# Production deployment jobs for system-config.
#
# Every job below inherits from infra-prod-playbook and selects the
# playbook to run through the playbook_name variable.  The `files` lists
# decide which changed paths cause a job to run; entries are used as
# regular expressions (see the zk\d+ entries further down).

# Serialise production runs: at most one system-config playbook may hold
# this semaphore at any time.
- semaphore:
    name: infra-prod-playbook
    max: 1

# Abstract parent for all production playbook jobs.
# NOTE(review): no allowed-projects is set here; presumably
# opendev-infra-prod-base (defined elsewhere) restricts which projects
# may run production jobs -- confirm.
- job:
    name: infra-prod-playbook
    parent: opendev-infra-prod-base
    description: |
      Run specified playbook against productions hosts.
      This is a parent job designed to be inherited to enabled
      CD deployment of our infrastructure. Set playbook_name to
      specify the playbook relative to
      /home/zuul/src/opendev.org/opendev/system-config/playbooks
      on bridge.openstack.org.
    # Cannot be run directly; only child jobs are runnable.
    abstract: true
    semaphore: infra-prod-playbook
    run: playbooks/zuul/run-production-playbook.yaml
    required-projects:
      - opendev/system-config
    vars:
      infra_prod_ansible_forks: 5
      # NOTE(review): presumably controls whether the playbook log is
      # published with the build results.  Confirm in
      # run-production-playbook.yaml that output which may contain
      # secrets is not exposed when a child job sets this to true.
      infra_prod_playbook_collect_log: false
    # No nodes are requested for this job.
    nodeset:
      nodes: []

- job:
    name: infra-prod-install-ansible
    parent: infra-prod-playbook
    description: Install ansible on bridge.
    vars:
      playbook_name: install-ansible.yaml
    files:
      - inventory/
      - roles/
      - install_modules.sh
      - modules.env
      - playbooks/install-ansible.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-ansible/
      - playbooks/roles/logrotate/
      - playbooks/roles/root-keys/
      - inventory/service/host_vars/bridge.openstack.org.yaml
      - playbooks/zuul/run-production-playbook.yaml

- job:
    name: infra-prod-base
    parent: infra-prod-playbook
    description: Run the base playbook everywhere.
    # Soft dependency: ordered after install-ansible only when that job
    # is also part of the same run.
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
    vars:
      playbook_name: base.yaml
      infra_prod_ansible_forks: 50
    files:
      - inventory/
      - inventory/service/host_vars/
      - inventory/service/group_vars/
      - playbooks/base.yaml
      - playbooks/roles/base/

- job:
    name: infra-prod-letsencrypt
    parent: infra-prod-playbook
    description: Run letsencrypt.yaml playbook.
    vars:
      playbook_name: letsencrypt.yaml
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
    files:
      - inventory/
      - playbooks/letsencrypt.yaml
      # Deliberately broad: any host_vars or group_vars edit can change
      # which certificates are issued.
      - inventory/service/host_vars/
      - inventory/service/group_vars/
      - playbooks/roles/letsencrypt
      - playbooks/roles/logrotate/

- job:
    name: infra-prod-manage-projects
    parent: infra-prod-playbook
    description: |
      Create and update projects in gerrit and gitea.
    # Only these two projects may use this job.
    allowed-projects:
      - opendev/system-config
      - openstack/project-config
    required-projects:
      - opendev/system-config
      - openstack/project-config
    vars:
      playbook_name: manage-projects.yaml
      infra_prod_ansible_forks: 10
      # Overrides the parent's default of false for this job.
      infra_prod_playbook_collect_log: true

# Abstract parent for service jobs: run after ansible is installed and
# certificates are handled, when those jobs are part of the same run.
- job:
    name: infra-prod-service-base
    parent: infra-prod-playbook
    description: Base job for most service playbooks.
    abstract: true
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true

- job:
    name: infra-prod-service-bridge
    parent: infra-prod-service-base
    description: Run service-bridge.yaml playbook.
    vars:
      playbook_name: service-bridge.yaml
    files:
      - inventory/
      - playbooks/service-bridge.yaml
      - inventory/service/host_vars/bridge.openstack.org.yaml
      - playbooks/roles/logrotate/
      - playbooks/roles/edit-secrets-script/
      - playbooks/roles/install-kubectl/
      - playbooks/roles/iptables/
      - playbooks/roles/configure-kubectl/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/templates/clouds/bridge_all_clouds.yaml.j2

- job:
    name: infra-prod-service-gitea-lb
    parent: infra-prod-service-base
    description: Run service-gitea-lb.yaml playbook.
    vars:
      playbook_name: service-gitea-lb.yaml
    files:
      - inventory/
      - playbooks/service-gitea-lb.yaml
      - inventory/service/group_vars/gitea-lb.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/iptables/
      - playbooks/roles/install-docker/
      - playbooks/roles/haproxy/

