system-config/zuul.d/infra-prod.yaml
Monty Taylor 83ced7f6e6 Split inventory into multiple dirs and move hostvars
Make inventory/service for service-specific things, including the
groups.yaml group definitions, and inventory/base for hostvars
related to the base system, including the list of hosts.

Move the exisitng host_vars into inventory/service, since most of
them are likely service-specific. Move group_vars/all.yaml into
base/group_vars as almost all of it is related to base things,
with the execption of the gerrit public key.

A followup patch will move host-specific values into equivilent
files in inventory/base.

This should let us override hostvars in gate jobs. It should also
allow us to do better file matchers - and to be able to organize
our playbooks move if we want to.

Depends-On: https://review.opendev.org/731583
Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf
2020-06-04 07:44:36 -05:00

580 lines
18 KiB
YAML

# Make sure only one run of a system-config playbook happens at a time
- semaphore:
name: infra-prod-playbook
max: 1
- job:
name: infra-prod-playbook
description: |
Run specified playbook against productions hosts.
This is a parent job designed to be inherited to enabled
CD deployment of our infrastructure. Set playbook_name to
specify the playbook relative to
/home/zuul/src/opendev.org/opendev/system-config/playbooks
on bridge.openstack.org.
abstract: true
semaphore: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml
required-projects:
- opendev/system-config
vars:
infra_prod_ansible_forks: 5
infra_prod_playbook_collect_log: false
nodeset:
nodes: []
- job:
name: infra-prod-install-ansible
parent: infra-prod-playbook
description: Install ansible on bridge.
vars:
playbook_name: install-ansible.yaml
files:
- inventory/
- roles/
- install_modules.sh
- modules.env
- playbooks/install-ansible.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-ansible/
- playbooks/roles/logrotate/
- playbooks/roles/root-keys/
- inventory/service/host_vars/bridge.openstack.org.yaml
- playbooks/zuul/run-production-playbook.yaml
- job:
name: infra-prod-base
parent: infra-prod-playbook
description: Run the base playbook everywhere.
dependencies:
- name: infra-prod-install-ansible
soft: true
vars:
playbook_name: base.yaml
infra_prod_ansible_forks: 50
files:
- inventory/
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/base.yaml
- playbooks/roles/base/
- job:
name: infra-prod-letsencrypt
parent: infra-prod-playbook
description: Run letsencrypt.yaml playbook.
vars:
playbook_name: letsencrypt.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
files:
- inventory/
- playbooks/letsencrypt.yaml
# Any touching of host_vars or group_vars can substantively
# change the certs we're doing, so be greedy here.
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/roles/letsencrypt
- playbooks/roles/logrotate/
- job:
name: infra-prod-manage-projects
parent: infra-prod-playbook
description: |
Create and update projects in gerrit and gitea.
allowed-projects:
- opendev/system-config
- openstack/project-config
required-projects:
- opendev/system-config
- openstack/project-config
vars:
playbook_name: manage-projects.yaml
infra_prod_ansible_forks: 10
infra_prod_playbook_collect_log: true
- job:
name: infra-prod-service-base
parent: infra-prod-playbook
description: Base job for most service playbooks.
abstract: true
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- job:
name: infra-prod-service-bridge
parent: infra-prod-service-base
description: Run service-bridge.yaml playbook.
vars:
playbook_name: service-bridge.yaml
files:
- inventory/
- playbooks/service-bridge.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml
- playbooks/roles/logrotate/
- playbooks/roles/edit-secrets-script/
- playbooks/roles/install-kubectl/
- playbooks/roles/iptables/
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/templates/clouds/bridge_all_clouds.yaml.j2
- job:
name: infra-prod-service-gitea-lb
parent: infra-prod-service-base
description: Run service-gitea-lb.yaml playbook.
vars:
playbook_name: service-gitea-lb.yaml
files:
- inventory/
- playbooks/service-gitea-lb.yaml
- inventory/service/group_vars/gitea-lb.yaml
- playbooks/roles/pip3/
- playbooks/roles/iptables/
- playbooks/roles/install-docker/
- playbooks/roles/haproxy/
- job:
name: infra-prod-service-nameserver
parent: infra-prod-service-base
description: Run service-nameserver.yaml playbook.
vars:
playbook_name: service-nameserver.yaml
files:
- inventory/
- playbooks/service-nameserver.yaml
- inventory/service/host_vars/adns1.opendev.org.yaml
- inventory/service/host_vars/ns1.opendev.org.yaml
- inventory/service/host_vars/ns2.opendev.org.yaml
- inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/ns.yaml
- playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-nodepool
