# NOTE: job dependencies keep this running in parallel and are defined
# in projects.yaml because it's easier to keep an overall view of
# what's happening in there.
#
# Every job below deploys to production hosts. Most concrete jobs set
# playbook_name plus a `files` list; Zuul treats each `files` entry as a
# regular expression and only runs the job when a change touches a
# matching path. A matcher that matches nothing means a merged change is
# not deployed by that job, so typos here cause silent drift between the
# repository and production.

# Make sure only one run of a system-config playbook happens at a time
- semaphore:
    name: infra-prod-playbook
    max: 1

- job:
    name: infra-prod-playbook
    parent: opendev-infra-prod-base
    description: |
      Run specified playbook against productions hosts.
      This is a parent job designed to be inherited to enabled
      CD deployment of our infrastructure. Set playbook_name to
      specify the playbook relative to
      /home/zuul/src/opendev.org/opendev/system-config/playbooks
      on the bastion host.
    # Abstract: cannot be run directly, only inherited from.
    abstract: true
    # Holds the max-1 semaphore above, so inheriting jobs run one at a time.
    semaphores: infra-prod-playbook
    run: playbooks/zuul/run-production-playbook.yaml
    post-run: playbooks/zuul/run-production-playbook-post.yaml
    required-projects:
      - opendev/system-config
    vars:
      infra_prod_ansible_forks: 10
      # NOTE(review): these two flags are consumed by the run/post-run
      # playbooks, which are not visible here. Read by name, playbook logs
      # are not collected by default and are encrypted when they are.
      # Production playbook output can contain secrets, so confirm the
      # consuming logic before changing either default.
      infra_prod_playbook_collect_log: false
      infra_prod_playbook_encrypt_log: true
    # Empty nodeset: no test nodes are requested for this job.
    nodeset:
      nodes: []

- job:
    name: infra-prod-bootstrap-bridge
    parent: opendev-infra-prod-setup-keys
    description: |
      Configure the bastion host (bridge)
      This job does minimal configuration on the bastion host
      (bridge.openstack.org) to allow it to run system-config
      playbooks against our production hosts. It sets up Ansible
      and root keys on the host.
      Note that this is separate to infra-prod-service-bridge;
      bridge in it's role as the bastion host actaully runs that
      against itself; it includes things not strictly needed to make
      the host able to deploy system-config.
    run: playbooks/zuul/run-production-bootstrap-bridge.yaml
    # The matched paths include the root-keys role and the add-rootkey
    # playbook; per the description this job sets up root keys on the
    # bastion, so changes under these paths merit careful review.
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/zuul/run-production-bootstrap-bridge.yaml
      - playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
      - playbooks/roles/install-ansible/
      - playbooks/roles/root-keys/
      - inventory/base/hosts.yaml
      - inventory/service/group_vars/bastion.yaml

- job:
    name: infra-prod-base
    parent: infra-prod-playbook
    description: Run the base playbook everywhere.
    vars:
      playbook_name: base.yaml
      infra_prod_ansible_forks: 50
    files:
      - inventory/
      - inventory/service/host_vars/
      - inventory/service/group_vars/
      - playbooks/base.yaml
      - playbooks/roles/base/

- job:
    name: infra-prod-letsencrypt
    parent: infra-prod-playbook
    description: Run letsencrypt.yaml playbook.
    vars:
      playbook_name: letsencrypt.yaml
    files:
      - inventory/
      - playbooks/letsencrypt.yaml
      # Any touching of host_vars or group_vars can substantively
      # change the certs we're doing, so be greedy here.
      - inventory/service/host_vars/
      - inventory/service/group_vars/
      - playbooks/roles/letsencrypt
      - playbooks/roles/logrotate/

- job:
    name: infra-prod-manage-projects
    parent: infra-prod-playbook
    # Zuul job timeout, in seconds.
    timeout: 4800
    description: |
      Create and update projects in gerrit and gitea.
    # Only the listed projects may use this job.
    # NOTE(review): no other job visible here sets allowed-projects;
    # whether the parents defined elsewhere restrict use of these
    # production jobs cannot be seen from this file - confirm.
    allowed-projects:
      - opendev/system-config
      - openstack/project-config
    required-projects:
      - opendev/system-config
      - openstack/project-config
    vars:
      playbook_name: manage-projects.yaml
      infra_prod_ansible_forks: 10
      # Overrides the parent's collect_log default. encrypt_log is not
      # overridden here, so the parent's `true` presumably still applies
      # through variable inheritance - confirm before relying on it.
      infra_prod_playbook_collect_log: true

