opendev/system-config
Code Issues Proposed changes
system-config/playbooks/zuul/run-base.yaml
Jeremy Stanley a6ab3543fc Move Airship and Kata lists to Mailman 3 
This uncomments the list additions for the lists.airshipit.org and
lists.katacontainers.io sites on the new mailman server, removing
the configuration for them from the lists.opendev.org server and, in
the case of the latter, removing all our configuration management
for the server as it was the only site hosted there.

Change-Id: Ic1c735469583e922313797f709182f960e691efc
2023-09-14 12:08:34 +00:00

252 lines
9.2 KiB
YAML
Raw Blame History

- import_playbook: ../bootstrap-bridge.yaml
vars:
root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa', rstrip=False) }}"
ansible_cron_disable_job: true
cloud_launcher_disable_job: true
# setup opendev CA
- hosts: prod_bastion[0]
become: true
tasks:
- name: Make temporary dir for CA generation
tempfile:
state: directory
register: _ca_tempdir
- name: Create CA PEM/crt
shell: |
set -x
# Generate a CA key
openssl genrsa -out ca.key 2048
# Create fake CA root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt
args:
chdir: '{{ _ca_tempdir.path }}'
executable: /bin/bash
- name: Save key
slurp:
src: '{{ _ca_tempdir.path }}/ca.key'
register: _opendev_ca_key
- name: Save certificate
slurp:
src: '{{ _ca_tempdir.path }}//ca.crt'
register: _opendev_ca_certificate
- name: Cleanup tempdir
file:
path: '{{ _ca_tempdir.path }}'
state: absent
when: _ca_tempdir.path is defined
- hosts: all
become: true
tasks:
- name: Make CA directory
file:
path: '/etc/opendev-ca'
state: directory
owner: root
group: root
mode: 0600
- name: Import files
shell: 'echo "{{ item.content }}" | base64 -d > {{ item.file }}'
args:
creates: '{{ item.file }}'
loop:
- file: '/etc/opendev-ca/ca.key'
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'
- file: '/etc/opendev-ca/ca.crt'
content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
- name: Install and trust certificate
shell:
cmd: |
cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
update-ca-certificates
- hosts: prod_bastion[0]
become: true
tasks:
- name: Write inventory on bridge
include_role:
name: write-inventory
vars:
write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
write_inventory_exclude_hostvars:
- ansible_user
- ansible_python_interpreter
write_inventory_additional_hostvars:
public_v4: nodepool.private_ipv4
public_v6: nodepool.public_ipv6
- name: Add groups config for test nodes
template:
src: "templates/gate-groups.yaml.j2"
dest: "/etc/ansible/hosts/gate-groups.yaml"
- name: Update ansible.cfg to use job inventory
ini_file:
path: /etc/ansible/ansible.cfg
section: defaults
option: inventory
value: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml,/home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml,/etc/ansible/hosts/gate-groups.yaml
- name: Make host_vars directory
file:
path: "/etc/ansible/hosts/host_vars"
state: directory
- name: Make group_vars directory
file:
path: "/etc/ansible/hosts/group_vars"
state: directory
- name: Write hostvars files
vars:
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
iptables_test_public_tcp_ports:
# Zuul web console
- 19885
# selenium
- 4444
template:
src: "templates/{{ item }}.j2"
dest: "/etc/ansible/hosts/{{ item }}"
loop:
- group_vars/all.yaml
- group_vars/adns.yaml
- group_vars/adns-primary.yaml
- group_vars/bastion.yaml
- group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml
- group_vars/registry.yaml
- group_vars/gitea.yaml
- group_vars/gitea-lb.yaml
- group_vars/kerberos-kdc.yaml
- group_vars/keycloak.yaml
- group_vars/letsencrypt.yaml
- group_vars/mailman.yaml
- group_vars/meetpad.yaml
- group_vars/jvb.yaml
- group_vars/refstack.yaml
- group_vars/registry.yaml
- group_vars/control-plane-clouds.yaml
- group_vars/afs-client.yaml
- group_vars/zuul-lb.yaml
- group_vars/zuul.yaml
- group_vars/zuul-executor.yaml
- group_vars/zuul-merger.yaml
- group_vars/zuul-scheduler.yaml
- group_vars/zuul-web.yaml
- host_vars/codesearch01.opendev.org.yaml
- host_vars/etherpad99.opendev.org.yaml
- host_vars/letsencrypt01.opendev.org.yaml
- host_vars/letsencrypt02.opendev.org.yaml
- host_vars/lists.openstack.org.yaml
- host_vars/gitea99.opendev.org.yaml
- host_vars/grafana01.opendev.org.yaml
- host_vars/mirror01.openafs.provider.opendev.org.yaml
- host_vars/mirror02.openafs.provider.opendev.org.yaml
- host_vars/mirror-update99.opendev.org.yaml
- host_vars/paste99.opendev.org.yaml
- host_vars/refstack01.openstack.org.yaml
- host_vars/review99.opendev.org.yaml
- name: Write lists99 host_vars.
# This file is special because it has raw tags in it that we need to
# carry through. I can't figure out a better way to do that then copying
# it directly rather than treating it as a template.
copy:
src: "files/host_vars/lists99.opendev.org.yaml"
dest: "/etc/ansible/hosts/host_vars/lists99.opendev.org.yaml"
- name: Display group membership
command: ansible localhost -m debug -a 'var=groups'
- name: Run base.yaml
shell: 'set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml 2>&1 | tee /var/log/ansible/base.yaml.log'
args:
executable: /bin/bash
- name: Run bridge service playbook
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml 2>&1 | tee /var/log/ansible/service-bridge.yaml.log'
args:
executable: /bin/bash
- name: Run dstat logger playbook
shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml 2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log'
args:
executable: /bin/bash
- name: Run playbook
when: run_playbooks is defined
loop: "{{ run_playbooks }}"
shell: "set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }} 2>&1 | tee /var/log/ansible/{{ item | basename }}.log"
args:
executable: /bin/bash
- name: Build list of playbook logs
find:
paths: '/var/log/ansible'
patterns: '*.yaml.log'
register: _run_playbooks_logs
- name: Encrypt playbook logs
when: run_playbooks is defined
include_role:
name: encrypt-logs
vars:
encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible'
encrypt_logs_download_script_path: '/var/log/ansible'
- name: Run test playbook
when: run_test_playbook is defined
shell: "set -o pipefail && ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }} 2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log"
args:
executable: /bin/bash
- name: Generate testinfra extra data fixture
set_fact:
testinfra_extra_data:
zuul_job: '{{ zuul.job }}'
zuul: '{{ zuul }}'
- name: Write out testinfra extra data fixture
copy:
content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}'
dest: '/home/zuul/testinfra_extra_data_fixture.yaml'
- name: Make screenshots directory
file:
path: '/var/log/screenshots'
state: directory
- name: Return screenshots artifact
zuul_return:
data:
zuul:
artifacts:
- name: Screenshots
url: '{{ groups["prod_bastion"][0] }}/screenshots'
- name: Allow PBR's git calls to operate in system-config, despite not owning it
command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
- name: Run and collect testinfra
block:
- name: Run testinfra to validate configuration
include_role:
name: tox
vars:
tox_envlist: testinfra
# This allows us to run from external projects (like testinfra
# itself)
tox_environment:
TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml'
zuul_work_dir: src/opendev.org/opendev/system-config
always:
- name: Return testinfra report artifact
zuul_return:
data:
zuul:
artifacts:
- name: testinfra results
url: '{{ groups["prod_bastion"][0] }}/test-results.html'
View Git Blame Copy Permalink