Convert production playbooks to bastion host group

Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead of directly referring to a hostname when adding the bastion host to the inventory for the production playbooks, this finds it from the first element of the "bastion" group. As we do this twice for the run and post playbooks, abstract it into a role. The host value is currently "bridge.openstack.org" -- as is the existing hard-coding -- thus this is intended to be a no-op change. It is setting the foundation to make replacing the bastion host a simpler process in the future. Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
2022-09-20 15:27:15 +10:00 · 2022-09-20 15:27:15 +10:00 · 51611845d4
commit 51611845d4
parent 04a129c328
5 changed files with 34 additions and 31 deletions
--- a/playbooks/roles/add-bastion-host/README.rst
+++ b/playbooks/roles/add-bastion-host/README.rst
@ -0,0 +1,4 @@
+Add the bastion host to the inventory dynamically
+
+For roles that run on the bastion host, it should be added to the
+inventory dynamically by the production jobs.
--- a/playbooks/roles/add-bastion-host/tasks/main.yaml
+++ b/playbooks/roles/add-bastion-host/tasks/main.yaml
@ -0,0 +1,21 @@
+- name: Get the bastion hostname
+  set_fact:
+    _bastion_hostname: '{{ groups["bastion"][0] }}'
+
+- name: Show bastion details
+  debug:
+    msg: "Bastion host is {{ _bastion_hostname }}"
+
+- name: Add bastion host to inventory for playbook
+  add_host:
+    name: '{{ _bastion_hostname }}'
+    groups: 'bastion'
+    ansible_python_interpreter: python3
+    ansible_user: zuul
+    # Without setting ansible_host directly, mirror-workspace-git-repos
+    # gets sad because if delegate_to localhost and with add_host that
+    # ends up with ansible_host being localhost.
+    ansible_host: '{{ _bastion_hostname }}'
+    ansible_port: 22
+    # Port 19885 is firewalled
+    zuul_console_disabled: true
--- a/playbooks/zuul/run-production-playbook-post.yaml
+++ b/playbooks/zuul/run-production-playbook-post.yaml
@ -1,19 +1,8 @@
 - hosts: localhost
-  tasks:
-    - name: Add bridge.o.o to inventory for playbook
-      add_host:
-        name: bridge.openstack.org
-        ansible_python_interpreter: python3
-        ansible_user: zuul
-        # Without setting ansible_host directly, mirror-workspace-git-repos
-        # gets sad because if delegate_to localhost and with add_host that
-        # ends up with ansible_host being localhost.
-        ansible_host: bridge.openstack.org
-        ansible_port: 22
-        # Port 19885 is frewalled
-        zuul_console_disabled: true
+  roles:
+    - add-bastion-host

- hosts: bridge.openstack.org
+- hosts: bastion[0]
  tasks:
    - name: Encrypt log
      when: infra_prod_playbook_encrypt_log|default(False)
@ -62,7 +51,7 @@
            state: absent
          when: _encrypt_tempdir is defined

-    # Not using normal zuul job roles as bridge.openstack.org is not a
+    # Not using normal zuul job roles as the bastion host is not a
    # test node with all the normal bits in place.
    - name: Collect log output
      synchronize:
--- a/playbooks/zuul/run-production-playbook.yaml
+++ b/playbooks/zuul/run-production-playbook.yaml
@ -1,19 +1,8 @@
 - hosts: localhost
-  tasks:
-    - name: Add bridge.o.o to inventory for playbook
-      add_host:
-        name: bridge.openstack.org
-        ansible_python_interpreter: python3
-        ansible_user: zuul
-        # Without setting ansible_host directly, mirror-workspace-git-repos
-        # gets sad because if delegate_to localhost and with add_host that
-        # ends up with ansible_host being localhost.
-        ansible_host: bridge.openstack.org
-        ansible_port: 22
-        # Port 19885 is firewalled
-        zuul_console_disabled: true
+  roles:
+    - add-bastion-host

- hosts: bridge.openstack.org
+- hosts: bastion[0]
  tasks:
    - name: Run the production playbook and capture logs
      block:
@ -27,7 +16,7 @@
        become: yes
        shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log'

-      - name: Run specified playbook on bridge.o.o and redirect output
+      - name: Run specified playbook on bastion host and redirect output
        become: yes
        shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log'
        register: _run
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
@ -17,7 +17,7 @@
      CD deployment of our infrastructure. Set playbook_name to
      specify the playbook relative to
      /home/zuul/src/opendev.org/opendev/system-config/playbooks
-      on bridge.openstack.org.
+      on the bastion host.
    abstract: true
    semaphores: infra-prod-playbook
    run: playbooks/zuul/run-production-playbook.yaml