- job:
    name: infra-prod-service-base
    parent: infra-prod-playbook
    description: Base job for most service playbooks.
    abstract: true

- job:
    name: infra-prod-service-bridge
    parent: infra-prod-service-base
    description: Run service-bridge.yaml playbook.
    vars:
      playbook_name: service-bridge.yaml
    files:
      - inventory/base
      - playbooks/service-bridge.yaml
      - inventory/service/group_vars/bastion.yaml
      - playbooks/roles/logrotate/
      - playbooks/roles/edit-secrets-script/
      - playbooks/roles/install-kubectl/
      - playbooks/roles/iptables/
      - playbooks/roles/configure-kubectl/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/templates/clouds/bridge_all_clouds.yaml.j2

- job:
    name: infra-prod-service-gitea-lb
    parent: infra-prod-service-base
    description: Run service-gitea-lb.yaml playbook.
    vars:
      playbook_name: service-gitea-lb.yaml
    files:
      - inventory/base
      - playbooks/service-gitea-lb.yaml
      - inventory/service/group_vars/gitea-lb.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/iptables/
      - playbooks/roles/install-docker/
      - playbooks/roles/haproxy/

- job:
    name: infra-prod-service-nameserver
    parent: infra-prod-service-base
    description: Run service-nameserver.yaml playbook.
    vars:
      playbook_name: service-nameserver.yaml
    files:
      - inventory/base
      - playbooks/service-nameserver.yaml
      - inventory/service/host_vars/adns1.opendev.org.yaml
      - inventory/service/host_vars/ns1.opendev.org.yaml
      - inventory/service/host_vars/ns2.opendev.org.yaml
      - inventory/service/group_vars/adns.yaml
      - inventory/service/group_vars/ns.yaml
      - playbooks/roles/master-nameserver/
      - playbooks/roles/nameserver/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-nodepool
    parent: infra-prod-service-base
    description: Run service-nodepool.yaml playbook.
    vars:
      playbook_name: service-nodepool.yaml
    required-projects:
      - opendev/system-config
      - openstack/project-config
    files:
      - inventory/base
      - playbooks/service-nodepool.yaml
      # Entries without a trailing slash or extension (nb, nl, nodepool_)
      # act as path prefixes because matchers are regular expressions.
      - inventory/service/host_vars/nb
      - inventory/service/host_vars/nl
      - inventory/service/group_vars/nodepool
      - playbooks/roles/configure-kubectl/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/nodepool
      - playbooks/templates/clouds/nodepool_

- job:
    name: infra-prod-service-etherpad
    parent: infra-prod-service-base
    description: Run service-etherpad.yaml playbook.
    vars:
      playbook_name: service-etherpad.yaml
    files:
      - inventory/base
      - playbooks/service-etherpad.yaml
      - inventory/service/host_vars/etherpad01.opendev.org.yaml
      - inventory/service/group_vars/etherpad
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/etherpad
      - playbooks/roles/logrotate
      - playbooks/roles/iptables/
      - docker/etherpad/

- job:
    name: infra-prod-service-keycloak
    parent: infra-prod-service-base
    description: Run service-keycloak.yaml playbook.
    vars:
      playbook_name: service-keycloak.yaml
    files:
      - inventory/base
      - playbooks/service-keycloak.yaml
      - inventory/service/host_vars/keycloak01.opendev.org.yaml
      - inventory/service/group_vars/keycloak
      - playbooks/roles/keycloak/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-meetpad
    parent: infra-prod-service-base
    description: Run service-meetpad.yaml playbook.
    vars:
      playbook_name: service-meetpad.yaml
    files:
      - inventory/base
      - playbooks/service-meetpad.yaml
      - inventory/service/host_vars/meetpad01.opendev.org.yaml
      - inventory/service/group_vars/meetpad.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/jitsi-meet/

- job:
    name: infra-prod-service-mirror-update
    parent: infra-prod-service-base
    description: Run service-mirror-update.yaml playbook.
    vars:
      playbook_name: service-mirror-update.yaml
    files:
      - inventory/base
      - inventory/service/group_vars/mirror.yaml
      - inventory/service/host_vars/mirror
      - playbooks/service-mirror-update.yaml
      - playbooks/roles/mirror-update/
      - playbooks/roles/reprepro/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - roles/kerberos-client/
      - roles/openafs-client/

