Split the base playbook into services

This is a first step toward making smaller playbooks which can be
run by Zuul in CD.

Zuul should be able to handle missing projects now, so move it out of
the puppet_git playbook and into puppet.

Make the base playbook be merely the base roles.

Make service playbooks for each service.

Remove the run-docker job because it's covered by service jobs.

Stop testing that puppet is installed in testinfra. It's accidentally
working due to the selection of non-puppeted hosts only being on
bionic nodes and not installing puppet on bionic. Instead, we can now
rely on actually *running* puppet when it's important, such as in the
eavesdrop job. Also remove the installation of puppet on the nodes in
the base job, since it's only useful to test that a synthetic test
of installing puppet on nodes we don't use works.

Don't run remote_puppet_git on gitea for now - it's too slow. A
followup patch will rework gitea project creation to not take hours.

Change-Id: Ibb78341c2c6be28005cea73542e829d8f7cfab08
James E. Blair 2019-05-02 15:07:32 -06:00 committed by Monty Taylor
parent 8baf6cabd3
commit 8ad300927e
22 changed files with 168 additions and 171 deletions


@ -406,7 +406,9 @@
- .zuul.yaml
- playbooks/group_vars/eavesdrop.yaml
- testinfra/test_eavesdrop.py
vars:
run_playbooks:
- playbooks/remote_puppet_else.yaml
- job:
name: system-config-run-letsencrypt
@ -423,6 +425,10 @@
label: ubuntu-bionic
- name: letsencrypt02.opendev.org
label: ubuntu-bionic
vars:
run_playbooks:
- playbooks/service-nameserver.yaml
- playbooks/service-letsencrypt.yaml
host-vars:
letsencrypt01.opendev.org:
host_copy_output:
@ -448,6 +454,10 @@
label: ubuntu-xenial
- name: nb01.openstack.org
label: ubuntu-xenial
vars:
run_playbooks:
- playbooks/service-nodepool.yaml
- playbooks/remote_puppet_else.yaml
files:
- .zuul.yaml
- playbooks/group_vars/nodepool.yaml
@ -457,22 +467,6 @@
- playbooks/templates/clouds/
- testinfra/test_nodepool.py
- job:
name: system-config-run-docker
parent: system-config-run
description: |
Test docker installation and setup
nodeset:
nodes:
- name: bridge.openstack.org
label: ubuntu-bionic
- name: bionic-docker
label: ubuntu-bionic
files:
- .zuul.yaml
- playbooks/roles/install-docker
- testinfra/test_docker.py
- job:
name: system-config-run-dns
parent: system-config-run
@ -489,6 +483,9 @@
label: ubuntu-bionic
- name: ns1.opendev.org
label: ubuntu-bionic
vars:
run_playbooks:
- playbooks/service-nameserver.yaml
host-vars:
adns1.opendev.org:
host_copy_output:
@ -518,6 +515,9 @@
label: ubuntu-bionic
- name: insecure-ci-registry01.opendev.org
label: ubuntu-bionic
vars:
run_playbooks:
- playbooks/service-registry.yaml
host-vars:
insecure-ci-registry01.opendev.org:
host_copy_output:
@ -546,7 +546,9 @@
- name: gitea01.opendev.org
label: ubuntu-bionic
vars:
run_base_test_playbook: playbooks/zuul/test-gitea.yaml
run_playbooks:
- playbooks/service-gitea-lb.yaml
run_test_playbook: playbooks/test-gitea.yaml
host-vars:
gitea01.opendev.org:
host_copy_output:
@ -583,6 +585,9 @@
label: ubuntu-bionic
- name: zp01.opendev.org
label: ubuntu-bionic
vars:
run_playbooks:
- playbooks/service-zuul.yaml
files:
- .zuul.yaml
- playbooks/roles/zuul-preview/
@ -634,7 +639,6 @@
- system-config-run-dns
- system-config-run-eavesdrop
- system-config-run-nodepool
- system-config-run-docker
- system-config-run-docker-registry
- system-config-run-gitea:
dependencies:
@ -659,7 +663,6 @@
- system-config-run-dns
- system-config-run-eavesdrop
- system-config-run-nodepool
- system-config-run-docker
- system-config-run-docker-registry
- system-config-run-gitea:
dependencies:
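Review bot: The new `run_playbooks` entries point jobs at playbooks/service-*.yaml, but the visible `files:` matchers of the same jobs do not list those playbooks (the zuul job's list after `- playbooks/roles/zuul-preview/` and the nodepool job's list starting at `- .zuul.yaml`), so a change touching only service-zuul.yaml or service-nodepool.yaml would not trigger the job that executes it. Adding the playbook path to each job's matcher, e.g. `- playbooks/service-zuul.yaml`, keeps the trigger in step with what the job runs. Most of the `files:` lists fall outside the hunks, so some jobs may already be covered; the letsencrypt, dns, registry and gitea jobs deserve the same check.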


@ -22,89 +22,3 @@
roles:
- snmpd
- iptables
- hosts: bridge.openstack.org:!disabled
name: "Base: configure cloud credentials on bridge"
roles:
- install-kubectl
- configure-kubectl
tasks:
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml'
openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_template: clouds/bridge_clouds.yaml.j2
- hosts: nodepool-launcher:nodepool-builder:!disabled
name: "Base: configure OpenStackSDK on nodepool"
strategy: free
roles:
- minimal-nodepool
- configure-openstacksdk
- configure-kubectl
- hosts: "puppet:!disabled"
name: "Base: install and configure puppet on puppet hosts"
roles:
- puppet-install
- disable-puppet-agent
- hosts: adns:!disabled
name: "Base: configure adns server"
roles:
- master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers"
roles:
- nameserver
- hosts: "docker:!disabled"
name: "Base: install and configure docker on docker hosts"
roles:
- install-docker
- hosts: "registry:!disabled"
name: "Base: configure registry"
roles:
- install-docker
- registry
- hosts: "gitea:!disabled"
name: "Base: configure gitea"
roles:
- install-docker
- gitea
- hosts: "gitea-lb:!disabled"
name: "Base: configure gitea load balancer"
roles:
- install-docker
- haproxy
- hosts: "zuul-preview:!disabled"
name: "Base: configure zuul-preview"
roles:
- install-docker
- zuul-preview
# This next section needs to happen in order. letsencrypt hosts
# export their TXT authentication records which is installed onto
# adns1, and then the hosts verify to issue/renew keys
- hosts: "letsencrypt:!disabled"
name: "Base: deploy and renew certificates"
roles:
- letsencrypt-acme-sh-install
- letsencrypt-request-certs
- hosts: "adns:!disabled"
name: "Install txt records"
roles:
- letsencrypt-install-txt-record
- hosts: "letsencrypt:!disabled"
name: "Create certs"
roles:
- letsencrypt-create-certs


@ -1,5 +1,5 @@
- hosts: bridge.openstack.org
name: "Bridge: configure the bastion host"
- hosts: bridge.openstack.org:!disabled
name: "Bridge: boostrap the bastion host"
become: true
roles:
- pip3
@ -21,6 +21,3 @@
install_ansible_ara_name: '{{ bridge_ara_name | default("ara") }}'
install_ansible_ara_version: '{{ bridge_ara_version | default("0.16.1") }}'
- root-keys
- ansible-cron
- cloud-launcher-cron
- edit-secrets-script
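Review bot: The renamed play at `name: "Bridge: boostrap the bastion host"` carries a typo; `name: "Bridge: bootstrap the bastion host"`. The second hunk removes ansible-cron, cloud-launcher-cron and edit-secrets-script from the roles list of this play, which runs with `become: true`, so wherever those three roles are re-homed needs the same escalation unless each role escalates on its own tasks. The play's remaining role list continues outside the hunk.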


@ -1,3 +1,9 @@
- hosts: "afs:afsdb:!disabled"
name: "Base: install and configure puppet on puppet hosts"
roles:
- puppet-install
- disable-puppet-agent
- hosts: "afs:afsdb:!disabled"
name: "AFS: run puppet on the AFS servers"
strategy: free
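Review bot: The added play keeps the name `"Base: install and configure puppet on puppet hosts"` copied from the removed base.yaml play, although it now targets only `afs:afsdb` inside the AFS playbook; `name: "AFS: install and configure puppet on the AFS servers"` matches the prefix of the play that follows it. The same stale `Base:` prefix appears on the puppet-install and gitea plays added to remote_puppet_git.yaml and on every play in the new service playbooks (gitea-lb, letsencrypt, nameserver, nodepool, registry, zuul-preview). The puppet-install/disable-puppet-agent pair is now repeated in the afs, git and else puppet playbooks; pulling it into one play and pulling that in with `import_playbook` would keep the three copies from drifting.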


@ -1,5 +1,7 @@
- hosts: 'puppet:!review:!zuul-scheduler:!afs:!afsdb:!puppetmaster*:!disabled'
- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!disabled'
name: "Puppet-else: run puppet on all other servers"
strategy: free
roles:
- puppet-install
- disable-puppet-agent
- puppet


@ -1,3 +1,15 @@
- hosts: "gitea:!disabled"
name: "Base: configure gitea"
roles:
- install-docker
- gitea
- hosts: "review:!disabled"
name: "Base: install and configure puppet on puppet hosts"
roles:
- puppet-install
- disable-puppet-agent
- hosts: "localhost:!disabled"
name: "Puppet-git: Collect the project-config ref"
strategy: free
@ -27,13 +39,3 @@
facts:
project_config_ref: "{{ hostvars.localhost.gitinfo.after }}"
puppet_timeout: 60m
- hosts: "zuul-scheduler:!disabled"
name: "Puppet-git: Run puppet on the Zuul scheduler"
strategy: free
gather_facts: true
roles:
- role: puppet
facts:
project_config_ref: "{{ hostvars.localhost.gitinfo.after }}"
puppet_timeout: 60m


@ -0,0 +1 @@
gitea_no_log: true


@ -59,7 +59,7 @@
block:
- name: Create root user
command: "docker exec -t giteadocker_gitea-web_1 gitea admin create-user --name root --password {{ gitea_root_password }} --email {{ gitea_root_email }} --admin"
no_log: true
no_log: "{{ gitea_no_log }}"
- name: Check if gerrit user exists
uri:
url: "https://localhost:3000/api/v1/users/gerrit"
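Review bot: `no_log: "{{ gitea_no_log }}"` makes the task error out whenever `gitea_no_log` is undefined, and the task's `command:` carries `{{ gitea_root_password }}` on its command line, so the safe fallback is to keep output suppressed unless a host explicitly opts out: `no_log: "{{ gitea_no_log | default(true) }}"`. The one-line file setting `gitea_no_log: true` (presumably the production group var) and the fixture-credential group vars setting it to `false` cover their inventories, but a gitea host outside those groups would now fail rather than behave as the old literal `true`. Because the password is an argument of the docker exec command, `no_log` only hides it from Ansible output, not from the process table while the command runs; that is pre-existing, but a one-line comment on the task saying so would save the next reader from assuming `no_log` is sufficient.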


@ -0,0 +1,18 @@
- hosts: bridge.openstack.org:!disabled
name: "Bridge: configure the bastion host"
roles:
- ansible-cron
- cloud-launcher-cron
- edit-secrets-script
- install-kubectl
- configure-kubectl
tasks:
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml'
openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
- include_role:
name: configure-openstacksdk
vars:
openstacksdk_config_template: clouds/bridge_clouds.yaml.j2
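Review bot: This play has no `become:`, while ansible-cron, cloud-launcher-cron and edit-secrets-script, which it now lists, were previously run from the bridge.yaml play that sets `become: true`; unless each of those roles escalates on its own tasks, they now execute as the connecting user and their cron and script installation will behave differently. Either add `become: true` to this play or, if the kubectl/openstacksdk roles are meant to run unprivileged as they did in base.yaml, move the three roles into a separate play of their own with `become: true`. Whether the roles set `become` internally is not visible here.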


@ -0,0 +1,5 @@
- hosts: "gitea-lb:!disabled"
name: "Base: configure gitea load balancer"
roles:
- install-docker
- haproxy


@ -0,0 +1,16 @@
# This needs to happen in order. letsencrypt hosts export their TXT
# authentication records which is installed onto adns1, and then the
# hosts verify to issue/renew keys
- hosts: "letsencrypt:!disabled"
name: "Base: deploy and renew certificates"
roles:
- letsencrypt-acme-sh-install
- letsencrypt-request-certs
- hosts: "adns:!disabled"
name: "Install txt records"
roles:
- letsencrypt-install-txt-record
- hosts: "letsencrypt:!disabled"
name: "Create certs"
roles:
- letsencrypt-create-certs


@ -0,0 +1,10 @@
- hosts: adns:!disabled
name: "Base: configure adns server"
roles:
- master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers"
roles:
- nameserver


@ -0,0 +1,7 @@
- hosts: nodepool-launcher:nodepool-builder:!disabled
name: "Base: configure OpenStackSDK on nodepool"
strategy: free
roles:
- minimal-nodepool
- configure-openstacksdk
- configure-kubectl


@ -0,0 +1,5 @@
- hosts: "registry:!disabled"
name: "Base: configure registry"
roles:
- install-docker
- registry


@ -0,0 +1,5 @@
- hosts: "zuul-preview:!disabled"
name: "Base: configure zuul-preview"
roles:
- install-docker
- zuul-preview


@ -14,6 +14,14 @@
dest: "/opt/project-config/gerrit/projects.yaml"
content: "{{ projects }}"
# TODO(mordred) This should be part of the service, once we refactor
# the project creation and are running remote_puppet_git.
- hosts: "gitea"
name: "Install and configure gitea"
roles:
- install-docker
- gitea
- hosts: "gitea"
name: "Create repos on gitea servers"
strategy: free


@ -18,6 +18,17 @@
repo: /home/zuul/src/opendev.org/opendev/system-config
dest: /opt/system-config
force: yes
# TODO: the next two tasks are update-system-config.yaml and
# should be removed or refactored out of here to a shared
# location.
- name: Clone puppet modules to /etc/puppet/modules
command: ./install_modules.sh
args:
chdir: /opt/system-config
- name: Install ansible roles to /etc/ansible/roles
command: ansible-galaxy install --roles-path /etc/ansible/roles --force -r roles.yaml
args:
chdir: /opt/system-config
- name: Add groups config for test nodes
template:
src: "templates/gate-groups.yaml.j2"
@ -33,7 +44,7 @@
path: /etc/ansible/ansible.cfg
section: defaults
option: inventory_plugins
value: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/install-ansible/files/inventory_plugins
value: /opt/system-config/playbooks/roles/install-ansible/files/inventory_plugins
- name: Update ansible.cfg to configure inventory plugins
ini_file:
path: /etc/ansible/ansible.cfg
@ -74,9 +85,15 @@
command: ansible localhost -m debug -a 'var=groups'
- name: Run base.yaml
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
- name: Run bridge service playbook
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml
- name: Run playbook
when: run_playbooks is defined
loop: "{{ run_playbooks }}"
command: "ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }}"
- name: Run test playbook
when: run_base_test_playbook is defined
shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_base_test_playbook }}"
when: run_test_playbook is defined
shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }}"
- name: Run testinfra to validate configuration
include_role:
name: tox
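Review bot: The two tasks added under the `# TODO` comment run `./install_modules.sh` and `ansible-galaxy install --force -r roles.yaml` from /opt/system-config on the test bridge, and both fetch code from the network at job time; whether roles.yaml and install_modules.sh pin exact versions or commits is not visible here, and if they do not, the gate's result depends on whatever upstream serves that day. The comment already flags the duplication with update-system-config.yaml; until the tasks are folded into a shared include, a note such as `# Both fetch remote code at job time; check roles.yaml / install_modules.sh for version pinning` next to them tells a reader where reproducibility is decided. The enclosing play starts and ends outside the hunks.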


@ -2,12 +2,6 @@
# for gate jobs are put in the right groups for testing
plugin: yamlgroup
groups:
puppet:
- trusty
- xenial
- centos7
# note: bionic currently isn't puppeted
docker:
- bionic-docker


@ -5,6 +5,7 @@ gitea_root_db_password: TlG1lNXKLfruXN0j
gitea_db_username: gitea
gitea_db_password: 5bfuOBKtltff0XZX
gitea_root_password: BUbBcpToMwR05ZCB
gitea_no_log: false
gitea_gerrit_password: yVpMWIUIvT7f6NwA
gitea_tls_cert: |
-----BEGIN CERTIFICATE-----


@ -92,6 +92,31 @@ start_timer
timeout -k 2m 120m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/base.yaml
send_timer base
# Service playbooks
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-gitea-lb.yaml
send_timer gitea-lb
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-letsencrypt.yaml
send_timer letsencrypt
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nameserver.yaml
send_timer nameserver
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nodepool.yaml
send_timer nodepool
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-registry.yaml
send_timer registry
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-zuul.yaml
send_timer zuul
# Run the git/gerrit/zuul sequence, since it's important that they all work together
start_timer
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
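Review bot: service-letsencrypt.yaml now runs before service-nameserver.yaml (`send_timer letsencrypt` precedes `send_timer nameserver`), whereas in the removed base.yaml plays the adns and nameserver roles ran before the letsencrypt sequence that installs TXT records onto adns; if letsencrypt-install-txt-record relies on master-nameserver having set up the zone, a freshly provisioned adns host would hit that dependency on the first run, so either swap the two stanzas or confirm the role tolerates the order. The six identical start_timer/timeout/send_timer stanzas are also easier to keep consistent as one loop over the service names, which makes the run order a single visible list.
```shell
# Service playbooks
for service in gitea-lb nameserver letsencrypt nodepool registry zuul; do
    start_timer
    timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-${service}.yaml
    send_timer ${service}
done
# … unchanged: git/gerrit/zuul sequence …
```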


@ -40,24 +40,6 @@ def test_exim_is_installed(host):
assert cmd.rc == 0
def test_puppet(host):
# We only install puppet on trusty, xenial and centos 7
if (host.system_info.codename in ['trusty', 'xenial'] or
host.system_info.distribution in ['centos']):
# Package name differs depending on puppet release version
# just check one version of puppet is installed.
puppet = host.package("puppet")
puppet_agent = host.package("puppet-agent")
assert puppet.is_installed or puppet_agent.is_installed
service = host.service("puppet")
assert not service.is_running
assert not service.is_enabled
else:
puppet = host.package("puppet")
puppet_agent = host.package("puppet-agent")
assert not puppet.is_installed and not puppet_agent.is_installed
def test_iptables(host):
rules = host.iptables.rules()
rules = [x.strip() for x in rules]


@ -1,21 +0,0 @@
# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
testinfra_hosts = ['bionic-docker']
def test_docker_service(host):
docker = host.service('docker')
assert docker.is_running