e182394e97
Change I4789fe99651597b073e35066ec3be312e18659b8 made me realise that with the extant code, nothing will update the /usr/ansible-env environment when we bump the versions. The installation of the Ansible, openstacksdk and ARA packages as part of the "install-ansible" role was done this way to facilitate being able to install all three of these from their main/master/devel branches for the "-devel" job, which is our basic canary for upstream things that might affect us. Because of the way the pip: role works with "state: latest" and mixing on-disk paths with pypi package names, this became a bit of a complex swizzling operation. Some things have changed since then; particularly us now using a separate venv and upstream Ansible's change to use "collections"; so pulling in a bug-fix for Ansible is not as simple as just cloning github.com/ansible/ansible at a particular tag any more. This means we should reconsider how we're specifying the packages here. This simplifies things to list the required packages in a requirements.txt file, which we install into the venv root. The nice thing about this is that creating requirements.txt with the template: role is idempotent, so we can essentially monitor the file for changes and only (re-)run the pip install into /usr/ansible-env when we change versions (forcing upgrades so we get the versions we want, and fixing the original issue mentioned above). Change-Id: I3696740112fa691d1700040b557f53f6721393e7
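---
# NOTE: This is included from two paths to setup the bridge/bastion
# host in different circumstances:
#
# 1) Gate tests -- here Zuul is running this on the executor against
#    ephemeral nodes.  It uses the "bastion" group as defined in the
#    system-config-run jobs.
#
# 2) Production -- here we actually run against the real bastion host.
#    The host is dynamically added in opendev/base-jobs before this
#    runs, and put into a group called "bastion".
#
# In both cases, the "bastion" group has one entry, which is the
# bastion host to run against.
#
# NOTE(review): the play below targets the "prod_bastion" group and
# the generated test inventory also declares [prod_bastion]; confirm
# whether the group name in the description above is still current.

- hosts: 'prod_bastion[0]:!disabled'
  name: "Bridge: bootstrap the bastion host"
  become: true
  tasks:

    - name: Install ansible
      include_role:
        name: install-ansible

    # This is the key that bridge uses to log into remote hosts.
    #
    # For production, this root-key variable is kept with the others
    # in the Ansible production secrets.  Thus we need to deploy via
    # the local Ansible we just installed that will load these
    # variables.  Remote hosts have trusted this from their bringup
    # procedure.
    #
    # In testing, we have been called with "root_rsa_key" variable set
    # with an ephemeral key.  In this case, we pass it in as a "-e"
    # variable directly from the file written on disk.  The testing
    # ephemeral nodes have been made to trust this by the multinode
    # setup.
    #
    # NOTE(ianw) : Another option here is to keep the root key as a
    # secret directly in Zuul, which could be written out directly
    # here.  Maybe one day we will do something like this.
    - name: Create root key variable when testing
      when: root_rsa_key is defined
      block:
        - name: Create vars dict
          set_fact:
            _root_rsa_key_dict:
              root_rsa_key: '{{ root_rsa_key }}'
          # The fact holds private key material; keep it out of task
          # output, matching the no_log on "Install root key" below.
          no_log: true

        - name: Save extra-vars
          copy:
            content: '{{ _root_rsa_key_dict | to_nice_json }}'
            dest: '/home/zuul/root-rsa-key.json'
            # The file contains the private key.  Without an explicit
            # mode the permissions depend on the remote umask, so pin
            # it to owner-only.  The play runs with "become: true", so
            # the task that reads this file runs as the same user.
            mode: '0600'
          # Do not echo the key in task results or --diff output.
          no_log: true

        # Minimal inventory for the gate: the bastion host on its own
        # line, then again as the single member of [prod_bastion].
        - name: Save abstracted inventory file
          copy:
            content: |
              {{ inventory_hostname }}
              [prod_bastion]
              {{ inventory_hostname }}
            dest: '/home/zuul/bastion-inventory.ini'

    - name: Make ansible log directory
      file:
        path: '/var/log/ansible'
        state: directory
        owner: root
        # Quoted so the mode is passed as the octal string rather than
        # depending on how the YAML loader types a leading-zero number.
        mode: '0755'

    # Runs the locally installed ansible-playbook against the add-rootkey
    # playbook.  ROOT_RSA_KEY and BRIDGE_INVENTORY expand to extra
    # command-line arguments only when "root_rsa_key" is defined
    # (testing); otherwise they are empty strings.  All output is
    # redirected to a timestamped file under /var/log/ansible.
    #
    # NOTE(review): the log directory above is mode 0755 and the run
    # uses "-v"; confirm the add-rootkey playbook marks its key-handling
    # tasks no_log so the key does not end up in the log file.
    - name: Install root key
      shell: >-
        ansible-playbook -v ${ROOT_RSA_KEY} ${BRIDGE_INVENTORY}
        /home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
        > /var/log/ansible/install-root-key.{{ lookup('pipe', 'date +%Y-%m-%dT%H:%M:%S') }}.log 2>&1
      environment:
        ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
        # In production "install-ansible" has setup ansible to point
        # to the system-config inventory which has the bastion group
        # in it.  In the gate, bridge is ephemeral and we haven't yet
        # built the inventory to use for testing (that is done in
        # zuul/run-base.yaml).  Use this constructed inventory.
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true

    - name: Setup global known_hosts
      include_role:
        name: add-inventory-known-hosts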