diff --git a/inventory/service/host_vars/bridge.openstack.org.yaml b/inventory/service/group_vars/bastion.yaml
similarity index 100%
rename from inventory/service/host_vars/bridge.openstack.org.yaml
rename to inventory/service/group_vars/bastion.yaml
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index fd173f011a..d2c6277891 100644
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -15,6 +15,10 @@ groups: - afsdb*.open*.org - afs[0-9]*.open*.org - static[0-9]*.opendev.org + # bastion group should should only have one entry because we assume + # groups['bastion'][0] is the bastion host name in several places. + bastion: + - bridge.openstack.org borg-backup: - etherpad[0-9]*.opendev.org - gitea01.opendev.org
@@ -41,11 +45,11 @@ groups: certcheck: - cacti[0-9]*.open*.org cloud-launcher: - - bridge.openstack.org + - bridge*.open*.org codesearch: - codesearch[0-9]*.opendev.org control-plane-clouds: - - bridge.openstack.org + - bridge*.open*.org disabled: [] dns: - adns*.opendev.org
diff --git a/playbooks/roles/sync-project-config/tasks/main.yaml b/playbooks/roles/sync-project-config/tasks/main.yaml
index 9106f43d7d..e9119969c2 100644
--- a/playbooks/roles/sync-project-config/tasks/main.yaml
+++ b/playbooks/roles/sync-project-config/tasks/main.yaml
@@ -3,9 +3,9 @@ path: '{{ project_config_dest }}' state: directory -- name: Update from master +- name: Update from master on bastion host when: infra_prod_run_from_master|bool - delegate_to: bridge.openstack.org + delegate_to: '{{ groups["bastion"][0] }}' git: repo: https://opendev.org/openstack/project-config dest: '{{ project_config_src }}'
diff --git a/playbooks/service-bridge.yaml b/playbooks/service-bridge.yaml
index c9bea2b574..87aff6a437 100644
--- a/playbooks/service-bridge.yaml
+++ b/playbooks/service-bridge.yaml
@@ -1,4 +1,4 @@ -- hosts: bridge.openstack.org:!disabled +- hosts: bastion:!disabled name: "Bridge: configure the bastion host" roles: - iptables
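Review bot: The one-entry rule for the new `bastion` group in inventory/service/groups.yaml (hunk at -15,6) is enforced only by the added comment, while `delegate_to: '{{ groups["bastion"][0] }}'` in sync-project-config and the `hostvars[groups["bastion"][0]]` lookups in playbooks/zuul/run-base.yaml take element 0 unconditionally. With a second entry the project-config checkout and the CA lookups could land on a host nobody intended, and with an empty group they fail with an index error that does not name the cause. An early `assert` task with `that: groups["bastion"] | length == 1` in playbooks/service-bridge.yaml would make the assumption a checked precondition. The comment also doubles a word; `# The bastion group must have exactly one entry because we assume` reads correctly.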
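Review bot: `bridge*.open*.org` for `cloud-launcher` and `control-plane-clouds` (inventory/service/groups.yaml, hunk at -41,11) is wider than the rename needs. Assuming these entries are shell-style globs like the neighbouring `afs[0-9]*.open*.org`, it matches any inventory host whose name merely starts with `bridge` under an `open*.org` domain. Membership in these two groups presumably decides which hosts receive the cloud-launcher and control-plane cloud variables, so an accidental match widens the set of hosts holding them. The gate template in this same change uses the tighter `bridge[0-9]*.open*.org`; use one form everywhere, and list `- bridge.openstack.org` literally next to the numbered pattern for as long as the unnumbered host exists.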
diff --git a/playbooks/test-update-zuul-description.yaml b/playbooks/test-update-zuul-description.yaml
index b5c4ee95cf..25663ee6df 100644
--- a/playbooks/test-update-zuul-description.yaml
+++ b/playbooks/test-update-zuul-description.yaml
@@ -1,4 +1,4 @@ -- hosts: "bridge.openstack.org:!disabled" +- hosts: bastion:!disabled tasks: - name: Modify Zuuls description lineinfile:
diff --git a/playbooks/zuul/run-base-post.yaml b/playbooks/zuul/run-base-post.yaml
index 66faf3bf93..49faeeb82a 100644
--- a/playbooks/zuul/run-base-post.yaml
+++ b/playbooks/zuul/run-base-post.yaml
@@ -28,7 +28,7 @@ - include_role: name: stage-output -- hosts: bridge.openstack.org +- hosts: bastion tasks: - name: Set log directory set_fact:
@@ -69,7 +69,7 @@ zuul: artifacts: - name: ARA report - url: "bridge.openstack.org/ara-report/" + url: '{{ groups["bastion"][0] }}/ara-report/' - name: Collect ansible configuration synchronize:
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index b51ba2b977..2b6a15ed39 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -5,7 +5,7 @@ cloud_launcher_disable_job: true # setup opendev CA -- hosts: bridge.openstack.org +- hosts: bastion[0] become: true tasks: - name: Make temporary dir for CA generation
@@ -57,9 +57,9 @@ creates: '{{ item.file }}' loop: - file: '/etc/opendev-ca/ca.key' - content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_key"]["content"] }}' + content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"] }}' - file: '/etc/opendev-ca/ca.crt' - content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_certificate"]["content"] }}' + content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_certificate"]["content"] }}' - name: Install and trust certificate shell:
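Review bot: The play in playbooks/zuul/run-base-post.yaml (hunk at -28,7) targets the whole group with `hosts: bastion`, while playbooks/zuul/run-base.yaml in this same change pins `hosts: bastion[0]` and the artifact URL further down this file is built from `groups["bastion"][0]`. The three spellings agree only while the group has exactly one member. Writing `- hosts: bastion[0]` here keeps the log collection and the published URL pointing at the same host. The play's task list continues outside the hunk.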
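Review bot: Each loop item in playbooks/zuul/run-base.yaml (hunk at -57,9) carries the CA private key as `content`, and Ansible prints loop items in task output unless told otherwise. The task header is outside the hunk, so whether it already sets `no_log: true` cannot be seen from here. If it does not, the key material likely ends up in the job's Ansible output and in the ARA report that run-base-post.yaml lists as an artifact. Adding `no_log: true` to this task keeps the key out of both.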
@@ -67,7 +67,7 @@ cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt update-ca-certificates -- hosts: bridge.openstack.org +- hosts: bastion[0] become: true tasks: - name: Write inventory on bridge
@@ -115,6 +115,7 @@ loop: - group_vars/all.yaml - group_vars/adns.yaml + - group_vars/bastion.yaml - group_vars/eavesdrop.yaml - group_vars/nodepool.yaml - group_vars/ns.yaml
@@ -136,7 +137,6 @@ - group_vars/zuul-merger.yaml - group_vars/zuul-scheduler.yaml - group_vars/zuul-web.yaml - - host_vars/bridge.openstack.org.yaml - host_vars/codesearch01.opendev.org.yaml - host_vars/etherpad01.opendev.org.yaml - host_vars/letsencrypt01.opendev.org.yaml
@@ -185,7 +185,7 @@ name: encrypt-logs vars: encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}' - encrypt_logs_artifact_path: 'bridge.openstack.org/ansible' + encrypt_logs_artifact_path: '{{ groups["bastion"][0] }}/ansible' encrypt_logs_download_script_path: '/var/log/ansible' - name: Run test playbook
@@ -216,7 +216,7 @@ zuul: artifacts: - name: Screenshots - url: "bridge.openstack.org/screenshots" + url: '{{ groups["bastion"][0] }}/screenshots' - name: Allow PBR's git calls to operate in system-config, despite not owning it command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config
@@ -240,4 +240,4 @@ zuul: artifacts: - name: testinfra results - url: "bridge.openstack.org/test-results.html" + url: '{{ groups["bastion"][0] }}/test-results.html'
diff --git a/playbooks/zuul/templates/gate-groups.yaml.j2 b/playbooks/zuul/templates/gate-groups.yaml.j2
index 31618da740..f2b754a21e 100644
--- a/playbooks/zuul/templates/gate-groups.yaml.j2
+++ b/playbooks/zuul/templates/gate-groups.yaml.j2
@@ -6,7 +6,7 @@ groups: - bionic-docker certcheck: - - bridge.openstack.org + - bridge[0-9]*.open*.org letsencrypt: - letsencrypt01.opendev.org
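Review bot: If these entries are shell-style globs, `bridge[0-9]*.open*.org` in playbooks/zuul/templates/gate-groups.yaml.j2 requires a digit directly after `bridge`, so it no longer matches `bridge.openstack.org`. That is still the node name the `bastion` group in zuul.d/system-config-run.yaml points at, so the gate's `certcheck` group would presumably end up empty and whatever runs against it would be skipped in test jobs. The pattern also differs from the `bridge*.open*.org` this change uses in inventory/service/groups.yaml. Keeping `- bridge.openstack.org` as a second entry next to the numbered pattern until the host is renamed avoids the gap.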
diff --git a/playbooks/zuul/templates/host_vars/bridge.openstack.org.yaml.j2 b/playbooks/zuul/templates/group_vars/bastion.yaml.j2
similarity index 100%
rename from playbooks/zuul/templates/host_vars/bridge.openstack.org.yaml.j2
rename to playbooks/zuul/templates/group_vars/bastion.yaml.j2
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index 7b7c9d74bd..63e95dc77b 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@@ -53,7 +53,7 @@ - playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml - playbooks/roles/install-ansible/ - playbooks/roles/root-keys/ - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml - job: name: infra-prod-base
@@ -117,7 +117,7 @@ files: - inventory/base - playbooks/service-bridge.yaml - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml - playbooks/roles/logrotate/ - playbooks/roles/edit-secrets-script/ - playbooks/roles/install-kubectl/
@@ -656,4 +656,4 @@ - opendev/system-config files: - playbooks/run_cloud_launcher.yaml - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 4e5b4cf1f5..1ac438dadd 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -68,6 +68,20 @@ label: ubuntu-focal - name: jammy label: ubuntu-jammy + groups: + # Each job should define this group -- to avoid hard-coding + # the bastion hostname in the job setup, playbooks/tasks refer + # to it only by this group. This should only have one entry + # -- in a couple of places the jobs use the actual hostname + # and assume element [0] here is that hostname. + # + # Note that this shouldn't be confused with the group in + # inventory/service/groups.yaml -- this group contains the + # host that Zuul, running on the executor, will setup as the + # bridge node. This node will then run a nested Ansible to + # test the production playbooks -- *that* Ansible has a + # "bastion" group too + - &bastion_group { name: bastion, nodes: [ bridge.openstack.org ] } files: - tox.ini - playbooks/
@@ -90,6 +104,8 @@ label: ubuntu-focal - name: jammy label: ubuntu-jammy + groups: + - <<: *bastion_group required-projects: - name: github.com/ansible/ansible override-checkout: devel
@@ -129,6 +145,8 @@ label: ubuntu-focal-arm64 - name: jammy label: ubuntu-jammy-arm64 + groups: + - <<: *bastion_group files: - playbooks/ - roles/
@@ -154,6 +172,8 @@ - <<: *bridge_node_x86 - name: eavesdrop01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -199,6 +219,8 @@ label: ubuntu-bionic - name: letsencrypt02.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-nameserver.yaml
@@ -244,6 +266,8 @@ label: ubuntu-focal - name: lists.katacontainers.io label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - opendev/system-config files:
@@ -294,6 +318,8 @@ label: ubuntu-focal - name: nb01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - opendev/system-config - openstack/project-config
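Review bot: The added comment in zuul.d/system-config-run.yaml (hunk at -68,6) says the group exists to avoid hard-coding the bastion hostname, but `nodes: [ bridge.openstack.org ]` hard-codes it again, separately from the node definitions behind the `bridge_node_x86` and `bridge_node_arm64` anchors that later hunks reference and that are defined outside this hunk. If the two drift apart, the group names a node that is not in the nodeset, and `groups["bastion"][0]` in the playbooks will presumably not resolve to the host that was actually set up. The comment should say which definition the name has to match, for example `# nodes must match the node name in the bridge_node_* anchors`. Two wording fixes in the same comment: "will set up as the bridge node" and a closing full stop after `"bastion" group too`.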
@@ -339,6 +365,8 @@ label: ubuntu-bionic - name: ns1.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-nameserver.yaml
@@ -375,6 +403,8 @@ label: ubuntu-bionic - name: borg-backup-jammy.opendev.org label: ubuntu-jammy + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-borg-backup.yaml
@@ -446,6 +476,8 @@ label: ubuntu-bionic - name: mirror02.openafs.provider.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group - job: name: system-config-run-mirror-arm64
@@ -455,6 +487,8 @@ - <<: *bridge_node_arm64 - name: mirror01.openafs.provider.opendev.org label: ubuntu-focal-arm64 + groups: + - <<: *bastion_group - job: name: system-config-run-mirror-update
@@ -466,6 +500,8 @@ - <<: *bridge_node_x86 - name: mirror-update99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-mirror-update.yaml
@@ -489,6 +525,8 @@ - <<: *bridge_node_x86 - name: insecure-ci-registry01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -522,6 +560,8 @@ - <<: *bridge_node_x86 - name: codesearch01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -551,6 +591,8 @@ - <<: *bridge_node_x86 - name: etherpad01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -579,6 +621,8 @@ label: ubuntu-jammy - name: gitea99.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config
@@ -655,6 +699,8 @@ - <<: *bridge_node_x86 - name: grafana01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -683,6 +729,8 @@ - <<: *bridge_node_x86 - name: graphite02.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -711,6 +759,8 @@ - <<: *bridge_node_x86 - name: keycloak01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -738,6 +788,8 @@ label: ubuntu-bionic - name: jvb01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -774,6 +826,8 @@ - <<: *bridge_node_x86 - name: paste99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -801,6 +855,8 @@ - <<: *bridge_node_x86 - name: tracing99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -825,6 +881,8 @@ - <<: *bridge_node_x86 - name: zk04.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-zookeeper.yaml
@@ -850,6 +908,8 @@ - <<: *bridge_node_x86 - name: zp01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-zuul-preview.yaml
@@ -878,6 +938,8 @@ label: ubuntu-focal - name: zuul-lb01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config
@@ -946,6 +1008,8 @@ - <<: *bridge_node_x86 - name: review99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config
@@ -1026,6 +1090,8 @@ - <<: *bridge_node_x86 - name: static99.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml
@@ -1056,6 +1122,8 @@ - <<: *bridge_node_x86 - name: refstack01.openstack.org label: ubuntu-focal + groups: + - <<: *bastion_group host-vars: refstack01.openstack.org: host_copy_output:
@@ -1089,6 +1157,8 @@ label: ubuntu-focal - name: kdc-replica.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group host-vars: kdc-primary.opendev.org: host_copy_output: