system-config/playbooks/bootstrap-bridge.yaml

104 lines
4.6 KiB
YAML

# NOTE: This is included from two paths to setup the bridge/bastion
# host in different circumstances:
#
# 1) Gate tests -- here Zuul is running this on the executor against
# ephemeral nodes. It uses the "bastion" group as defined in the
# system-config-run jobs.
#
# 2) Production -- here we actually run against the real bastion host.
# The host is dynamically added in opendev/base-jobs before this
# runs, and put into a group called "bastion".
#
# In both cases, the "bastion" group has one entry, which is the
# bastion host to run against.
- hosts: prod_bastion[0]:!disabled
name: "Bridge: bootstrap the bastion host"
become: true
tasks:
# Note for production use we expect to take the defaults; unit
# test jobs override this to test with latest upstream ansible.
# For example, if there is a fix on the ansible stable branch we
# need that is unreleased, you could do the following:
#
# install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
# install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
- name: Install ansible
include_role:
name: install-ansible
vars:
install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}'
install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}'
# NOTE(ianw): At 2018-12, ARA is only enabled during gate
# testing jobs as we decide if or how to store data on
# production bridge.o.o
install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}'
install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}'
# This is the key that bridge uses to log into remote hosts.
#
# For production, this root-key variable is kept with the others
# in the Ansible production secrets. Thus we need to deploy via
# the local Ansible we just installed that will load these
# variables. Remote hosts have trusted this from their bringup
# procedure.
#
# In testing, we have been called with "root_rsa_key" variable set
# with an ephemeral key. In this case, we pass it in as a "-e"
# variable directly from the file written on disk. The testing
# ephemeral nodes have been made to trust this by the multinode
# setup.
#
# NOTE(ianw) : Another option here is to keep the root key as a
# secret directly in Zuul, which could be written out directly
# here. Maybe one day we will do something like this.
- name: Create root key variable when testing
when: root_rsa_key is defined
block:
- name: Create vars dict
set_fact:
_root_rsa_key_dict:
root_rsa_key: '{{ root_rsa_key }}'
- name: Save extra-vars
copy:
content: '{{ _root_rsa_key_dict | to_nice_json }}'
dest: '/home/zuul/root-rsa-key.json'
- name: Save abstracted inventory file
copy:
content: |
{{ inventory_hostname }}
[prod_bastion]
{{ inventory_hostname }}
dest: '/home/zuul/bastion-inventory.ini'
- name: Make ansible log directory
file:
path: '/var/log/ansible'
state: directory
owner: root
mode: 0755
- name: Install root key
shell: >-
ansible-playbook -v ${ROOT_RSA_KEY} ${BRIDGE_INVENTORY}
/home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
> /var/log/ansible/install-root-key.{{ lookup('pipe', 'date +%Y-%m-%dT%H:%M:%S') }}.log 2>&1
environment:
ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
# In production "install-ansible" has setup ansible to point
# to the system-config inventory which has the bastion group
# in it. In the gate, bridge is ephemeral and we haven't yet
# built the inventory to use for testing (that is done in
# zuul/run-base.yaml). Use this constructed inventory.
BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
no_log: true
- name: Setup global known_hosts
include_role:
name: add-inventory-known-hosts