infra-prod: split out setup steps

This should be a production no-op; it splits the key and source setup
into a separate playbooks, but imports them both in pre.yaml in the
same order.

Currently this job sets up the executor so that it can log into bridge
to run the playbooks, then clones the system-config state into
/home/zuul/src/opendev.org/opendev/system-config on bridge.

This presents a problem for parallel operation; every production job
will overwrite each other's system-config checkout.  This is
unnecessary since they are all working in the context of the same
buildset -- we only need to populate system-config on bridge once at
the start and all deployment jobs can share that checkout.

Thus we add two extra jobs to split up the operation of the existing
opendev-infra-prod-base job.

 opendev-infra-prod-setup-src sets up the keys so the executor can log
  into bridge and also replicates the state of system-config onto
  bridge for this buildset.  This is intended to run once per buildset.

 opendev-infra-prod-setup-keys just sets up the keys so that the
  executor can run production playbooks.  It is intended that
  opendev-infra-prod-setup-src will have already run to put the
  correct changeset of system-config on bridge.o.o.  This way,
  production jobs can run in parallel all using the same copy of the
  source without overwriting it.

These are used in https://review.opendev.org/c/opendev/system-config/+/807808

(This will eventually leave opendev-infra-prod-base unused, it can be
cleaned up in a follow-on)

Change-Id: I1bbf4f1402938216401dd924da62aa869a08875b

doc/source/misc-jobs.rst

@@ -15,3 +15,5 @@ Specialized Jobs
 These jobs are not for general use.
 
 .. zuul:autojob:: opendev-infra-prod-base
+.. zuul:autojob:: opendev-infra-prod-setup-src
+.. zuul:autojob:: opendev-infra-prod-setup-keys

playbooks/infra-prod/pre.yaml

@@ -1,59 +1,5 @@
-- hosts: localhost
-  tasks:
-    - name: Add bridge.o.o to inventory
-      add_host:
-        name: bridge.openstack.org
-        ansible_python_interpreter: python3
-        ansible_user: zuul
-        # Without setting ansible_host directly, mirror-workspace-git-repos
-        # gets sad because if delegate_to localhost and with add_host that
-        # ends up with ansible_host being localhost.
-        ansible_host: bridge.openstack.org
-        ansible_port: 22
+- name: Setup keys
+  import_playbook: setup-keys.yaml
 
-- hosts: localhost
-  tasks:
-    - name: Add bridge.o.o hostkey to known hosts
-      known_hosts:
-        name: bridge.openstack.org
-        key: "bridge.openstack.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxRzDkWvvVQtsLTAqAwedRWA84/42KKVdFS0QP8lZFsMpgTXUhjipJ7VcFun5gM87tnt0J71rlN+ospBh0/1wfp2jASEskUyGhXAa5xHjnJN7veUyW+AggEosK/OTunvZgf54p1sQg45Sq/uCjc0Ua0fRMOq2o5z/mgpl6rSjLOlWi9wKA/6axnUbs9w4iD5esyBQ+VcISSJOTqhAo/3UG0NwCU+6Ggwwhg0nl5iCMpQfq4A207IbJ72MkJzlQgW3edsRb5POzdZcGxkTYvVdP3kgHP4Bof3MFFZjBUMz6SuRQyNV5poysMtbtlO0SvgAJNhXr6Vn0GA9XhqFP6+HT"
-
-- hosts: bridge.openstack.org
-  tasks:
-    - name: "Make sure a manaul maint isn't going on"
-      wait_for:
-        path: /home/zuul/DISABLE-ANSIBLE
-        state: absent
-        sleep: 10
-        timeout: 3600 # Wait for an hour before bailing
-
-    - name: "Correct ownership of repos"
-      command: "chown -R zuul:zuul /home/zuul/src"
-      # E303: Skip linting since it triggers on the "chown" command,
-      # but we prefer the shell above
-      tags:
-        - skip_ansible_lint
-      # Ignore the error if the dir doesn't exist
-      ignore_errors: true
-      # Do this as root, because it needs to chown root-owned files
-      become: true
-
-    # This role executes code on the executor, so this needs to be in
-    # a trusted playbook.
-    - name: Synchronize src repos to workspace directory.
-      include_role:
-        name: prepare-workspace-git
-
-    # When running from periodic/hourly we want to explicitly override
-    # to run from the tip of master
-    - name: Should we run from master
-      set_fact:
-        infra_prod_run_from_master: "{{ zuul.pipeline|default('') in ['periodic', 'opendev-prod-hourly'] }}"
-
-    - name: Update from master
-      when: infra_prod_run_from_master|bool
-      git:
-        repo: https://opendev.org/opendev/system-config
-        dest: /home/zuul/src/opendev.org/opendev/system-config
-        force: yes
-        version: master
+- name: Setup source
+  import_playbook: setup-source.yaml

