Split the base playbook into services
This is a first step toward making smaller playbooks which can be run by Zuul in CD. Zuul should be able to handle missing projects now, so move it out of the puppet_git playbook and into the puppet playbook. Make the base playbook be merely the base roles. Make service playbooks for each service. Remove the run-docker job because it's covered by service jobs. Stop testing that puppet is installed in testinfra. That test only works by accident: the non-puppeted hosts are selected only from bionic nodes, and puppet is not installed on bionic. Instead, we can now rely on actually *running* puppet when it's important, such as in the eavesdrop job. Also remove the installation of puppet on the nodes in the base job, since it's only useful to test that a synthetic test of installing puppet on nodes we don't use works. Don't run remote_puppet_git on gitea for now - it's too slow. A followup patch will rework gitea project creation to not take hours. Change-Id: Ibb78341c2c6be28005cea73542e829d8f7cfab08
This commit is contained in:
parent
8baf6cabd3
commit
8ad300927e
43
.zuul.yaml
43
.zuul.yaml
@ -406,7 +406,9 @@
|
||||
- .zuul.yaml
|
||||
- playbooks/group_vars/eavesdrop.yaml
|
||||
- testinfra/test_eavesdrop.py
|
||||
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/remote_puppet_else.yaml
|
||||
|
||||
- job:
|
||||
name: system-config-run-letsencrypt
|
||||
@ -423,6 +425,10 @@
|
||||
label: ubuntu-bionic
|
||||
- name: letsencrypt02.opendev.org
|
||||
label: ubuntu-bionic
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/service-nameserver.yaml
|
||||
- playbooks/service-letsencrypt.yaml
|
||||
host-vars:
|
||||
letsencrypt01.opendev.org:
|
||||
host_copy_output:
|
||||
@ -448,6 +454,10 @@
|
||||
label: ubuntu-xenial
|
||||
- name: nb01.openstack.org
|
||||
label: ubuntu-xenial
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/service-nodepool.yaml
|
||||
- playbooks/remote_puppet_else.yaml
|
||||
files:
|
||||
- .zuul.yaml
|
||||
- playbooks/group_vars/nodepool.yaml
|
||||
@ -457,22 +467,6 @@
|
||||
- playbooks/templates/clouds/
|
||||
- testinfra/test_nodepool.py
|
||||
|
||||
- job:
|
||||
name: system-config-run-docker
|
||||
parent: system-config-run
|
||||
description: |
|
||||
Test docker installation and setup
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: bridge.openstack.org
|
||||
label: ubuntu-bionic
|
||||
- name: bionic-docker
|
||||
label: ubuntu-bionic
|
||||
files:
|
||||
- .zuul.yaml
|
||||
- playbooks/roles/install-docker
|
||||
- testinfra/test_docker.py
|
||||
|
||||
- job:
|
||||
name: system-config-run-dns
|
||||
parent: system-config-run
|
||||
@ -489,6 +483,9 @@
|
||||
label: ubuntu-bionic
|
||||
- name: ns1.opendev.org
|
||||
label: ubuntu-bionic
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/service-nameserver.yaml
|
||||
host-vars:
|
||||
adns1.opendev.org:
|
||||
host_copy_output:
|
||||
@ -518,6 +515,9 @@
|
||||
label: ubuntu-bionic
|
||||
- name: insecure-ci-registry01.opendev.org
|
||||
label: ubuntu-bionic
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/service-registry.yaml
|
||||
host-vars:
|
||||
insecure-ci-registry01.opendev.org:
|
||||
host_copy_output:
|
||||
@ -546,7 +546,9 @@
|
||||
- name: gitea01.opendev.org
|
||||
label: ubuntu-bionic
|
||||
vars:
|
||||
run_base_test_playbook: playbooks/zuul/test-gitea.yaml
|
||||
run_playbooks:
|
||||
- playbooks/service-gitea-lb.yaml
|
||||
run_test_playbook: playbooks/test-gitea.yaml
|
||||
host-vars:
|
||||
gitea01.opendev.org:
|
||||
host_copy_output:
|
||||
@ -583,6 +585,9 @@
|
||||
label: ubuntu-bionic
|
||||
- name: zp01.opendev.org
|
||||
label: ubuntu-bionic
|
||||
vars:
|
||||
run_playbooks:
|
||||
- playbooks/service-zuul.yaml
|
||||
files:
|
||||
- .zuul.yaml
|
||||
- playbooks/roles/zuul-preview/
|
||||
@ -634,7 +639,6 @@
|
||||
- system-config-run-dns
|
||||
- system-config-run-eavesdrop
|
||||
- system-config-run-nodepool
|
||||
- system-config-run-docker
|
||||
- system-config-run-docker-registry
|
||||
- system-config-run-gitea:
|
||||
dependencies:
|
||||
@ -659,7 +663,6 @@
|
||||
- system-config-run-dns
|
||||
- system-config-run-eavesdrop
|
||||
- system-config-run-nodepool
|
||||
- system-config-run-docker
|
||||
- system-config-run-docker-registry
|
||||
- system-config-run-gitea:
|
||||
dependencies:
|
||||
|
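Review bot: Deleting `system-config-run-docker` also deletes the only visible `files:` trigger for `playbooks/roles/install-docker` (the removed job's list in the `-457,22 +467,6` hunk), while the service jobs that now exercise that role do not appear to list it: the zuul-preview job's `files:` in the `-583,6 +585,9` hunk shows only `.zuul.yaml` and `playbooks/roles/zuul-preview/`, and the registry and gitea jobs' lists lie outside the hunks. If none of them lists the role, a change to `install-docker` will no longer trigger any job that installs docker. Add `- playbooks/roles/install-docker` to the `files:` of each job whose `run_playbooks` pulls in that role (service-registry, service-gitea-lb, service-zuul).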
@ -22,89 +22,3 @@
|
||||
roles:
|
||||
- snmpd
|
||||
- iptables
|
||||
|
||||
- hosts: bridge.openstack.org:!disabled
|
||||
name: "Base: configure cloud credentials on bridge"
|
||||
roles:
|
||||
- install-kubectl
|
||||
- configure-kubectl
|
||||
tasks:
|
||||
- include_role:
|
||||
name: configure-openstacksdk
|
||||
vars:
|
||||
openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml'
|
||||
openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
|
||||
- include_role:
|
||||
name: configure-openstacksdk
|
||||
vars:
|
||||
openstacksdk_config_template: clouds/bridge_clouds.yaml.j2
|
||||
|
||||
- hosts: nodepool-launcher:nodepool-builder:!disabled
|
||||
name: "Base: configure OpenStackSDK on nodepool"
|
||||
strategy: free
|
||||
roles:
|
||||
- minimal-nodepool
|
||||
- configure-openstacksdk
|
||||
- configure-kubectl
|
||||
|
||||
- hosts: "puppet:!disabled"
|
||||
name: "Base: install and configure puppet on puppet hosts"
|
||||
roles:
|
||||
- puppet-install
|
||||
- disable-puppet-agent
|
||||
|
||||
- hosts: adns:!disabled
|
||||
name: "Base: configure adns server"
|
||||
roles:
|
||||
- master-nameserver
|
||||
|
||||
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
|
||||
name: "Base: configure authoritative nameservers"
|
||||
roles:
|
||||
- nameserver
|
||||
|
||||
- hosts: "docker:!disabled"
|
||||
name: "Base: install and configure docker on docker hosts"
|
||||
roles:
|
||||
- install-docker
|
||||
|
||||
- hosts: "registry:!disabled"
|
||||
name: "Base: configure registry"
|
||||
roles:
|
||||
- install-docker
|
||||
- registry
|
||||
|
||||
- hosts: "gitea:!disabled"
|
||||
name: "Base: configure gitea"
|
||||
roles:
|
||||
- install-docker
|
||||
- gitea
|
||||
|
||||
- hosts: "gitea-lb:!disabled"
|
||||
name: "Base: configure gitea load balancer"
|
||||
roles:
|
||||
- install-docker
|
||||
- haproxy
|
||||
|
||||
- hosts: "zuul-preview:!disabled"
|
||||
name: "Base: configure zuul-preview"
|
||||
roles:
|
||||
- install-docker
|
||||
- zuul-preview
|
||||
|
||||
# This next section needs to happen in order. letsencrypt hosts
|
||||
# export their TXT authentication records which is installed onto
|
||||
# adns1, and then the hosts verify to issue/renew keys
|
||||
- hosts: "letsencrypt:!disabled"
|
||||
name: "Base: deploy and renew certificates"
|
||||
roles:
|
||||
- letsencrypt-acme-sh-install
|
||||
- letsencrypt-request-certs
|
||||
- hosts: "adns:!disabled"
|
||||
name: "Install txt records"
|
||||
roles:
|
||||
- letsencrypt-install-txt-record
|
||||
- hosts: "letsencrypt:!disabled"
|
||||
name: "Create certs"
|
||||
roles:
|
||||
- letsencrypt-create-certs
|
||||
|
@ -1,5 +1,5 @@
|
||||
- hosts: bridge.openstack.org
|
||||
name: "Bridge: configure the bastion host"
|
||||
- hosts: bridge.openstack.org:!disabled
|
||||
name: "Bridge: boostrap the bastion host"
|
||||
become: true
|
||||
roles:
|
||||
- pip3
|
||||
@ -21,6 +21,3 @@
|
||||
install_ansible_ara_name: '{{ bridge_ara_name | default("ara") }}'
|
||||
install_ansible_ara_version: '{{ bridge_ara_version | default("0.16.1") }}'
|
||||
- root-keys
|
||||
- ansible-cron
|
||||
- cloud-launcher-cron
|
||||
- edit-secrets-script
|
||||
|
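Review bot: The renamed play at the top of the `-1,5 +1,5` hunk has a typo in its name, `"Bridge: boostrap the bastion host"`; play names appear in every run log and in ARA, so it is worth fixing before it is copied elsewhere: `name: "Bridge: bootstrap the bastion host"`. The rest of the play body lies outside the hunk.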
@ -1,3 +1,9 @@
|
||||
- hosts: "afs:afsdb:!disabled"
|
||||
name: "Base: install and configure puppet on puppet hosts"
|
||||
roles:
|
||||
- puppet-install
|
||||
- disable-puppet-agent
|
||||
|
||||
- hosts: "afs:afsdb:!disabled"
|
||||
name: "AFS: run puppet on the AFS servers"
|
||||
strategy: free
|
||||
|
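Review bot: The play added at the top of the `-1,3 +1,9` hunk keeps the name it had in base.yaml, `"Base: install and configure puppet on puppet hosts"`, although it is now scoped to `afs:afsdb` and no longer part of base; the same copied name reappears on the `review` play in the remote_puppet_git.yaml hunk at `-1,3 +1,15`. Names that say which group they cover keep a run log readable, e.g. `name: "AFS: install puppet and disable the agent"` and `name: "Review: install puppet and disable the agent"`.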
@ -1,5 +1,7 @@
|
||||
- hosts: 'puppet:!review:!zuul-scheduler:!afs:!afsdb:!puppetmaster*:!disabled'
|
||||
- hosts: 'puppet:!review:!afs:!afsdb:!puppetmaster*:!disabled'
|
||||
name: "Puppet-else: run puppet on all other servers"
|
||||
strategy: free
|
||||
roles:
|
||||
- puppet-install
|
||||
- disable-puppet-agent
|
||||
- puppet
|
||||
|
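Review bot: The host pattern `puppet:!review:!afs:!afsdb:!puppetmaster*:!disabled` now also carries the `puppet-install` and `disable-puppet-agent` roles that base.yaml used to apply to every `puppet` host, so hosts matching `puppetmaster*` receive neither role from any play visible in this commit. If such hosts still exist in the inventory, their agent is no longer explicitly disabled; either drop the exclusion or give them their own play. Separately, the zuul-scheduler play removed from remote_puppet_git.yaml set `puppet_timeout: 60m` and `project_config_ref`, and the scheduler now falls under this play, which sets neither, so its run inherits whatever the puppet role defaults to (not shown here). If the longer timeout is still needed, carry it over, e.g. `puppet_timeout: 60m` in the zuul-scheduler group vars.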
@ -1,3 +1,15 @@
|
||||
- hosts: "gitea:!disabled"
|
||||
name: "Base: configure gitea"
|
||||
roles:
|
||||
- install-docker
|
||||
- gitea
|
||||
|
||||
- hosts: "review:!disabled"
|
||||
name: "Base: install and configure puppet on puppet hosts"
|
||||
roles:
|
||||
- puppet-install
|
||||
- disable-puppet-agent
|
||||
|
||||
- hosts: "localhost:!disabled"
|
||||
name: "Puppet-git: Collect the project-config ref"
|
||||
strategy: free
|
||||
@ -27,13 +39,3 @@
|
||||
facts:
|
||||
project_config_ref: "{{ hostvars.localhost.gitinfo.after }}"
|
||||
puppet_timeout: 60m
|
||||
|
||||
- hosts: "zuul-scheduler:!disabled"
|
||||
name: "Puppet-git: Run puppet on the Zuul scheduler"
|
||||
strategy: free
|
||||
gather_facts: true
|
||||
roles:
|
||||
- role: puppet
|
||||
facts:
|
||||
project_config_ref: "{{ hostvars.localhost.gitinfo.after }}"
|
||||
puppet_timeout: 60m
|
||||
|
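--- /dev/null
+++ b/playbooks/roles/gitea/defaults/main.yaml
@@ -0,0 +1 @@
+gitea_no_log: true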
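Review bot: `gitea_no_log` is a safety-relevant switch with no explanation of what it exposes: the task it gates in the gitea role hunk at `-59,7 +59,7` passes `{{ gitea_root_password }}` on a command line, so any override to `false` (as the gate host_vars do in the `-5,6 +5,7` hunk) prints that credential into the job log. Document that in the defaults so the gate override is not copied into production, e.g. `# Set to false only in the gate: the create-root-user task logs its command line, including the root password.`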
@ -59,7 +59,7 @@
|
||||
block:
|
||||
- name: Create root user
|
||||
command: "docker exec -t giteadocker_gitea-web_1 gitea admin create-user --name root --password {{ gitea_root_password }} --email {{ gitea_root_email }} --admin"
|
||||
no_log: true
|
||||
no_log: "{{ gitea_no_log }}"
|
||||
- name: Check if gerrit user exists
|
||||
uri:
|
||||
url: "https://localhost:3000/api/v1/users/gerrit"
|
||||
|
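Review bot: Making `no_log` configurable only controls what Ansible prints; the `Create root user` task still hands `{{ gitea_root_password }}` to `docker exec` as an argument, so the secret is visible in the process list on the gitea host (and in any audit or process-accounting record) for as long as the command runs, regardless of `gitea_no_log`. If the gitea CLI offers a way to supply the password other than `--password`, prefer it; otherwise keep the default at `true` and record the residual exposure on the task, e.g. `# no_log guards Ansible output only; the password is still an argv of docker exec.` The enclosing block starts outside the hunk.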
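--- /dev/null
+++ b/playbooks/service-bridge.yaml
@@ -0,0 +1,18 @@
+- hosts: bridge.openstack.org:!disabled
+  name: "Bridge: configure the bastion host"
+  roles:
+    - ansible-cron
+    - cloud-launcher-cron
+    - edit-secrets-script
+    - install-kubectl
+    - configure-kubectl
+  tasks:
+    - include_role:
+        name: configure-openstacksdk
+      vars:
+        openstacksdk_config_file: '{{ openstacksdk_config_dir }}/all-clouds.yaml'
+        openstacksdk_config_template: clouds/bridge_all_clouds.yaml.j2
+    - include_role:
+        name: configure-openstacksdk
+      vars:
+        openstacksdk_config_template: clouds/bridge_clouds.yaml.j2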
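Review bot: The `ansible-cron`, `cloud-launcher-cron` and `edit-secrets-script` roles that used to run from bridge.yaml now live only in this playbook, and the gate runs it unconditionally (`Run bridge service playbook` in the run-base.yaml hunk), but the run_all.sh hunk that adds the service playbooks lists gitea-lb, letsencrypt, nameserver, nodepool, registry and zuul and not service-bridge.yaml. Unless bridge.yaml or this playbook is invoked somewhere outside the visible hunks, production runs would stop converging those three roles. Add the matching block to run_all.sh: `start_timer`, `timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-bridge.yaml`, `send_timer bridge`.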
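--- /dev/null
+++ b/playbooks/service-gitea-lb.yaml
@@ -0,0 +1,5 @@
+- hosts: "gitea-lb:!disabled"
+  name: "Base: configure gitea load balancer"
+  roles:
+    - install-docker
+    - haproxy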
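--- /dev/null
+++ b/playbooks/service-letsencrypt.yaml
@@ -0,0 +1,16 @@
+# This needs to happen in order. letsencrypt hosts export their TXT
+# authentication records which is installed onto adns1, and then the
+# hosts verify to issue/renew keys
+- hosts: "letsencrypt:!disabled"
+  name: "Base: deploy and renew certificates"
+  roles:
+    - letsencrypt-acme-sh-install
+    - letsencrypt-request-certs
+- hosts: "adns:!disabled"
+  name: "Install txt records"
+  roles:
+    - letsencrypt-install-txt-record
+- hosts: "letsencrypt:!disabled"
+  name: "Create certs"
+  roles:
+    - letsencrypt-create-certs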
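--- /dev/null
+++ b/playbooks/service-nameserver.yaml
@@ -0,0 +1,10 @@
+- hosts: adns:!disabled
+  name: "Base: configure adns server"
+  roles:
+    - master-nameserver
+
+- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
+  name: "Base: configure authoritative nameservers"
+  roles:
+    - nameserver
+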
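--- /dev/null
+++ b/playbooks/service-nodepool.yaml
@@ -0,0 +1,7 @@
+- hosts: nodepool-launcher:nodepool-builder:!disabled
+  name: "Base: configure OpenStackSDK on nodepool"
+  strategy: free
+  roles:
+    - minimal-nodepool
+    - configure-openstacksdk
+    - configure-kubectl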
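--- /dev/null
+++ b/playbooks/service-registry.yaml
@@ -0,0 +1,5 @@
+- hosts: "registry:!disabled"
+  name: "Base: configure registry"
+  roles:
+    - install-docker
+    - registry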
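--- /dev/null
+++ b/playbooks/service-zuul.yaml
@@ -0,0 +1,5 @@
+- hosts: "zuul-preview:!disabled"
+  name: "Base: configure zuul-preview"
+  roles:
+    - install-docker
+    - zuul-preview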
@ -14,6 +14,14 @@
|
||||
dest: "/opt/project-config/gerrit/projects.yaml"
|
||||
content: "{{ projects }}"
|
||||
|
||||
# TODO(mordred) This should be part of the service, once we refactor
|
||||
# the project creation and are running remote_puppet_git.
|
||||
- hosts: "gitea"
|
||||
name: "Install and configure gitea"
|
||||
roles:
|
||||
- install-docker
|
||||
- gitea
|
||||
|
||||
- hosts: "gitea"
|
||||
name: "Create repos on gitea servers"
|
||||
strategy: free
|
@ -18,6 +18,17 @@
|
||||
repo: /home/zuul/src/opendev.org/opendev/system-config
|
||||
dest: /opt/system-config
|
||||
force: yes
|
||||
# TODO: the next two tasks are update-system-config.yaml and
|
||||
# should be removed or refactored out of here to a shared
|
||||
# location.
|
||||
- name: Clone puppet modules to /etc/puppet/modules
|
||||
command: ./install_modules.sh
|
||||
args:
|
||||
chdir: /opt/system-config
|
||||
- name: Install ansible roles to /etc/ansible/roles
|
||||
command: ansible-galaxy install --roles-path /etc/ansible/roles --force -r roles.yaml
|
||||
args:
|
||||
chdir: /opt/system-config
|
||||
- name: Add groups config for test nodes
|
||||
template:
|
||||
src: "templates/gate-groups.yaml.j2"
|
||||
@ -33,7 +44,7 @@
|
||||
path: /etc/ansible/ansible.cfg
|
||||
section: defaults
|
||||
option: inventory_plugins
|
||||
value: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/install-ansible/files/inventory_plugins
|
||||
value: /opt/system-config/playbooks/roles/install-ansible/files/inventory_plugins
|
||||
- name: Update ansible.cfg to configure inventory plugins
|
||||
ini_file:
|
||||
path: /etc/ansible/ansible.cfg
|
||||
@ -74,9 +85,15 @@
|
||||
command: ansible localhost -m debug -a 'var=groups'
|
||||
- name: Run base.yaml
|
||||
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
|
||||
- name: Run bridge service playbook
|
||||
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml
|
||||
- name: Run playbook
|
||||
when: run_playbooks is defined
|
||||
loop: "{{ run_playbooks }}"
|
||||
command: "ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }}"
|
||||
- name: Run test playbook
|
||||
when: run_base_test_playbook is defined
|
||||
shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_base_test_playbook }}"
|
||||
when: run_test_playbook is defined
|
||||
shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }}"
|
||||
- name: Run testinfra to validate configuration
|
||||
include_role:
|
||||
name: tox
|
||||
|
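Review bot: After the `-33,7 +44,7` hunk the inventory plugin path in ansible.cfg points at `/opt/system-config/...`, the clone made earlier in this play (`dest: /opt/system-config`, `force: yes`), while `Run bridge service playbook` and `Run playbook` in the `-74,9 +85,15` hunk still execute playbooks from `/home/zuul/src/opendev.org/opendev/system-config/`. Both trees are the same commit in the gate, so this works, but the job now loads inventory code from one checkout and playbooks from another, which is easy to desynchronise later. Either run the playbooks from `/opt/system-config` as well, or add a comment at the `Run playbook` task explaining why the two paths differ. The enclosing play starts and ends outside the hunks.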
@ -2,12 +2,6 @@
|
||||
# for gate jobs are put in the right groups for testing
|
||||
plugin: yamlgroup
|
||||
groups:
|
||||
puppet:
|
||||
- trusty
|
||||
- xenial
|
||||
- centos7
|
||||
# note: bionic currently isn't puppeted
|
||||
|
||||
docker:
|
||||
- bionic-docker
|
||||
|
||||
|
@ -5,6 +5,7 @@ gitea_root_db_password: TlG1lNXKLfruXN0j
|
||||
gitea_db_username: gitea
|
||||
gitea_db_password: 5bfuOBKtltff0XZX
|
||||
gitea_root_password: BUbBcpToMwR05ZCB
|
||||
gitea_no_log: false
|
||||
gitea_gerrit_password: yVpMWIUIvT7f6NwA
|
||||
gitea_tls_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
|
25
run_all.sh
25
run_all.sh
@ -92,6 +92,31 @@ start_timer
|
||||
timeout -k 2m 120m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/base.yaml
|
||||
send_timer base
|
||||
|
||||
# Service playbooks
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-gitea-lb.yaml
|
||||
send_timer gitea-lb
|
||||
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-letsencrypt.yaml
|
||||
send_timer letsencrypt
|
||||
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nameserver.yaml
|
||||
send_timer nameserver
|
||||
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-nodepool.yaml
|
||||
send_timer nodepool
|
||||
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-registry.yaml
|
||||
send_timer registry
|
||||
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/service-zuul.yaml
|
||||
send_timer zuul
|
||||
|
||||
# Run the git/gerrit/zuul sequence, since it's important that they all work together
|
||||
start_timer
|
||||
timeout -k 2m 30m ansible-playbook -f 50 ${ANSIBLE_PLAYBOOKS}/remote_puppet_git.yaml
|
||||
|
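Review bot: The service playbooks are run in the order listed, which puts `service-letsencrypt.yaml` ahead of `service-nameserver.yaml`; letsencrypt's middle play installs TXT records on `adns`, which base.yaml used to configure (master-nameserver role) before its letsencrypt section, and the letsencrypt Zuul job keeps that order by listing `service-nameserver.yaml` first in its `run_playbooks`. On a fresh or reinstalled adns host the first run_all.sh pass would install TXT records before the nameserver is set up. Swap the letsencrypt and nameserver blocks so nameserver runs first, matching the job. The six blocks are otherwise identical apart from the name, so a `for svc in ...` loop over the playbook names would keep the order explicit in one place.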
@ -40,24 +40,6 @@ def test_exim_is_installed(host):
|
||||
assert cmd.rc == 0
|
||||
|
||||
|
||||
def test_puppet(host):
|
||||
# We only install puppet on trusty, xenial and centos 7
|
||||
if (host.system_info.codename in ['trusty', 'xenial'] or
|
||||
host.system_info.distribution in ['centos']):
|
||||
# Package name differs depending on puppet release version
|
||||
# just check one version of puppet is installed.
|
||||
puppet = host.package("puppet")
|
||||
puppet_agent = host.package("puppet-agent")
|
||||
assert puppet.is_installed or puppet_agent.is_installed
|
||||
service = host.service("puppet")
|
||||
assert not service.is_running
|
||||
assert not service.is_enabled
|
||||
else:
|
||||
puppet = host.package("puppet")
|
||||
puppet_agent = host.package("puppet-agent")
|
||||
assert not puppet.is_installed and not puppet_agent.is_installed
|
||||
|
||||
|
||||
def test_iptables(host):
|
||||
rules = host.iptables.rules()
|
||||
rules = [x.strip() for x in rules]
|
||||
|
@ -1,21 +0,0 @@
|
||||
# Copyright 2018 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
testinfra_hosts = ['bionic-docker']
|
||||
|
||||
|
||||
def test_docker_service(host):
|
||||
docker = host.service('docker')
|
||||
assert docker.is_running
|