Merge "Reference bastion through prod_bastion group"

Zuul 2022-11-07 22:03:17 +00:00 committed by Gerrit Code Review
commit 3b60679d6b
9 changed files with 20 additions and 22 deletions


@ -15,10 +15,8 @@ groups:
- afsdb*.open*.org - afsdb*.open*.org
- afs[0-9]*.open*.org - afs[0-9]*.open*.org
- static[0-9]*.opendev.org - static[0-9]*.opendev.org
# bastion group should should only have one entry because we assume
# groups['bastion'][0] is the bastion host name in several places.
bastion: bastion:
- bridge01.opendev.org - bridge*.opendev.org
borg-backup: borg-backup:
- etherpad[0-9]*.opendev.org - etherpad[0-9]*.opendev.org
- gitea01.opendev.org - gitea01.opendev.org
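Review bot: The `bastion` entry now matches by glob (`bridge*.opendev.org`) and the comment requiring exactly one member is dropped, so every inventory host whose name fits the pattern joins a group that presumably gates bastion-level access. Uses of `groups['bastion']` outside this commit are not visible here; any that remain (key or firewall rules, for instance) would silently widen to all matches. I would keep a comment above the entry that states the new contract, for example `# May match several hosts; playbooks needing the one active bastion must target prod_bastion[0], not this group.`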


@ -12,7 +12,7 @@
# In both cases, the "bastion" group has one entry, which is the # In both cases, the "bastion" group has one entry, which is the
# bastion host to run against. # bastion host to run against.
- hosts: bastion[0]:!disabled - hosts: prod_bastion[0]:!disabled
name: "Bridge: bootstrap the bastion host" name: "Bridge: bootstrap the bastion host"
become: true become: true
tasks: tasks:
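Review bot: The context comment directly above the changed `hosts:` line still says the "bastion" group has one entry, but the play now targets `prod_bastion[0]`, and judging by the inventory change in this commit `bastion` is no longer guaranteed to hold a single host. The comment should name the group actually used, e.g. `# In both cases, the "prod_bastion" group has one entry, which is the`. The comment block begins above the hunk, so its earlier lines may need the same update.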


@ -1,7 +1,7 @@
- name: Add bastion host to inventory for production playbook - name: Add bastion host to inventory for production playbook
add_host: add_host:
name: 'bridge01.opendev.org' name: 'bridge01.opendev.org'
groups: 'bastion' groups: 'prod_bastion'
ansible_python_interpreter: python3 ansible_python_interpreter: python3
ansible_user: zuul ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos # Without setting ansible_host directly, mirror-workspace-git-repos


@ -28,7 +28,7 @@
- include_role: - include_role:
name: stage-output name: stage-output
- hosts: bastion - hosts: prod_bastion[0]
tasks: tasks:
- name: Set log directory - name: Set log directory
set_fact: set_fact:
@ -69,7 +69,7 @@
zuul: zuul:
artifacts: artifacts:
- name: ARA report - name: ARA report
url: '{{ groups["bastion"][0] }}/ara-report/' url: '{{ groups["prod_bastion"][0] }}/ara-report/'
- name: Collect ansible configuration - name: Collect ansible configuration
synchronize: synchronize:


@ -5,7 +5,7 @@
cloud_launcher_disable_job: true cloud_launcher_disable_job: true
# setup opendev CA # setup opendev CA
- hosts: bastion[0] - hosts: prod_bastion[0]
become: true become: true
tasks: tasks:
- name: Make temporary dir for CA generation - name: Make temporary dir for CA generation
@ -57,9 +57,9 @@
creates: '{{ item.file }}' creates: '{{ item.file }}'
loop: loop:
- file: '/etc/opendev-ca/ca.key' - file: '/etc/opendev-ca/ca.key'
content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"] }}' content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'
- file: '/etc/opendev-ca/ca.crt' - file: '/etc/opendev-ca/ca.crt'
content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_certificate"]["content"] }}' content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
- name: Install and trust certificate - name: Install and trust certificate
shell: shell:
@ -67,7 +67,7 @@
cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
update-ca-certificates update-ca-certificates
- hosts: bastion[0] - hosts: prod_bastion[0]
become: true become: true
tasks: tasks:
- name: Write inventory on bridge - name: Write inventory on bridge
@ -185,7 +185,7 @@
name: encrypt-logs name: encrypt-logs
vars: vars:
encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}' encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
encrypt_logs_artifact_path: '{{ groups["bastion"][0] }}/ansible' encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible'
encrypt_logs_download_script_path: '/var/log/ansible' encrypt_logs_download_script_path: '/var/log/ansible'
- name: Run test playbook - name: Run test playbook
@ -216,7 +216,7 @@
zuul: zuul:
artifacts: artifacts:
- name: Screenshots - name: Screenshots
url: '{{ groups["bastion"][0] }}/screenshots' url: '{{ groups["prod_bastion"][0] }}/screenshots'
- name: Allow PBR's git calls to operate in system-config, despite not owning it - name: Allow PBR's git calls to operate in system-config, despite not owning it
command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
@ -240,4 +240,4 @@
zuul: zuul:
artifacts: artifacts:
- name: testinfra results - name: testinfra results
url: '{{ groups["bastion"][0] }}/test-results.html' url: '{{ groups["prod_bastion"][0] }}/test-results.html'
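Review bot: In the -57,9 hunk the loop items carry the CA private key as `content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'`, and Ansible prints each loop item in task output by default, so the key material can end up in job logs. The task header is outside the hunk, so this may already be handled; if it is not, add `no_log: true` to the task or a `loop_control:` with `label: '{{ item.file }}'`. Separately, every `groups["prod_bastion"][0]` lookup in this file fails with an undefined-variable error when a nodeset does not define that group, so an early `assert` that `groups["prod_bastion"] | length == 1` would give a clearer failure than a templating error deep in the run.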


@ -1,4 +1,4 @@
- hosts: bastion[0] - hosts: prod_bastion[0]
connection: local connection: local
tasks: tasks:
- name: Install root keys - name: Install root keys


@ -2,7 +2,7 @@
roles: roles:
- add-bastion-host - add-bastion-host
- hosts: bastion[0] - hosts: prod_bastion[0]
tasks: tasks:
- name: Encrypt log - name: Encrypt log
when: infra_prod_playbook_encrypt_log|default(False) when: infra_prod_playbook_encrypt_log|default(False)


@ -2,7 +2,7 @@
roles: roles:
- add-bastion-host - add-bastion-host
- hosts: bastion[0] - hosts: prod_bastion[0]
tasks: tasks:
- name: Run the production playbook and capture logs - name: Run the production playbook and capture logs
block: block:


@ -59,7 +59,7 @@
currently in use. currently in use.
nodeset: nodeset:
nodes: nodes:
- &bridge_node_x86 { name: bridge01.opendev.org, label: ubuntu-jammy } - &bridge_node_x86 { name: bridge99.opendev.org, label: ubuntu-jammy }
- name: xenial - name: xenial
label: ubuntu-xenial label: ubuntu-xenial
- name: bionic - name: bionic
@ -81,7 +81,7 @@
# bridge node. This node will then run a nested Ansible to # bridge node. This node will then run a nested Ansible to
# test the production playbooks -- *that* Ansible has a # test the production playbooks -- *that* Ansible has a
# "bastion" group too # "bastion" group too
- &bastion_group { name: bastion, nodes: [ bridge01.opendev.org ] } - &bastion_group { name: prod_bastion, nodes: [ bridge99.opendev.org ] }
files: files:
- tox.ini - tox.ini
- playbooks/ - playbooks/
@ -138,7 +138,7 @@
Run the "base" playbook on ARM64. Run the "base" playbook on ARM64.
nodeset: nodeset:
nodes: nodes:
- &bridge_node_arm64 { name: bridge01.opendev.org, label: ubuntu-jammy-arm64 } - &bridge_node_arm64 { name: bridge99.opendev.org, label: ubuntu-jammy-arm64 }
- name: bionic - name: bionic
label: ubuntu-bionic-arm64 label: ubuntu-bionic-arm64
- name: focal - name: focal
@ -228,7 +228,7 @@
# Make sure this test runs acme.sh # Make sure this test runs acme.sh
letsencrypt_self_generate_tokens: False letsencrypt_self_generate_tokens: False
host-vars: host-vars:
bridge01.opendev.org: bridge99.opendev.org:
host_copy_output: host_copy_output:
'/var/lib/certcheck': logs '/var/lib/certcheck': logs
letsencrypt01.opendev.org: letsencrypt01.opendev.org:
@ -967,7 +967,7 @@
'/etc/hosts': logs '/etc/hosts': logs
'/etc/zuul/zuul.conf': logs '/etc/zuul/zuul.conf': logs
'/var/log/zuul/debug.log': logs '/var/log/zuul/debug.log': logs
bridge01.opendev.org: bridge99.opendev.org:
host_copy_output: host_copy_output:
'/etc/hosts': logs '/etc/hosts': logs
zuul-lb01.opendev.org: zuul-lb01.opendev.org:
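Review bot: The comment above `&bastion_group` in the -81,7 hunk still ends with `"bastion" group too`, while the nodeset group it documents is now `prod_bastion`, so a reader can no longer tell which group the outer Zuul run and the nested Ansible each rely on. I would reword the tail of that comment to say that this nodeset defines `prod_bastion` for the outer run and that the nested inventory's `bastion` group is separate and matched by host-name pattern. The comment starts above the hunk, so only its last lines are visible here. The anchor name `&bastion_group` could also become `&prod_bastion_group` for consistency, provided every alias elsewhere in the file is renamed with it.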