Propose a job for keystone rolling upgrades

This commit adds a new keystone jenkins jobs the leverages the work
done in openstack-ansible-os_keystone to perform a rolling upgrade
across containers. For what it's worth, the job also runs a
performance script that measures availability of keystone
authenticate and validate API during the upgrade.

Change-Id: If5ac3f00cff61357b59b3339f20b273415202def

jenkins/jobs/keystone.yaml

@@ -177,3 +177,70 @@
       - test-results
       - devstack-logs
       - console-log
+
+- builder:
+    name: openstack-ansible-os_keystone-checkout
+    builders:
+      - shell: |
+          #!/bin/bash -xe
+          CLONEMAP=`mktemp`
+          REQS_DIR=`mktemp -d`
+          function cleanup {
+              rm -f $CLONEMAP
+              rm -rf $REQS_DIR
+          }
+          trap cleanup EXIT
+          cat > $CLONEMAP << EOF
+          clonemap:
+            - name: openstack/openstack-ansible-os_keystone
+              dest: .
+            - name: openstack/requirements
+              dest: $REQS_DIR
+          EOF
+          /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
+              --cache-dir /opt/git git://git.openstack.org \
+              openstack/openstack-ansible-os_keystone \
+              openstack/requirements
+          cp $REQS_DIR/upper-constraints.txt ./
+
+- job-template:
+    name: '{pipeline}-keystone-osa-rolling-upgrade-{node-release}{suffix}'
+    node: '{node}'
+
+    wrappers:
+      - build-timeout:
+          timeout: 70
+      - timestamps
+
+    builders:
+      - link-logs
+      - net-info
+      - openstack-ansible-os_keystone-checkout
+      - shell: |
+          # Allow Jenkins user to ssh into localhost
+          ssh-keygen -f ~/.ssh/id_rsa -N ""
+          cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
+          ssh-keyscan localhost >> ~/.ssh/known_hosts
+          ssh-keyscan 127.0.0.1 >> ~/.ssh/known_hosts
+      - shell: |
+          # Get the keystone change in review and place it in ~/git/openstack/keystone,
+          # which is where the openstack-ansible-os_keystone role expects the
+          # upgrade source to be.
+          #!/bin/bash -xe
+          cat > $CLONEMAP << EOF
+          clonemap:
+            - name: openstack/keystone
+              dest: .
+          EOF
+          /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
+              --cache-dir /opt/git git://git.openstack.org \
+              openstack/keystone
+      - shell: |
+          /usr/local/jenkins/slave_scripts/run-tox.sh upgrade
+
+    publishers:
+      # Even though this isn't a devstack job, capturing the logs can still be
+      # useful.
+      - devstack-logs
+      - test-results
+      - console-log

jenkins/jobs/projects.yaml

@@ -6174,6 +6174,12 @@
           node: ubuntu-xenial-2-node
           node-release: ubuntu-xenial
       - periodic-python-jobs-with-oslo-master
+      - '{pipeline}-keystone-osa-rolling-upgrade-{node-release}{suffix}':
+          pipeline: gate
+          suffix: '-nv'
+          node: ubuntu-xenial-2-node
+          branch-override: default
+          node-release: ubuntu-xenial
 
 - project:
     name: keystone-specs

zuul/layout.yaml

@@ -11262,6 +11262,7 @@ projects:
       - gate-keystone-tox-patch_cover-ubuntu-trusty
       - gate-keystone-tox-patch_cover-ubuntu-xenial
       - gate-keystone-dsvm-grenade-multinode-ubuntu-xenial-nv
+      - gate-keystone-osa-rolling-upgrade-ubuntu-xenial-nv
 
   - name: openstack/keystone-specs
     template: