opendev/system-config
Code Issues Proposed changes
system-config/zuul.d/infra-prod.yaml
Ian Wienand c1aff2ed38 kerberos-kdc: role to manage Kerberos KDC servers 
This adds a role and related testing to manage our Kerberos KDC
servers, intended to replace the puppet modules currently performing
this task.

This role automates realm creation, initial setup, key material
distribution and replica host configuration.  None of this is intended
to run on the production servers which are already setup with an
active database, and the role should be effectively idempotent in
production.

Note that this does not yet switch the production servers into the new
groups; this can be done in a separate step under controlled
conditions and with related upgrades of the host OS to Focal.

Change-Id: I60b40897486b29beafc76025790c501b5055313d
2021-03-17 08:30:52 +11:00

654 lines
20 KiB
YAML
Raw Blame History

# Make sure only one run of a system-config playbook happens at a time
- semaphore:
name: infra-prod-playbook
max: 1
- job:
name: infra-prod-playbook
parent: opendev-infra-prod-base
description: |
Run specified playbook against productions hosts.
This is a parent job designed to be inherited to enabled
CD deployment of our infrastructure. Set playbook_name to
specify the playbook relative to
/home/zuul/src/opendev.org/opendev/system-config/playbooks
on bridge.openstack.org.
abstract: true
semaphore: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml
required-projects:
- opendev/system-config
vars:
infra_prod_ansible_forks: 5
infra_prod_playbook_collect_log: false
nodeset:
nodes: []
- job:
name: infra-prod-install-ansible
parent: infra-prod-playbook
description: Install ansible on bridge.
vars:
playbook_name: install-ansible.yaml
files:
- inventory/
- roles/
- install_modules.sh
- modules.env
- playbooks/install-ansible.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-ansible/
- playbooks/roles/logrotate/
- playbooks/roles/root-keys/
- inventory/service/host_vars/bridge.openstack.org.yaml
- playbooks/zuul/run-production-playbook.yaml
- job:
name: infra-prod-base
parent: infra-prod-playbook
description: Run the base playbook everywhere.
dependencies:
- name: infra-prod-install-ansible
soft: true
vars:
playbook_name: base.yaml
infra_prod_ansible_forks: 50
files:
- inventory/
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/base.yaml
- playbooks/roles/base/
- job:
name: infra-prod-letsencrypt
parent: infra-prod-playbook
description: Run letsencrypt.yaml playbook.
vars:
playbook_name: letsencrypt.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
files:
- inventory/
- playbooks/letsencrypt.yaml
# Any touching of host_vars or group_vars can substantively
# change the certs we're doing, so be greedy here.
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/roles/letsencrypt
- playbooks/roles/logrotate/
- job:
name: infra-prod-manage-projects
parent: infra-prod-playbook
description: |
Create and update projects in gerrit and gitea.
allowed-projects:
- opendev/system-config
- openstack/project-config
required-projects:
- opendev/system-config
- openstack/project-config
vars:
playbook_name: manage-projects.yaml
infra_prod_ansible_forks: 10
infra_prod_playbook_collect_log: true
- job:
name: infra-prod-service-base
parent: infra-prod-playbook
description: Base job for most service playbooks.
abstract: true
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- job:
name: infra-prod-service-bridge
parent: infra-prod-service-base
description: Run service-bridge.yaml playbook.
vars:
playbook_name: service-bridge.yaml
files:
- inventory/
- playbooks/service-bridge.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml
- playbooks/roles/logrotate/
- playbooks/roles/edit-secrets-script/
- playbooks/roles/install-kubectl/
- playbooks/roles/iptables/
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/templates/clouds/bridge_all_clouds.yaml.j2
- job:
name: infra-prod-service-gitea-lb
parent: infra-prod-service-base
description: Run service-gitea-lb.yaml playbook.
vars:
playbook_name: service-gitea-lb.yaml
files:
- inventory/
- playbooks/service-gitea-lb.yaml
- inventory/service/group_vars/gitea-lb.yaml
- playbooks/roles/pip3/
- playbooks/roles/iptables/
- playbooks/roles/install-docker/
- playbooks/roles/haproxy/
- job:
name: infra-prod-service-nameserver
parent: infra-prod-service-base
description: Run service-nameserver.yaml playbook.
vars:
playbook_name: service-nameserver.yaml
files:
- inventory/
- playbooks/service-nameserver.yaml
- inventory/service/host_vars/adns1.opendev.org.yaml
- inventory/service/host_vars/ns1.opendev.org.yaml
- inventory/service/host_vars/ns2.opendev.org.yaml
- inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/ns.yaml
- playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-nodepool
parent: infra-prod-service-base
description: Run service-nodepool.yaml playbook.
vars:
playbook_name: service-nodepool.yaml
required-projects:
- opendev/system-config
- openstack/project-config
files:
- inventory/
- playbooks/service-nodepool.yaml
- inventory/service/host_vars/nb
- inventory/service/host_vars/nl
- inventory/service/group_vars/nodepool
- inventory/service/group_vars/puppet
- playbooks/roles/install-ansible-roles/
- playbooks/roles/run-puppet/
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/nodepool
- playbooks/templates/clouds/nodepool_
- job:
name: infra-prod-service-etherpad
parent: infra-prod-service-base
description: Run service-etherpad.yaml playbook.
vars:
playbook_name: service-etherpad.yaml
files:
- inventory/
- playbooks/service-etherpad.yaml
- inventory/service/host_vars/etherpad01.opendev.org.yaml
- inventory/service/group_vars/etherpad
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/etherpad
- playbooks/roles/logrotate
- playbooks/roles/iptables/
- docker/etherpad/
- job:
name: infra-prod-service-meetpad
parent: infra-prod-service-base
description: Run service-meetpad.yaml playbook.
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-jitsi-meet
soft: true
vars:
playbook_name: service-meetpad.yaml
files:
- inventory/
- playbooks/service-meetpad.yaml
- inventory/service/host_vars/meetpad01.opendev.org.yaml
- inventory/service/group_vars/meetpad.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/jitsi-meet/
- job:
name: infra-prod-service-mirror-update
parent: infra-prod-service-base
description: Run service-mirror-update.yaml playbook.
vars:
playbook_name: service-mirror-update.yaml
files:
- inventory/
- playbooks/service-mirror-update.yaml
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/mirror-update/
- playbooks/roles/reprepro/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- job:
name: infra-prod-service-mirror
parent: infra-prod-service-base
description: Run service-mirror.yaml playbook.
vars:
playbook_name: service-mirror.yaml
files:
- inventory/
- playbooks/service-mirror.yaml
- inventory/service/group_vars/mirror.yaml
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/mirror/
- playbooks/roles/afs-release/
- playbooks/roles/afsmon/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- job:
name: infra-prod-service-static
parent: infra-prod-service-base
description: Run service-static.yaml playbook.
vars:
playbook_name: service-static.yaml
files:
- inventory/
- playbooks/service-static.yaml
- inventory/service/host_vars/static01.opendev.org.yaml
- inventory/service/group_vars/static.yaml
- playbooks/roles/iptables/
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/static/
- playbooks/roles/zuul-user/
- job:
name: infra-prod-service-borg-backup
parent: infra-prod-service-base
description: Run service-borg-backup.yaml playbook.
vars:
playbook_name: service-borg-backup.yaml
files:
- inventory/
- playbooks/service-borg-backup.yaml
- playbooks/roles/install-borg/
- playbooks/roles/borg-backup/
- playbooks/roles/borg-backup-server/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-registry
parent: infra-prod-service-base
description: Run service-registry.yaml playbook.
vars:
playbook_name: service-registry.yaml
files:
- inventory/
- playbooks/service-registry.yaml
- inventory/service/group_vars/registry.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/registry/
- job:
name: infra-prod-service-zuul-preview
parent: infra-prod-service-base
description: Run service-zuul-preview.yaml playbook.
vars:
playbook_name: service-zuul-preview.yaml
files:
- inventory/
- playbooks/service-zuul-preview.yaml
- inventory/service/group_vars/zuul-preview.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zuul-preview/
- job:
name: infra-prod-service-zookeeper
parent: infra-prod-service-base
description: Run service-zookeeper.yaml playbook.
vars:
playbook_name: service-zookeeper.yaml
files:
- inventory/.*
- inventory/service/group_vars/zookeeper.yaml
- ^inventory/service/host_vars/zk\d+\..*
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- job:
name: infra-prod-service-zuul
parent: infra-prod-service-base
description: |
Run service-zuul.yaml playbook.
This configures the main Zuul cluster. It will perform a
smart-reconfigure of the scheduler if the tenant configuration
is changed.
vars:
playbook_name: service-zuul.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: infra-prod-manage-projects
soft: true
files:
- inventory/.*
- playbooks/install-ansible.yaml
- playbooks/service-zuul.yaml
- inventory/service/group_vars/zuul
- inventory/service/group_vars/zookeeper.yaml
- inventory/service/host_vars/zk\d+
- inventory/service/host_vars/zuul01.openstack.org
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- playbooks/roles/zuul
- job:
name: infra-prod-service-review
parent: infra-prod-service-base
description: Run service-review.yaml playbook.
vars:
playbook_name: service-review.yaml
dependencies: &infra_prod_service_review_deps
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-gerrit-3.2
soft: true
files:
- inventory/
- playbooks/service-review.yaml
- inventory/service/group_vars/gerrit.yaml
- inventory/service/host_vars/review01.openstack.org.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/
- job:
name: infra-prod-service-review-dev
parent: infra-prod-service-base
description: Run service-review-dev.yaml playbook.
vars:
playbook_name: service-review-dev.yaml
dependencies: *infra_prod_service_review_deps
files:
- inventory/
- playbooks/service-review-dev.yaml
- inventory/service/group_vars/gerrit.yaml
- inventory/service/host_vars/review-dev01.opendev.org.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/
- job:
name: infra-prod-service-refstack
parent: infra-prod-service-base
description: Run service-refstack.yaml playbook.
vars:
playbook_name: service-refstack.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-refstack