- job:
    name: infra-prod-service-mirror
    parent: infra-prod-service-base
    description: Run service-mirror.yaml playbook.
    vars:
      playbook_name: service-mirror.yaml
    files:
      - inventory/base
      - playbooks/service-mirror.yaml
      - inventory/service/host_vars/mirror
      - inventory/service/group_vars/mirror.yaml
      - playbooks/roles/mirror/
      - playbooks/roles/afs-release/
      - playbooks/roles/afsmon/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - roles/openafs-client/

- job:
    name: infra-prod-service-paste
    parent: infra-prod-service-base
    description: Run service-paste.yaml playbook.
    vars:
      playbook_name: service-paste.yaml
    files:
      - inventory/base
      - playbooks/service-paste.yaml
      - inventory/service/group_vars/paste.yaml
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/lodgeit/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-static
    parent: infra-prod-service-base
    description: Run service-static.yaml playbook.
    vars:
      playbook_name: service-static.yaml
    files:
      - inventory/base
      - playbooks/service-static.yaml
      - inventory/service/group_vars/static.yaml
      - playbooks/roles/iptables/
      - playbooks/roles/static/
      - playbooks/roles/zuul-user/
      - roles/openafs-client/

- job:
    name: infra-prod-service-tracing
    parent: infra-prod-service-base
    description: Run service-tracing.yaml playbook.
    vars:
      playbook_name: service-tracing.yaml
    files:
      - inventory/base
      - playbooks/service-tracing.yaml
      - inventory/service/group_vars/tracing.yaml
      - playbooks/roles/jaeger/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-borg-backup
    parent: infra-prod-service-base
    description: Run service-borg-backup.yaml playbook.
    vars:
      playbook_name: service-borg-backup.yaml
    files:
      - inventory/base
      - playbooks/service-borg-backup.yaml
      - playbooks/roles/install-borg/
      - playbooks/roles/borg-backup/
      - playbooks/roles/borg-backup-server/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-registry
    parent: infra-prod-service-base
    description: Run service-registry.yaml playbook.
    vars:
      playbook_name: service-registry.yaml
    files:
      - inventory/base
      - playbooks/service-registry.yaml
      - inventory/service/group_vars/registry.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/registry/

- job:
    name: infra-prod-service-zuul-preview
    parent: infra-prod-service-base
    description: Run service-zuul-preview.yaml playbook.
    vars:
      playbook_name: service-zuul-preview.yaml
    files:
      - inventory/base
      - playbooks/service-zuul-preview.yaml
      - inventory/service/group_vars/zuul-preview.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zuul-preview/

- job:
    name: infra-prod-service-zookeeper
    parent: infra-prod-service-base
    description: Run service-zookeeper.yaml playbook.
    vars:
      playbook_name: service-zookeeper.yaml
    # NOTE(review): unlike the sibling service jobs, the playbook itself
    # (playbooks/service-zookeeper.yaml) is not listed here - confirm this
    # is intentional, otherwise edits to it alone will not trigger a run.
    files:
      - inventory/base
      - inventory/service/group_vars/zookeeper.yaml
      - ^inventory/service/host_vars/zk\d+\..*
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zookeeper/

- job:
    name: infra-prod-service-zuul
    parent: infra-prod-service-base
    description: |
      Run service-zuul.yaml playbook.
      This configures the main Zuul cluster. It will perform a
      smart-reconfigure of the scheduler if the tenant configuration
      is changed.
    vars:
      playbook_name: service-zuul.yaml
    files:
      - inventory/base
      - playbooks/service-zuul.yaml
      - inventory/service/group_vars/zuul
      - inventory/service/group_vars/zookeeper.yaml
      # The dots in the zuul host pattern are unescaped, so they match any
      # character; this only over-matches, it does not miss real hosts.
      - inventory/service/host_vars/zk\d+
      - inventory/service/host_vars/zuul\d+.opendev.org
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/zookeeper/
      - playbooks/roles/zuul
      - roles/kerberos-client/
      - roles/openafs-client/

