From be992b3bb65865181871ff81e42efede188c9823 Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Wed, 15 Mar 2023 12:00:25 +1100
Subject: [PATCH] infra-prod: run job against linaro

We have access to manage the linaro cloud, but we don't want to
completely own the host as it has been configured with kolla-ansible;
so we don't want to take over things like name resolution, iptables
rules, docker installation, etc.

But we would like to manage some parts of it, like rolling out our
root users, some cron jobs, etc.  While we could just log in and do
these things, it doesn't feel very openinfra.

This allows us to have a group "unmanaged" that skips the base jobs.
The base playbook is updated to skip these hosts.

For now, we add a cloud-linaro prod job that just does nothing so we
can validate the whole thing.  When it's working, I plan to add a few
things as discussed above.

Change-Id: Ie8de70cbac7ffb9d727a06a349c3d2a3b3aa0b40
---
 inventory/base/hosts.yaml           | 13 +++++++++++++
 inventory/service/groups.yaml       |  3 +++
 playbooks/base.yaml                 |  2 +-
 playbooks/service-cloud-linaro.yaml |  6 ++++++
 zuul.d/infra-prod.yaml              | 11 +++++++++++
 zuul.d/project.yaml                 |  6 ++++++
 6 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/service-cloud-linaro.yaml

diff --git a/inventory/base/hosts.yaml b/inventory/base/hosts.yaml
index b7ea777147..bf17739a92 100644
--- a/inventory/base/hosts.yaml
+++ b/inventory/base/hosts.yaml
@@ -1006,3 +1006,16 @@ all:
         - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUbbEvvPRMJZ1kFqDjMc3ahax3zYx7/ESMgBe4mS3xWsr4HTqlJUXJdIhEk+cw23NdxiEzum7aLiv6vYgHAEfEK9Ajrhy3AKZGe92ey2nXXShbcthJNr35GSjzod2OIC71XJUwh0cM/FbmweIDY0K0E7FRnapSr3H77lUb545we5tXoSrhZtEpgFkMYwUQ3YDQLXgX7/rLb17NE4/zKDgl9oYi9i7LIIVocS9o8bzy+aYCUWIH2lc9Jcf7ho4NdViNGWoih2/f/BxAO3fGWyyHfUYb/HR7qgL9DMlehzG4Z/4XvS8fgCsq8BGoqcyn0aQlGlOI1RX/3Wsr3tmhJ+X9'
         - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI8Vbr6vcHDpghr/pKg9I/Dy7FpyAdzEQKd0xOzHNaEtpPpHFcPUH/L9JghHsDPHqcvMKbenyCwaGlAWtB4fJn0='
         - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8uoICryIEi+2pecVwX/zYIySEAWKELWH4/XYBBdhDQ'
+    # NOTE - the following hosts are "partially managed" in that we
+    # don't run the full base deployment on them, but rather a
+    # specific subset of hand-picked roles, etc.
+    openinfraci.linaro.cloud:
+      ansible_host: 147.75.35.206
+      location:
+        cloud: opendevci-linaro
+        region_name: RegionOne
+      public_v4: 147.75.35.206
+      host_keys:
+        - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4VJyWg7kQTXQ+j2J2U1yrh61VAeZTTIerpc5tu5R+I+ebxZzcE9AAvqDLgflaCGDfv02Ds5BRGsD43sUHNzr/RtxNREqkTe713+dZGFuIdhDJSIz56iOzKmT6woc1n4wh4r8JEjTyiEGFimJYclkIHHx3RZyQroy/ntMr7lQSMfYeMr65LIahJzxOLHM1SEa/fMaMBqerdPsit56tnqfPxEM4iEUkN/Rfc8t94JgtB52VzqKWtvpFHy5DIP0MilrPI2xf/2PMycl1hj+LL4AO+mgSqRtv5TmPjv4KTH6ro0edFXm7vWZEl+8OXCUOErmPwSHFwLVIyuCsV4vI/nUGIZ7ttxUv8ZsKTC8yrzZBZen/0xF+kcLKhm3A3poR/KN8yqoCO542Wl+zwDcXiYvdDVS908796JSlfqf59mMnmuDg4gGGRYGEeRmPkdwwm1Lm8tgkwJX3HAx7ziEZbZ2hu1v3yg2DKI+K1OEhp+eucL0OkaBmdvAAvVMQEn1FbJ8='
+        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGnFxrjQah1S64D3hNzdWl8FmQR93gkw4zsgkCE+ZY1Bc5bdrfS/xQeTuxIpBP6L/7UlCe8ks48qc8caJ5vmy+0='
+        - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5xRCcYInStxHXEhkVws5RmqzUc0S/4wi1zOtd6zlUB'
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index 02adb14d8f..e835adf8ab 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -159,6 +159,9 @@ groups:
     - translate-dev[0-9]*.open*.org
   translate:
     - translate[0-9]*.open*.org
+  # This group does not run the base jobs
+  unmanaged:
+    - openinfraci.linaro.cloud
   webservers:
     - cacti[0-9]*.open*.org
     - codesearch[0-9]*.opendev.org
diff --git a/playbooks/base.yaml b/playbooks/base.yaml
index a784ef330c..aacc1c58cf 100644
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@@ -1,4 +1,4 @@
-- hosts: "!disabled"
+- hosts: "!unmanaged:!disabled"
   name: "Base: set up common environment on all hosts"
   roles:
     - base/users
diff --git a/playbooks/service-cloud-linaro.yaml b/playbooks/service-cloud-linaro.yaml
new file mode 100644
index 0000000000..f35ac7a84a
--- /dev/null
+++ b/playbooks/service-cloud-linaro.yaml
@@ -0,0 +1,6 @@
+- hosts: "openinfraci.linaro.cloud"
+  tasks:
+
+    - name: Initial task
+      debug:
+        msg: "This is a placeholder"
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index 287e884b53..023d3eaf05 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@@ -669,3 +669,14 @@
     files:
       - playbooks/run_cloud_launcher.yaml
       - inventory/service/group_vars/bastion.yaml
+
+- job:
+    name: infra-prod-cloud-linaro
+    parent: infra-prod-service-base
+    description: Run management tasks against Linaro
+    vars:
+      playbook_name: service-cloud-linaro.yaml
+    required-projects:
+      - opendev/system-config
+    files:
+      - playbooks/service-cloud-linaro.yaml
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index f463b4cee3..2d32f099af 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -394,6 +394,11 @@
               - name: infra-prod-base
                 soft: true
 
+        - infra-prod-cloud-linaro: &infra-prod-cloud-linaro
+            dependencies:
+              - name: infra-prod-base
+                soft: true
+
         #
         # Hosts using certificates and backups
         #
@@ -614,6 +619,7 @@
         - infra-prod-service-afs: *infra-prod-service-afs
         - infra-prod-service-nameserver: *infra-prod-service-nameserver
         - infra-prod-service-mirror-update: *infra-prod-service-mirror-update
+        - infra-prod-cloud-linaro: *infra-prod-cloud-linaro
         - infra-prod-service-borg-backup: *infra-prod-service-borg-backup
         - infra-prod-letsencrypt: *infra-prod-letsencrypt
         - infra-prod-service-codesearch: *infra-prod-service-codesearch