parent: infra-prod-service-base
description: Run service-nodepool.yaml playbook.
vars:
playbook_name: service-nodepool.yaml
required-projects:
- opendev/system-config
- openstack/project-config
files:
- inventory/
- playbooks/service-nodepool.yaml
- inventory/service/host_vars/nb
- inventory/service/host_vars/nl
- inventory/service/group_vars/nodepool
- inventory/service/group_vars/puppet
- playbooks/roles/install-ansible-roles/
- playbooks/roles/run-puppet/
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/nodepool
- playbooks/templates/clouds/nodepool_
- job:
name: infra-prod-service-etherpad
parent: infra-prod-service-base
description: Run service-etherpad.yaml playbook.
vars:
playbook_name: service-etherpad.yaml
files:
- inventory/
- playbooks/service-etherpad.yaml
- inventory/service/host_vars/etherpad01.opendev.org.yaml
- inventory/service/group_vars/etherpad
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/etherpad
- playbooks/roles/logrotate
- playbooks/roles/iptables/
- job:
name: infra-prod-service-meetpad
parent: infra-prod-service-base
description: Run service-meetpad.yaml playbook.
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-jitsi-meet
soft: true
vars:
playbook_name: service-meetpad.yaml
files:
- inventory/
- playbooks/service-meetpad.yaml
- inventory/service/host_vars/meetpad01.opendev.org.yaml
- inventory/service/group_vars/meetpad.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/jitsi-meet/
- job:
name: infra-prod-service-mirror-update
parent: infra-prod-service-base
description: Run service-mirror-update.yaml playbook.
vars:
playbook_name: service-mirror-update.yaml
files:
- inventory/
- playbooks/service-mirror-update.yaml
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/mirror-update/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- job:
name: infra-prod-service-mirror
parent: infra-prod-service-base
description: Run service-mirror.yaml playbook.
vars:
playbook_name: service-mirror.yaml
files:
- inventory/
- playbooks/service-mirror.yaml
- inventory/service/group_vars/mirror.yaml
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/mirror/
- playbooks/roles/afs-release/
- playbooks/roles/afsmon/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- job:
name: infra-prod-service-static
parent: infra-prod-service-base
description: Run service-static.yaml playbook.
vars:
playbook_name: service-static.yaml
files:
- inventory/
- playbooks/service-static.yaml
- inventory/service/host_vars/static01.opendev.org.yaml
- inventory/service/group_vars/static.yaml
- playbooks/roles/iptables/
- playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/
- playbooks/roles/static/
- playbooks/roles/zuul-user/
- job:
name: infra-prod-service-backup
parent: infra-prod-service-base
description: Run service-backup.yaml playbook.
vars:
playbook_name: service-backup.yaml
files:
- inventory/
- playbooks/service-backup.yaml
- playbooks/roles/backup/
- playbooks/roles/backup-server/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-registry
parent: infra-prod-service-base
description: Run service-registry.yaml playbook.
vars:
playbook_name: service-registry.yaml
files:
- inventory/
- playbooks/service-registry.yaml
- inventory/service/group_vars/registry.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/registry/
- job:
name: infra-prod-service-zuul-preview
parent: infra-prod-service-base
description: Run service-zuul-preview.yaml playbook.
vars:
playbook_name: service-zuul-preview.yaml
files:
- inventory/
- playbooks/service-zuul-preview.yaml
- inventory/service/group_vars/zuul-preview.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zuul-preview/
- job:
name: infra-prod-service-zookeeper
parent: infra-prod-service-base
description: Run service-zookeeper.yaml playbook.
vars:
playbook_name: service-zookeeper.yaml
files:
- inventory/.*
- inventory/service/group_vars/zookeeper.yaml
- ^inventory/service/host_vars/zk\d+\..*
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- job:
name: infra-prod-service-zuul
parent: infra-prod-service-base
description: |
Run service-zuul.yaml playbook.
This configures the main Zuul cluster. It will perform a
smart-reconfigure of the scheduler if the tenant configuration
is changed.
vars:
playbook_name: service-zuul.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: infra-prod-manage-projects
soft: true
files:
- inventory/.*
- playbooks/install-ansible.yaml
- playbooks/service-zuul.yaml
- inventory/service/group_vars/zuul
- inventory/service/group_vars/zookeeper.yaml
- inventory/service/host_vars/zk\d+
- inventory/service/host_vars/zuul01.openstack.org
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- playbooks/roles/zuul
- job:
name: infra-prod-service-review
parent: infra-prod-service-base
description: Run service-review.yaml playbook.
vars:
playbook_name: service-review.yaml
dependencies: &infra_prod_service_review_deps
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-gerrit-2.13
soft: true
files:
- inventory/
- playbooks/service-review.yaml
- inventory/service/group_vars/gerrit.yaml
- inventory/service/host_vars/review01.openstack.org.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/
- job:
name: infra-prod-service-review-dev
parent: infra-prod-service-base
description: Run service-review-dev.yaml playbook.
vars:
playbook_name: service-review-dev.yaml
dependencies: *infra_prod_service_review_deps
files:
- inventory/
- playbooks/service-review-dev.yaml
- inventory/service/group_vars/gerrit.yaml
- inventory/service/host_vars/review-dev01.opendev.org.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/
- job:
name: infra-prod-service-gitea
parent: infra-prod-service-base
description: Run service-gitea.yaml playbook.
vars:
playbook_name: service-gitea.yaml
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-gitea-init
soft: true
- name: system-config-promote-image-gitea
soft: true
files:
- inventory/
- playbooks/service-gitea.yaml
- inventory/service/group_vars/gitea.yaml
- inventory/service/host_vars/gitea[0-9][0-9]
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/gitea/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- docker/gitea/
- docker/gitea-init/
- docker/jinja-init/
- docker/python-base/
- job:
name: infra-prod-service-codesearch
parent: infra-prod-service-base
description: Run service-codesearch.yaml playbook.
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
- openstack/project-config
vars:
playbook_name: service-codesearch.yaml
files:
- inventory/
- playbooks/install-ansible.yaml
- playbooks/service-codesearch.yaml
- inventory/service/group_vars/puppet.yaml
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/iptables/
- playbooks/roles/sync-project-config
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- modules/openstack_project/manifests/codesearch.pp
- modules/openstack_project/files/resync-hound-config.sh
- manifests/codesearch.pp
- job:
name: infra-prod-service-eavesdrop
parent: infra-prod-service-base
description: Run service-eavesdrop.yaml playbook.
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
- openstack/project-config
dependencies:
- name: infra-prod-install-ansible
soft: true
- name: infra-prod-letsencrypt
soft: true
- name: system-config-promote-image-accessbot
soft: true
vars:
playbook_name: service-eavesdrop.yaml
files: &infra_prod_eavesdrop_files
- inventory/
- playbooks/service-eavesdrop.yaml
- playbooks/run-accessbot.yaml
- inventory/service/group_vars/eavesdrop.yaml
- inventory/service/group_vars/puppet.yaml
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/zuul-user
- playbooks/roles/install-docker
- playbooks/roles/iptables/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot
- playbooks/roles/logrotate
- modules/openstack_project/manifests/eavesdrop.pp
- manifests/eavesdrop.pp
- docker/accessbot/
- job:
name: infra-prod-run-accessbot
parent: infra-prod-service-base
description: Run run-accessbot.yaml playbook.
required-projects:
- opendev/system-config
- openstack/project-config
dependencies:
- infra-prod-service-eavesdrop
vars:
playbook_name: run-accessbot.yaml
files:
- accessbot/channels.yaml
- playbooks/run-accessbot.yaml
- playbooks/roles/accessbot
- docker/accessbot/
# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
- job:
name: infra-prod-remote-puppet-afs
parent: infra-prod-service-base
description: Run remote-puppet-afs.yaml playbook.
vars:
playbook_name: remote_puppet_afs.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
files:
- inventory/
- playbooks/remote_puppet_afs.yaml
- inventory/service/group_vars/afs
- inventory/service/group_vars/mirror-update
- inventory/service/group_vars/puppet
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- playbooks/roles/vos-release/
- modules/
- manifests/
- job:
name: infra-prod-remote-puppet-else
parent: infra-prod-service-base
description: Run remote-puppet-else.yaml playbook.
vars:
playbook_name: remote_puppet_else.yaml
infra_prod_ansible_forks: 50
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
files:
- hiera/
- inventory/
- playbooks/remote_puppet_else.yaml
- inventory/service/group_vars/
- inventory/service/host_vars/
- inventory/service/group_vars/puppet
- playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- modules/
- manifests/
- job:
name: infra-prod-run-cloud-launcher
parent: infra-prod-service-base
description: Run cloud launcher playbook
vars:
playbook_name: run_cloud_launcher.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/ansible-role-cloud-launcher
- opendev/system-config
dependencies:
- name: infra-prod-service-bridge
soft: true
files:
- playbooks/run_cloud_launcher.yaml
- inventory/service/host_vars/bridge.openstack.org.yaml