soft: true
files:
- inventory/
- playbooks/service-refstack.yaml
- inventory/service/group_vars/
- inventory/service/host_vars/refstack[0-9][0-9]
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/refstack/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- docker/refstack
- docker/python-base/
- job:
name: infra-prod-service-gitea
parent: infra-prod-service-base
description: Run service-gitea.yaml playbook.
vars:
playbook_name: service-gitea.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-gitea-init
soft: true
- name: system-config-promote-image-gitea
soft: true
files:
- inventory/
- playbooks/service-gitea.yaml
- inventory/service/group_vars/gitea.yaml
- inventory/service/host_vars/gitea[0-9][0-9]
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/gitea/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- docker/gitea/
- docker/gitea-init/
- docker/jinja-init/
- docker/python-base/
- job:
name: infra-prod-service-eavesdrop
parent: infra-prod-service-base
description: Run service-eavesdrop.yaml playbook.
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
- openstack/project-config
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-accessbot
soft: true
vars:
playbook_name: service-eavesdrop.yaml
files: &infra_prod_eavesdrop_files
- inventory/
- playbooks/service-eavesdrop.yaml
- playbooks/run-accessbot.yaml
- inventory/service/group_vars/eavesdrop.yaml
- inventory/service/group_vars/puppet.yaml
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/zuul-user
- playbooks/roles/install-docker
- playbooks/roles/iptables/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot
- playbooks/roles/logrotate
- modules/openstack_project/manifests/eavesdrop.pp
- manifests/eavesdrop.pp
- docker/accessbot/
- job:
name: infra-prod-run-accessbot
parent: infra-prod-service-base
description: Run run-accessbot.yaml playbook.
required-projects:
- opendev/system-config
- openstack/project-config
dependencies:
- infra-prod-service-eavesdrop
vars:
playbook_name: run-accessbot.yaml
files:
- accessbot/channels.yaml
- playbooks/run-accessbot.yaml
- playbooks/roles/accessbot
- docker/accessbot/
- job:
name: infra-prod-service-codesearch
parent: infra-prod-service-base
description: Run service-codesearch.yaml playbook.
vars:
playbook_name: service-codesearch.yaml
files:
- docker/hound/
- inventory/
- playbooks/service-codesearch.yaml
- inventory/service/host_vars/codesearch01.opendev.yaml
- inventory/service/group_vars/codesearch
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/codesearch
- playbooks/roles/logrotate
- playbooks/roles/iptables
- job:
name: infra-prod-service-grafana
parent: infra-prod-service-base
description: Run service-grafana.yaml playbook.
vars:
playbook_name: service-grafana.yaml
files:
- inventory/
- playbooks/service-grafana.yaml
- inventory/service/host_vars/grafana01.org.yaml
- inventory/service/group_vars/grafana
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/grafana
- playbooks/roles/logrotate
- playbooks/roles/iptables/
- job:
name: infra-prod-service-graphite
parent: infra-prod-service-base
description: Run service-graphite.yaml playbook.
vars:
playbook_name: service-graphite.yaml
files:
- inventory/
- playbooks/service-graphite.yaml
- inventory/service/host_vars/graphite02.opendev.org.yaml
- inventory/service/group_vars/graphite
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/graphite/
- playbooks/roles/iptables/
# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
- job:
name: infra-prod-service-afs
parent: infra-prod-service-base
description: Run AFS playbook.
vars:
playbook_name: service-afs.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
files:
- inventory/
- playbooks/service-afs.yaml
- inventory/service/group_vars/afs
- inventory/service/group_vars/mirror-update
- inventory/service/group_vars/puppet
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- playbooks/roles/vos-release/
- playbooks/roles/openafs-server/
- modules/
- manifests/
- job:
name: infra-prod-service-kerberos
parent: infra-prod-service-base
description: Run Kerberos playbook.
vars:
playbook_name: service-kerberos.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/system-config
files:
- inventory/
- playbooks/service-kerberos.yaml
- inventory/service/group_vars/kerberos-kdc.yaml
- playbooks/roles/kerberos-kdc/
- roles/kerberos-client/
- playbooks/roles/iptables/
- job:
name: infra-prod-remote-puppet-else
parent: infra-prod-service-base
description: Run remote-puppet-else.yaml playbook.
vars:
playbook_name: remote_puppet_else.yaml
infra_prod_ansible_forks: 50
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
files:
- hiera/
- inventory/
- playbooks/remote_puppet_else.yaml
- inventory/service/group_vars/
- inventory/service/host_vars/
- inventory/service/group_vars/puppet
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- modules/
- manifests/
- job:
name: infra-prod-run-cloud-launcher
parent: infra-prod-service-base
description: Run cloud launcher playbook
vars:
playbook_name: run_cloud_launcher.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/ansible-role-cloud-launcher
- opendev/system-config
dependencies:
- name: infra-prod-service-bridge
soft: true
files:
- playbooks/run_cloud_launcher.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml
View Git Blame Copy Permalink