Major refactor

Decoupled several things from bootstrap roles into subroles
and added several default and group variables

bootstrap.yml

@@ -1,18 +0,0 @@
----
-# file: bootstrap.yml
-- hosts: infra
-  user: ubuntu
-  sudo: true
-  roles:
-    - { role: set_hostnames }
-
-- hosts: meta-infra_type_puppetmaster
-  user: ubuntu
-  sudo: true
-  roles:
-    - { role: install_required_packages }
-    - { role: clone_system_config }
-    - { role: branch_system_config }
-    - { role: install_puppet_and_modules }
-    - { role: configure_puppetmaster }
-    - { role: generate_puppet_certificates }

bootstrap_puppet_infra_nodes.yml

@@ -0,0 +1,7 @@
+---
+# file: bootstrap_puppet_infra_nodes.yml
+- hosts: infra:!meta-infra_type_puppetmaster
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: bootstrap_puppet_infra_nodes }

bootstrap_puppetmaster.yml

@@ -0,0 +1,7 @@
+---
+# file: bootstrap_puppetmaster.yml
+- hosts: meta-infra_type_puppetmaster
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: bootstrap_puppetmaster }

common.yml

@@ -0,0 +1,7 @@
+---
+# file: set_hostnames.yml
+- hosts: infra
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: common }

deploy_hiera.yml

@@ -0,0 +1,7 @@
+---
+# file: deploy_hiera.yml
+- hosts: meta-infra_type_puppetmaster
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: deploy_hiera }

deploy_site_pp.yml

@@ -0,0 +1,6 @@
+---
+# file: deploy_site_pp.yml
+- hosts: localhost
+  connection: local
+  roles:
+    - { role: deploy_site_pp }

group_vars/all.yml

@@ -0,0 +1,4 @@
+---
+system_config_repo_url: git@github.com:rcarrillocruz/system-config.git 
+system_config_repo_https_url: https://github.com/rcarrillocruz/system-config.git
+system_config_branch: infra_config

infra_config.yml

@@ -1,5 +1,5 @@
 ---
-infra_config:
+infra_servers:
   - name: puppetdb.infra.test.rcarrillocruz.cloud
     image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
     flavor: standard.small

provision.yml

@@ -1,6 +0,0 @@
----
-# file: provision.yml
-- hosts: localhost
-  connection: local
-  roles:
-    - { role: provision }

provision_infra_servers.yml

@@ -0,0 +1,6 @@
+---
+# file: provision_infra_servers.yml
+- hosts: localhost
+  connection: local
+  roles:
+    - { role: provision_infra_servers }

roles/bootstrap/defaults/main.yaml

@@ -1,2 +0,0 @@
----
-system_config_repo_url: https://git.openstack.org/openstack-infra/system-config

roles/bootstrap/tasks/branch_system_config.yml

@@ -1,26 +0,0 @@
----
-# Check checked-out branch
-- command: git rev-parse --abbrev-ref HEAD
-  args:
-    chdir: /opt/system-config/production
-  register: checked_out_branch
-  ignore_errors: True
-
-# Check whether "infra_config" branch exists or not
-- command: git show-ref "infra_config"
-  args:
-    chdir: /opt/system-config/production
-  register: infra_config_branch 
-  ignore_errors: True
-
-# If "infra_config" branch exists, switch to it
-- command: git checkout infra_config
-  args:
-    chdir: /opt/system-config/production
-  when: checked_out_branch.stdout != "infra_config" and infra_config_branch.rc == 0
-
-# Create and switch to "infra_config" branch to put non-upstream fixes and values
-- command: git checkout -b infra_config
-  args:
-    chdir: /opt/system-config/production
-  when: infra_config_branch.rc != 0

roles/bootstrap/tasks/clone_system_config.yml

@@ -1,6 +0,0 @@
----
-# Clone system-config 
-- git: repo="{{ system_config_repo_url }}"
-       dest=/opt/system-config/production
-       version=master
-  tags: clone_system_config

roles/bootstrap/tasks/generate_puppet_certificates.yml

@@ -1,9 +0,0 @@
----
-# Generate puppet certificates for infra servers 
-- name:  Generate puppet certificates for infra servers
-  command: puppet cert generate "{{ item }}" 
-  args:
-    creates: "/var/lib/puppet/ssl/certs/{{ item }}.pem"
-  when: item != inventory_hostname
-  with_items: groups['infra']
-  tags: generate_puppet_certificates

