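# NOTE: This is included from two paths to setup the bridge/bastion
# host in different circumstances:
#
# 1) Gate tests -- here Zuul is running this on the executor against
#    ephemeral nodes.  It uses the "bastion" group as defined in the
#    system-config-run jobs.
#
# 2) Production -- here we actually run against the real bastion host.
#    The host is dynamically added in opendev/base-jobs before this
#    runs, and put into a group called "bastion".
#
# In both cases, the "bastion" group has one entry, which is the
# bastion host to run against.
#
# NOTE(review): the play below targets the "prod_bastion" group (and the
# inventory written for the gate also declares "[prod_bastion]"), not
# "bastion" as the text above says -- confirm which name is current.
- hosts: prod_bastion[0]:!disabled
  name: "Bridge: bootstrap the bastion host"
  become: true
  tasks:
    # Note for production use we expect to take the defaults; unit
    # test jobs override this to test with latest upstream ansible.
    # For example, if there is a fix on the ansible stable branch we
    # need that is unreleased, you could do the following:
    #
    #  install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
    #  install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
    - name: Install ansible
      include_role:
        name: install-ansible
      vars:
        install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
        install_ansible_version: '{{ bridge_ansible_version | default("<8") }}'
        install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
        # The override used to be read only from the misspelled
        # "bridge_openstacksdk_verison", so a caller setting the
        # correctly spelled variable was silently ignored.  Prefer the
        # correct spelling and keep the old name as a fallback so
        # existing callers continue to work.
        install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_version | default(bridge_openstacksdk_verison | default("latest")) }}'
        # NOTE(ianw): At 2018-12, ARA is only enabled during gate
        # testing jobs as we decide if or how to store data on
        # production bridge.o.o
        install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}'
        install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}'

    # This is the key that bridge uses to log into remote hosts.
    #
    # For production, this root-key variable is kept with the others
    # in the Ansible production secrets.  Thus we need to deploy via
    # the local Ansible we just installed that will load these
    # variables.  Remote hosts have trusted this from their bringup
    # procedure.
    #
    # In testing, we have been called with "root_rsa_key" variable set
    # with an ephemeral key.  In this case, we pass it in as a "-e"
    # variable directly from the file written on disk.  The testing
    # ephemeral nodes have been made to trust this by the multinode
    # setup.
    #
    # NOTE(ianw) : Another option here is to keep the root key as a
    # secret directly in Zuul, which could be written out directly
    # here.  Maybe one day we will do something like this.
    - name: Create root key variable when testing
      when: root_rsa_key is defined
      block:
        - name: Create vars dict
          set_fact:
            _root_rsa_key_dict:
              root_rsa_key: '{{ root_rsa_key }}'
          # The fact holds private key material; keep it out of task
          # output.
          no_log: true

        - name: Save extra-vars
          copy:
            content: '{{ _root_rsa_key_dict | to_nice_json }}'
            dest: '/home/zuul/root-rsa-key.json'
            # Private key on disk: restrict to the owner rather than
            # taking whatever the umask gives.  The play runs with
            # become, so the file is written (and later read by the
            # "Install root key" task) as root.
            # NOTE(review): confirm nothing else reads this file as a
            # non-root user.
            mode: '0600'
          no_log: true

        - name: Save abstracted inventory file
          copy:
            content: |
              {{ inventory_hostname }}

              [prod_bastion]
              {{ inventory_hostname }}
            dest: '/home/zuul/bastion-inventory.ini'

    - name: Make ansible log directory
      file:
        path: '/var/log/ansible'
        state: directory
        owner: root
        # Quoted so the mode is passed as a string and is never
        # re-interpreted by YAML integer parsing.
        mode: '0755'

    # ROOT_RSA_KEY and BRIDGE_INVENTORY are expanded unquoted on
    # purpose: each is either empty (production) or an option with its
    # argument that the shell must word-split (gate).
    #
    # NOTE(review): the log file is created by shell redirection, so
    # its permissions come from the umask, and the child playbook runs
    # with -v.  Confirm the child playbook does not print key material
    # into a log that other local users can read.
    - name: Install root key
      shell: >-
        ansible-playbook -v ${ROOT_RSA_KEY} ${BRIDGE_INVENTORY}
        /home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
        > /var/log/ansible/install-root-key.{{ lookup('pipe', 'date +%Y-%m-%dT%H:%M:%S') }}.log 2>&1
      environment:
        ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
        # In production "install-ansible" has setup ansible to point
        # to the system-config inventory which has the bastion group
        # in it.  In the gate, bridge is ephemeral and we haven't yet
        # built the inventory to use for testing (that is done in
        # zuul/run-base.yaml).  Use this constructed inventory.
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true

    - name: Setup global known_hosts
      include_role:
        name: add-inventory-known-hosts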