbook_name }}.log"
mode: pull
src: "/var/log/ansible/{{ playbook_name }}.log"
verify_host: true
when: infra_prod_playbook_collect_log
- name: Return playbook log artifact to Zuul
when: infra_prod_playbook_collect_log
zuul_return:
data:
zuul:
artifacts:
- name: "Playbook Log"
url: "{{ playbook_name }}.log"
metadata:
type: text
# Save files locally on bridge
- name: Get original timestamp from file header
shell: |
head -1 /var/log/ansible/{{ playbook_name }}.log | sed -n 's/^Running \(.*\):.*$/\1/p'
args:
executable: /bin/bash
register: _log_timestamp
- name: Turn timestamp into a string
set_fact:
_log_timestamp: '{{ _log_timestamp.stdout | trim }}'
- name: Rename playbook log on bridge
when: not infra_prod_playbook_collect_log
become: yes
copy:
remote_src: yes
src: "/var/log/ansible/{{ playbook_name }}.log"
dest: "/var/log/ansible/{{ playbook_name }}.log.{{ _log_timestamp }}"
# Reset the access/modification time to the timestamp in the filename; this
# makes lining things up more logical
- name: Reset file time
file:
path: '/var/log/ansible/{{ playbook_name }}.log.{{ _log_timestamp }}'
state: touch
modification_time: '{{ _log_timestamp }}'
modification_time_format: '%Y-%m-%dT%H:%M:%S'
access_time: '{{ _log_timestamp }}'
access_time_format: '%Y-%m-%dT%H:%M:%S'
become: yes
- name: Cleanup old playbook logs on bridge
when: not infra_prod_playbook_collect_log
become: yes
shell: |
find /var/log/ansible -name '{{ playbook_name }}.log.*' -type f -mtime +30 -delete