From d4c46ecdef0a14da9fdde8a9efe144d83355b3b1 Mon Sep 17 00:00:00 2001 
From: Ian Wienand Date: Tue, 20 Sep 2022 11:57:22 +1000 Subject: [PATCH] Abstract name of bastion host for testing path This replaces hard-coding of the host "bridge.openstack.org" with hard-coding of the first (and only) host in the group "bastion". The idea here is that we can, as much as possible, simply switch one place to an alternative hostname for the bastion such as "bridge.opendev.org" when we upgrade. This is just the testing path, for now; a follow-on will modify the production path (which doesn't really get speculatively tested) This needs to be defined in two places : 1) We need to define this in the run jobs for Zuul to use in the playbooks/zuul/run-*.yaml playbooks, as it sets up and collects logs from the testing bastion host. 2) The nested Ansible run will then use inventory inventory/service/groups.yaml Various other places are updated to use this abstracted group as the bastion host. Variables are moved into the bastion group (which only has one host -- the actual bastion host) which means we only have to update the group mapping to the new host. This is intended to be a no-op change; all the jobs should work the same, but just using the new abstractions. Change-Id: Iffb462371939989b03e5d6ac6c5df63aa7708513 --- .../bastion.yaml} | 0 inventory/service/groups.yaml | 8 ++- .../roles/sync-project-config/tasks/main.yaml | 4 +- playbooks/service-bridge.yaml | 2 +- playbooks/test-update-zuul-description.yaml | 2 +- playbooks/zuul/run-base-post.yaml | 4 +- playbooks/zuul/run-base.yaml | 16 ++--- playbooks/zuul/templates/gate-groups.yaml.j2 | 2 +- .../bastion.yaml.j2} | 0 zuul.d/infra-prod.yaml | 6 +- zuul.d/system-config-run.yaml | 70 +++++++++++++++++++ 11 files changed, 94 insertions(+), 20 deletions(-) rename inventory/service/{host_vars/bridge.openstack.org.yaml => group_vars/bastion.yaml} (100%) rename playbooks/zuul/templates/{host_vars/bridge.openstack.org.yaml.j2 => group_vars/bastion.yaml.j2} (100%) 
diff --git a/inventory/service/host_vars/bridge.openstack.org.yaml b/inventory/service/group_vars/bastion.yaml similarity index 100% rename from inventory/service/host_vars/bridge.openstack.org.yaml rename to inventory/service/group_vars/bastion.yaml diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml index fd173f011a..d2c6277891 100644 --- a/inventory/service/groups.yaml +++ b/inventory/service/groups.yaml @@ -15,6 +15,10 @@ groups: - afsdb*.open*.org - afs[0-9]*.open*.org - static[0-9]*.opendev.org + # bastion group should should only have one entry because we assume + # groups['bastion'][0] is the bastion host name in several places. + bastion: + - bridge.openstack.org borg-backup: - etherpad[0-9]*.opendev.org - gitea01.opendev.org @@ -41,11 +45,11 @@ groups: certcheck: - cacti[0-9]*.open*.org cloud-launcher: - - bridge.openstack.org + - bridge*.open*.org codesearch: - codesearch[0-9]*.opendev.org control-plane-clouds: - - bridge.openstack.org + - bridge*.open*.org disabled: [] dns: - adns*.opendev.org diff --git a/playbooks/roles/sync-project-config/tasks/main.yaml b/playbooks/roles/sync-project-config/tasks/main.yaml index 9106f43d7d..e9119969c2 100644 --- a/playbooks/roles/sync-project-config/tasks/main.yaml +++ b/playbooks/roles/sync-project-config/tasks/main.yaml @@ -3,9 +3,9 @@ path: '{{ project_config_dest }}' state: directory -- name: Update from master +- name: Update from master on bastion host when: infra_prod_run_from_master|bool - delegate_to: bridge.openstack.org + delegate_to: '{{ groups["bastion"][0] }}' git: repo: https://opendev.org/openstack/project-config dest: '{{ project_config_src }}' diff --git a/playbooks/service-bridge.yaml b/playbooks/service-bridge.yaml index c9bea2b574..87aff6a437 100644 --- a/playbooks/service-bridge.yaml +++ b/playbooks/service-bridge.yaml @@ -1,4 +1,4 @@ -- hosts: bridge.openstack.org:!disabled +- hosts: bastion:!disabled name: "Bridge: configure the bastion host" roles: - iptables 
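Review bot: The new comment above `bastion:` in inventory/service/groups.yaml repeats a word ("should should"); I would write it as `# bastion group should only have one entry because we assume`. This commit also renames the bridge host_vars file to group_vars/bastion.yaml, so every host listed under `bastion` now receives those variables. The one-entry rule therefore also bounds where they are applied, and the comment could say so, e.g. `# group_vars/bastion.yaml applies to every host listed here`.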
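Review bot: `bridge*.open*.org` under `cloud-launcher` and `control-plane-clouds` matches more names than the literal `bridge.openstack.org` it replaces, while the `bastion` group added above stays a single literal. If these entries are matched as shell-style globs (as the neighbouring `afs[0-9]*.open*.org` suggests), any inventory host whose name starts with `bridge` under an `open*.org` domain joins both groups and picks up their group variables, whether or not it is the bastion. If the aim is only to cover the planned `bridge.opendev.org`, listing the two names explicitly keeps membership as narrow as before; otherwise a short comment stating the intended set would help. The template gate-groups.yaml.j2 in this commit uses a different pattern, `bridge[0-9]*.open*.org`, for the same host.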
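Review bot: `delegate_to: '{{ groups["bastion"][0] }}'` in the "Update from master on bastion host" task depends on the running inventory defining a non-empty `bastion` group, and nothing near the task says so. If the group is missing or empty, the task stops with a template error rather than a message naming the cause. A comment above the task would make the dependency visible, e.g. `# relies on the inventory's "bastion" group holding exactly one host`. The same lookup appears in the run-base-post.yaml and run-base.yaml hunks of this commit (artifact URLs, `hostvars[...]`, `encrypt_logs_artifact_path`). The task's remaining arguments continue outside the hunk.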
diff --git a/playbooks/test-update-zuul-description.yaml b/playbooks/test-update-zuul-description.yaml index b5c4ee95cf..25663ee6df 100644 --- a/playbooks/test-update-zuul-description.yaml +++ b/playbooks/test-update-zuul-description.yaml @@ -1,4 +1,4 @@ -- hosts: "bridge.openstack.org:!disabled" +- hosts: bastion:!disabled tasks: - name: Modify Zuuls description lineinfile: diff --git a/playbooks/zuul/run-base-post.yaml b/playbooks/zuul/run-base-post.yaml index 66faf3bf93..49faeeb82a 100644 --- a/playbooks/zuul/run-base-post.yaml +++ b/playbooks/zuul/run-base-post.yaml @@ -28,7 +28,7 @@ - include_role: name: stage-output -- hosts: bridge.openstack.org +- hosts: bastion tasks: - name: Set log directory set_fact: @@ -69,7 +69,7 @@ zuul: artifacts: - name: ARA report - url: "bridge.openstack.org/ara-report/" + url: '{{ groups["bastion"][0] }}/ara-report/' - name: Collect ansible configuration synchronize: diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml index b51ba2b977..2b6a15ed39 100644 --- a/playbooks/zuul/run-base.yaml +++ b/playbooks/zuul/run-base.yaml @@ -5,7 +5,7 @@ cloud_launcher_disable_job: true # setup opendev CA -- hosts: bridge.openstack.org +- hosts: bastion[0] become: true tasks: - name: Make temporary dir for CA generation @@ -57,9 +57,9 @@ creates: '{{ item.file }}' loop: - file: '/etc/opendev-ca/ca.key' - content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_key"]["content"] }}' + content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"] }}' - file: '/etc/opendev-ca/ca.crt' - content: '{{ hostvars["bridge.openstack.org"]["_opendev_ca_certificate"]["content"] }}' + content: '{{ hostvars[groups["bastion"][0]]["_opendev_ca_certificate"]["content"] }}' - name: Install and trust certificate shell: 
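Review bot: The log-collection play in run-base-post.yaml targets `hosts: bastion`, whereas the setup plays in run-base.yaml in this same commit target `hosts: bastion[0]`. With a single-entry group both select the same host, but they diverge as soon as the group gains a second node: setup would run on one host and collection on all of them. Writing `- hosts: bastion[0]` here as well keeps the play aligned with the `groups["bastion"][0]` lookup used for the ARA artifact URL in the next hunk. The play's tasks continue outside the hunk.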
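Review bot: The loop items in the run-base.yaml hunk at `@@ -57,9 +57,9 @@` carry the CA private key as `content`, read from `hostvars[groups["bastion"][0]]["_opendev_ca_key"]["content"]`, and Ansible prints each loop item in the task result by default. The task header is above the hunk, so I cannot see whether it already sets `no_log`. If it does not, the key material would appear in the job output and in any report generated from it. Adding `loop_control: { label: '{{ item.file }}' }` shortens the default display to the file path, and `no_log: true` removes the item from the output entirely. This appears to be the per-job test CA, so the exposure is limited.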
@@ -67,7 +67,7 @@ cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt update-ca-certificates -- hosts: bridge.openstack.org +- hosts: bastion[0] become: true tasks: - name: Write inventory on bridge @@ -115,6 +115,7 @@ loop: - group_vars/all.yaml - group_vars/adns.yaml + - group_vars/bastion.yaml - group_vars/eavesdrop.yaml - group_vars/nodepool.yaml - group_vars/ns.yaml @@ -136,7 +137,6 @@ - group_vars/zuul-merger.yaml - group_vars/zuul-scheduler.yaml - group_vars/zuul-web.yaml - - host_vars/bridge.openstack.org.yaml - host_vars/codesearch01.opendev.org.yaml - host_vars/etherpad01.opendev.org.yaml - host_vars/letsencrypt01.opendev.org.yaml @@ -185,7 +185,7 @@ name: encrypt-logs vars: encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}' - encrypt_logs_artifact_path: 'bridge.openstack.org/ansible' + encrypt_logs_artifact_path: '{{ groups["bastion"][0] }}/ansible' encrypt_logs_download_script_path: '/var/log/ansible' - name: Run test playbook @@ -216,7 +216,7 @@ zuul: artifacts: - name: Screenshots - url: "bridge.openstack.org/screenshots" + url: '{{ groups["bastion"][0] }}/screenshots' - name: Allow PBR's git calls to operate in system-config, despite not owning it command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config @@ -240,4 +240,4 @@ zuul: artifacts: - name: testinfra results - url: "bridge.openstack.org/test-results.html" + url: '{{ groups["bastion"][0] }}/test-results.html' diff --git a/playbooks/zuul/templates/gate-groups.yaml.j2 b/playbooks/zuul/templates/gate-groups.yaml.j2 index 31618da740..f2b754a21e 100644 --- a/playbooks/zuul/templates/gate-groups.yaml.j2 +++ b/playbooks/zuul/templates/gate-groups.yaml.j2 @@ -6,7 +6,7 @@ groups: - bionic-docker certcheck: - - bridge.openstack.org + - bridge[0-9]*.open*.org letsencrypt: - letsencrypt01.opendev.org 
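Review bot: `bridge[0-9]*.open*.org` under `certcheck` in gate-groups.yaml.j2 does not look equivalent to the `bridge.openstack.org` entry it replaces. If the pattern is matched as a shell-style glob, `[0-9]` requires a digit directly after `bridge`. The test bastion `bridge.openstack.org` (still the node named in the `bastion` nodeset group in zuul.d/system-config-run.yaml) would then drop out of the test `certcheck` group, which contradicts the commit's stated no-op intent. inventory/service/groups.yaml uses `bridge*.open*.org` in this same commit; using `- bridge*.open*.org` here, or keeping the literal name, would preserve the current membership.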
diff --git a/playbooks/zuul/templates/host_vars/bridge.openstack.org.yaml.j2 b/playbooks/zuul/templates/group_vars/bastion.yaml.j2 similarity index 100% rename from playbooks/zuul/templates/host_vars/bridge.openstack.org.yaml.j2 rename to playbooks/zuul/templates/group_vars/bastion.yaml.j2 diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml index 7b7c9d74bd..63e95dc77b 100644 --- a/zuul.d/infra-prod.yaml +++ b/zuul.d/infra-prod.yaml @@ -53,7 +53,7 @@ - playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml - playbooks/roles/install-ansible/ - playbooks/roles/root-keys/ - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml - job: name: infra-prod-base @@ -117,7 +117,7 @@ files: - inventory/base - playbooks/service-bridge.yaml - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml - playbooks/roles/logrotate/ - playbooks/roles/edit-secrets-script/ - playbooks/roles/install-kubectl/ @@ -656,4 +656,4 @@ - opendev/system-config files: - playbooks/run_cloud_launcher.yaml - - inventory/service/host_vars/bridge.openstack.org.yaml + - inventory/service/group_vars/bastion.yaml diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml index 4e5b4cf1f5..1ac438dadd 100644 --- a/zuul.d/system-config-run.yaml +++ b/zuul.d/system-config-run.yaml 
@@ -68,6 +68,20 @@ label: ubuntu-focal - name: jammy label: ubuntu-jammy + groups: + # Each job should define this group -- to avoid hard-coding + # the bastion hostname in the job setup, playbooks/tasks refer + # to it only by this group. This should only have one entry + # -- in a couple of places the jobs use the actual hostname + # and assume element [0] here is that hostname. + # + # Note that this shouldn't be confused with the group in + # inventory/service/groups.yaml -- this group contains the + # host that Zuul, running on the executor, will setup as the + # bridge node. This node will then run a nested Ansible to + # test the production playbooks -- *that* Ansible has a + # "bastion" group too + - &bastion_group { name: bastion, nodes: [ bridge.openstack.org ] } files: - tox.ini - playbooks/ @@ -90,6 +104,8 @@ label: ubuntu-focal - name: jammy label: ubuntu-jammy + groups: + - <<: *bastion_group required-projects: - name: github.com/ansible/ansible override-checkout: devel @@ -129,6 +145,8 @@ label: ubuntu-focal-arm64 - name: jammy label: ubuntu-jammy-arm64 + groups: + - <<: *bastion_group files: - playbooks/ - roles/ @@ -154,6 +172,8 @@ - <<: *bridge_node_x86 - name: eavesdrop01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -199,6 +219,8 @@ label: ubuntu-bionic - name: letsencrypt02.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-nameserver.yaml @@ -244,6 +266,8 @@ label: ubuntu-focal - name: lists.katacontainers.io label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - opendev/system-config files: @@ -294,6 +318,8 @@ label: ubuntu-focal - name: nb01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - opendev/system-config - openstack/project-config 
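Review bot: The rule "Each job should define this group" is enforced only by this comment, and the later hunks in this file add `groups:` with `- <<: *bastion_group` to each nodeset by hand. A job that omits it would reach the `- hosts: bastion[0]` plays in playbooks/zuul/run-base.yaml with no matching host, and Ansible skips such a play with a warning instead of failing, so the bastion setup would silently not run. A first play in run-base.yaml could turn that into an explicit error, e.g. a localhost task with `assert: { that: "groups['bastion'] | default([]) | length == 1" }`. The comment could also note that `nodes: [ bridge.openstack.org ]` must match the node name in the `bridge_node_x86` and `bridge_node_arm64` anchors, which are defined outside this hunk.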
@@ -339,6 +365,8 @@ label: ubuntu-bionic - name: ns1.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-nameserver.yaml @@ -375,6 +403,8 @@ label: ubuntu-bionic - name: borg-backup-jammy.opendev.org label: ubuntu-jammy + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-borg-backup.yaml @@ -446,6 +476,8 @@ label: ubuntu-bionic - name: mirror02.openafs.provider.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group - job: name: system-config-run-mirror-arm64 @@ -455,6 +487,8 @@ - <<: *bridge_node_arm64 - name: mirror01.openafs.provider.opendev.org label: ubuntu-focal-arm64 + groups: + - <<: *bastion_group - job: name: system-config-run-mirror-update @@ -466,6 +500,8 @@ - <<: *bridge_node_x86 - name: mirror-update99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-mirror-update.yaml @@ -489,6 +525,8 @@ - <<: *bridge_node_x86 - name: insecure-ci-registry01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -522,6 +560,8 @@ - <<: *bridge_node_x86 - name: codesearch01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -551,6 +591,8 @@ - <<: *bridge_node_x86 - name: etherpad01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -579,6 +621,8 @@ label: ubuntu-jammy - name: gitea99.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config @@ -655,6 +699,8 @@ - <<: *bridge_node_x86 - name: grafana01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml 
@@ -683,6 +729,8 @@ - <<: *bridge_node_x86 - name: graphite02.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -711,6 +759,8 @@ - <<: *bridge_node_x86 - name: keycloak01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -738,6 +788,8 @@ label: ubuntu-bionic - name: jvb01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -774,6 +826,8 @@ - <<: *bridge_node_x86 - name: paste99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -801,6 +855,8 @@ - <<: *bridge_node_x86 - name: tracing99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -825,6 +881,8 @@ - <<: *bridge_node_x86 - name: zk04.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-zookeeper.yaml @@ -850,6 +908,8 @@ - <<: *bridge_node_x86 - name: zp01.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/service-zuul-preview.yaml @@ -878,6 +938,8 @@ label: ubuntu-focal - name: zuul-lb01.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config @@ -946,6 +1008,8 @@ - <<: *bridge_node_x86 - name: review99.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group required-projects: - openstack/project-config - opendev/system-config @@ -1026,6 +1090,8 @@ - <<: *bridge_node_x86 - name: static99.opendev.org label: ubuntu-bionic + groups: + - <<: *bastion_group vars: run_playbooks: - playbooks/letsencrypt.yaml @@ -1056,6 +1122,8 @@ - <<: *bridge_node_x86 - name: refstack01.openstack.org label: ubuntu-focal + groups: + - <<: *bastion_group host-vars: refstack01.openstack.org: host_copy_output: 
@@ -1089,6 +1157,8 @@ label: ubuntu-focal - name: kdc-replica.opendev.org label: ubuntu-focal + groups: + - <<: *bastion_group host-vars: kdc-primary.opendev.org: host_copy_output: