83ced7f6e6
Make inventory/service for service-specific things, including the groups.yaml group definitions, and inventory/base for hostvars related to the base system, including the list of hosts. Move the exisitng host_vars into inventory/service, since most of them are likely service-specific. Move group_vars/all.yaml into base/group_vars as almost all of it is related to base things, with the execption of the gerrit public key. A followup patch will move host-specific values into equivilent files in inventory/base. This should let us override hostvars in gate jobs. It should also allow us to do better file matchers - and to be able to organize our playbooks move if we want to. Depends-On: https://review.opendev.org/731583 Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf
580 lines
18 KiB
YAML
580 lines
18 KiB
YAML
# Make sure only one run of a system-config playbook happens at a time
|
|
- semaphore:
|
|
name: infra-prod-playbook
|
|
max: 1
|
|
|
|
- job:
|
|
name: infra-prod-playbook
|
|
description: |
|
|
Run specified playbook against productions hosts.
|
|
|
|
This is a parent job designed to be inherited to enabled
|
|
CD deployment of our infrastructure. Set playbook_name to
|
|
specify the playbook relative to
|
|
/home/zuul/src/opendev.org/opendev/system-config/playbooks
|
|
on bridge.openstack.org.
|
|
abstract: true
|
|
semaphore: infra-prod-playbook
|
|
run: playbooks/zuul/run-production-playbook.yaml
|
|
required-projects:
|
|
- opendev/system-config
|
|
vars:
|
|
infra_prod_ansible_forks: 5
|
|
infra_prod_playbook_collect_log: false
|
|
nodeset:
|
|
nodes: []
|
|
|
|
- job:
|
|
name: infra-prod-install-ansible
|
|
parent: infra-prod-playbook
|
|
description: Install ansible on bridge.
|
|
vars:
|
|
playbook_name: install-ansible.yaml
|
|
files:
|
|
- inventory/
|
|
- roles/
|
|
- install_modules.sh
|
|
- modules.env
|
|
- playbooks/install-ansible.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-ansible/
|
|
- playbooks/roles/logrotate/
|
|
- playbooks/roles/root-keys/
|
|
- inventory/service/host_vars/bridge.openstack.org.yaml
|
|
- playbooks/zuul/run-production-playbook.yaml
|
|
|
|
- job:
|
|
name: infra-prod-base
|
|
parent: infra-prod-playbook
|
|
description: Run the base playbook everywhere.
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
vars:
|
|
playbook_name: base.yaml
|
|
infra_prod_ansible_forks: 50
|
|
files:
|
|
- inventory/
|
|
- inventory/service/host_vars/
|
|
- inventory/service/group_vars/
|
|
- playbooks/base.yaml
|
|
- playbooks/roles/base/
|
|
|
|
- job:
|
|
name: infra-prod-letsencrypt
|
|
parent: infra-prod-playbook
|
|
description: Run letsencrypt.yaml playbook.
|
|
vars:
|
|
playbook_name: letsencrypt.yaml
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
files:
|
|
- inventory/
|
|
- playbooks/letsencrypt.yaml
|
|
# Any touching of host_vars or group_vars can substantively
|
|
# change the certs we're doing, so be greedy here.
|
|
- inventory/service/host_vars/
|
|
- inventory/service/group_vars/
|
|
- playbooks/roles/letsencrypt
|
|
- playbooks/roles/logrotate/
|
|
|
|
- job:
|
|
name: infra-prod-manage-projects
|
|
parent: infra-prod-playbook
|
|
description: |
|
|
Create and update projects in gerrit and gitea.
|
|
allowed-projects:
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
required-projects:
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
vars:
|
|
playbook_name: manage-projects.yaml
|
|
infra_prod_ansible_forks: 10
|
|
infra_prod_playbook_collect_log: true
|
|
|
|
- job:
|
|
name: infra-prod-service-base
|
|
parent: infra-prod-playbook
|
|
description: Base job for most service playbooks.
