edab04d5ef
This refactors the docs publication/promote jobs so that there are base versions which can be consumed by tenants who will supply their own AFS secrets, as well as versions for use in this tenant (which consume the base versions in exactly the way another tenant would). The documentation policies for the tenant are encoded in the secret, so each tenant can choose the publication locations and scheme once and allow all projects within that tenant to use these jobs. Change-Id: I8f201c0351d4d532ddcbcf1f22f9297dece04fff
411 lines
16 KiB
YAML
411 lines
16 KiB
YAML
# Shared zuul config common to all opendev tenants.
|
|
# Contains definitions of trusted jobs
|
|
|
|
|
|
# Changes to this job require a special procedure, because they can
|
|
# not be tested before landing, and if they are faulty, they will
|
|
# break all jobs, meaning subsequent corrections will not be able to
|
|
# land. To make a change:
|
|
#
|
|
# 1) Ensure that base-test and its playbooks are identical to base.
|
|
# 2) Make the change to base-test and/or its playbooks.
|
|
# 3) Merge the change from step 2. No jobs normally use base-test, so
|
|
# this is safe.
|
|
# 4) Propose a change to a job to reparent it to base-test. Choose a
|
|
# job which will exercise whatever you are changing. The
|
|
# "unittests" job in zuul-jobs is a good choice. Use [DNM] in the
|
|
# commit subject so that people know not to merge the change. Set
|
|
# it to "Work in progress" so people don't review it.
|
|
# 5) Once test results arrive for the change in step 2, make a change
|
|
# which copies the job and/or playbooks of base-test to base. In
|
|
# the commit message, link to (without using Depends-On:) the
|
|
# change from step 4 so reviewers can see the test results.
|
|
# 6) Once the change in step 5 merges, abandon the change from step 4.
|
|
|
|
- secret:
|
|
name: site_logs
|
|
data:
|
|
fqdn: logs.openstack.org
|
|
path: /srv/static/logs
|
|
ssh_known_hosts: |
|
|
logs.openstack.org,23.253.108.137,2001:4800:7817:104:be76:4eff:fe05:dbee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDcvLuGLagUAZfc0BThLus8ufSPCrIhDtG0BdXvhblJjvIbkuELD3dRWRZVSYZAdzGZRY3t6vTAcguTrkbQg5ngXfdfF+OKPkaH8DiZwAX/1g/iRXhInkZTGBVqHo9pLAMeNNwviSy2JjpTqdD6fLEkHwW+uw4E2YZhYivctTSbOepMkzAtFV0w5cpyBzjAT/Hax2x5un6es8R0Iw3AAnUmtapn5e5NCrg2rPNpd0nve84wUavvbC2DeGDOZQdnIahwo60Sder5ZE/x6cG39bkSDdgFQArAzrNrH6BHmNGjfFPpnGmfc7P8gQwDPtMf02HvKapqATXpIxdbSGimWLL