- job:
    name: infra-prod-service-nameserver
    parent: infra-prod-service-base
    description: Run service-nameserver.yaml playbook.
    vars:
      playbook_name: service-nameserver.yaml
    files:
      - inventory/
      - playbooks/service-nameserver.yaml
      - inventory/service/host_vars/adns1.opendev.org.yaml
      - inventory/service/host_vars/ns1.opendev.org.yaml
      - inventory/service/host_vars/ns2.opendev.org.yaml
      - inventory/service/group_vars/adns.yaml
      - inventory/service/group_vars/ns.yaml
      - playbooks/roles/master-nameserver/
      - playbooks/roles/nameserver/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-nodepool
    parent: infra-prod-service-base
    description: Run service-nodepool.yaml playbook.
    vars:
      playbook_name: service-nodepool.yaml
    required-projects:
      - opendev/system-config
      - openstack/project-config
    files:
      - inventory/
      - playbooks/service-nodepool.yaml
      # Prefix entries (no trailing slash or extension).
      - inventory/service/host_vars/nb
      - inventory/service/host_vars/nl
      - inventory/service/group_vars/nodepool
      - inventory/service/group_vars/puppet
      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/run-puppet/
      - playbooks/roles/configure-kubectl/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/nodepool
      - playbooks/templates/clouds/nodepool_

- job:
    name: infra-prod-service-etherpad
    parent: infra-prod-service-base
    description: Run service-etherpad.yaml playbook.
    vars:
      playbook_name: service-etherpad.yaml
    files:
      - inventory/
      - playbooks/service-etherpad.yaml
      - inventory/service/host_vars/etherpad01.opendev.org.yaml
      - inventory/service/group_vars/etherpad
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/etherpad
      - playbooks/roles/logrotate
      - playbooks/roles/iptables/
      - docker/etherpad/

- job:
    name: infra-prod-service-meetpad
    parent: infra-prod-service-base
    description: Run service-meetpad.yaml playbook.
    # Same two soft dependencies that infra-prod-service-base declares.
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
    vars:
      playbook_name: service-meetpad.yaml
    files:
      - inventory/
      - playbooks/service-meetpad.yaml
      - inventory/service/host_vars/meetpad01.opendev.org.yaml
      - inventory/service/group_vars/meetpad.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/jitsi-meet/

- job:
    name: infra-prod-service-mirror-update
    parent: infra-prod-service-base
    description: Run service-mirror-update.yaml playbook.
    vars:
      playbook_name: service-mirror-update.yaml
    files:
      - inventory/
      - playbooks/service-mirror-update.yaml
      - playbooks/roles/kerberos-client/
      - playbooks/roles/openafs-client/
      - playbooks/roles/mirror-update/
      - playbooks/roles/reprepro/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/

- job:
    name: infra-prod-service-mirror
    parent: infra-prod-service-base
    description: Run service-mirror.yaml playbook.
    vars:
      playbook_name: service-mirror.yaml
    files:
      - inventory/
      - playbooks/service-mirror.yaml
      - inventory/service/group_vars/mirror.yaml
      - playbooks/roles/kerberos-client/
      - playbooks/roles/openafs-client/
      - playbooks/roles/mirror/
      - playbooks/roles/afs-release/
      - playbooks/roles/afsmon/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/

- job:
    name: infra-prod-service-static
    parent: infra-prod-service-base
    description: Run service-static.yaml playbook.
    vars:
      playbook_name: service-static.yaml
    files:
      - inventory/
      - playbooks/service-static.yaml
      - inventory/service/host_vars/static01.opendev.org.yaml
      - inventory/service/group_vars/static.yaml
      - playbooks/roles/iptables/
      - playbooks/roles/kerberos-client/
      - playbooks/roles/openafs-client/
      - playbooks/roles/static/
      - playbooks/roles/zuul-user/

- job:
    name: infra-prod-service-borg-backup
    parent: infra-prod-service-base
    description: Run service-borg-backup.yaml playbook.
    vars:
      playbook_name: service-borg-backup.yaml
    files:
      - inventory/
      - playbooks/service-borg-backup.yaml
      - playbooks/roles/install-borg/
      - playbooks/roles/borg-backup/
      - playbooks/roles/borg-backup-server/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-registry
    parent: infra-prod-service-base
    description: Run service-registry.yaml playbook.
    vars:
      playbook_name: service-registry.yaml
    files:
      - inventory/
      - playbooks/service-registry.yaml
      - inventory/service/group_vars/registry.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/registry/