roles/bootstrap_puppet_infra_nodes/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+# Update packages
+- apt: update_cache=yes 
+
+# Install puppet
+- apt: name=puppet
+
+# Deploy puppet.conf template
+- template: src=puppet.conf.j2 dest=/etc/puppet/puppet.conf
+
+# Run puppet agent to request certificate
+- command: puppet agent --test
+  ignore_errors: True

roles/bootstrap_puppet_infra_nodes/templates/puppet.conf.j2

@@ -0,0 +1,17 @@
+[main]
+server={{ groups['meta-infra_type_puppetmaster'][0] }}
+certname={{ inventory_hostname }}
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+templatedir=$confdir/templates
+prerun_command=/etc/puppet/etckeeper-commit-pre
+postrun_command=/etc/puppet/etckeeper-commit-post
+
+[master]
+# These are needed when the puppetmaster is run by passenger
+# and can safely be removed if webrick is used.
+ssl_client_header = SSL_CLIENT_S_DN 
+ssl_client_verify_header = SSL_CLIENT_VERIFY

roles/bootstrap_puppetmaster/tasks/clone_system_config.yml

@@ -0,0 +1,8 @@
+---
+# Clone system-config 
+- git: repo="{{ system_config_repo_https_url }}"
+       dest=/opt/system-config/production
+       accept_hostkey=True
+       version="{{ system_config_branch }}"
+       force=True
+  tags: clone_system_config

roles/bootstrap_puppetmaster/tasks/configure_puppetmaster.yml

@@ -9,7 +9,7 @@
 # Puppet apply the puppetmaster manifest
 - command: > 
     puppet apply --modulepath='/opt/system-config/production/modules:/etc/puppet/modules'
-    -e 'class {"openstack_project::puppetmaster"':' puppetdb => false }'
+    -e 'class {"openstack_project::puppetmaster"':' 
+    puppetmaster_server => "{{ inventory_hostname }}",
+    puppetdb => false }'
   tags: puppet_apply
-
-- copy: src=puppetmaster.pp dest=/opt/system-config/production/modules/openstack_project/manifests

roles/bootstrap_puppetmaster/tasks/install_required_packages.yml

@@ -0,0 +1,3 @@
+---
+# Install git
+- apt: name=git

roles/bootstrap_puppetmaster/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- include: install_required_packages.yml
+- include: clone_system_config.yml
+- include: install_puppet_and_modules.yml
+- include: configure_puppetmaster.yml

roles/deploy_hiera/files/generate_hiera_common.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+import yaml
+import paramiko
+import StringIO
+
+KEY_LENGTH = 2048
+HIERA_SSH_PARAMS = ['puppetmaster_root_rsa_key']
+HIERA_COMMON_YAML_FILE = '/etc/puppet/hieradata/production/common.yaml'
+
+out = StringIO.StringIO()
+d = {}
+
+for h in HIERA_SSH_PARAMS:
+    k = paramiko.RSAKey.generate(KEY_LENGTH)
+    k.write_private_key(out)
+    d[h] = out.getvalue()
+
+with open(HIERA_COMMON_YAML_FILE, "w") as f:
+    yaml.safe_dump(d, f, explicit_start=True, default_flow_style=False)

roles/deploy_hiera/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+# Update apt cache
+- apt: update_cache=yes
+
+# Install python-paramiko
+- apt: name=python-paramiko
+
+- file: path=/etc/puppet/hieradata state=directory
+
+- file: path=/etc/puppet/hieradata/production state=directory
+
+- file: path=/etc/puppet/hieradata/production/fqdn state=directory
+
+# Generate hiera common.yaml values
+- script: generate_hiera_common.py creates=/etc/puppet/hieradata/production/common.yaml

roles/deploy_site_pp/tasks/clone_system_config_locally.yml

@@ -0,0 +1,8 @@
+---
+# Clone system-config locally in the command machine
+- git: repo="{{ system_config_repo_url }}"
+       dest=/tmp/infra-ansible/system-config/production
+       version="{{ system_config_branch }}"
+       accept_hostkey=True
+       force=True
+  tags: clone_system_config_locally

roles/deploy_site_pp/tasks/commit_push.yml

@@ -0,0 +1,9 @@
+---
+- command: git commit -a -m "deploy_site_pp commit from infra-ansible"
+  args:
+    chdir: /tmp/infra-ansible/system-config/production
+  ignore_errors: True
+
+- command: git push origin {{ system_config_branch }}
+  args:
+    chdir: /tmp/infra-ansible/system-config/production

roles/deploy_site_pp/tasks/create_temp_folder.yml

@@ -0,0 +1,2 @@
+---
+- file: path=/tmp/infra-ansible state=directory

roles/deploy_site_pp/tasks/generate_site_pp.yml

@@ -0,0 +1,3 @@
+---
+# Generate site.pp
+- template: src=site.pp.j2 dest=/tmp/infra-ansible/system-config/production/manifests/site.pp

roles/deploy_site_pp/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- include: create_temp_folder.yml
+- include: clone_system_config_locally.yml
+- include: generate_site_pp.yml
+- include: commit_push.yml

roles/deploy_site_pp/templates/site.pp.j2

@@ -0,0 +1,150 @@
+#
+# Top-level variables
+#
+# There must not be any whitespace between this comment and the variables or
+# in between any two variables in order for them to be correctly parsed and
+# passed around in test.sh
+#
+
+#
+# Default: should at least behave like an openstack server
+#
+node default {
+  class { 'openstack_project::server':
+    sysadmins => hiera('sysadmins', []),
+  }
+}
+
+#
+# Long lived servers:
+#
+node 'review-dev.openstack.org' {
+  class { 'openstack_project::review_dev':
+    project_config_repo             => 'https://git.openstack.org/openstack-infra/project-config',
+    github_oauth_token              => hiera('gerrit_dev_github_token', 'XXX'),
+    github_project_username         => hiera('github_dev_project_username', 'username'),
+    github_project_password         => hiera('github_dev_project_password', 'XXX'),
+    mysql_host                      => hiera('gerrit_dev_mysql_host', 'localhost'),
+    mysql_password                  => hiera('gerrit_dev_mysql_password', 'XXX'),
+    email_private_key               => hiera('gerrit_dev_email_private_key', 'XXX'),
+    contactstore_appsec             => hiera('gerrit_dev_contactstore_appsec', 'XXX'),
+    contactstore_pubkey             => hiera('gerrit_dev_contactstore_pubkey', 'XXX'),
+    ssh_dsa_key_contents            => hiera('gerrit_dev_ssh_dsa_key_contents', 'XXX'),
+    ssh_dsa_pubkey_contents         => hiera('gerrit_dev_ssh_dsa_pubkey_contents', 'XXX'),
+    ssh_rsa_key_contents            => hiera('gerrit_dev_ssh_rsa_key_contents', 'XXX'),
+    ssh_rsa_pubkey_contents         => hiera('gerrit_dev_ssh_rsa_pubkey_contents', 'XXX'),
+    ssh_project_rsa_key_contents    => hiera('gerrit_dev_project_ssh_rsa_key_contents', 'XXX'),
+    ssh_project_rsa_pubkey_contents => hiera('gerrit_dev_project_ssh_rsa_pubkey_contents', 'XXX'),
+    lp_sync_consumer_key            => hiera('gerrit_dev_lp_consumer_key', 'XXX'),
+    lp_sync_token                   => hiera('gerrit_dev_lp_access_token', 'XXX'),
+    lp_sync_secret                  => hiera('gerrit_dev_lp_access_secret', 'XXX'),
+    sysadmins                       => hiera('sysadmins', []),
+  }
+}
+
+node '{{ groups['meta-infra_type_jenkins'][0] }}' {
+  $group = "jenkins"
+  class { 'openstack_project::jenkins':
+    project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
+    jenkins_jobs_password   => hiera('jenkins_jobs_password', 'XXX'),
+    jenkins_ssh_private_key => hiera('jenkins_ssh_private_key_contents', 'XXX'),
+    ssl_cert_file           => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+    ssl_key_file            => '/etc/ssl/private/ssl-cert-snakeoil.key',
+    ssl_chain_file          => '',
+    sysadmins               => hiera('sysadmins', []),
+    zmq_event_receivers     => ['{{ groups['meta-infra_type_nodepool'][0] }}'],
+  }
+}
+
+node '{{ groups['meta-infra_type_puppetmaster'][0] }}' {
+  class { 'openstack_project::puppetmaster':
+    root_rsa_key        => hiera('puppetmaster_root_rsa_key', 'XXX'),
+    sysadmins           => hiera('sysadmins', []),