- job:
    name: infra-prod-service-zuul-lb
    parent: infra-prod-service-base
    description: Run service-zuul-lb.yaml playbook.
    vars:
      playbook_name: service-zuul-lb.yaml
    files:
      - inventory/base
      - playbooks/service-zuul-lb.yaml
      - inventory/service/group_vars/zuul-lb.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/iptables/
      - playbooks/roles/install-docker/
      - playbooks/roles/haproxy/

- job:
    name: infra-prod-service-review
    parent: infra-prod-service-base
    description: Run service-review.yaml playbook.
    vars:
      playbook_name: service-review.yaml
    files:
      - inventory/base
      - playbooks/service-review.yaml
      - inventory/service/group_vars/review.yaml
      - inventory/service/host_vars/review02.openstack.org.yaml
      - playbooks/roles/pip3/
      - playbooks/roles/install-docker/
      - playbooks/roles/iptables/
      - playbooks/roles/gerrit/

- job:
    name: infra-prod-service-refstack
    parent: infra-prod-service-base
    description: Run service-refstack.yaml playbook.
    vars:
      playbook_name: service-refstack.yaml
    files:
      - inventory/base
      - playbooks/service-refstack.yaml
      - inventory/service/group_vars/refstack.yaml
      - inventory/service/host_vars/refstack[0-9][0-9]
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/refstack/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - docker/refstack
      - docker/python-base/

- job:
    name: infra-prod-service-gitea
    parent: infra-prod-service-base
    description: Run service-gitea.yaml playbook.
    vars:
      playbook_name: service-gitea.yaml
    files:
      - inventory/base
      - playbooks/service-gitea.yaml
      - inventory/service/group_vars/gitea.yaml
      - inventory/service/host_vars/gitea[0-9][0-9]
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/gitea/
      - playbooks/roles/iptables/
      - playbooks/roles/logrotate/
      - docker/gitea/
      - docker/gitea-init/
      - docker/jinja-init/
      - docker/python-base/

- job:
    name: infra-prod-service-eavesdrop
    parent: infra-prod-service-base
    description: Run service-eavesdrop.yaml playbook.
    required-projects:
      - opendev/system-config
      - openstack/project-config
    vars:
      playbook_name: service-eavesdrop.yaml
    # The anchor names this list for reuse via a YAML alias. No alias is
    # visible in this part of the file; an alias only resolves within the
    # same YAML document as its anchor.
    files: &infra_prod_eavesdrop_files
      - inventory/base
      - playbooks/service-eavesdrop.yaml
      - playbooks/run-accessbot.yaml
      - inventory/service/group_vars/eavesdrop.yaml
      - playbooks/roles/install-docker
      - playbooks/roles/iptables/
      - playbooks/roles/accessbot
      - playbooks/roles/limnoria
      - playbooks/roles/ptgbot
      - playbooks/roles/statusbot
      - playbooks/roles/logrotate
      - playbooks/roles/matrix-eavesdrop
      - playbooks/roles/matrix-gerritbot
      - playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
      - docker/accessbot/
      - docker/ircbot
      - docker/matrix-eavesdrop

- job:
    name: infra-prod-run-accessbot
    parent: infra-prod-service-base
    description: Run run-accessbot.yaml playbook.
    required-projects:
      - opendev/system-config
      - openstack/project-config
    vars:
      playbook_name: run-accessbot.yaml
    files:
      - accessbot/channels.yaml
      - playbooks/run-accessbot.yaml
      - playbooks/roles/accessbot
      - docker/accessbot/

- job:
    name: infra-prod-service-codesearch
    parent: infra-prod-service-base
    description: Run service-codesearch.yaml playbook.
    vars:
      playbook_name: service-codesearch.yaml
    files:
      - docker/hound/
      - inventory/base
      - playbooks/service-codesearch.yaml
      # NOTE(review): most host_vars matchers in this file end in
      # `.opendev.org.yaml`; this one has no `.org`. Confirm it matches a
      # real inventory file, otherwise changes to that host's vars alone
      # will not trigger this job.
      - inventory/service/host_vars/codesearch01.opendev.yaml
      - inventory/service/group_vars/codesearch
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/codesearch
      - playbooks/roles/logrotate
      - playbooks/roles/iptables

