From 51611845d457191596b05bedca18d5206b2236aa Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 20 Sep 2022 15:27:15 +1000
Subject: [PATCH] Convert production playbooks to bastion host group
Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead of directly referring to a hostname when adding the bastion host to the inventory for the production playbooks, this finds it from the first element of the "bastion" group. As we do this twice for the run and post playbooks, abstract it into a role. The host value is currently "bridge.openstack.org" -- as is the existing hard-coding -- thus this is intended to be a no-op change. It is setting the foundation to make replacing the bastion host a simpler process in the future.
Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
---
playbooks/roles/add-bastion-host/README.rst | 4 ++++
.../roles/add-bastion-host/tasks/main.yaml | 21 +++++++++++++++++++
.../zuul/run-production-playbook-post.yaml | 19 ++++-------------
playbooks/zuul/run-production-playbook.yaml | 19 ++++-------------
zuul.d/infra-prod.yaml | 2 +-
5 files changed, 34 insertions(+), 31 deletions(-)
create mode 100644 playbooks/roles/add-bastion-host/README.rst
create mode 100644 playbooks/roles/add-bastion-host/tasks/main.yaml
diff --git a/playbooks/roles/add-bastion-host/README.rst b/playbooks/roles/add-bastion-host/README.rst
new file mode 100644
index 0000000000..bab34c1120
--- /dev/null
+++ b/playbooks/roles/add-bastion-host/README.rst
@@ -0,0 +1,4 @@
+Add the bastion host to the inventory dynamically
+
+For roles that run on the bastion host, it should be added to the
+inventory dynamically by the production jobs.
diff --git a/playbooks/roles/add-bastion-host/tasks/main.yaml b/playbooks/roles/add-bastion-host/tasks/main.yaml
new file mode 100644
index 0000000000..932819f258
--- /dev/null
+++ b/playbooks/roles/add-bastion-host/tasks/main.yaml
@@ -0,0 +1,21 @@
+- name: Get the bastion hostname
+ set_fact:
+ _bastion_hostname: '{{ groups["bastion"][0] }}'
+
+- name: Show bastion details
+ debug:
+ msg: "Bastion host is {{ _bastion_hostname }}"
+
+- name: Add bastion host to inventory for playbook
+ add_host:
+ name: '{{ _bastion_hostname }}'
+ groups: 'bastion'
+ ansible_python_interpreter: python3
+ ansible_user: zuul
+ # Without setting ansible_host directly, mirror-workspace-git-repos
+ # gets sad because if delegate_to localhost and with add_host that
+ # ends up with ansible_host being localhost.
+ ansible_host: '{{ _bastion_hostname }}'
+ ansible_port: 22
+ # Port 19885 is firewalled
+ zuul_console_disabled: true
diff --git a/playbooks/zuul/run-production-playbook-post.yaml b/playbooks/zuul/run-production-playbook-post.yaml
index cdfa5540a7..30c67379c7 100644
--- a/playbooks/zuul/run-production-playbook-post.yaml
+++ b/playbooks/zuul/run-production-playbook-post.yaml
@@ -1,19 +1,8 @@ - hosts: localhost - tasks: - - name: Add bridge.o.o to inventory for playbook - add_host: - name: bridge.openstack.org - ansible_python_interpreter: python3 - ansible_user: zuul - # Without setting ansible_host directly, mirror-workspace-git-repos - # gets sad because if delegate_to localhost and with add_host that - # ends up with ansible_host being localhost. - ansible_host: bridge.openstack.org - ansible_port: 22 - # Port 19885 is frewalled - zuul_console_disabled: true + roles: + - add-bastion-host -- hosts: bridge.openstack.org +- hosts: bastion[0] tasks: - name: Encrypt log when: infra_prod_playbook_encrypt_log|default(False)
@@ -62,7 +51,7 @@ state: absent when: _encrypt_tempdir is defined - # Not using normal zuul job roles as bridge.openstack.org is not a + # Not using normal zuul job roles as the bastion host is not a # test node with all the normal bits in place. - name: Collect log output synchronize:
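Review bot: `groups["bastion"][0]` in the first task of playbooks/roles/add-bastion-host/tasks/main.yaml is read without any check, so a missing or empty `bastion` group fails with a bare templating error, and a group with several members silently selects whichever host happens to be listed first as the production deployment target. That value now decides which machine the `zuul` user connects to and where the `hosts: bastion[0]` plays in run-production-playbook.yaml and run-production-playbook-post.yaml execute, so it should fail closed. I would put an `assert` task ahead of the `set_fact` with `that: groups.get("bastion", []) | length == 1` and a `fail_msg` that names the group. How the `bastion` group is populated is not visible in this patch, so whether more than one member can actually occur is an assumption to confirm.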
diff --git a/playbooks/zuul/run-production-playbook.yaml b/playbooks/zuul/run-production-playbook.yaml
index e1140dbdb3..51c3070e27 100644
--- a/playbooks/zuul/run-production-playbook.yaml
+++ b/playbooks/zuul/run-production-playbook.yaml
@@ -1,19 +1,8 @@ - hosts: localhost - tasks: - - name: Add bridge.o.o to inventory for playbook - add_host: - name: bridge.openstack.org - ansible_python_interpreter: python3 - ansible_user: zuul - # Without setting ansible_host directly, mirror-workspace-git-repos - # gets sad because if delegate_to localhost and with add_host that - # ends up with ansible_host being localhost. - ansible_host: bridge.openstack.org - ansible_port: 22 - # Port 19885 is firewalled - zuul_console_disabled: true + roles: + - add-bastion-host -- hosts: bridge.openstack.org +- hosts: bastion[0] tasks: - name: Run the production playbook and capture logs block:
@@ -27,7 +16,7 @@ become: yes shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log' - - name: Run specified playbook on bridge.o.o and redirect output + - name: Run specified playbook on bastion host and redirect output become: yes shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log' register: _run
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index 63e95dc77b..e0f496e6e2 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@@ -17,7 +17,7 @@ CD deployment of our infrastructure. Set playbook_name to specify the playbook relative to /home/zuul/src/opendev.org/opendev/system-config/playbooks - on bridge.openstack.org. + on the bastion host. abstract: true semaphores: infra-prod-playbook run: playbooks/zuul/run-production-playbook.yaml