Convert production playbooks to bastion host group

Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead
of directly referring to a hostname when adding the bastion host to
the inventory for the production playbooks, this finds it from the
first element of the "bastion" group.

As we do this twice for the run and post playbooks, abstract it into a
role.

The host value is currently "bridge.openstack.org" -- as is the
existing hard-coding -- thus this is intended to be a no-op change.
It is setting the foundation to make replacing the bastion host a
simpler process in the future.

Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
This commit is contained in:
Ian Wienand 2022-09-20 15:27:15 +10:00
parent 04a129c328
commit 51611845d4
No known key found for this signature in database
5 changed files with 34 additions and 31 deletions

View File

@ -0,0 +1,4 @@
Add the bastion host to the inventory dynamically
For roles that run on the bastion host, it should be added to the
inventory dynamically by the production jobs.

View File

@ -0,0 +1,21 @@
- name: Get the bastion hostname
set_fact:
_bastion_hostname: '{{ groups["bastion"][0] }}'
- name: Show bastion details
debug:
msg: "Bastion host is {{ _bastion_hostname }}"
- name: Add bastion host to inventory for playbook
add_host:
name: '{{ _bastion_hostname }}'
groups: 'bastion'
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: '{{ _bastion_hostname }}'
ansible_port: 22
# Port 19885 is firewalled
zuul_console_disabled: true

View File

@ -1,19 +1,8 @@
- hosts: localhost - hosts: localhost
tasks: roles:
- name: Add bridge.o.o to inventory for playbook - add-bastion-host
add_host:
name: bridge.openstack.org
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: bridge.openstack.org
ansible_port: 22
# Port 19885 is frewalled
zuul_console_disabled: true
- hosts: bridge.openstack.org - hosts: bastion[0]
tasks: tasks:
- name: Encrypt log - name: Encrypt log
when: infra_prod_playbook_encrypt_log|default(False) when: infra_prod_playbook_encrypt_log|default(False)
@ -62,7 +51,7 @@
state: absent state: absent
when: _encrypt_tempdir is defined when: _encrypt_tempdir is defined
# Not using normal zuul job roles as bridge.openstack.org is not a # Not using normal zuul job roles as the bastion host is not a
# test node with all the normal bits in place. # test node with all the normal bits in place.
- name: Collect log output - name: Collect log output
synchronize: synchronize:

View File

@ -1,19 +1,8 @@
- hosts: localhost - hosts: localhost
tasks: roles:
- name: Add bridge.o.o to inventory for playbook - add-bastion-host
add_host:
name: bridge.openstack.org
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: bridge.openstack.org
ansible_port: 22
# Port 19885 is firewalled
zuul_console_disabled: true
- hosts: bridge.openstack.org - hosts: bastion[0]
tasks: tasks:
- name: Run the production playbook and capture logs - name: Run the production playbook and capture logs
block: block:
@ -27,7 +16,7 @@
become: yes become: yes
shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log' shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log'
- name: Run specified playbook on bridge.o.o and redirect output - name: Run specified playbook on bastion host and redirect output
become: yes become: yes
shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log' shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log'
register: _run register: _run

View File

@ -17,7 +17,7 @@
CD deployment of our infrastructure. Set playbook_name to CD deployment of our infrastructure. Set playbook_name to
specify the playbook relative to specify the playbook relative to
/home/zuul/src/opendev.org/opendev/system-config/playbooks /home/zuul/src/opendev.org/opendev/system-config/playbooks
on bridge.openstack.org. on the bastion host.
abstract: true abstract: true
semaphores: infra-prod-playbook semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml run: playbooks/zuul/run-production-playbook.yaml