- job:
    name: infra-prod-service-grafana
    parent: infra-prod-service-base
    description: Run service-grafana.yaml playbook.
    vars:
      playbook_name: service-grafana.yaml
    files:
      - inventory/base
      - playbooks/service-grafana.yaml
      # NOTE(review): this host name has no `opendev` component, unlike
      # the other `NN.opendev.org.yaml` matchers in this file. Confirm it
      # matches a real inventory file, otherwise changes to that host's
      # vars alone will not trigger this job.
      - inventory/service/host_vars/grafana01.org.yaml
      - inventory/service/group_vars/grafana
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/grafana
      - playbooks/roles/logrotate
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-graphite
    parent: infra-prod-service-base
    description: Run service-graphite.yaml playbook.
    vars:
      playbook_name: service-graphite.yaml
    files:
      - inventory/base
      - playbooks/service-graphite.yaml
      - inventory/service/host_vars/graphite02.opendev.org.yaml
      - inventory/service/group_vars/graphite
      - playbooks/roles/install-docker/
      - playbooks/roles/pip3/
      - playbooks/roles/graphite/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-service-lists
    parent: infra-prod-service-base
    description: Run service-lists.yaml playbook.
    vars:
      playbook_name: service-lists.yaml
    files:
      - inventory/base
      - inventory/service/host_vars/lists.openstack.org.yaml
      - inventory/service/host_vars/lists.katacontainers.io.yaml
      - playbooks/roles/iptables/
      - playbooks/roles/base/exim
      - playbooks/roles/mailman/
      - playbooks/service-lists.yaml

- job:
    name: infra-prod-service-lists3
    parent: infra-prod-service-base
    description: Run service-lists3.yaml playbook.
    vars:
      playbook_name: service-lists3.yaml
    files:
      - inventory/base
      - inventory/service/host_vars/lists01.opendev.org.yaml
      - playbooks/roles/iptables/
      - playbooks/roles/base/exim
      - playbooks/roles/mailman3/
      - playbooks/service-lists3.yaml

# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
- job:
    name: infra-prod-service-afs
    parent: infra-prod-service-base
    description: Run AFS playbook.
    vars:
      playbook_name: service-afs.yaml
      # Presumably passed through as Ansible's fork count, i.e. one host
      # at a time - the consuming playbook is not visible here.
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/system-config
    files:
      - inventory/base
      - playbooks/service-afs.yaml
      - inventory/service/group_vars/afs
      - inventory/service/group_vars/mirror-update
      - playbooks/roles/iptables/
      - playbooks/roles/vos-release/
      - playbooks/roles/openafs-server/
      - modules/
      - manifests/
      - roles/kerberos-client/
      - roles/openafs-client/

- job:
    name: infra-prod-service-kerberos
    parent: infra-prod-service-base
    description: Run Kerberos playbook.
    vars:
      playbook_name: service-kerberos.yaml
      # Same single-fork setting as the AFS job above.
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/system-config
    files:
      - inventory/base
      - playbooks/service-kerberos.yaml
      - inventory/service/group_vars/kerberos-kdc.yaml
      - playbooks/roles/kerberos-kdc/
      - roles/kerberos-client/
      - playbooks/roles/iptables/

- job:
    name: infra-prod-remote-puppet-else
    parent: infra-prod-service-base
    # The description spells the playbook with hyphens; the file actually
    # run is the underscore form given in playbook_name below.
    description: Run remote-puppet-else.yaml playbook.
    vars:
      playbook_name: remote_puppet_else.yaml
      infra_prod_ansible_forks: 50
    required-projects:
      - opendev/ansible-role-puppet
      - opendev/system-config
    files:
      - Gemfile
      - Rakefile
      - modules.env
      - install_modules.sh
      - hiera/
      - inventory/
      - roles/puppet-install/
      - playbooks/install_puppet.yaml
      - playbooks/update_puppet_version.yaml
      - playbooks/remote_puppet_else.yaml
      - playbooks/roles/puppet-run/
      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/puppet-setup-ansible/
      - playbooks/roles/iptables/
      - modules/
      - manifests/

- job:
    name: infra-prod-run-cloud-launcher
    parent: infra-prod-service-base
    description: Run cloud launcher playbook
    vars:
      playbook_name: run_cloud_launcher.yaml
      infra_prod_ansible_forks: 1
    required-projects:
      - opendev/ansible-role-cloud-launcher
      - opendev/system-config
    files:
      - playbooks/run_cloud_launcher.yaml
      - inventory/service/group_vars/bastion.yaml