- job:
    name: infra-prod-service-zuul-preview
    parent: infra-prod-service-base
    description: Run service-zuul-preview.yaml playbook.
    vars:
      playbook_name: service-zuul-preview.yaml
    files:
      - inventory/
      - playbooks/service-zuul-preview.yaml
      - inventory/service/group_vars/zuul-preview.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zuul-preview/

- job:
    name: infra-prod-service-zookeeper
    parent: infra-prod-service-base
    description: Run service-zookeeper.yaml playbook.
    vars:
      playbook_name: service-zookeeper.yaml
    # NOTE(review): unlike the sibling jobs, this list has no entry for
    # the job's own playbook (playbooks/service-zookeeper.yaml), so a
    # change to the playbook alone would not match -- confirm intended.
    files:
      - inventory/.*
      - inventory/service/group_vars/zookeeper.yaml
      - ^inventory/service/host_vars/zk\d+\..*
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zookeeper/

- job:
    name: infra-prod-service-zuul
    parent: infra-prod-service-base
    description: |
      Run service-zuul.yaml playbook.
      This configures the main Zuul cluster. It will perform a
      smart-reconfigure of the scheduler if the tenant
      configuration is changed.
    vars:
      playbook_name: service-zuul.yaml
    # Adds manage-projects to the two dependencies of the service base.
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
      - name: infra-prod-manage-projects
        soft: true
    files:
      - inventory/.*
      - playbooks/install-ansible.yaml
      - playbooks/service-zuul.yaml
      - inventory/service/group_vars/zuul
      - inventory/service/group_vars/zookeeper.yaml
      - inventory/service/host_vars/zk\d+
      - inventory/service/host_vars/zuul01.openstack.org
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zookeeper/
      - playbooks/roles/zuul

- job:
    name: infra-prod-service-review
    parent: infra-prod-service-base
    description: Run service-review.yaml playbook.
    vars:
      playbook_name: service-review.yaml
    # Anchored for reuse; no alias to it is visible in this section.
    # Deploys after the gerrit image promotion when that job also runs.
    dependencies: &infra_prod_service_review_deps
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
      - name: system-config-promote-image-gerrit-3.2
        soft: true
    files:
      - inventory/
      - playbooks/service-review.yaml
      - inventory/service/group_vars/gerrit.yaml
      - inventory/service/host_vars/review01.openstack.org.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/gerrit/

- job:
    name: infra-prod-service-refstack
    parent: infra-prod-service-base
    description: Run service-refstack.yaml playbook.
    vars:
      playbook_name: service-refstack.yaml
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
      - name: system-config-promote-image-refstack
        soft: true
    files:
      - inventory/
      - playbooks/service-refstack.yaml
      - inventory/service/group_vars/
      - inventory/service/host_vars/refstack[0-9][0-9]
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/refstack/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - docker/refstack
      - docker/python-base/

- job:
    name: infra-prod-service-gitea
    parent: infra-prod-service-base
    description: Run service-gitea.yaml playbook.
    vars:
      playbook_name: service-gitea.yaml
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
      - name: system-config-promote-image-gitea-init
        soft: true
      - name: system-config-promote-image-gitea
        soft: true
    files:
      - inventory/
      - playbooks/service-gitea.yaml
      - inventory/service/group_vars/gitea.yaml
      - inventory/service/host_vars/gitea[0-9][0-9]
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/gitea/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - docker/gitea/
      - docker/gitea-init/
      - docker/jinja-init/
      - docker/python-base/

- job:
    name: infra-prod-service-eavesdrop
    parent: infra-prod-service-base
    description: Run service-eavesdrop.yaml playbook.
    required-projects:
      - opendev/ansible-role-puppet
      - opendev/system-config
      - openstack/project-config
    dependencies:
      - name: infra-prod-install-ansible
        soft: true
      - name: infra-prod-letsencrypt
        soft: true
      - name: system-config-promote-image-accessbot
        soft: true
    vars:
      playbook_name: service-eavesdrop.yaml
    # Anchored for reuse; no alias to it is visible in this section.
    files: &infra_prod_eavesdrop_files
      - inventory/
      - playbooks/service-eavesdrop.yaml
      - playbooks/run-accessbot.yaml
      - inventory/service/group_vars/eavesdrop.yaml
      - inventory/service/group_vars/puppet.yaml
      - playbooks/roles/run-puppet/
      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/zuul-user
      - playbooks/roles/install-docker
      - playbooks/roles/iptables/
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/accessbot
      - playbooks/roles/logrotate
      - modules/openstack_project/manifests/eavesdrop.pp
      - manifests/eavesdrop.pp
      - docker/accessbot/