|
|
abstract: true
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
|
|
- job:
|
|
name: infra-prod-service-bridge
|
|
parent: infra-prod-service-base
|
|
description: Run service-bridge.yaml playbook.
|
|
vars:
|
|
playbook_name: service-bridge.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-bridge.yaml
|
|
- inventory/service/host_vars/bridge.openstack.org.yaml
|
|
- playbooks/roles/logrotate/
|
|
- playbooks/roles/edit-secrets-script/
|
|
- playbooks/roles/install-kubectl/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/configure-kubectl/
|
|
- playbooks/roles/configure-openstacksdk/
|
|
- playbooks/templates/clouds/bridge_all_clouds.yaml.j2
|
|
|
|
- job:
|
|
name: infra-prod-service-gitea-lb
|
|
parent: infra-prod-service-base
|
|
description: Run service-gitea-lb.yaml playbook.
|
|
vars:
|
|
playbook_name: service-gitea-lb.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-gitea-lb.yaml
|
|
- inventory/service/group_vars/gitea-lb.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/haproxy/
|
|
|
|
- job:
|
|
name: infra-prod-service-nameserver
|
|
parent: infra-prod-service-base
|
|
description: Run service-nameserver.yaml playbook.
|
|
vars:
|
|
playbook_name: service-nameserver.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-nameserver.yaml
|
|
- inventory/service/host_vars/adns1.opendev.org.yaml
|
|
- inventory/service/host_vars/ns1.opendev.org.yaml
|
|
- inventory/service/host_vars/ns2.opendev.org.yaml
|
|
- inventory/service/group_vars/adns.yaml
|
|
- inventory/service/group_vars/ns.yaml
|
|
- playbooks/roles/master-nameserver/
|
|
- playbooks/roles/nameserver/
|
|
- playbooks/roles/iptables/
|
|
|
|
- job:
|
|
name: infra-prod-service-nodepool
|
|
parent: infra-prod-service-base
|
|
description: Run service-nodepool.yaml playbook.
|
|
vars:
|
|
playbook_name: service-nodepool.yaml
|
|
required-projects:
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-nodepool.yaml
|
|
- inventory/service/host_vars/nb
|
|
- inventory/service/host_vars/nl
|
|
- inventory/service/group_vars/nodepool
|
|
- inventory/service/group_vars/puppet
|
|
- playbooks/roles/install-ansible-roles/
|
|
- playbooks/roles/run-puppet/
|
|
- playbooks/roles/configure-kubectl/
|
|
- playbooks/roles/configure-openstacksdk/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/nodepool
|
|
- playbooks/templates/clouds/nodepool_
|
|
|
|
- job:
|
|
name: infra-prod-service-etherpad
|
|
parent: infra-prod-service-base
|
|
description: Run service-etherpad.yaml playbook.
|
|
vars:
|
|
playbook_name: service-etherpad.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-etherpad.yaml
|
|
- inventory/service/host_vars/etherpad01.opendev.org.yaml
|
|
- inventory/service/group_vars/etherpad
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/etherpad
|
|
- playbooks/roles/logrotate
|
|
- playbooks/roles/iptables/
|
|
|
|
- job:
|
|
name: infra-prod-service-meetpad
|
|
parent: infra-prod-service-base
|
|
description: Run service-meetpad.yaml playbook.
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
- name: system-config-promote-image-jitsi-meet
|
|
soft: true
|
|
vars:
|
|
playbook_name: service-meetpad.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-meetpad.yaml
|
|
- inventory/service/host_vars/meetpad01.opendev.org.yaml
|
|
- inventory/service/group_vars/meetpad.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/jitsi-meet/
|
|
|
|
- job:
|
|
name: infra-prod-service-mirror-update
|
|
parent: infra-prod-service-base
|
|
description: Run service-mirror-update.yaml playbook.
|
|
vars:
|
|
playbook_name: service-mirror-update.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-mirror-update.yaml
|
|
- playbooks/roles/kerberos-client/
|
|
- playbooks/roles/openafs-client/
|
|
- playbooks/roles/mirror-update/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/logrotate/
|
|
|
|
- job:
|
|
name: infra-prod-service-mirror
|
|
parent: infra-prod-service-base
|
|
description: Run service-mirror.yaml playbook.
|
|
vars:
|
|
playbook_name: service-mirror.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-mirror.yaml
|
|
- inventory/service/group_vars/mirror.yaml
|
|
- playbooks/roles/kerberos-client/
|
|
- playbooks/roles/openafs-client/
|
|
- playbooks/roles/mirror/
|
|
- playbooks/roles/afs-release/
|
|
- playbooks/roles/afsmon/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/logrotate/
|
|
|
|
- job:
|
|
name: infra-prod-service-static
|
|
parent: infra-prod-service-base
|
|
description: Run service-static.yaml playbook.
|
|
vars:
|
|
playbook_name: service-static.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-static.yaml
|
|
- inventory/service/host_vars/static01.opendev.org.yaml
|
|
- inventory/service/group_vars/static.yaml
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/kerberos-client/
|
|
- playbooks/roles/openafs-client/
|
|
- playbooks/roles/static/
|
|
- playbooks/roles/zuul-user/
|
|
|
|
- job:
|
|
name: infra-prod-service-backup
|
|
parent: infra-prod-service-base
|
|
description: Run service-backup.yaml playbook.
|
|
vars:
|
|
playbook_name: service-backup.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-backup.yaml
|
|
- playbooks/roles/backup/
|
|
- playbooks/roles/backup-server/
|
|
- playbooks/roles/iptables/
|
|
|
|
- job:
|
|
name: infra-prod-service-registry
|
|
parent: infra-prod-service-base
|
|
description: Run service-registry.yaml playbook.
|
|
vars:
|
|
playbook_name: service-registry.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-registry.yaml
|
|
- inventory/service/group_vars/registry.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/registry/
|
|
|
|
- job:
|
|
name: infra-prod-service-zuul-preview
|
|
parent: infra-prod-service-base
|
|
description: Run service-zuul-preview.yaml playbook.
|
|
vars:
|
|
playbook_name: service-zuul-preview.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-zuul-preview.yaml
|
|
- inventory/service/group_vars/zuul-preview.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/zuul-preview/
|
|
|
|
- job:
|
|
name: infra-prod-service-zookeeper
|
|
parent: infra-prod-service-base
|
|
description: Run service-zookeeper.yaml playbook.
|
|
vars:
|
|
playbook_name: service-zookeeper.yaml
|
|
files:
|
|
- inventory/.*
|
|
- inventory/service/group_vars/zookeeper.yaml
|
|
- ^inventory/service/host_vars/zk\d+\..*
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/zookeeper/
|
|
|
|
- job:
|
|
name: infra-prod-service-zuul
|
|
parent: infra-prod-service-base
|
|
description: |
|
|
Run service-zuul.yaml playbook.
|
|
|
|
This configures the main Zuul cluster. It will perform a
|
|
smart-reconfigure of the scheduler if the tenant configuration
|
|
is changed.
|
|
vars:
|
|
playbook_name: service-zuul.yaml
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
- name: infra-prod-manage-projects
|
|
soft: true
|
|
files:
|
|
- inventory/.*
|
|
- playbooks/install-ansible.yaml
|
|
- playbooks/service-zuul.yaml
|
|
- inventory/service/group_vars/zuul
|
|
- inventory/service/group_vars/zookeeper.yaml
|
|
- inventory/service/host_vars/zk\d+
|
|
- inventory/service/host_vars/zuul01.openstack.org
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/zookeeper/
|
|
- playbooks/roles/zuul
|
|
|
|
- job:
|
|
name: infra-prod-service-review
|
|
parent: infra-prod-service-base
|
|
description: Run service-review.yaml playbook.
|
|
vars:
|
|
playbook_name: service-review.yaml
|
|
dependencies: &infra_prod_service_review_deps
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
- name: system-config-promote-image-gerrit-2.13
|
|
soft: true
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-review.yaml
|
|
- inventory/service/group_vars/gerrit.yaml
|
|
- inventory/service/host_vars/review01.openstack.org.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/gerrit/
|
|
|
|
- job:
|
|
name: infra-prod-service-review-dev
|
|
parent: infra-prod-service-base
|
|
description: Run service-review-dev.yaml playbook.
|
|
vars:
|
|
playbook_name: service-review-dev.yaml
|
|
dependencies: *infra_prod_service_review_deps
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-review-dev.yaml
|
|
- inventory/service/group_vars/gerrit.yaml
|
|
- inventory/service/host_vars/review-dev01.opendev.org.yaml
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/gerrit/
|
|
|
|
- job:
|
|
name: infra-prod-service-gitea
|
|
parent: infra-prod-service-base
|
|
description: Run service-gitea.yaml playbook.
|
|
vars:
|
|
playbook_name: service-gitea.yaml
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
- name: system-config-promote-image-gitea-init
|
|
soft: true
|
|
- name: system-config-promote-image-gitea
|
|
soft: true
|
|
files:
|
|
- inventory/
|
|
- playbooks/service-gitea.yaml
|
|
- inventory/service/group_vars/gitea.yaml
|
|
- inventory/service/host_vars/gitea[0-9][0-9]
|
|
- playbooks/roles/install-docker/
|
|
- playbooks/roles/pip3/
|
|
- playbooks/roles/gitea/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/logrotate/
|
|
- docker/gitea/
|
|
- docker/gitea-init/
|
|
- docker/jinja-init/
|
|
- docker/python-base/
|
|
|
|
- job:
|
|
name: infra-prod-service-codesearch
|
|
parent: infra-prod-service-base
|
|
description: Run service-codesearch.yaml playbook.
|
|
required-projects:
|
|
- opendev/ansible-role-puppet
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
vars:
|
|
playbook_name: service-codesearch.yaml
|
|
files:
|
|
- inventory/
|
|
- playbooks/install-ansible.yaml
|
|
- playbooks/service-codesearch.yaml
|
|
- inventory/service/group_vars/puppet.yaml
|
|
- playbooks/roles/run-puppet/
|
|
- playbooks/roles/install-ansible-roles/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/sync-project-config
|
|
- playbooks/roles/puppet-install/
|
|
- playbooks/roles/disable-puppet-agent/
|
|
- modules/openstack_project/manifests/codesearch.pp
|
|
- modules/openstack_project/files/resync-hound-config.sh
|
|
- manifests/codesearch.pp
|
|
|
|
- job:
|
|
name: infra-prod-service-eavesdrop
|
|
parent: infra-prod-service-base
|
|
description: Run service-eavesdrop.yaml playbook.
|
|
required-projects:
|
|
- opendev/ansible-role-puppet
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
dependencies:
|
|
- name: infra-prod-install-ansible
|
|
soft: true
|
|
- name: infra-prod-letsencrypt
|
|
soft: true
|
|
- name: system-config-promote-image-accessbot
|
|
soft: true
|
|
vars:
|
|
playbook_name: service-eavesdrop.yaml
|
|
files: &infra_prod_eavesdrop_files
|
|
- inventory/
|
|
- playbooks/service-eavesdrop.yaml
|
|
- playbooks/run-accessbot.yaml
|
|
- inventory/service/group_vars/eavesdrop.yaml
|
|
- inventory/service/group_vars/puppet.yaml
|
|
- playbooks/roles/run-puppet/
|
|
- playbooks/roles/install-ansible-roles/
|
|
- playbooks/roles/zuul-user
|
|
- playbooks/roles/install-docker
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/puppet-install/
|
|
- playbooks/roles/disable-puppet-agent/
|
|
- playbooks/roles/accessbot
|
|
- playbooks/roles/logrotate
|
|
- modules/openstack_project/manifests/eavesdrop.pp
|
|
- manifests/eavesdrop.pp
|
|
- docker/accessbot/
|
|
|
|
- job:
|
|
name: infra-prod-run-accessbot
|
|
parent: infra-prod-service-base
|
|
description: Run run-accessbot.yaml playbook.