+    version             => '3.6.',
+    puppetmaster_server => '{{ groups['meta-infra_type_puppetmaster'][0] }}',
+    puppetdb            => false,
+  }
+}
+
+node 'puppetdb.openstack.org' {
+  class { 'openstack_project::puppetdb':
+    sysadmins => hiera('sysadmins', []),
+  }
+}
+
+node 'nodepool.openstack.org' {
+  class { 'openstack_project::nodepool_prod':
+    project_config_repo      => 'https://git.openstack.org/openstack-infra/project-config',
+    mysql_password           => hiera('nodepool_mysql_password', 'XXX'),
+    mysql_root_password      => hiera('nodepool_mysql_root_password', 'XXX'),
+    nodepool_ssh_private_key => hiera('jenkins_ssh_private_key_contents', 'XXX'),
+    sysadmins                => hiera('sysadmins', []),
+    statsd_host              => 'graphite.openstack.org',
+    jenkins_api_user         => hiera('jenkins_api_user', 'username'),
+    jenkins_api_key          => hiera('jenkins_api_key', 'XXX'),
+    jenkins_credentials_id   => hiera('jenkins_credentials_id', 'XXX'),
+    rackspace_username       => hiera('nodepool_rackspace_username', 'username'),
+    rackspace_password       => hiera('nodepool_rackspace_password', 'XXX'),
+    rackspace_project        => hiera('nodepool_rackspace_project', 'project'),
+    hpcloud_username         => hiera('nodepool_hpcloud_username', 'username'),
+    hpcloud_password         => hiera('nodepool_hpcloud_password', 'XXX'),
+    hpcloud_project          => hiera('nodepool_hpcloud_project', 'project'),
+    tripleo_username         => hiera('nodepool_tripleo_username', 'username'),
+    tripleo_password         => hiera('nodepool_tripleo_password', 'XXX'),
+    tripleo_project          => hiera('nodepool_tripleo_project', 'project'),
+  }
+}
+
+node /^zm\d+\.openstack\.org$/ {
+  $group = "zuul-merger"
+  class { 'openstack_project::zuul_merger':
+    gearman_server       => 'zuul.openstack.org',
+    gerrit_server        => 'review.openstack.org',
+    gerrit_user          => 'jenkins',
+    gerrit_ssh_host_key  => hiera('gerrit_ssh_rsa_pubkey_contents', 'XXX'),
+    zuul_ssh_private_key => hiera('zuul_ssh_private_key_contents', 'XXX'),
+    sysadmins            => hiera('sysadmins', []),
+  }
+}
+
+node 'zuul-dev.openstack.org' {
+  class { 'openstack_project::zuul_dev':
+    project_config_repo  => 'https://git.openstack.org/openstack-infra/project-config',
+    gerrit_server        => 'review-dev.openstack.org',
+    gerrit_user          => 'jenkins',
+    gerrit_ssh_host_key  => hiera('gerrit_dev_ssh_rsa_pubkey_contents', 'XXX'),
+    zuul_ssh_private_key => hiera('zuul_dev_ssh_private_key_contents', 'XXX'),
+    url_pattern          => 'http://logs.openstack.org/{build.parameters[LOG_PATH]}',
+    zuul_url             => 'http://zuul-dev.openstack.org/p',
+    sysadmins            => hiera('sysadmins', []),
+    statsd_host          => 'graphite.openstack.org',
+    gearman_workers      => [
+      'jenkins.openstack.org',
+      'jenkins01.openstack.org',
+      'jenkins02.openstack.org',
+      'jenkins03.openstack.org',
+      'jenkins04.openstack.org',
+      'jenkins05.openstack.org',
+      'jenkins06.openstack.org',
+      'jenkins07.openstack.org',
+      'jenkins-dev.openstack.org',
+    ],
+  }
+}
+
+node 'pypi.slave.openstack.org' {
+  include openstack_project
+  class { 'openstack_project::pypi_slave':
+    pypi_username          => 'openstackci',
+    pypi_password          => hiera('pypi_password', 'XXX'),
+    jenkins_ssh_public_key => $openstack_project::jenkins_ssh_key,
+    jenkinsci_username     => hiera('jenkins_ci_org_user', 'username'),
+    jenkinsci_password     => hiera('jenkins_ci_org_password', 'XXX'),
+    mavencentral_username  => hiera('mavencentral_org_user', 'username'),
+    mavencentral_password  => hiera('mavencentral_org_password', 'XXX'),
+    puppet_forge_username  => hiera('puppet_forge_username', 'username'),
+    puppet_forge_password  => hiera('puppet_forge_password', 'XXX'),
+  }
+}
+
+# vim:sw=2:ts=2:expandtab:textwidth=79

roles/provision/tasks/main.yml

@@ -1,2 +0,0 @@
----
-- include: create_openstack_instances.yml

roles/provision_infra_servers/defaults/main.yaml

@@ -0,0 +1,32 @@
+---
+infra_servers:
+  - name: puppetdb.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: puppetdb
+  - name: puppetmaster.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: puppetmaster
+  - name: zuul.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: zuul
+  - name: jenkins.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: jenkins
+  - name: gerrit.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: gerrit
+  - name: nodepool.infra.test.rcarrillocruz.cloud
+    image: 9d25fe2d-cf31-4b05-8c58-f238ec78e633
+    flavor: standard.small
+    net_name: infra-test-network
+    infra_type: nodepool

roles/provision_infra_servers/tasks/main.yml

@@ -1,3 +1,4 @@
+---
 - name: Create OpenStack instances
   os_server:
     state: present
@@ -16,4 +17,4 @@
     meta: 
       group: infra
       infra_type: "{{ item.infra_type }}"
-  with_items: infra_config
+  with_items: infra_servers

roles/run_puppet_infra_nodes/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- command: puppet agent --enable
+
+- command: puppet agent --test
+  ignore_errors: True

roles/set_hostnames/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: Add all infra hosts to /etc/hosts
   lineinfile: dest=/etc/hosts
-              line='{{ hostvars[item].ansible_default_ipv4.address }} {{ item }} {{ item.split('.', 1)[0] }}'
+              line='{{ hostvars[item]['openstack']['private_v4'] }} {{ item }} {{ item.split('.', 1)[0] }}'
               insertafter='^127\.0\.0\.1'
               state=present
   with_items: groups['infra']

roles/sign_infra_nodes_certs/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- command: puppet cert sign {{ item }} creates=/var/lib/puppet/ssl/ca/signed/{{ item }}.pem
+  when: item != inventory_hostname
+  with_items: groups['infra']

run_puppet_infra_nodes.yml

@@ -0,0 +1,7 @@
+---
+# file: run_puppet_infra_nodes
+- hosts: infra:!meta-infra_type_puppetmaster
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: run_puppet_infra_nodes }

set_hostnames.yml

@@ -0,0 +1,7 @@
+---
+# file: set_hostnames.yml
+- hosts: infra
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: set_hostnames }

sign_infra_nodes_certs.yml

@@ -0,0 +1,7 @@
+---
+# file: sign_infra_nodes_certs
+- hosts: meta-infra_type_puppetmaster
+  user: ubuntu
+  sudo: true
+  roles:
+    - { role: sign_infra_nodes_certs }

site.yml

@@ -1,7 +1,10 @@
 ---
 # file: site.yml
-- include: provision.yml
+- include: provision_infra_servers.yml
-- include: bootstrap.yml
+- include: set_hostnames.yml
-#- include: gerrit
+- include: deploy_site_pp.yml
-#- include: jenkins
+- include: deploy_hiera.yml
-#- include: nodepool
+- include: bootstrap_puppetmaster.yml
+- include: bootstrap_puppet_infra_nodes.yml
+- include: sign_infra_nodes_certs.yml
+- include: run_puppet_infra_nodes.yml