Abstract name of bastion host for testing path

This replaces hard-coding of the host "bridge.openstack.org" with
hard-coding of the first (and only) host in the group "bastion".

The idea here is that we can, as much as possible, simply switch one
place to an alternative hostname for the bastion such as
"bridge.opendev.org" when we upgrade.  This is just the testing path,
for now; a follow-on will modify the production path (which doesn't
really get speculatively tested).

This needs to be defined in two places:

 1) We need to define this in the run jobs for Zuul to use in the
    playbooks/zuul/run-*.yaml playbooks, as it sets up and collects
    logs from the testing bastion host.

 2) The nested Ansible run will then use inventory
    inventory/service/groups.yaml

Various other places are updated to use this abstracted group as the
bastion host.

Variables are moved into the bastion group (which only has one host --
the actual bastion host) which means we only have to update the group
mapping to the new host.

This is intended to be a no-op change; all the jobs should work the
same, but just using the new abstractions.

Change-Id: Iffb462371939989b03e5d6ac6c5df63aa7708513
Ian Wienand 2022-09-20 11:57:22 +10:00
parent deed697853
commit d4c46ecdef
No known key found for this signature in database
11 changed files with 94 additions and 20 deletions

@ -15,6 +15,10 @@ groups:
- afsdb*.open*.org
- afs[0-9]*.open*.org
- static[0-9]*.opendev.org
# bastion group should should only have one entry because we assume
# groups['bastion'][0] is the bastion host name in several places.
bastion:
- bridge.openstack.org
borg-backup:
- etherpad[0-9]*.opendev.org
- gitea01.opendev.org
@ -41,11 +45,11 @@ groups:
certcheck:
- cacti[0-9]*.open*.org
cloud-launcher:
- bridge.openstack.org
- bridge*.open*.org
codesearch:
- codesearch[0-9]*.opendev.org
control-plane-clouds:
- bridge.openstack.org
- bridge*.open*.org
disabled: []
dns:
- adns*.opendev.org
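Review bot: The `cloud-launcher` and `control-plane-clouds` entries are widened from the single name `bridge.openstack.org` to `bridge*.open*.org`, which admits any inventory host whose name merely starts with "bridge", while the new `bastion` group is deliberately pinned to one name. If those two groups carry cloud credentials in their group_vars (not visible here), their membership should stay as narrow as the bastion itself, for example by listing the explicit old and new hostnames instead of a prefix pattern. The new comment also has a doubled word and should read `# bastion group should only have one entry because we assume`. The `groups:` mapping starts and continues outside these hunks.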

@ -3,9 +3,9 @@
path: '{{ project_config_dest }}'
state: directory
- name: Update from master
- name: Update from master on bastion host
when: infra_prod_run_from_master|bool
delegate_to: bridge.openstack.org
delegate_to: '{{ groups["bastion"][0] }}'
git:
repo: https://opendev.org/openstack/project-config
dest: '{{ project_config_src }}'
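Review bot: `delegate_to: '{{ groups["bastion"][0] }}'` fails with an opaque templating error if the `bastion` group is missing or empty, and quietly picks whichever host sorts first if a second entry is ever added. Nothing visible in this commit enforces the one-entry rule that the inventory comment states. A guard early in the run, such as an `assert` task with `that: groups["bastion"] | length == 1`, would turn both cases into a clear failure. The same applies to the `hostvars[groups["bastion"][0]]` lookups for the CA key and certificate and to the artifact URLs in the Zuul run playbooks. The task list this hunk belongs to starts and ends outside the hunk.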

@ -1,4 +1,4 @@
- hosts: bridge.openstack.org:!disabled
- hosts: bastion:!disabled
name: "Bridge: configure the bastion host"
roles:
- iptables

@ -1,4 +1,4 @@
- hosts: "bridge.openstack.org:!disabled"
- hosts: bastion:!disabled
tasks:
- name: Modify Zuuls description
lineinfile:

@ -28,7 +28,7 @@
- include_role:
name: stage-output
- hosts: bridge.openstack.org
- hosts: bastion
tasks:
- name: Set log directory
set_fact:
@ -69,7 +69,7 @@
zuul:
artifacts:
- name: ARA report
url: "bridge.openstack.org/ara-report/"
url: '{{ groups["bastion"][0] }}/ara-report/'
- name: Collect ansible configuration
synchronize:

@ -5,7 +5,7 @@
cloud_launcher_disable_job: true
# setup opendev CA
- hosts: bridge.openstack.org
- hosts: bastion[0]
become: true
tasks:
- name: Make temporary dir for CA generation
@ -57,9 +57,9 @@
creates: '{{ item.file }}'
loop:
- file: '/etc/opendev-ca/ca.key'
content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_key"]["content"] }}'
content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"] }}'
- file: '/etc/opendev-ca/ca.crt'
content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_certificate"]["content"] }}'
content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_certificate"]["content"] }}'
- name: Install and trust certificate
shell:
@ -67,7 +67,7 @@
cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
update-ca-certificates
- hosts: bridge.openstack.org
- hosts: bastion[0]
become: true
tasks:
- name: Write inventory on bridge
@ -115,6 +115,7 @@
loop:
- group_vars/all.yaml
- group_vars/adns.yaml
- group_vars/bastion.yaml
- group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml
- group_vars/ns.yaml
@ -136,7 +137,6 @@
- group_vars/zuul-merger.yaml
- group_vars/zuul-scheduler.yaml
- group_vars/zuul-web.yaml
- host_vars/bridge.openstack.org.yaml
- host_vars/codesearch01.opendev.org.yaml
- host_vars/etherpad01.opendev.org.yaml
- host_vars/letsencrypt01.opendev.org.yaml
@ -185,7 +185,7 @@
name: encrypt-logs
vars:
encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
encrypt_logs_artifact_path: 'bridge.openstack.org/ansible'
encrypt_logs_artifact_path: '{{ groups["bastion"][0] }}/ansible'
encrypt_logs_download_script_path: '/var/log/ansible'
- name: Run test playbook
@ -216,7 +216,7 @@
zuul:
artifacts:
- name: Screenshots
url: "bridge.openstack.org/screenshots"
url: '{{ groups["bastion"][0] }}/screenshots'
- name: Allow PBR's git calls to operate in system-config, despite not owning it
command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
@ -240,4 +240,4 @@
zuul:
artifacts:
- name: testinfra results
url: "bridge.openstack.org/test-results.html"
url: '{{ groups["bastion"][0] }}/test-results.html'
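Review bot: The two plays in this file target `bastion[0]`, while the other playbooks in this commit target `bastion` or `bastion:!disabled`, so the same host is now addressed in three different ways. That matters most for the CA material: `_opendev_ca_key` is read back through `hostvars[groups["bastion"][0]]`, which only lines up with the play that produced it (presumably the "setup opendev CA" play) while both expressions resolve to the same single host. Settle on one form across the playbooks, or add a comment on the play such as `# bastion[0]: the CA key is created on, and later read back from, the first bastion host only`. The plays continue outside these hunks.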

@ -6,7 +6,7 @@ groups:
- bionic-docker
certcheck:
- bridge.openstack.org
- bridge[0-9]*.open*.org
letsencrypt:
- letsencrypt01.opendev.org
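Review bot: `bridge[0-9]*.open*.org` requires a digit straight after "bridge" if these patterns are shell-style globs, so it would no longer match `bridge.openstack.org`, which this commit still uses as the bastion name in the Zuul `bastion` group. That would drop the host from `certcheck` in this file, contrary to the stated no-op intent. It also differs from the `bridge*.open*.org` form used for `cloud-launcher` and `control-plane-clouds` in the service inventory. If this file is an expected-results fixture the change may be deliberate, and a one-line comment saying so would help; otherwise keep `- bridge.openstack.org` listed next to the pattern until the rename lands.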

@ -53,7 +53,7 @@
- playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
- playbooks/roles/install-ansible/
- playbooks/roles/root-keys/
- inventory/service/host_vars/bridge.openstack.org.yaml
- inventory/service/group_vars/bastion.yaml
- job:
name: infra-prod-base
@ -117,7 +117,7 @@
files:
- inventory/base
- playbooks/service-bridge.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml
- inventory/service/group_vars/bastion.yaml
- playbooks/roles/logrotate/
- playbooks/roles/edit-secrets-script/
- playbooks/roles/install-kubectl/
@ -656,4 +656,4 @@
- opendev/system-config
files:
- playbooks/run_cloud_launcher.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml
- inventory/service/group_vars/bastion.yaml

@ -68,6 +68,20 @@
label: ubuntu-focal
- name: jammy
label: ubuntu-jammy
groups:
# Each job should define this group -- to avoid hard-coding
# the bastion hostname in the job setup, playbooks/tasks refer
# to it only by this group. This should only have one entry
# -- in a couple of places the jobs use the actual hostname
# and assume element [0] here is that hostname.
#
# Note that this shouldn't be confused with the group in
# inventory/service/groups.yaml -- this group contains the
# host that Zuul, running on the executor, will setup as the
# bridge node. This node will then run a nested Ansible to
# test the production playbooks -- *that* Ansible has a
# "bastion" group too
- &bastion_group { name: bastion, nodes: [ bridge.openstack.org ] }
files:
- tox.ini
- playbooks/
@ -90,6 +104,8 @@
label: ubuntu-focal
- name: jammy
label: ubuntu-jammy
groups:
- <<: *bastion_group
required-projects:
- name: github.com/ansible/ansible
override-checkout: devel
@ -129,6 +145,8 @@
label: ubuntu-focal-arm64
- name: jammy
label: ubuntu-jammy-arm64
groups:
- <<: *bastion_group
files:
- playbooks/
- roles/
@ -154,6 +172,8 @@
- <<: *bridge_node_x86
- name: eavesdrop01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -199,6 +219,8 @@
label: ubuntu-bionic
- name: letsencrypt02.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-nameserver.yaml
@ -244,6 +266,8 @@
label: ubuntu-focal
- name: lists.katacontainers.io
label: ubuntu-focal
groups:
- <<: *bastion_group
required-projects:
- opendev/system-config
files:
@ -294,6 +318,8 @@
label: ubuntu-focal
- name: nb01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
required-projects:
- opendev/system-config
- openstack/project-config
@ -339,6 +365,8 @@
label: ubuntu-bionic
- name: ns1.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-nameserver.yaml
@ -375,6 +403,8 @@
label: ubuntu-bionic
- name: borg-backup-jammy.opendev.org
label: ubuntu-jammy
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-borg-backup.yaml
@ -446,6 +476,8 @@
label: ubuntu-bionic
- name: mirror02.openafs.provider.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
- job:
name: system-config-run-mirror-arm64
@ -455,6 +487,8 @@
- <<: *bridge_node_arm64
- name: mirror01.openafs.provider.opendev.org
label: ubuntu-focal-arm64
groups:
- <<: *bastion_group
- job:
name: system-config-run-mirror-update
@ -466,6 +500,8 @@
- <<: *bridge_node_x86
- name: mirror-update99.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-mirror-update.yaml
@ -489,6 +525,8 @@
- <<: *bridge_node_x86
- name: insecure-ci-registry01.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -522,6 +560,8 @@
- <<: *bridge_node_x86
- name: codesearch01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -551,6 +591,8 @@
- <<: *bridge_node_x86
- name: etherpad01.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -579,6 +621,8 @@
label: ubuntu-jammy
- name: gitea99.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
required-projects:
- openstack/project-config
- opendev/system-config
@ -655,6 +699,8 @@
- <<: *bridge_node_x86
- name: grafana01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -683,6 +729,8 @@
- <<: *bridge_node_x86
- name: graphite02.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -711,6 +759,8 @@
- <<: *bridge_node_x86
- name: keycloak01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -738,6 +788,8 @@
label: ubuntu-bionic
- name: jvb01.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -774,6 +826,8 @@
- <<: *bridge_node_x86
- name: paste99.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -801,6 +855,8 @@
- <<: *bridge_node_x86
- name: tracing99.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -825,6 +881,8 @@
- <<: *bridge_node_x86
- name: zk04.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-zookeeper.yaml
@ -850,6 +908,8 @@
- <<: *bridge_node_x86
- name: zp01.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/service-zuul-preview.yaml
@ -878,6 +938,8 @@
label: ubuntu-focal
- name: zuul-lb01.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
required-projects:
- openstack/project-config
- opendev/system-config
@ -946,6 +1008,8 @@
- <<: *bridge_node_x86
- name: review99.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
required-projects:
- openstack/project-config
- opendev/system-config
@ -1026,6 +1090,8 @@
- <<: *bridge_node_x86
- name: static99.opendev.org
label: ubuntu-bionic
groups:
- <<: *bastion_group
vars:
run_playbooks:
- playbooks/letsencrypt.yaml
@ -1056,6 +1122,8 @@
- <<: *bridge_node_x86
- name: refstack01.openstack.org
label: ubuntu-focal
groups:
- <<: *bastion_group
host-vars:
refstack01.openstack.org:
host_copy_output:
@ -1089,6 +1157,8 @@
label: ubuntu-focal
- name: kdc-replica.opendev.org
label: ubuntu-focal
groups:
- <<: *bastion_group
host-vars:
kdc-primary.opendev.org:
host_copy_output:
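Review bot: The `&bastion_group` anchor still hard-codes `bridge.openstack.org` in `nodes`, and that name has to match the node defined by the `bridge_node_x86` and `bridge_node_arm64` anchors, which are outside these hunks. A rename that updates one and not the other would leave the group pointing at a node that is not in the nodeset. Add a line to the comment block, for example `# The node listed here must match the name in the bridge_node_* anchors.` Since nothing is overridden at the use sites, `- *bastion_group` would also work in place of `- <<: *bastion_group`, though the merge form matches how the bridge node anchors are already used.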