|
|
required-projects:
|
|
- opendev/system-config
|
|
- openstack/project-config
|
|
dependencies:
|
|
- infra-prod-service-eavesdrop
|
|
vars:
|
|
playbook_name: run-accessbot.yaml
|
|
files:
|
|
- accessbot/channels.yaml
|
|
- playbooks/run-accessbot.yaml
|
|
- playbooks/roles/accessbot
|
|
- docker/accessbot/
|
|
|
|
# Run AFS changes separately so we can make sure to only do one at a time
|
|
# (turns out quorum is nice to have)
|
|
- job:
|
|
name: infra-prod-remote-puppet-afs
|
|
parent: infra-prod-service-base
|
|
description: Run remote-puppet-afs.yaml playbook.
|
|
vars:
|
|
playbook_name: remote_puppet_afs.yaml
|
|
infra_prod_ansible_forks: 1
|
|
required-projects:
|
|
- opendev/ansible-role-puppet
|
|
- opendev/system-config
|
|
files:
|
|
- inventory/
|
|
- playbooks/remote_puppet_afs.yaml
|
|
- inventory/service/group_vars/afs
|
|
- inventory/service/group_vars/mirror-update
|
|
- inventory/service/group_vars/puppet
|
|
- playbooks/roles/run-puppet/
|
|
- playbooks/roles/install-ansible-roles/
|
|
- playbooks/roles/puppet-install/
|
|
- playbooks/roles/disable-puppet-agent/
|
|
- playbooks/roles/iptables/
|
|
- playbooks/roles/vos-release/
|
|
- modules/
|
|
- manifests/
|
|
|
|
- job:
|
|
name: infra-prod-remote-puppet-else
|
|
parent: infra-prod-service-base
|
|
description: Run remote-puppet-else.yaml playbook.
|
|
vars:
|
|
playbook_name: remote_puppet_else.yaml
|
|
infra_prod_ansible_forks: 50
|
|
required-projects:
|
|
- opendev/ansible-role-puppet
|
|
- opendev/system-config
|
|
files:
|
|
- hiera/
|
|
- inventory/
|
|
- playbooks/remote_puppet_else.yaml
|
|
- inventory/service/group_vars/
|
|
- inventory/service/host_vars/
|
|
- inventory/service/group_vars/puppet
|
|
- playbooks/roles/run-puppet/
|
|
- playbooks/roles/install-ansible-roles/
|
|
- playbooks/roles/puppet-install/
|
|
- playbooks/roles/disable-puppet-agent/
|
|
- playbooks/roles/iptables/
|
|
- modules/
|
|
- manifests/
|
|
|
|
- job:
|
|
name: infra-prod-run-cloud-launcher
|
|
parent: infra-prod-service-base
|
|
description: Run cloud launcher playbook
|
|
vars:
|
|
playbook_name: run_cloud_launcher.yaml
|
|
infra_prod_ansible_forks: 1
|
|
required-projects:
|
|
- opendev/ansible-role-cloud-launcher
|
|
- opendev/system-config
|
|
dependencies:
|
|
- name: infra-prod-service-bridge
|
|
soft: true
|
|
files:
|
|
- playbooks/run_cloud_launcher.yaml
|
|
- inventory/service/host_vars/bridge.openstack.org.yaml
|