|
|
ssh_username: jenkins
|
|
ssh_private_key: !encrypted/pkcs1-oaep
|
|
- t9SCvfU4po36HYV0yCxivgaDF+L6BQVUGramqW3dgARxP+Mdl51h1+K/8EdNke0wzfDWX
|
|
tdVL6Vsh4D5/evfLuBgeILjXT/pzozfhDksjz78TiWBnFQyiC3FHwVB6tZ9903fIiltw5
|
|
aXg9AB3iYxSE/XQUKU3ThCt7zDJ0FoTrASVlKWaGeeMUiLBSaXaNrRTEFWyUJn7OU3nrj
|
|
646ac7QJnkZ5j/kQbKDdWF73tCrL69fOoHHZtc0QbnizbBRjdVyECktVy3jvYfIAEdsKW
|
|
Apg1HCQBJETe64PQR1OKv18sC6MdfSVP//8mpOAMdVeJzfNqkk83V1IBWHWTQgIAAyt/4
|
|
wB0aXUjX2rwMkInJfO6g2b+tMUajqEntib6IRKKXMb7/kS7ZcXwDkMj6bxBmnKgMLSx89
|
|
+fhBnYLoaNv9keBlDLtGc62glO3B9TxcxNzOFuBp0mLPR28v6DXBn0uXJwzdqXf1WAUsQ
|
|
m6BKVE34J99vuzHFDn7J0ov/biZtJLAsD6q0enBm0nJQPuXfrW0c/jcUO4D+SjStBo/t+
|
|
ZLMzzJvoygXTBFkiDX+6icIzLJMbpS8rBrGj+NbE+k1Lzni9Gq9Wo2xgDnGPwWDD97eup
|
|
H3cCIfhcFCP9m9YINLxxsJzpK8+Xss7LNqN8NbEbLPAbDH7b+rqIjoBPEAfVPM=
|
|
- C/Oz2r1fTYChvAbFpOdCF7+ZmEzSDYphP7fY/ENTOlvhq98QS3fGxRqj+oNEEppnM1oS1
|
|
Cc/bR3kzSqgMK629H0qVVqJhR0ffNT6ip6CIP2BkAaqT/6yUY5tp0BjZyC+O7tV6QtWkq
|
|
gj6k/cJcgT7JKMLSN4zjdO1A9qeLpjc9y98lArIeYXFvJHpXC9J8Vj8Fd+ODhH/YUUEkQ
|
|
nqCXcBTd2k1RFEWvCVRN7tKkiuAa4HPPmj+In9TKw3j2grn3LMmkUrQn5G7bWyuzQGp2u
|
|
2pVwvYNSEKxJiMMA0pTNLDMKaA5kvCQsQdt61FVN3AYZyCEbXq/6Is+JKoiZjBeyfUurB
|
|
btEoPNpjVmPQysCrvakSfbMi+Pn3jrZToxRNC30r1LWdHfKo0ovVRN0CEfce3suRu7uP8
|
|
BXH7Ow4sYKF5FLjzwzCO6VuoDg+SrfjbBwnzoySIsB3CXXieMUj+0ytfG1FBmKg2IiLQ7
|
|
Eaz+G4gCMe+1dMG87cKmizz7vC21ZFyeF3C2jBmXMMRvFgLCphHZOPfUOcy2yCPPFYmsg
|
|
2DBxx2VrvcPljTW6woVbb4Kxrd7+2TRbT9mzWDQDDdKGveIqUnEURGacJ+WRc8ZlBpFwN
|
|
cmwbJal3VSo0sB/X25ZNnF7Y7JHrXI6a3s/ck2ppid+2h1sk1oE6br/DRjYCN4=
|
|
- k8yssVEnQr58u8krETfjnByeO6UmQL7+JfXSYHI79z9n3Fp3nIRrFoH177d47iHtcYxyP
|
|
8IsQD2HMIGuRhyKZk5ruYwod/yeXZBwBcs7YSsof0U5gJ4gh6gw+bLQamKEaI4smq+xQA
|
|
UxxoHDw5m96+VUBeLdnXDFkq0qXiWOMmrCnVGgnDeuPZfyDbu8ILZi6c4WUFwj5o0oqRZ
|
|
pWEls8IfULjBEDMfbWhMrUh7zKurUwDXycmTAv4PriUdMdoMacqz/brxZZKC07+mzFiMj
|
|
iJvwV6STxATXy78+wWrM7MReoGownI0M0DKh07w/DEG000NTQnRz42DbwGbQQb8ugj4ee
|
|
1sB3+pz3udnwffREtht2uf2C48dHFqMOKeGNV3MJv8Z93H6rpgdpuySZwXC3iL2ga8m4I
|
|
U8ypFoCXXR5rHRqAL8xmuUVoavYC4XLPN1QvKueZnQW5XntZxXH/lSe9OnEo6SVya4v8p
|
|
CEQ6+XIWQCKIFPXxFM+KCoh7c8FASmJ7Tw1WLw+DNdSKL8kewk0Z2FvkR6bTzzcKT3RCf
|
|
