system-config/playbooks/bootstrap-bridge.yaml
Ian Wienand 04a129c328
bootstrap-bridge: use abstracted hostname
The prior change Iffb462371939989b03e5d6ac6c5df63aa7708513 added the
"bastion" group for system-config-run-* jobs, and the dependent change
here adds the bridge host to the "bastion" group when it is
dynamically added in opendev/base-jobs.

This playbook can thus refer to the bastion group, rather than having
to hardcode the hostname.

This should have no effect in production as it all still refers to the
existing bridge.openstack.org; but will make it easier to switch in
the (near) future.

Depends-On: https://review.opendev.org/c/opendev/base-jobs/+/861026
Change-Id: Icc52d2544afc1faf519a036cda94a3cae10448ee
2022-10-20 09:49:01 +11:00

100 lines
4.5 KiB
YAML

# NOTE: This is included from two paths to setup the bridge/bastion
# host in different circumstances:
#
# 1) Gate tests -- here Zuul is running this on the executor against
#    ephemeral nodes.  It uses the "bastion" group as defined in the
#    system-config-run jobs.
#
# 2) Production -- here we actually run against the real bastion host.
#    The host is dynamically added in opendev/base-jobs before this
#    runs, and put into a group called "bastion".
#
# In both cases, the "bastion" group has one entry, which is the
# bastion host to run against.
- hosts: bastion[0]:!disabled
  name: "Bridge: bootstrap the bastion host"
  become: true
  tasks:
    # Note for production use we expect to take the defaults; unit
    # test jobs override this to test with latest upstream ansible.
    # For example, if there is a fix on the ansible stable branch we
    # need that is unreleased, you could do the following:
    #
    #  install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
    #  install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
    - name: Install ansible
      include_role:
        name: install-ansible
      vars:
        install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
        install_ansible_version: '{{ bridge_ansible_version | default("4.0.0") }}'
        install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
        install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_version | default("latest") }}'
        # NOTE(ianw): At 2018-12, ARA is only enabled during gate
        # testing jobs as we decide if or how to store data on
        # production bridge.o.o
        install_ansible_ara_name: '{{ bridge_ara_name | default("ara[server]") }}'
        install_ansible_ara_version: '{{ bridge_ara_version | default("latest") }}'
    # This is the key that bridge uses to log into remote hosts.
    #
    # For production, this root-key variable is kept with the others
    # in the Ansible production secrets.  Thus we need to deploy via
    # the local Ansible we just installed that will load these
    # variables.  Remote hosts have trusted this from their bringup
    # procedure.
    #
    # In testing, we have been called with "root_rsa_key" variable set
    # with an ephemeral key.  In this case, we pass it in as a "-e"
    # variable directly from the file written on disk.  The testing
    # ephemeral nodes have been made to trust this by the multinode
    # setup.
    #
    # NOTE(ianw) : Another option here is to keep the root key as a
    # secret directly in Zuul, which could be written out directly
    # here.  Maybe one day we will do something like this.
    - name: Create root key variable when testing
      when: root_rsa_key is defined
      block:
        - name: Create vars dict
          set_fact:
            _root_rsa_key_dict:
              root_rsa_key: '{{ root_rsa_key }}'
        - name: Save extra-vars
          copy:
            content: '{{ _root_rsa_key_dict | to_nice_json }}'
            dest: '/home/zuul/root-rsa-key.json'
        - name: Save abstracted inventory file
          copy:
            content: |
              {{ inventory_hostname }}
              [bastion]
              {{ inventory_hostname }}
            dest: '/home/zuul/bastion-inventory.ini'
    - name: Make ansible log directory
      file:
        path: '/var/log/ansible'
        state: directory
        owner: root
        mode: '0755'
    - name: Install root key
      shell: >-
        ansible-playbook -v ${ROOT_RSA_KEY} ${BRIDGE_INVENTORY}
        /home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
        > /var/log/ansible/install-root-key.{{ lookup('pipe', 'date +%Y-%m-%dT%H:%M:%S') }}.log 2>&1
      environment:
        ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
        # In production "install-ansible" has setup ansible to point
        # to the system-config inventory which has the bastion group
        # in it.  In the gate, bridge is ephemeral and we haven't yet
        # built the inventory to use for testing (that is done in
        # zuul/run-base.yaml).  Use this constructed inventory.
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true