cab53d10ac
Clean up references to lists.openstack.org other than as a virtual host on the new lists01.opendev.org Mailman v3 server. Update a few stale references to the old openstack-infra mailing list (and accompanying stale references to the OpenStack Foundation and OpenStack Infra team). Update our mailing list service documentation to reflect the new system rather than the old one. Once this change merges, we can create an archival image of the old server and delete it (as well as removing it from our emergency skip list for Ansible). Side note, the lists.openstack.org server will be 11.5 years old on November 1, created 2012-05-01 21:14:53 UTC. Farewell, old friend! Change-Id: I54eddbaaddc7c88bdea8a1dbc88f27108c223239
# Run the bridge bootstrap playbook first. The per-build private key that
# Zuul placed in the executor work root (<build>_id_rsa) is read verbatim;
# rstrip=False keeps trailing whitespace such as the final newline.
- import_playbook: ../bootstrap-bridge.yaml
  vars:
    # Consumed by the imported playbook. Judging by the names, these switch
    # off the Ansible cron job and the cloud launcher job for the test run;
    # confirm against bootstrap-bridge.yaml.
    ansible_cron_disable_job: true
    cloud_launcher_disable_job: true
    # Private key material: avoid echoing this variable in debug output.
    root_rsa_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa', rstrip=False) }}"
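# setup opendev CA
#
# Generate a short-lived (30 day) self-signed CA on the first bastion host.
# The key and certificate are slurped into registered variables so that a
# later play can read them through hostvars.
- hosts: prod_bastion[0]
  become: true
  tasks:
    - name: Make temporary dir for CA generation
      tempfile:
        state: directory
      register: _ca_tempdir

    - name: Create CA PEM/crt
      shell: |
        set -x
        # Generate a CA key
        openssl genrsa -out ca.key 2048
        # Create fake CA root certificate
        openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 -subj "/C=US/ST=CA/O=OpenDev Infra" -out ca.crt
      args:
        chdir: '{{ _ca_tempdir.path }}'
        executable: /bin/bash

    - name: Save key
      slurp:
        src: '{{ _ca_tempdir.path }}/ca.key'
      register: _opendev_ca_key
      # The result holds the base64-encoded private key; keep it out of the
      # task output and job logs.
      no_log: true

    - name: Save certificate
      slurp:
        src: '{{ _ca_tempdir.path }}/ca.crt'
      register: _opendev_ca_certificate

    # NOTE(review): this only runs when every task above succeeded. If the
    # key must not linger in the temporary directory after a failure, move
    # the tasks above into a block and this one into its "always" section.
    - name: Cleanup tempdir
      file:
        path: '{{ _ca_tempdir.path }}'
        state: absent
      when: _ca_tempdir.path is defined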
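# Copy the CA generated on the first bastion host to every host and add the
# certificate to the system trust store.
- hosts: all
  become: true
  tasks:
    - name: Make CA directory
      file:
        path: '/etc/opendev-ca'
        state: directory
        owner: root
        group: root
        # Quoted so the value is not subject to YAML integer parsing. A
        # directory also needs the search (x) bit, hence 0700 and not 0600.
        mode: '0700'

    # Written with copy rather than a shell pipeline so the key material
    # never appears on a process command line, and so each file gets an
    # explicit owner and mode instead of whatever the umask yields.
    - name: Import files
      copy:
        content: '{{ item.content | b64decode }}'
        dest: '{{ item.file }}'
        owner: root
        group: root
        mode: '{{ item.mode }}'
        # Only write the file when it does not exist yet.
        force: false
      # The loop items carry the CA private key; keep them out of the task
      # output and job logs.
      no_log: true
      loop:
        - file: '/etc/opendev-ca/ca.key'
          mode: '0600'
          content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_key"]["content"] }}'
        - file: '/etc/opendev-ca/ca.crt'
          mode: '0644'
          content: '{{ hostvars[groups["prod_bastion"][0]]["_opendev_ca_certificate"]["content"] }}'

    # After this task the host trusts every certificate signed by the CA
    # key imported above.
    - name: Install and trust certificate
      shell:
        cmd: |
          cp /etc/opendev-ca/ca.crt /usr/local/share/ca-certificates/opendev-infra-ca.crt
          update-ca-certificates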
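# Configure the first bastion host to manage the test nodes: write the job
# inventory and host/group vars, run the base and service playbooks from
# the bastion, then validate the result with testinfra.
- hosts: prod_bastion[0]
  become: true
  tasks:
    - name: Write inventory on bridge
      include_role:
        name: write-inventory
      vars:
        write_inventory_dest: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml
        write_inventory_exclude_hostvars:
          - ansible_user
          - ansible_python_interpreter
        # NOTE(review): public_v4 is taken from the node's private IPv4
        # address while public_v6 uses the public one; confirm the
        # asymmetry is intended.
        write_inventory_additional_hostvars:
          public_v4: nodepool.private_ipv4
          public_v6: nodepool.public_ipv6
    - name: Add groups config for test nodes
      template:
        src: "templates/gate-groups.yaml.j2"
        dest: "/etc/ansible/hosts/gate-groups.yaml"
    - name: Update ansible.cfg to use job inventory
      ini_file:
        path: /etc/ansible/ansible.cfg
        section: defaults
        option: inventory
        value: /home/zuul/src/opendev.org/opendev/system-config/inventory/base/gate-hosts.yaml,/home/zuul/src/opendev.org/opendev/system-config/inventory/service/groups.yaml,/etc/ansible/hosts/gate-groups.yaml
    - name: Make host_vars directory
      file:
        path: "/etc/ansible/hosts/host_vars"
        state: directory
    - name: Make group_vars directory
      file:
        path: "/etc/ansible/hosts/group_vars"
        state: directory
    - name: Write hostvars files
      vars:
        bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
        bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
        bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
        iptables_test_public_tcp_ports:
          # Zuul web console
          - 19885
          # selenium
          - 4444
      template:
        src: "templates/{{ item }}.j2"
        dest: "/etc/ansible/hosts/{{ item }}"
      # Each entry is rendered from templates/<entry>.j2 and appears once.
      loop:
        - group_vars/all.yaml
        - group_vars/adns.yaml
        - group_vars/adns-primary.yaml
        - group_vars/bastion.yaml
        - group_vars/eavesdrop.yaml
        - group_vars/nodepool.yaml
        - group_vars/registry.yaml
        - group_vars/gitea.yaml
        - group_vars/gitea-lb.yaml
        - group_vars/kerberos-kdc.yaml
        - group_vars/keycloak.yaml
        - group_vars/letsencrypt.yaml
        - group_vars/mailman.yaml
        - group_vars/meetpad.yaml
        - group_vars/jvb.yaml
        - group_vars/refstack.yaml
        - group_vars/control-plane-clouds.yaml
        - group_vars/afs-client.yaml
        - group_vars/zuul-lb.yaml
        - group_vars/zuul.yaml
        - group_vars/zuul-executor.yaml
        - group_vars/zuul-merger.yaml
        - group_vars/zuul-scheduler.yaml
        - group_vars/zuul-web.yaml
        - host_vars/codesearch01.opendev.org.yaml
        - host_vars/etherpad99.opendev.org.yaml
        - host_vars/letsencrypt01.opendev.org.yaml
        - host_vars/letsencrypt02.opendev.org.yaml
        - host_vars/gitea99.opendev.org.yaml
        - host_vars/grafana01.opendev.org.yaml
        - host_vars/mirror01.openafs.provider.opendev.org.yaml
        - host_vars/mirror02.openafs.provider.opendev.org.yaml
        - host_vars/mirror-update99.opendev.org.yaml
        - host_vars/paste99.opendev.org.yaml
        - host_vars/refstack01.openstack.org.yaml
        - host_vars/review99.opendev.org.yaml
    - name: Write lists99 host_vars.
      # This file is special because it has raw tags in it that we need to
      # carry through. I can't figure out a better way to do that than copying
      # it directly rather than treating it as a template.
      copy:
        src: "files/host_vars/lists99.opendev.org.yaml"
        dest: "/etc/ansible/hosts/host_vars/lists99.opendev.org.yaml"

    - name: Display group membership
      command: ansible localhost -m debug -a 'var=groups'
    # The nested ansible-playbook runs below tee their output to
    # /var/log/ansible; pipefail makes the task fail when ansible-playbook
    # fails, not only when tee does.
    - name: Run base.yaml
      shell: 'set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/base.yaml 2>&1 | tee /var/log/ansible/base.yaml.log'
      args:
        executable: /bin/bash
    - name: Run bridge service playbook
      shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-bridge.yaml 2>&1 | tee /var/log/ansible/service-bridge.yaml.log'
      args:
        executable: /bin/bash
    - name: Run dstat logger playbook
      shell: 'set -o pipefail && ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/playbooks/service-dstatlogger.yaml 2>&1 | tee /var/log/ansible/service-dstatlogger.yaml.log'
      args:
        executable: /bin/bash

    # NOTE(review): each run_playbooks entry is interpolated into a root
    # shell command without quoting. That is fine while the list comes only
    # from trusted job configuration; apply the quote filter if it can be
    # set from anywhere less trusted.
    - name: Run playbook
      when: run_playbooks is defined
      loop: "{{ run_playbooks }}"
      shell: "set -o pipefail && ansible-playbook -f 50 -v /home/zuul/src/opendev.org/opendev/system-config/{{ item }} 2>&1 | tee /var/log/ansible/{{ item | basename }}.log"
      args:
        executable: /bin/bash

    - name: Build list of playbook logs
      find:
        paths: '/var/log/ansible'
        patterns: '*.yaml.log'
      register: _run_playbooks_logs

    # NOTE(review): this role is skipped when run_playbooks is undefined,
    # although the base, bridge and dstat logs above are written either way.
    # The log list is also built before "Run test playbook", so that log is
    # not part of it. Confirm both are intended.
    - name: Encrypt playbook logs
      when: run_playbooks is defined
      include_role:
        name: encrypt-logs
      vars:
        encrypt_logs_files: '{{ _run_playbooks_logs.files | map(attribute="path") | list }}'
        encrypt_logs_artifact_path: '{{ groups["prod_bastion"][0] }}/ansible'
        encrypt_logs_download_script_path: '/var/log/ansible'

    # NOTE(review): run_test_playbook is interpolated into the shell command
    # unquoted, as run_playbooks is in "Run playbook"; the same trust
    # assumption applies.
    - name: Run test playbook
      when: run_test_playbook is defined
      shell: "set -o pipefail && ANSIBLE_ROLES_PATH=/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles ansible-playbook -v /home/zuul/src/opendev.org/opendev/system-config/{{ run_test_playbook }} 2>&1 | tee /var/log/ansible/{{ run_test_playbook | basename }}.log"
      args:
        executable: /bin/bash

    # The whole zuul variable dictionary is serialized to the fixture file
    # that the testinfra run reads through TESTINFRA_EXTRA_DATA.
    - name: Generate testinfra extra data fixture
      set_fact:
        testinfra_extra_data:
          zuul_job: '{{ zuul.job }}'
          zuul: '{{ zuul }}'

    - name: Write out testinfra extra data fixture
      copy:
        content: '{{ testinfra_extra_data | to_nice_yaml(indent=2) }}'
        dest: '/home/zuul/testinfra_extra_data_fixture.yaml'

    - name: Make screenshots directory
      file:
        path: '/var/log/screenshots'
        state: directory

    - name: Return screenshots artifact
      zuul_return:
        data:
          zuul:
            artifacts:
              - name: Screenshots
                url: '{{ groups["prod_bastion"][0] }}/screenshots'

    # safe.directory relaxes git's repository ownership check, here for
    # this one checkout path only.
    - name: Allow PBR's git calls to operate in system-config, despite not owning it
      command: git config --global safe.directory /home/zuul/src/opendev.org/opendev/system-config

    # The report artifact is returned from "always" so that it is published
    # even when the testinfra run fails.
    - name: Run and collect testinfra
      block:
        - name: Run testinfra to validate configuration
          include_role:
            name: tox
          vars:
            tox_envlist: testinfra
            # This allows us to run from external projects (like testinfra
            # itself)
            tox_environment:
              TESTINFRA_EXTRA_DATA: '/home/zuul/testinfra_extra_data_fixture.yaml'
            zuul_work_dir: src/opendev.org/opendev/system-config
      always:
        - name: Return testinfra report artifact
          zuul_return:
            data:
              zuul:
                artifacts:
                  - name: testinfra results
                    url: '{{ groups["prod_bastion"][0] }}/test-results.html'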