/xM/+N674GhkYRFCMsQxrT9e6cfB2FRbBrxR1GJQQrS9KHPGn7dgKNN4/0snbtypekhjl
|
|
7oDENP6sbflXAo3Zeuq/XlvW0uobBqdI6bbkdMISAd779hVT5eQWvftwozrjHI=
|
|
- VjHYrglFpBi8Apnb64NYiblBANVDC0tXgAOzC7/NhcZ9Vc4rI7oRPfc48hrxjFlC+Uvtg
|
|
yI9cwu9y4FDDgGQ6qLovzP/Dvcwoga0YOZ7RYxdsT7N0/okRlWPRyj2h/7nlhrIxwK8bN
|
|
xRi7t/JniQkMrWiDckgw0YflLboMYQg8ShtCy1bZL1m0ISuBbodeswOLTiKFk2IG3R58h
|
|
Xylmgi2iM1md5ZeM9PhyLd8DrhuuJiKvhIiszdQNJN5Gg2CymYBveMfglE9r/10qgOM21
|
|
3UC37hSArn7WTu9Rwbo9bdNVePNik/x2O3fgMGND6ySX9vG8npPjOaomTGpds/z7DUn6F
|
|
0B4RWDoYDD57BHviUSYDDEbfpNS6dk/K4RpArjpS7ZZcUIok5sXSV18zSI8Gaa32SKU59
|
|
MdHuBtGW6p6kUTnuMSNCVsKGNOvjHsfnWFomUddEwhNFJW+tangCSkNaTQq/Yaf394lw8
|
|
nOsautk56uoiZPhSzdBpR9s8z0z1z0eGzdeBWyV+IFF/UJCftDiOSu0zA28RgDIwIg690
|
|
jVFWkZZRprDU6/5zgZPTLHOfz00IoMbGBKWSfvuOhF5l6VpSC3JVvcRd6/bivUq/1XkzP
|
|
uMv41vSFc4Kac1KmgAi96zglyRkzQgYVtLVNYyKbuLhVfx4U34mal/05sU3/MI=
|
|
|
|
- secret:
|
|
name: opendev-zuul-docs
|
|
data:
|
|
keytab: !encrypted/pkcs1-oaep
|
|
- nFyEj6IMXdp7UZwOQz9qAi6IlcKILCCzUqoNbchto7g2Uv8D/ZGdDU3DT+KV6ziWtv2d/
|
|
WBXQFjsCjE66SXpAUvtcGxj/rVqFGlayOb2WbOeo4+WvrFusNycVIs55R7I0vYyFzidZl
|
|
FVNP3+5Uv8N54mhFEVMudZdBO8aCwNftea5A2lLdZL/bnK071bzCKNYZAuDI/2j1VOsKx
|
|
JT346KdP3vqmyokqo+OxFE6QfbFHLTMgZigId3bkK01lpI0TBY2Wiv4rF76ErQWe/eghB
|
|
yOwrO1Oh2kkHADsrjrJ3rKGI8ZkWpgYIxKExXH9IAedbYaWhz7unvVrjUVjR/QIySv/u7
|
|
dENCrZhx2zd429eOjUHD+NmHisWoOQnvOVfiYBFbEPL9uAC+ek7fDxB3/9z3ok6KPv9f8
|
|
XLMNS63cQgPjYJP6kOqjrV/FXLl30SS3ikV0wVI2ErqYn3R2ukOccKJaF4uV9HCf+/mKt
|
|
0Uz89b0sUTzL5JkFYz/PhdqRVGwjjRNYahQb+QzWkxw/AgNS8Pdl/ijffx5DXAY5oKnJD
|
|
Jpyp6oXA+W+qefPPqQlxa9EbP3emwVf/HWUdCjlCw+GjDz730P94Xd8ie6KiGq3ywYtFn
|
|
EuJvheVCAYjlq4lwshfNIysNA8WePvAze9T5DpVl1MayR7b1KC+R/7wM6xUCbw=
|
|
service_name: service/opendev-zuul@OPENSTACK.ORG
|
|
docs_master_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/latest"
|
|
docs_branch_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/{{ zuul.branch }}"
|
|
docs_tag_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/{{ zuul.tag }}"
|
|
docs_redirect_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/.htaccess"
|
|
docs_redirect_content: "Redirect 302 /{{ zuul.project.name }} /{{ zuul.project.name }}/latest"
|
|
|
|
- job:
|
|
name: base
|
|
parent: null
|
|
abstract: true
|
|
description: |
|
|
The base job for OpenDev's installation of Zuul.
|
|
|
|
All jobs ultimately inherit from this. It runs a pre-playbook
|
|
which copies all of the job's prepared git repos on to all of
|
|
the nodes in the nodeset. It runs a post-playbook which copies
|
|
all of the files in the logs/ subdirectory of the executor
|
|
work directory to the logserver.
|
|
|
|
It also sets default timeout and nodeset values (which may be
|
|
overidden).
|
|
|
|
Responds to these variables:
|
|
|
|
.. zuul:jobvar:: base_serial
|
|
:default: Omitted
|
|
|
|
This sets the serial keyword in the pre and post playbooks
|
|
which can be an integer or percentage.
|
|
|
|
See ansible documentation for more information:
|
|
http://docs.ansible.com/ansible/latest/playbooks_delegation.html
|
|
|
|
pre-run: playbooks/base/pre.yaml
|
|
post-run:
|
|
- playbooks/base/post.yaml
|
|
- playbooks/base/post-logs.yaml
|
|
roles:
|
|
- zuul: openstack-infra/zuul-jobs
|
|
vars:
|
|
ara_report_type: database
|
|
ara_report_path: ara-report
|
|
timeout: 1800
|
|
post-timeout: 1800
|
|
nodeset:
|
|
nodes:
|
|
- name: ubuntu-bionic
|
|
label: ubuntu-bionic
|
|
secrets:
|
|
- site_logs
|
|
|
|
# See the procedure described above "base" before making changes to
|
|
# this job.
|
|
- job:
|
|
name: base-test
|
|
parent: null
|
|
description: |
|
|
A job to test changes to the base job without disturbing the
|
|
main job in production. Not for general use.
|
|
pre-run: playbooks/base-test/pre.yaml
|
|
post-run:
|
|
- playbooks/base-test/post.yaml
|
|
- playbooks/base-test/post-logs.yaml
|
|
roles:
|
|
- zuul: openstack-infra/zuul-jobs
|
|
timeout: 1800
|
|
post-timeout: 1800
|
|
vars:
|
|
ara_report_type: database
|
|
ara_report_path: ara-report
|
|
nodeset:
|
|
nodes:
|
|
- name: ubuntu-bionic
|
|
label: ubuntu-bionic
|
|
secrets:
|
|
- site_logs
|
|
|
|
- secret:
|
|
name: opendev-intermediate-registry
|
|
data:
|
|
host: insecure-ci-registry.opendev.org
|
|
port: 5000
|
|
username: zuul
|
|
password: !encrypted/pkcs1-oaep
|
|
- Y38es0iMk5vIGNZ9/FQtSb65hUqAvfduUV3pPnhURbMbEMuZpPiKRSxRaGWOVOZ0VcxaP
|
|
0eVYUSIHm+1n3+FK10ivFCl+EzanyFL70vleUxqHcN5dwTuevmB9kNp9FH8K45OKRvd1g
|
|
t7cpjMfbDV2iFik1uUkevbLzJZI+efXI0KLwCUYFifEWcl2exrqw8mudbmjjfxe0Prz11
|
|
EBxMBxCjLi3WEVvrquB76jW7p+ifgKJQc4FqUjzmLMI2xOeD1s4f+23InJOoRHKNC2lZu
|
|
/N2WSHQWxkebZnavjQTlshlBygD3etgkkYEjand9vcwWqTB0xnDagEUcrjl0axKJmPzXb
|
|
fGeyHrqld+IDaGxZP+JHcCZS5RNfXUOUt97Kgs9yzBtLwS+Lp4mqXXHvH1N17WFrT8YTD
|
|
cNxiFwR/wuq1g7AZWs0ej7rMBDF2rDnVV6/+8RWlqIhIjtCm4C8IsX/vm2/VsLTuNWdAM
|
|
JepYSbDvSQ5X55Ed3cZlGk+iPbfNFPb+EMIj3P7bxUjErQeT/hAhD6uKipSnisz+L6+RI
|
|
Ry8sLIVUbzLpIJKfcvo6xQCnepVdkF9dZET3prfnCf40MjCGeAITvgg1WcGX+yTiSQajr
|
|
oNz3bbxNeb2+MOucogQBwiSUnRPhpk2e+oMBVXGvDBjaHG1W0xakwMgQ9fIspw=
|
|
|
|
- job:
|
|
name: opendev-buildset-registry
|
|
description: |
|
|
Starts a buildset registry which interacts with the intermediate
|
|
CI registry to share speculative container images between
|
|
projects.
|
|
|
|
Configure any jobs which require the use of a buildset registry
|
|
to depend on this job using the "dependencies" job attribute.
|
|
|
|
This job will pause after starting the registry so that it is
|
|
available to any jobs which depend on it. Once all such jobs
|
|
are complete, this job will finish.
|
|
pre-run: playbooks/buildset-registry/pre.yaml
|
|
run: playbooks/buildset-registry/run.yaml
|
|
post-run: playbooks/buildset-registry/post.yaml
|
|
secrets:
|
|
- secret: opendev-intermediate-registry
|
|
name: intermediate_registry
|
|
requires: docker-image
|
|
|
|
- job:
|
|
name: opendev-build-docker-image
|
|
parent: opendev-buildset-registry
|
|
description: |
|
|
Starts a buildset registry (if one has not already been started,
|
|
e.g., by invoking :zuul:job:`opendev-buildset-registry` and
|
|
specifying it as a dependency) and builds one or more docker
|
|
images.
|
|
|
|
Analog of build-docker-image job, but with a buildset registry.
|
|
|
|
.. include:: ../../playbooks/docker-image/README.rst
|
|
run: playbooks/docker-image/run.yaml
|
|
provides: docker-image
|
|
|
|
- job:
|
|
name: opendev-upload-docker-image
|
|
parent: opendev-build-docker-image
|
|
description: |
|
|
Starts a buildset registry and builds and uploads one or more
|
|
docker images to docker.io.
|
|
|
|
Analog of upload-docker-image job, but with a buildset registry.
|
|
|
|
.. include:: ../../playbooks/docker-image/README.rst
|
|
.. include:: ../../playbooks/docker-image/credentials.rst
|
|
post-run: playbooks/docker-image/upload.yaml
|
|
|
|
- job:
|
|
name: opendev-promote-docker-image
|
|
parent: promote-docker-image
|
|
description: |
|
|
Retag a previously-uploaded docker image.
|
|
|
|
Analog of promote-docker-image job.
|
|
|
|
.. include:: ../../playbooks/docker-image/README.rst
|
|
.. include:: ../../playbooks/docker-image/credentials.rst
|
|
|
|
- job:
|
|
name: opendev-tox-docs
|
|
# This is not parented to tox-docs because the post playbook
|
|
# differs.
|
|
description: |
|
|
Build documentation with "tox".
|
|
|
|
Uses tox with the ``docs`` environment.
|
|
vars:
|
|
tox_envlist: docs
|
|
bindep_profile: compile doc
|
|
pre-run: playbooks/tox-docs/pre.yaml
|
|
run: playbooks/tox-docs/run.yaml
|
|
post-run: playbooks/tox-docs/post.yaml
|
|
success-url: docs/
|
|
|
|
- job:
|
|
name: opendev-publish-tox-docs-base
|
|
# This is not parented to opendev-tox-docs because the post
|
|
# playbook differs.
|
|
description: |
|
|
Publish a ref-based documentation build.
|
|
|
|
Use this in the tag or release pipelines to publish a build
|
|
based on a newly-created tag.
|
|
|
|
This is an abstract job intended to be inherited from in an
|
|
OpenDev tenant and an appropriate secret added.