- job:
    name: infra-prod-run-accessbot
    parent: infra-prod-service-base
    description: Run run-accessbot.yaml playbook.
    required-projects:
      - opendev/system-config
      - openstack/project-config
    # NOTE(review): this is the only dependency in the file written
    # without `soft: true`.  accessbot/channels.yaml below is not in the
    # eavesdrop job's files list, so a change touching only that file
    # selects this job but not the one it depends on -- confirm the
    # resulting behaviour is the intended one.
    dependencies:
      - infra-prod-service-eavesdrop
    vars:
      playbook_name: run-accessbot.yaml
    files:
      - accessbot/channels.yaml
      - playbooks/run-accessbot.yaml
      - playbooks/roles/accessbot
      - docker/accessbot/

- job:
    name: infra-prod-service-codesearch
    parent: infra-prod-service-base
    description: Run service-codesearch.yaml playbook.
    vars:
      playbook_name: service-codesearch.yaml
    files:
      - docker/hound/
      - inventory/
      - playbooks/service-codesearch.yaml
      # NOTE(review): other host_vars entries in this file are named
      # <host>.opendev.org.yaml; this one has no ".org" -- verify the
      # file name.  The inventory/ entry above likely covers it anyway.
      - inventory/service/host_vars/codesearch01.opendev.yaml
      - inventory/service/group_vars/codesearch
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/codesearch
      - playbooks/roles/logrotate
      - playbooks/roles/iptables

- job:
    name: infra-prod-service-grafana
    parent: infra-prod-service-base
    description: Run service-grafana.yaml playbook.
    vars:
      playbook_name: service-grafana.yaml
    files:
      - inventory/
      - playbooks/service-grafana.yaml
      # NOTE(review): does not follow the <host>.opendev.org.yaml naming
      # of the other host_vars entries -- verify the file name.  The
      # inventory/ entry above likely covers it anyway.
      - inventory/service/host_vars/grafana01.org.yaml
      - inventory/service/group_vars/grafana
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/grafana
      - playbooks/roles/logrotate
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-graphite
    parent: infra-prod-service-base
    description: Run service-graphite.yaml playbook.
    vars:
      playbook_name: service-graphite.yaml
    files:
      - inventory/
      - playbooks/service-graphite.yaml
      - inventory/service/host_vars/graphite02.opendev.org.yaml
      - inventory/service/group_vars/graphite
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/graphite/
      - playbooks/roles/iptables/

# AFS gets its own job with a single fork so that servers are changed
# one at a time and quorum is kept.
- job:
    name: infra-prod-service-afs
    parent: infra-prod-service-base
    description: Run AFS playbook.
    vars:
      playbook_name: service-afs.yaml
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/ansible-role-puppet
      - opendev/system-config
    files:
      - inventory/
      - playbooks/service-afs.yaml
      - inventory/service/group_vars/afs
      - inventory/service/group_vars/mirror-update
      - inventory/service/group_vars/puppet
      - playbooks/roles/run-puppet/
      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/iptables/
      - playbooks/roles/vos-release/
      - playbooks/roles/openafs-server/
      - modules/
      - manifests/

- job:
    name: infra-prod-service-kerberos
    parent: infra-prod-service-base
    description: Run Kerberos playbook.
    vars:
      playbook_name: service-kerberos.yaml
      # Single fork, as for the AFS job.
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/system-config
    files:
      - inventory/
      - playbooks/service-kerberos.yaml
      - inventory/service/group_vars/kerberos-kdc.yaml
      - playbooks/roles/kerberos-kdc/
      # NOTE(review): the mirror, mirror-update and static jobs list
      # this role as playbooks/roles/kerberos-client/; the prefixes
      # differ -- verify which directory holds the role.
      - roles/kerberos-client/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-remote-puppet-else
    parent: infra-prod-service-base
    description: Run remote-puppet-else.yaml playbook.
    vars:
      playbook_name: remote_puppet_else.yaml
      infra_prod_ansible_forks: 50
    required-projects:
      - opendev/ansible-role-puppet
      - opendev/system-config
    files:
      - hiera/
      - inventory/
      - playbooks/remote_puppet_else.yaml
      - inventory/service/group_vars/
      - inventory/service/host_vars/
      - inventory/service/group_vars/puppet
      - playbooks/roles/run-puppet/
      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/iptables/
      - modules/
      - manifests/

- job:
    name: infra-prod-run-cloud-launcher
    parent: infra-prod-service-base
    description: Run cloud launcher playbook
    vars:
      playbook_name: run_cloud_launcher.yaml
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/ansible-role-cloud-launcher
      - opendev/system-config
    # Replaces the service-base dependencies with a single soft
    # dependency on the bridge job.
    dependencies:
      - name: infra-prod-service-bridge
        soft: true
    files:
      - playbooks/run_cloud_launcher.yaml
      - inventory/service/host_vars/bridge.openstack.org.yaml