playbooks/infra-prod/setup-keys.yaml

@@ -0,0 +1,18 @@
+- hosts: localhost
+  tasks:
+    - name: Add bridge.o.o to inventory
+      add_host:
+        name: bridge.openstack.org
+        ansible_python_interpreter: python3
+        ansible_user: zuul
+        # Without setting ansible_host directly, mirror-workspace-git-repos
+        # gets sad because if delegate_to localhost and with add_host that
+        # ends up with ansible_host being localhost.
+        ansible_host: bridge.openstack.org
+        ansible_port: 22
+
+    - name: Add bridge.o.o hostkey to known hosts
+      known_hosts:
+        name: bridge.openstack.org
+        key: "bridge.openstack.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxRzDkWvvVQtsLTAqAwedRWA84/42KKVdFS0QP8lZFsMpgTXUhjipJ7VcFun5gM87tnt0J71rlN+ospBh0/1wfp2jASEskUyGhXAa5xHjnJN7veUyW+AggEosK/OTunvZgf54p1sQg45Sq/uCjc0Ua0fRMOq2o5z/mgpl6rSjLOlWi9wKA/6axnUbs9w4iD5esyBQ+VcISSJOTqhAo/3UG0NwCU+6Ggwwhg0nl5iCMpQfq4A207IbJ72MkJzlQgW3edsRb5POzdZcGxkTYvVdP3kgHP4Bof3MFFZjBUMz6SuRQyNV5poysMtbtlO0SvgAJNhXr6Vn0GA9XhqFP6+HT"
+

playbooks/infra-prod/setup-source.yaml

@@ -0,0 +1,39 @@
+- hosts: bridge.openstack.org
+  tasks:
+    - name: "Make sure a manual maintenance isn't going on"
+      wait_for:
+        path: /home/zuul/DISABLE-ANSIBLE
+        state: absent
+        sleep: 10
+        timeout: 3600 # Wait for an hour before bailing
+
+    - name: "Correct ownership of repos"
+      command: "chown -R zuul:zuul /home/zuul/src"
+      # E303: Skip linting since it triggers on the "chown" command,
+      # but we prefer the shell above
+      tags:
+        - skip_ansible_lint
+      # Ignore the error if the dir doesn't exist
+      ignore_errors: true
+      # Do this as root, because it needs to chown root-owned files
+      become: true
+
+    # This role executes code on the executor, so this needs to be in
+    # a trusted playbook.
+    - name: Synchronize src repos to workspace directory.
+      include_role:
+        name: prepare-workspace-git
+
+    # When running from periodic/hourly we want to explicitly override
+    # to run from the tip of master
+    - name: Should we run from master
+      set_fact:
+        infra_prod_run_from_master: "{{ zuul.pipeline|default('') in ['periodic', 'opendev-prod-hourly'] }}"
+
+    - name: Update from master
+      when: infra_prod_run_from_master|bool
+      git:
+        repo: https://opendev.org/opendev/system-config
+        dest: /home/zuul/src/opendev.org/opendev/system-config
+        force: yes
+        version: master

zuul.d/jobs.yaml

@@ -600,3 +600,23 @@
       This is not for general use.
     abstract: true
     pre-run: playbooks/infra-prod/pre.yaml
+
+- job:
+    name: opendev-infra-prod-setup-src
+    description: |
+      A base job for replicating source to OpenDev's bridge.
+
+      This is not for general use.
+    abstract: true
+    pre-run:
+      - playbooks/infra-prod/setup-keys.yaml
+      - playbooks/infra-prod/setup-src.yaml
+
+- job:
+    name: opendev-infra-prod-setup-keys
+    description: |
+      A base job for allowing executors to log into OpenDev's bridge.
+
+      This is not for general use.
+    abstract: true
+    pre-run: playbooks/infra-prod/setup-keys.yaml