|
|
|
|
.. zuul:jobvar:: afs
|
|
:type: dict
|
|
|
|
This is expected to be a Zuul Secret with these keys:
|
|
|
|
.. zuul:jobvar:: keytab
|
|
|
|
The AFS keytab for the service principal.
|
|
|
|
.. zuul:jobvar:: service_name
|
|
|
|
The name of the service princpal.
|
|
|
|
.. zuul:jobvar:: docs_master_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
the master branch.
|
|
|
|
.. zuul:jobvar:: docs_branch_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
any other branch.
|
|
|
|
.. zuul:jobvar:: docs_tag_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
a tag.
|
|
abstract: True
|
|
vars:
|
|
tox_envlist: docs
|
|
bindep_profile: compile doc
|
|
pre-run: playbooks/tox-docs/pre.yaml
|
|
run: playbooks/tox-docs/run.yaml
|
|
post-run:
|
|
- playbooks/tox-docs/post.yaml
|
|
- playbooks/tox-docs/publish.yaml
|
|
|
|
- job:
|
|
name: opendev-publish-tox-docs
|
|
parent: opendev-publish-tox-docs-base
|
|
description: |
|
|
Publish a ref-based documentation build.
|
|
|
|
Use this in the tag or release pipelines to publish a build
|
|
based on a newly-created tag.
|
|
post-run: playbooks/tox-docs/publish.yaml
|
|
secrets:
|
|
- secret: opendev-zuul-docs
|
|
name: afs
|
|
pass-to-parent: true
|
|
|
|
- job:
|
|
name: opendev-promote-docs-base
|
|
description: |
|
|
Publish a previously built branch-tip documentation tarball.
|
|
|
|
Use this in the promote pipeline to publish a branch tip tarball
|
|
built in the gate pipeline.
|
|
|
|
This is an abstract job intended to be inherited from in an
|
|
OpenDev tenant and an appropriate secret added.
|
|
|
|
.. zuul:jobvar:: afs
|
|
:type: dict
|
|
|
|
This is expected to be a Zuul Secret with these keys:
|
|
|
|
.. zuul:jobvar:: keytab
|
|
|
|
The AFS keytab for the service principal.
|
|
|
|
.. zuul:jobvar:: service_name
|
|
|
|
The name of the service princpal.
|
|
|
|
.. zuul:jobvar:: docs_master_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
the master branch.
|
|
|
|
.. zuul:jobvar:: docs_branch_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
any other branch.
|
|
|
|
.. zuul:jobvar:: docs_tag_path
|
|
|
|
The full docs publication path to use if the job is run on
|
|
a tag.
|
|
|
|
.. zuul:jobvar:: docs_redirect_path
|
|
|
|
If this variable is present, a .htaccess redirect will be
|
|
created at this path when the job is run on the master
|
|
branch. For example, it can be used to redirect "project/"
|
|
to "project/latest".
|
|
|
|
.. zuul:jobvar:: docs_redirect_content
|
|
|
|
The contents of the .htaccess file in docs_redirect_path.
|
|
|
|
.. zuul:jobvar:: download_artifact_job
|
|
|
|
The name of the job which built the docs artifact which this
|
|
job should download and promote.
|
|
abstract: True
|
|
run: playbooks/docs/promote.yaml
|
|
nodeset:
|
|
nodes: []
|
|
|
|
- job:
|
|
name: opendev-promote-docs
|
|
parent: opendev-promote-docs-base
|
|
description: |
|
|
Publish a previously built branch-tip documentation tarball.
|
|
|
|
Use this in the promote pipeline to publish a branch tip tarball
|
|
built in the gate pipeline.
|
|
vars:
|
|
download_artifact_job: opendev-tox-docs
|
|
secrets:
|
|
- secret: opendev-zuul-docs
|
|
name: afs
|
|
pass-to-parent: true
|
|
|
|
- project:
|
|
check:
|
|
jobs:
|
|
- opendev-tox-docs
|
|
- openstack-zuul-jobs-linters
|
|
gate:
|
|
jobs:
|
|
- opendev-tox-docs
|
|
- openstack-zuul-jobs-linters
|
|
promote:
|
|
jobs:
|
|
- opendev-promote-docs
|