Add ansible role to manage gerritbot

This new ansible role deploys gerritbot with docker-compose on
eavesdrop.openstack.org. This way we can run it where the other bots
live.

Testing is rudimentary for now as we don't really want to connect to a
production gerrit and freenode. We check things the best we can.

We will want to coordinate deployment of this change with disabling the
running service on the gerrit server.

Depends-On: https://review.opendev.org/745240
Change-Id: I008992978791ff0a38f92fb4bc529ff643f01dd6
Clark Boylan 2020-08-04 15:14:28 -07:00
parent 4092ef34e5
commit 506a11f9d2
10 changed files with 184 additions and 1 deletions


@ -0,0 +1 @@
Set up gerritbot


@ -0,0 +1,4 @@
gerritbot_irc_nick: openstackgerrit
gerritbot_irc_server: irc.freenode.net
gerritbot_gerrit_user: gerritbot
gerritbot_gerrit_host: review.openstack.org


@ -0,0 +1,15 @@
# Version 2 is the latest that is supported by docker-compose in
# Ubuntu Xenial.
version: '2'
services:
gerritbot:
image: docker.io/opendevorg/gerritbot:latest
network_mode: host
# TODO For testing our broken config may cause this to restart
# in a loop making freenode sad. Avoid that for now while we
# sort out how to test this.
restart: 'no'
volumes:
# This contains the main config, channel config, and ssh key
- /etc/gerritbot:/etc/gerritbot
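Review bot: The bind mount `- /etc/gerritbot:/etc/gerritbot` is read-write, although the comment above it says the directory holds the main config, channel config and ssh key. Assuming the bot writes nothing under that path, mounting it read-only with `- /etc/gerritbot:/etc/gerritbot:ro` keeps a misbehaving or compromised container from rewriting its own credentials and config. Separately, `image: docker.io/opendevorg/gerritbot:latest` is a mutable tag, so `docker-compose pull` deploys whatever the registry serves at that moment. If the image is not gated elsewhere, pinning a digest would make deployments reproducible and auditable.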


@ -0,0 +1,32 @@
[loggers]
keys=root,gerrit,gerritbot
[handlers]
keys=console
[formatters]
keys=simple
[logger_root]
level=DEBUG
handlers=console
[logger_gerrit]
level=DEBUG
handlers=console
qualname=gerrit
[logger_gerritbot]
level=DEBUG
handlers=console
qualname=gerritbot
[handler_console]
level=INFO
class=StreamHandler
formatter=simple
args=(sys.stdout,)
[formatter_simple]
format=%(asctime)s %(levelname)s %(name)s: %(message)s
datefmt=
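Review bot: Every logger is set to `level=DEBUG` while `[handler_console]` is `level=INFO`, so debug records are created and then dropped at the only handler, and the file does not say whether that is deliberate. A comment above `[handler_console]` such as `# Loggers stay at DEBUG; change only this handler level to adjust output.` would record the intent. If the handler is ever lowered to DEBUG, check what the `gerrit` and `gerritbot` loggers emit at that level first, since the output goes to the container logs.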


@ -0,0 +1,67 @@
- name: Ensure /etc/gerritbot directory
file:
state: directory
path: /etc/gerritbot
mode: 0755
- name: Put gerritbot config in place
template:
src: gerritbot.config.j2
dest: /etc/gerritbot/gerritbot.config
owner: root
group: root
mode: 0600
- name: Put gerritbot logging config in place
copy:
src: logging.config
dest: /etc/gerritbot/logging.config
owner: root
group: root
mode: 0644
- name: Put gerritbot channel config in place
copy:
src: /opt/project-config/gerritbot/channels.yaml
remote_src: yes
dest: /etc/gerritbot/channel_config.yaml
owner: root
group: root
mode: 0644
register: channel_config_copied
- name: Put gerritbot ssh key in place
copy:
content: "{{ gerritbot_ssh_key }}"
dest: /etc/gerritbot/gerritbot_rsa
owner: root
group: root
mode: 0600
- name: Ensure /etc/gerritbot-docker directory
file:
state: directory
path: /etc/gerritbot-docker
mode: 0755
- name: Put docker-compose file in place
copy:
src: docker-compose.yaml
dest: /etc/gerritbot-docker/docker-compose.yaml
owner: root
group: root
mode: 0644
- name: Run docker-compose pull
shell:
cmd: docker-compose pull
chdir: /etc/gerritbot-docker/
- name: Run docker-compose up
shell:
cmd: "docker-compose up -d {{ channel_config_copied is changed | ternary('--force-recreate', '') }}"
chdir: /etc/gerritbot-docker/
- name: Run docker prune to cleanup unneeded images
shell:
cmd: docker image prune -f
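Review bot: The two tasks that write secrets, `Put gerritbot config in place` (its template carries the IRC password) and `Put gerritbot ssh key in place`, have no `no_log: true`, so the rendered values may surface in Ansible output when the play runs in diff mode or at raised verbosity. Adding `no_log: true` to both keeps the password and private key out of run logs. The file modes are written as bare octal (`mode: 0755`, `mode: 0600`); quoting them, as in `mode: '0600'`, avoids depending on how the YAML loader types the number. The `docker-compose` and `docker image prune` tasks use `shell:` although the commands need no shell features, so `command:` would be the narrower module.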


@ -0,0 +1,13 @@
[ircbot]
nick={{ gerritbot_irc_nick }}
pass={{ gerritbot_irc_password }}
server={{ gerritbot_irc_server }}
port=6697
channel_config=/etc/gerritbot/channel_config.yaml
log_config=/etc/gerritbot/logging.config
[gerrit]
user={{ gerritbot_gerrit_user }}
key=/etc/gerritbot/gerritbot_rsa
host={{ gerritbot_gerrit_host }}
port=29418
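Review bot: `pass={{ gerritbot_irc_password }}` is rendered unescaped into an INI file, so a password containing a newline could produce a config that fails to parse or yields a different value. A `%` could do the same if the bot reads the file with an interpolating parser. It is worth confirming how gerritbot loads this file and documenting the constraint next to the variable. `port=6697` is hard-coded beside a configurable `server`, and the password travels over that connection, so also confirm the bot actually negotiates TLS on this port rather than relying on the port number by convention.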


@ -7,5 +7,6 @@
- sync-project-config
- install-docker
- accessbot
- gerritbot
- name: run-puppet
manifest: /opt/system-config/production/manifests/eavesdrop.pp


@ -9,3 +9,38 @@ accessbot_nick: username
accessbot_nick_password: password
ptgbot_password: password
access_bot_install_only: true
gerritbot_irc_nick: gerritbottest
gerritbot_irc_password: notarealpassword
gerritbot_irc_server: irc.doesnotexist.com
gerritbot_gerrit_user: gerritbottest
gerritbot_gerrit_host: review-dev.opendev.org
# This is a real key to make paramiko happy
# but it was generated just for testing.
gerritbot_ssh_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAsCCW/N5CWfLqUfO51GpTYFiF1a6oNVROj1l67Jftql7iocOnoS/b
BUgNWryLgt8zGeCdjMZMOlzeO9zIs8T7GhCM/1uhha11MDYuy2WxXmRrOWkgOsqvdQ8Zbr
yQToNRbnrmkTPVpQLVMo+i9lD/t9SUKPAZ1mmMpEMQcA3Pwx8xtGdZJZHr4ePSuval89Jn
8aUXBeTVQ2gfo6iffQnqAHJwQDjgskM41TfuZaQnNpFb9jBpJ68sWnV/1VWO6PjWJB0UfO
lwFOuB920kponfn3oge8mlH4aEHRqeN8uCSVewLU/4VVSxlV69jpbaFpGzCWn4tY7tebq4
/suCIvJpPwAAA8iHujUFh7o1BQAAAAdzc2gtcnNhAAABAQCwIJb83kJZ8upR87nUalNgWI
XVrqg1VE6PWXrsl+2qXuKhw6ehL9sFSA1avIuC3zMZ4J2Mxkw6XN473MizxPsaEIz/W6GF
rXUwNi7LZbFeZGs5aSA6yq91DxluvJBOg1FueuaRM9WlAtUyj6L2UP+31JQo8BnWaYykQx
BwDc/DHzG0Z1klkevh49K69qXz0mfxpRcF5NVDaB+jqJ99CeoAcnBAOOCyQzjVN+5lpCc2
kVv2MGknryxadX/VVY7o+NYkHRR86XAU64H3bSSmid+feiB7yaUfhoQdGp43y4JJV7AtT/
hVVLGVXr2OltoWkbMJafi1ju15urj+y4Ii8mk/AAAAAwEAAQAAAQAvOJ2isGhzu1gtnr3t
AJDYHQPM9aXtnmvtrRzzAAzdh9EVc+KmqbD8KoRCFpkE/pix0HINQ0E+yJVg0WISKLb2Fw
fmkwesUoQ/59cF+37hguTooJHekWcXaHP2J6I9GqIjj9nvhkk6k5bbln0nszHMdLdAfpc+
0E+/3qcyk9FnS6zei3aYHCNDYkfSmE9eFr0STrvk4XgmrWfZMZ8nO3vq5GS8KrH0PA03s1
91UEb0yZS3eqdpTGv+it11TAwuz+5sW4YxDcBdCU9PwdIQt6KXauE4bfAFrSNIPf0dyEW6
noAtQ1ynad50eOpfLuo353CV3svaasmxXvuL3c26T4UZAAAAgQCkXQDZ03Q6Yt2V51FFXl
KyXao7LHMlvkvMJtiD/VXlZx2OEyqcEoalJjclMDTQA9Ars6cHvoysXQm1XSpjSzYuePRR
TyUNN1gLN/qFL51y5ZaJNUM/f/wRNziCIbwFlPIuR0fq/FlMRSmeElaOUyzsWcYJ0R2hIw
YyqPXgLQk90gAAAIEA2dyydT1DkJ/yhfg3PCoANDUtGQV9Pbd4cwfP5ynauuLw1W3FHAWS
KmpE8TG+KKtlTnx0f4n4lySx69BE+46TVE6yhRTEYVtelvEJRDvXAeI/zjtLNwNNrHfLxG
tDh3jI6c6OMA7ldwzlgxyRPlPtFsx5/UoHN5xN6BrVjZmMZ9MAAACBAM71lW7KLirHAxnI
tGY2iXCbU3avoFMy+0dItNSTxqkZkWdL2m//de1GnnCvUfbztvcRGvcfZf6xhN8JG5GMbS
cXQaQheBjtMHv9eMHbVu2pru0MRk1OMWXhwLS1XC0u0ZukL+oBt6BPdTWbXakQm/Lr++Ou
60qDzGhMay/gX+FlAAAAEWNsYXJrQG5pYmJsZXIubGFuAQ==
-----END OPENSSH PRIVATE KEY-----
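Review bot: A usable private key is committed under `gerritbot_ssh_key`, and the only guard against reuse is the two-line comment saying it was generated for testing. Strengthen that comment, for example `# TEST-ONLY key, published in this repo: never authorize its public half on any Gerrit account or host.`, and expect secret scanners to flag this file. `gerritbot_gerrit_host: review-dev.opendev.org` looks like a real server, so each test run would make a failing SSH authentication attempt against it. If that is intended, a comment saying the test relies on the rejection would make the dependency explicit.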


@ -23,3 +23,15 @@ def test_eavesdrop(host):
web = ('-A openstack-INPUT -p tcp -m state --state NEW'
' -m tcp --dport 80 -j ACCEPT')
assert web in rules
def test_gerritbot_logs(host):
# A simple check that docker-compose and our container did something
cmd = host.run("docker logs gerritbot-docker_gerritbot_1")
# We expect auth to fail so check that it did
assert "Authentication (publickey) failed" in cmd.stdout
def test_gerritbot_running(host):
# Check that the container hasn't stopped
cmd = host.run("docker ps -a")
assert 'gerritbot-docker_gerritbot_1' in cmd.stdout
assert 'Up ' in cmd.stdout
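Review bot: In `test_gerritbot_running`, `assert 'Up ' in cmd.stdout` is checked against the whole `docker ps -a` listing, so it passes when any container on the host is up, even if the gerritbot container has exited. Scope the query to that container, e.g. `cmd = host.run("docker ps --filter name=gerritbot-docker_gerritbot_1 --format '{{.Status}}'")` followed by `assert cmd.stdout.startswith('Up ')`. `test_gerritbot_logs` depends on the bot reaching the configured Gerrit host and being rejected, so it can fail for network reasons unrelated to the role. A comment stating that dependency would help whoever debugs a flaky run.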


@ -116,7 +116,9 @@
- opendev/ansible-role-puppet
- opendev/system-config
- openstack/project-config
requires: accessbot-container-image
requires:
- accessbot-container-image
- gerritbot-container-image
nodeset:
nodes:
- name: bridge.openstack.org
@ -137,6 +139,7 @@
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot
- playbooks/roles/logrotate
- playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
- modules/openstack_project/manifests/eavesdrop.pp
- manifests/eavesdrop.pp
- docker/accessbot/
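Review bot: In the second hunk the `files:` matcher lists the group_vars template `playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2`, but no entry for the new gerritbot role is visible beside `playbooks/roles/accessbot`. A later change touching only that role may therefore not trigger this job. If the list does not already cover it outside the hunk, add the gerritbot role's directory alongside the accessbot entry. The list starts before the hunk and may continue after it, so this needs checking against the full file.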