670107045a
This impelements mirrors to live in the opendev.org namespace. The implementation is Ansible native for deployment on a Bionic node. The hostname prefix remains the same (mirrorXX.region.provider.) but the groups.yaml splits the opendev.org mirrors into a separate group. The matches in the puppet group are also updated so to not run puppet on the hosts. The kerberos and openafs client parts do not need any updating and works on the Bionic host. The hosts are setup to provision certificates for themselves from letsencrypt. Note we've added a new handler for mirror nodes to use that restarts apache on certificate issue/renewal. The new "mirror" role is a port of the existing puppet mirror.pp. It installs apache, sets up some modules, makes some symlinks, sets up a cleanup cron job and installs the apache vhost configuration. The vhost configuration is also ported from the extant puppet. It is simplified somewhat; but the biggest change is that we have extracted the main port 80 configuration into a macro which is applied to both port 80 and 443; i.e. the host will have SSL support. The other ports are left alone for now, but can be updated in due course. Thus we should be able to CNAME the existing mirrors to new nodes, and any existing http access can continue. We can update our mirror setup scripts to point to https resources as appropriate. Change-Id: Iec576d631dd5b02f6b9fb445ee600be060f9cf1e
103 lines
4.1 KiB
YAML
103 lines
4.1 KiB
YAML
- import_playbook: ../bridge.yaml
|
|
vars:
|
|
root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa') }}"
|
|
ansible_cron_install_cron: false
|
|
|
|
- hosts: bridge.openstack.org
|
|
become: true
|
|
tasks:
|
|
- name: Write inventory on bridge
|
|
include_role:
|
|
name: write-inventory
|
|
vars:
|
|
write_inventory_dest: /etc/ansible/hosts/inventory.yaml
|
|
write_inventory_exclude_hostvars:
|
|
- ansible_user
|
|
- name: Set up /opt/system-config repo
|
|
git:
|
|
repo: /home/zuul/src/opendev.org/opendev/system-config
|
|
dest: /opt/system-config
|
|
force: yes
|
|
# TODO: the next two tasks are update-system-config.yaml and
|
|
# should be removed or refactored out of here to a shared
|
|
# location.
|
|
- name: Clone puppet modules to /etc/puppet/modules
|
|
command: ./install_modules.sh
|
|
args:
|
|
chdir: /opt/system-config
|
|
- name: Install ansible roles to /etc/ansible/roles
|
|
command: ansible-galaxy install --roles-path /etc/ansible/roles --force -r roles.yaml
|
|
args:
|
|
chdir: /opt/system-config
|
|
- name: Add groups config for test nodes
|
|
template:
|
|
src: "templates/gate-groups.yaml.j2"
|
|
dest: "/etc/ansible/hosts/gate-groups.yaml"
|
|
- name: Update ansible.cfg to use job inventory
|
|
ini_file:
|
|
path: /etc/ansible/ansible.cfg
|
|
section: defaults
|
|
option: inventory
|
|
value: /etc/ansible/hosts/inventory.yaml,/opt/system-config/inventory/groups.yaml,/etc/ansible/hosts/gate-groups.yaml
|
|
- name: Update ansible.cfg to use yamlgroup plugin
|
|
ini_file:
|
|
path: /etc/ansible/ansible.cfg
|
|
section: defaults
|
|
option: inventory_plugins
|
|
value: /opt/system-config/playbooks/roles/install-ansible/files/inventory_plugins
|
|
- name: Update ansible.cfg to configure inventory plugins
|
|
ini_file:
|
|
path: /etc/ansible/ansible.cfg
|
|
section: inventory
|
|
option: enable_plugins
|
|
value: yamlgroup,yaml,advanced_host_list,ini
|
|
- name: Make host_vars directory
|
|
file:
|
|
path: "/etc/ansible/hosts/host_vars"
|
|
state: directory
|
|
- name: Make group_vars directory
|
|
file:
|
|
path: "/etc/ansible/hosts/group_vars"
|
|
state: directory
|
|
- name: Write hostvars files
|
|
vars:
|
|
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
|
|
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
|
|
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
|
|
iptables_test_public_tcp_ports: [19885]
|
|
template:
|
|
src: "templates/{{ item }}.j2"
|
|
dest: "/etc/ansible/hosts/{{ item }}"
|
|
loop:
|
|
- group_vars/all.yaml
|
|
- group_vars/adns.yaml
|
|
- group_vars/nodepool.yaml
|
|
- group_vars/ns.yaml
|
|
- group_vars/registry.yaml
|
|
- group_vars/gitea.yaml
|
|
- group_vars/gitea-lb.yaml
|
|
- group_vars/letsencrypt.yaml
|
|
- group_vars/registry.yaml
|
|
- host_vars/bridge.openstack.org.yaml
|
|
- host_vars/letsencrypt01.opendev.org.yaml
|
|
- host_vars/letsencrypt02.opendev.org.yaml
|
|
- host_vars/mirror01.region.provider.opendev.org.yaml
|
|
- name: Display group membership
|
|
command: ansible localhost -m debug -a 'var=groups'
|
|
- name: Run base.yaml
|
|
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml
|
|
- name: Run bridge service playbook
|
|
command: ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml
|
|
- name: Run playbook
|
|
when: run_playbooks is defined
|
|
loop: "{{ run_playbooks }}"
|
|
command: "ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }}"
|
|
- name: Run test playbook
|
|
when: run_test_playbook is defined
|
|
shell: "ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }}"
|
|
- name: Run testinfra to validate configuration
|
|
include_role:
|
|
name: tox
|
|
vars:
|
|
tox_envlist: testinfra
|