run-production-playbook: encrypt logs in temporary staging directory

I didn't consider permissions on the production machine; since we run Ansible as root the extant path can't access the logs. By copying the logfile to encrypt to a staging area we can leave everything else alone for now. Upon reflection it seems like a better idea to do this in an ephemeral location anyway and not leave anything behind. We move the cleanup into an always block too to ensure this. Bump the codesearch playbook to trigger the prod job with these changes. Change-Id: I47f63df04d58b7a87bce445da0c0bdcb80edc8f9
12 months ago · 35e8b1dbcc
parent 2db614c759
commit 35e8b1dbcc
2 changed files with 23 additions and 10 deletions
--- a/playbooks/service-codesearch.yaml
+++ b/playbooks/service-codesearch.yaml
@ -1,4 +1,4 @@
-# NOTE(ianw): 2022-02-21 19:20 AEST : comment to trigger prod run
+# NOTE(ianw): 2022-02-22 08:14 AEST : comment to trigger prod run
 - hosts: "codesearch:!disabled"
  name: "Configure codesearch"
  roles:
--- a/playbooks/zuul/run-production-playbook.yaml
+++ b/playbooks/zuul/run-production-playbook.yaml
@ -30,20 +30,30 @@
          when: infra_prod_playbook_encrypt_log|default(False)
          block:

-            - name: Create temp dir for download script
+            - name: Create temporary staging area for encrypted logs
              tempfile:
                state: directory
-              register: _download_tmpdir
+              register: _encrypt_tempdir
+
+            - name: Copy log to tempdir as Zuul user
+              copy:
+                src: '/var/log/ansible/{{ playbook_name }}.log'
+                dest: '{{ _encrypt_tempdir }}'
+                owner: zuul
+                group: zuul
+                mode: '0644'
+                remote_src: yes
+              become: yes

            - name: Encrypt logs
              include_role:
                name: encrypt-logs
              vars:
                encrypt_logs_files:
-                  - '/var/log/ansible/{{ playbook_name }}.log'
-                # Artifact in root directory
+                  - '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log'
+                # Artifact URL should just point to root directory, so blank
                encrypt_logs_artifact_path: ''
-                encrypt_logs_download_script_path: '{{ _download_tmpdir.path }}'
+                encrypt_logs_download_script_path: '{{ _encrypt_tempdir.path }}'

            - name: Return logs
              synchronize:
@ -52,13 +62,16 @@
                mode: pull
                verify_host: true
              loop:
-                - [ '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg }}', '/var/log/ansible/{{ playbook_name }}.log.gpg' ]
-                - [ '{{ zuul.executor.log_root }}/download-gpg-logs.sh }}', '{{ _download_tmpdir.path }}/download-logs.sh }}' ]
+                - [ '{{ zuul.executor.log_root }}/{{ playbook_name }}.log.gpg }}', '{{ _encrypt_tempdir.path }}/{{ playbook_name }}.log.gpg' ]
+                - [ '{{ zuul.executor.log_root }}/download-gpg-logs.sh }}', '{{ _encrypt_tempdir.path }}/download-logs.sh }}' ]
+
+          always:

-            - name: Remove tmpdir
+            - name: Remove temporary staging
              file:
-                path: '{{ _download_tmpdir.path }}'
+                path: '{{ _encrypt_tempdir.path }}'
                state: absent
+              when: _encrypt_tempdir is defined

        # Not using normal zuul job roles as bridge.openstack.org is not a
        # test node with all the normal bits in place.