Add ansible role to manage gerritbot

This new ansible role deploys gerritbot with docker-compose on
eavesdrop.openstack.org. This way we can run it where the other bots
live.

Testing is rudimentary for now as we don't really want to connect to a
production gerrit and freenode. We check things the best we can.

We will want to coordinate deployment of this change with disabling the
running service on the gerrit server.

Depends-On: https://review.opendev.org/745240
Change-Id: I008992978791ff0a38f92fb4bc529ff643f01dd6

playbooks/roles/gerritbot/README.rst

@@ -0,0 +1 @@
+Set up gerritbot

playbooks/roles/gerritbot/defaults/main.yaml

@@ -0,0 +1,4 @@
+gerritbot_irc_nick: openstackgerrit
+gerritbot_irc_server: irc.freenode.net
+gerritbot_gerrit_user: gerritbot
+gerritbot_gerrit_host: review.openstack.org

playbooks/roles/gerritbot/files/docker-compose.yaml

@@ -0,0 +1,15 @@
+# Version 2 is the latest that is supported by docker-compose in
+# Ubuntu Xenial.
+version: '2'
+
+services:
+  gerritbot:
+    image: docker.io/opendevorg/gerritbot:latest
+    network_mode: host
+    # TODO For testing our broken config may cause this to restart
+    # in a loop making freenode sad. Avoid that for now while we
+    # sort out how to test this.
+    restart: 'no'
+    volumes:
+      # This contains the main config, channel config, and ssh key
+      - /etc/gerritbot:/etc/gerritbot

playbooks/roles/gerritbot/files/logging.config

@@ -0,0 +1,32 @@
+[loggers]
+keys=root,gerrit,gerritbot
+
+[handlers]
+keys=console
+
+[formatters]
+keys=simple
+
+[logger_root]
+level=DEBUG
+handlers=console
+
+[logger_gerrit]
+level=DEBUG
+handlers=console
+qualname=gerrit
+
+[logger_gerritbot]
+level=DEBUG
+handlers=console
+qualname=gerritbot
+
+[handler_console]
+level=INFO
+class=StreamHandler
+formatter=simple
+args=(sys.stdout,)
+
+[formatter_simple]
+format=%(asctime)s %(levelname)s %(name)s: %(message)s
+datefmt=

playbooks/roles/gerritbot/tasks/main.yaml

@@ -0,0 +1,67 @@
+- name: Ensure /etc/gerritbot directory
+  file:
+    state: directory
+    path: /etc/gerritbot
+    mode: 0755
+
+- name: Put gerritbot config in place
+  template:
+    src: gerritbot.config.j2
+    dest: /etc/gerritbot/gerritbot.config
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Put gerritbot logging config in place
+  copy:
+    src: logging.config
+    dest: /etc/gerritbot/logging.config
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Put gerritbot channel config in place
+  copy:
+    src: /opt/project-config/gerritbot/channels.yaml
+    remote_src: yes
+    dest: /etc/gerritbot/channel_config.yaml
+    owner: root
+    group: root
+    mode: 0644
+  register: channel_config_copied
+
+- name: Put gerritbot ssh key in place
+  copy:
+    content: "{{ gerritbot_ssh_key }}"
+    dest: /etc/gerritbot/gerritbot_rsa
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Ensure /etc/gerritbot-docker directory
+  file:
+    state: directory
+    path: /etc/gerritbot-docker
+    mode: 0755
+
+- name: Put docker-compose file in place
+  copy:
+    src: docker-compose.yaml
+    dest: /etc/gerritbot-docker/docker-compose.yaml
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Run docker-compose pull
+  shell:
+    cmd: docker-compose pull
+    chdir: /etc/gerritbot-docker/
+
+- name: Run docker-compose up
+  shell:
+    cmd: "docker-compose up -d {{ channel_config_copied is changed | ternary('--force-recreate', '') }}"
+    chdir: /etc/gerritbot-docker/
+
+- name: Run docker prune to cleanup unneeded images
+  shell:
+    cmd: docker image prune -f

playbooks/roles/gerritbot/templates/gerritbot.config.j2

@@ -0,0 +1,13 @@
+[ircbot]
+nick={{ gerritbot_irc_nick }}
+pass={{ gerritbot_irc_password }}
+server={{ gerritbot_irc_server }}
+port=6697
+channel_config=/etc/gerritbot/channel_config.yaml
+log_config=/etc/gerritbot/logging.config
+
+[gerrit]
+user={{ gerritbot_gerrit_user }}
+key=/etc/gerritbot/gerritbot_rsa
+host={{ gerritbot_gerrit_host }}
+port=29418

playbooks/service-eavesdrop.yaml

@@ -7,5 +7,6 @@
     - sync-project-config
     - install-docker
     - accessbot
+    - gerritbot
     - name: run-puppet
       manifest: /opt/system-config/production/manifests/eavesdrop.pp

playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2

@@ -9,3 +9,38 @@ accessbot_nick: username
 accessbot_nick_password: password
 ptgbot_password: password
 access_bot_install_only: true
+gerritbot_irc_nick: gerritbottest
+gerritbot_irc_password: notarealpassword
+gerritbot_irc_server: irc.doesnotexist.com
+gerritbot_gerrit_user: gerritbottest
+gerritbot_gerrit_host: review-dev.opendev.org
+# This is a real key to make paramiko happy
+# but it was generated just for testing.
+gerritbot_ssh_key: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+  NhAAAAAwEAAQAAAQEAsCCW/N5CWfLqUfO51GpTYFiF1a6oNVROj1l67Jftql7iocOnoS/b
+  BUgNWryLgt8zGeCdjMZMOlzeO9zIs8T7GhCM/1uhha11MDYuy2WxXmRrOWkgOsqvdQ8Zbr
+  yQToNRbnrmkTPVpQLVMo+i9lD/t9SUKPAZ1mmMpEMQcA3Pwx8xtGdZJZHr4ePSuval89Jn
+  8aUXBeTVQ2gfo6iffQnqAHJwQDjgskM41TfuZaQnNpFb9jBpJ68sWnV/1VWO6PjWJB0UfO
+  lwFOuB920kponfn3oge8mlH4aEHRqeN8uCSVewLU/4VVSxlV69jpbaFpGzCWn4tY7tebq4
+  /suCIvJpPwAAA8iHujUFh7o1BQAAAAdzc2gtcnNhAAABAQCwIJb83kJZ8upR87nUalNgWI
+  XVrqg1VE6PWXrsl+2qXuKhw6ehL9sFSA1avIuC3zMZ4J2Mxkw6XN473MizxPsaEIz/W6GF
+  rXUwNi7LZbFeZGs5aSA6yq91DxluvJBOg1FueuaRM9WlAtUyj6L2UP+31JQo8BnWaYykQx
+  BwDc/DHzG0Z1klkevh49K69qXz0mfxpRcF5NVDaB+jqJ99CeoAcnBAOOCyQzjVN+5lpCc2
+  kVv2MGknryxadX/VVY7o+NYkHRR86XAU64H3bSSmid+feiB7yaUfhoQdGp43y4JJV7AtT/
+  hVVLGVXr2OltoWkbMJafi1ju15urj+y4Ii8mk/AAAAAwEAAQAAAQAvOJ2isGhzu1gtnr3t
+  AJDYHQPM9aXtnmvtrRzzAAzdh9EVc+KmqbD8KoRCFpkE/pix0HINQ0E+yJVg0WISKLb2Fw
+  fmkwesUoQ/59cF+37hguTooJHekWcXaHP2J6I9GqIjj9nvhkk6k5bbln0nszHMdLdAfpc+
+  0E+/3qcyk9FnS6zei3aYHCNDYkfSmE9eFr0STrvk4XgmrWfZMZ8nO3vq5GS8KrH0PA03s1
+  91UEb0yZS3eqdpTGv+it11TAwuz+5sW4YxDcBdCU9PwdIQt6KXauE4bfAFrSNIPf0dyEW6
+  noAtQ1ynad50eOpfLuo353CV3svaasmxXvuL3c26T4UZAAAAgQCkXQDZ03Q6Yt2V51FFXl
+  KyXao7LHMlvkvMJtiD/VXlZx2OEyqcEoalJjclMDTQA9Ars6cHvoysXQm1XSpjSzYuePRR
+  TyUNN1gLN/qFL51y5ZaJNUM/f/wRNziCIbwFlPIuR0fq/FlMRSmeElaOUyzsWcYJ0R2hIw
+  YyqPXgLQk90gAAAIEA2dyydT1DkJ/yhfg3PCoANDUtGQV9Pbd4cwfP5ynauuLw1W3FHAWS
+  KmpE8TG+KKtlTnx0f4n4lySx69BE+46TVE6yhRTEYVtelvEJRDvXAeI/zjtLNwNNrHfLxG
+  tDh3jI6c6OMA7ldwzlgxyRPlPtFsx5/UoHN5xN6BrVjZmMZ9MAAACBAM71lW7KLirHAxnI
+  tGY2iXCbU3avoFMy+0dItNSTxqkZkWdL2m//de1GnnCvUfbztvcRGvcfZf6xhN8JG5GMbS
+  cXQaQheBjtMHv9eMHbVu2pru0MRk1OMWXhwLS1XC0u0ZukL+oBt6BPdTWbXakQm/Lr++Ou
+  60qDzGhMay/gX+FlAAAAEWNsYXJrQG5pYmJsZXIubGFuAQ==
+  -----END OPENSSH PRIVATE KEY-----

testinfra/test_eavesdrop.py

@@ -23,3 +23,15 @@ def test_eavesdrop(host):
     web = ('-A openstack-INPUT -p tcp -m state --state NEW'
            ' -m tcp --dport 80 -j ACCEPT')
     assert web in rules
+
+def test_gerritbot_logs(host):
+    # A simple check that docker-compose and our container did something
+    cmd = host.run("docker logs gerritbot-docker_gerritbot_1")
+    # We expect auth to fail so check that it did
+    assert "Authentication (publickey) failed" in cmd.stdout
+
+def test_gerritbot_running(host):
+    # Check that the container hasn't stopped
+    cmd = host.run("docker ps -a")
+    assert 'gerritbot-docker_gerritbot_1' in cmd.stdout
+    assert 'Up ' in cmd.stdout

zuul.d/system-config-run.yaml

@@ -116,7 +116,9 @@
       - opendev/ansible-role-puppet
       - opendev/system-config
       - openstack/project-config
-    requires: accessbot-container-image
+    requires:
+      - accessbot-container-image
+      - gerritbot-container-image
     nodeset:
       nodes:
         - name: bridge.openstack.org
@@ -137,6 +139,7 @@
       - playbooks/roles/disable-puppet-agent/
       - playbooks/roles/accessbot
       - playbooks/roles/logrotate
+      - playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
       - modules/openstack_project/manifests/eavesdrop.pp
       - manifests/eavesdrop.pp
       - docker/accessbot/