Jeremy Stanley 601e4a4a55 Transition to Rackspace API keys
Rackspace is requiring multi-factor authentication for all users
beginning 2024-03-26. Enabling MFA on our accounts will immediately
render password-based authentication inoperable for the API. In
preparation for this switch, add new cloud entries for the provider
which authenticate by API key so that we can test and move more
smoothly between the two while we work out any unanticipated kinks.

Change-Id: I787df458aa048ad80e246128085b252bb5888285
2024-03-05 19:31:09 +00:00


# Jobs such as -devel already set install_ansible_requirements in the
# job definition (to pick main/devel branch repos checked out from
# Zuul), so the default list is only built when nothing was passed in.
# NOTE(review): only 'ansible' carries an upper bound below; the other
# entries are unconstrained, so every venv refresh takes whatever is
# newest on the package index -- confirm that is the intended trust
# level for this host.
- name: Set default ansible install requirements
  when: install_ansible_requirements is not defined
  block:
    - name: Set defaults
      set_fact:
        _install_ansible_requirements:
          - 'ansible<9'
          - 'openstacksdk'
          - 'rackspaceauth'

    - name: Add ARA to defaults if enabled
      when: install_ansible_ara_enable
      set_fact:
        _install_ansible_requirements: '{{ _install_ansible_requirements + ["ara[server]"] }}'

    - name: Set variable
      # NOTE(ianw) the block-level when: is calculated again for each
      # task, and this task defines the variable that condition tests
      # -- keep this last!
      set_fact:
        install_ansible_requirements: '{{ _install_ansible_requirements }}'
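# NOTE(ianw) 2022-10-26 : ARM64 generally needs these because upstream
# projects don't always ship arm64 wheels. x86 may need them too on a
# fresh host with a more recent Python.
- name: Ensure required Ansible build packages
  apt:
    # Canonical boolean instead of the YAML 1.1 'yes' spelling.
    update_cache: true
    name:
      - libffi-dev
      - libssl-dev
      - build-essential
      - python3-dev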
# python3-venv has to be present before the create-venv role can build
# the virtualenv.
- name: Install python-venv package
  package:
    name:
      - python3-venv
    state: present

# All later tasks refer to this same path for the Ansible install.
- name: Create venv
  include_role:
    name: create-venv
  vars:
    create_venv_path: '/usr/ansible-venv'
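# The bootstrap job runs this all the time, and we'd like to mostly
# skip trying to update the venv. But we also want things like ansible
# to specify '<X' so we pick up point releases. By writing the current
# day into requirements.txt, the template changes once a day, and thus
# we update the venv just once a day.
# (Presumably requirements.txt.j2 reads _date; the template is not
# shown here.)
- name: Get current day
  # A fixed argv needs no shell features, so use command rather than
  # shell; reading the clock changes nothing on the host.
  command: 'date +%Y-%m-%d'
  register: _date
  changed_when: false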
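# The registered result gates the pip run below: the venv is only
# touched when the rendered requirements file actually changed.
- name: Write out requirements file
  template:
    src: requirements.txt.j2
    dest: '/usr/ansible-venv/requirements.txt'
    owner: root
    group: root
    # Quoted so the value does not depend on YAML 1.1 octal parsing.
    mode: '0644'
  register: _requirements_updated

# NOTE(review): with state: latest and (as far as this file shows) no
# version or hash pinning, the venv contents are decided by the package
# index at install time. If requirements.txt.j2 does not pin, consider
# a constraints file or hashed requirements (pip --require-hashes via
# extra_args) so an unexpected upstream release cannot land here
# unreviewed.
- name: Install packages
  when: _requirements_updated.changed
  pip:
    requirements: '/usr/ansible-venv/requirements.txt'
    # Always upgrade because only called in response to
    # requirements.txt changes.
    state: latest
    virtualenv: '/usr/ansible-venv'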
# From Ansible 2.10 onwards most of the fun stuff lives in collections,
# so clone our required collections here. This only applies to our
# testing of the devel branch; with a release we use the Ansible
# distribution package, which bundles all of this.
- name: Install Ansible collections
  include_tasks: install_ansible_collection.yaml
  # Only callers that pass install_ansible_collections get the include.
  when: install_ansible_collections is defined
  loop: '{{ install_ansible_collections }}'
# Expose the venv's entry points under /usr/local/bin so they can be
# invoked without activating the venv.
- name: Symlink Ansible globally
  file:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    state: link
  loop:
    - src: '/usr/ansible-venv/bin/ansible-playbook'
      dest: '/usr/local/bin/ansible-playbook'
    - src: '/usr/ansible-venv/bin/ansible'
      dest: '/usr/local/bin/ansible'
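# Run both entry points by bare name and print what they report, so
# the job log shows which Ansible actually resolves.
- name: Ansible version check
  command: 'ansible-playbook --version'
  register: _ansible_version_check
  # Read-only query; matches the changed_when: false used for the ARA
  # lookup later in this file.
  changed_when: false

- name: Sanity check Ansible version
  debug:
    msg: '{{ _ansible_version_check.stdout }}'

# Re-uses the register name; the previous value was already printed.
- name: Ansible cmd version check
  command: 'ansible --version'
  register: _ansible_version_check
  changed_when: false

- name: Sanity check Ansible version
  debug:
    msg: '{{ _ansible_version_check.stdout }}'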
# The result registered here is templated into ansible.cfg below to
# set up the callback plugins for ARA. The query is made with the
# venv's own interpreter and is marked as never changing the host.
- name: Get ARA's location for callback plugins
  when: install_ansible_ara_enable
  command: /usr/ansible-venv/bin/python3 -m ara.setup.callback_plugins
  register: install_ansible_ara_callback_plugins
  changed_when: false
# For use by k8s_raw ansible module
# - name: Install openshift client
# pip:
# name: 'openshift'
# TODO(corvus): re-add this once kubernetes 9.0.0 is released
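# NOTE(review): the two /etc/ansible directories below are created
# without explicit owner/group/mode, so they end up with whatever the
# connecting user and umask produce. inventory_plugins later receives
# Python code (yamlgroup.py) that Ansible loads; consider pinning root
# ownership and a mode that is not group/world-writable, as is done
# for the cache and log directories.
- name: Ensure /etc/ansible and /etc/ansible/hosts
  file:
    state: directory
    path: /etc/ansible/hosts

- name: Ensure /etc/ansible/inventory_plugins
  file:
    state: directory
    path: /etc/ansible/inventory_plugins

# No access for "other" on the cache directory.
- name: Ensure /var/cache/ansible
  file:
    state: directory
    path: /var/cache/ansible
    owner: root
    group: root
    # Modes are quoted so they do not rely on YAML 1.1 octal parsing.
    mode: '0770'

# Group-writable for the root group, read/traverse for everyone else.
- name: Ensure ansible log dir is writable
  file:
    path: /var/log/ansible
    state: directory
    owner: root
    group: root
    mode: '0775'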
# NOTE(review): no owner/group/mode is given, so the rendered file
# takes the connecting user's defaults. ansible.cfg steers plugin and
# callback loading, so an explicit root-owned, non-writable-by-others
# mode would make the intent auditable -- confirm the desired value.
- name: Copy ansible.cfg in to place
  template:
    src: ansible.cfg.j2
    dest: /etc/ansible/ansible.cfg

# Clean up inventory files left in /etc/ansible/hosts under these two
# old names.
- name: Remove old inventory files
  file:
    path: '/etc/ansible/hosts/{{ item }}'
    state: absent
  loop:
    - openstack.yaml
    - groups.yaml
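# NOTE(review): roles and the inventory plugin are code that Ansible
# loads and runs, yet both copies rely on default ownership and modes
# (only disable-ansible sets them). Consider making root ownership and
# non-writable-by-others modes explicit here as well; for the
# recursive roles/ copy, check that a fixed mode would not strip
# execute bits from scripts before adding one.
- name: Copy system-config roles into place
  copy:
    src: roles/
    dest: /etc/ansible/roles

- name: Copy disable-ansible utility script in place
  copy:
    src: disable-ansible
    dest: /usr/local/bin/disable-ansible
    # Quoted so the value does not depend on YAML 1.1 octal parsing.
    mode: '0755'
    owner: root
    group: root

- name: Copy yamlgroup inventory in place
  copy:
    src: inventory_plugins/yamlgroup.py
    dest: /etc/ansible/inventory_plugins/yamlgroup.py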
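# Hand the Ansible log file to the logrotate role.
- name: Setup log rotation
  include_role:
    name: logrotate
  vars:
    logrotate_file_name: /var/log/ansible/ansible.log

# Final smoke test: the task fails if the installed ansible cannot
# start. It only reads state, so it never reports a change.
- name: Verify ansible install
  command: ansible --version
  changed_when: false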