67607c679e
Added c9s jobs are non voting, as agreed on PTG to focus on Rocky Linux 9.
Since both CS9 and RL9 have higher default fd limit (1073741816 vs
1048576 in CS8) - lowering that for:
* RMQ - because Erlang allocates memory based on this (see [1], [2], [3]).
* MariaDB - because Galera cluster bootstrap failed
Changed the openvswitch_db healthcheck because, for an unknown reason,
the usual check (using lsof on /run/openvswitch/db.sock) hangs
on "Bad file descriptor" (even with privileged: true).
[1]: https://github.com/docker-library/rabbitmq/issues/545
[2]: https://github.com/rabbitmq/cluster-operator/issues/959#issuecomment-1043280324
[3]: a8b627aaed
Depends-On: https://review.opendev.org/c/openstack/tenks/+/856296
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/856328
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/856443
Needed-By: https://review.opendev.org/c/openstack/kolla/+/836664
Co-Authored-By: Michał Nasiadka <mnasiadka@gmail.com>
Change-Id: I3f7b480519aea38c3927bee7fb2c23eea178554d
---
# Play 1: runs on every host and publishes the paths that later plays reuse.
- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
    - name: set facts for commonly used variables
      set_fact:
        # kolla-ansible checkout, resolved relative to the working directory.
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        # Constraints file passed to pip with -c when kolla-ansible is installed.
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        # Prepends ~/.local/bin so executables from `pip --user` are found.
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"

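# Play 2: on the primary node, install kolla-ansible, generate passwords, run
# the Hashicorp Vault test script, and compare the password key sets.
- hosts: primary
  any_errors_fatal: true
  environment: "{{ pip_user_path_env }}"
  tasks:
    # NOTE(review): 0777 makes the directory that later holds passwords.yml
    # world-writable. The unprivileged copy task below appears to depend on
    # that, so it is kept; it is tolerable only on a disposable CI node.
    # Tightening it needs an explicit owner for the user running these tasks.
    - name: ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        # Quoted so the mode is never subject to YAML integer parsing.
        mode: "0777"
      become: true

    - name: ensure python3-pip exists
      package:
        name: python3-pip
      become: true

    # NOTE(mgoddard): We need a recent pip to install the latest cryptography
    # library. See https://github.com/pyca/cryptography/issues/5753
    - name: install pip 19.1.1+
      pip:
        name: "pip>=19.1.1"
        executable: "pip3"
        extra_args: "--user"

    # Installs from the local checkout, pinned by the upper-constraints file.
    - name: install kolla-ansible and dependencies
      pip:
        name:
          - "{{ kolla_ansible_src_dir }}"
        executable: "pip3"
        extra_args: "-c {{ upper_constraints_file }} --user"

    # remote_src: the template is copied from a path already on the target.
    - name: copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        remote_src: true

    - name: generate passwords
      command: kolla-genpwd

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"

    # NOTE(review): both slurp results hold base64-encoded password files in
    # registered variables, which verbose runs can print. Consider no_log if
    # this playbook is ever reused outside throwaway CI.
    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file

    # NOTE(review): fixed, predictable path under /tmp; presumably written by
    # the test script above - confirm it is created with restrictive
    # permissions.
    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert:
        that: "input_passwords == output_passwords"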