Use zuul checkouts of ansible roles from other repos

We have two standalone roles, puppet and cloud-launcher, but we currently install them with galaxy so depends-on patches don't work. We also install them every time we run anything, even if we don't need them for the playbook in question. Add two roles, one to install a set of ansible roles needed by the host in question, and the other to encapsulate the sequence of running puppet, which now includes installing the puppet role, installing puppet, disabling the puppet agent and then running puppet. As a followup, we'll do the same thing with the puppet modules, so that we arent' cloning and rsyncing ALL of the puppet modules all the time no matter what. Change-Id: I69a2e99e869ee39a3da573af421b18ad93056d5b
2 years ago · 4b9d1a88bd
parent 1b126ef48a
commit 4b9d1a88bd
17 changed files with 96 additions and 41 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -1112,6 +1112,7 @@
    description: |
      Run the playbook for an eavesdrop server.
    required-projects:
+      - opendev/ansible-role-puppet
      - opendev/system-config
      - openstack/project-config
    requires: accessbot-container-image
@ -1152,12 +1153,15 @@
        - name: codesearch01.openstack.org
          label: ubuntu-xenial
    required-projects:
+      - opendev/ansible-role-puppet
      - opendev/system-config
      - openstack/project-config
    files:
      - playbooks/install-ansible.yaml
      - playbooks/service-codesearch.yaml
      - playbooks/group_vars/puppet.yaml
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/sync-project-config
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
@ -1210,10 +1214,16 @@
          label: ubuntu-bionic
        - name: lists.openstack.org
          label: ubuntu-xenial
+    required-projects:
+      - opendev/ansible-role-puppet
+      - opendev/system-config
    files:
      - playbooks/install-ansible.yaml
      - modules/openstack_project/manifests/lists.pp
      - playbooks/host_vars/lists.openstack.org.yaml
+      - playbooks/group_vars/puppet
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - roles/exim
    vars:
      run_playbooks:
@ -1238,8 +1248,9 @@
        - name: nb04.opendev.org
          label: ubuntu-bionic
    required-projects:
-      - openstack/project-config
+      - opendev/ansible-role-puppet
      - opendev/system-config
+      - openstack/project-config
    host-vars:
      nl01.openstack.org:
        host_copy_output:
@ -1261,6 +1272,9 @@
      - playbooks/group_vars/nodepool.yaml
      - playbooks/group_vars/nodepool-builder.yaml
      - playbooks/group_vars/nodepool-launcher.yaml
+      - playbooks/group_vars/puppet
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/roles/nodepool
      - playbooks/templates/clouds/
@ -2080,7 +2094,6 @@
    files:
      - inventory/
      - roles/
-      - roles.yaml
      - install_modules.sh
      - modules.env
      - playbooks/install-ansible.yaml
@ -2228,6 +2241,9 @@
      - playbooks/host_vars/nb
      - playbooks/host_vars/nl
      - playbooks/group_vars/nodepool
+      - playbooks/group_vars/puppet
+      - playbooks/roles/install-ansible-roles/
+      - playbooks/roles/run-puppet/
      - playbooks/roles/configure-kubectl/
      - playbooks/roles/configure-openstacksdk/
      - playbooks/roles/install-docker/
@ -2483,6 +2499,7 @@
    parent: infra-prod-service-base
    description: Run service-codesearch.yaml playbook.
    required-projects:
+      - opendev/ansible-role-puppet
      - opendev/system-config
      - openstack/project-config
    vars:
@ -2492,6 +2509,8 @@
      - playbooks/install-ansible.yaml
      - playbooks/service-codesearch.yaml
      - playbooks/group_vars/puppet.yaml
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/sync-project-config
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
@ -2504,6 +2523,7 @@
    parent: infra-prod-service-base
    description: Run service-eavesdrop.yaml playbook.
    required-projects:
+      - opendev/ansible-role-puppet
      - opendev/system-config
      - openstack/project-config
    dependencies:
@ -2523,6 +2543,8 @@
      - playbooks/run-accessbot.yaml
      - playbooks/group_vars/eavesdrop.yaml
      - playbooks/group_vars/puppet.yaml
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/zuul-user
      - playbooks/roles/install-docker
      - playbooks/roles/puppet-install/
@ -2555,11 +2577,17 @@
    vars:
      playbook_name: remote_puppet_afs.yaml
      infra_prod_ansible_forks: 1
+    required-projects:
+      - opendev/ansible-role-puppet
+      - opendev/system-config
    files:
      - inventory/
      - playbooks/remote_puppet_afs.yaml
      - playbooks/group_vars/afs
      - playbooks/group_vars/mirror-update
+      - playbooks/group_vars/puppet
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
      - playbooks/roles/vos-release/
@ -2573,12 +2601,18 @@
    vars:
      playbook_name: remote_puppet_else.yaml
      infra_prod_ansible_forks: 50
+    required-projects:
+      - opendev/ansible-role-puppet
+      - opendev/system-config
    files:
      - hiera/
      - inventory/
      - playbooks/remote_puppet_else.yaml
      - playbooks/group_vars/
      - playbooks/host_vars/
+      - playbooks/group_vars/puppet
+      - playbooks/roles/run-puppet/
+      - playbooks/roles/install-ansible-roles/
      - playbooks/roles/puppet-install/
      - playbooks/roles/disable-puppet-agent/
      - modules/
@ -2591,6 +2625,9 @@
    vars:
      playbook_name: run_cloud_launcher.yaml
      infra_prod_ansible_forks: 1
+    required-projects:
+      - opendev/ansible-role-cloud-launcher
+      - opendev/system-config
    dependencies:
      - name: infra-prod-service-bridge
        soft: true
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@ -28,6 +28,8 @@ groups:
 #  backup-server:
 #    - backup[0-9]*.opendev.org
  cacti: cacti[0-9]*.open*.org
+  cloud-launcher:
+    - bridge.openstack.org
  codesearch:
    - codesearch[0-9]*.open*.org
  control-plane-clouds:
--- a/playbooks/group_vars/cloud-launcher.yaml
+++ b/playbooks/group_vars/cloud-launcher.yaml
@ -0,0 +1,2 @@
+ansible_roles:
+  - cloud-launcher
--- a/playbooks/group_vars/puppet.yaml
+++ b/playbooks/group_vars/puppet.yaml
@ -10,3 +10,5 @@ puppet_color: 'false'
 mgmt_hieradata: /etc/ansible/hosts
 mgmt_puppet_module_dir: /etc/puppet/modules
 puppet_hieradata_link_dest: /opt/system-config/hieradata
+ansible_roles:
+  - puppet
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
@ -1,14 +1,8 @@
- hosts: "afs:afsdb:!disabled"
-  name: "Base: install and configure puppet on puppet hosts"
-  roles:
-    - puppet-install
-    - disable-puppet-agent
-
 - hosts: "afs:afsdb:!disabled"
  name: "AFS: run puppet on the AFS servers"
  strategy: free
  roles:
-    - puppet
+    - run-puppet

 - hosts: "mirror-update:!disabled"
  name: "Create key for remote vos release"
--- a/playbooks/remote_puppet_else.yaml
+++ b/playbooks/remote_puppet_else.yaml
@ -2,6 +2,4 @@
  name: "Puppet-else: run puppet on all other servers"
  strategy: free
  roles:
-    - puppet-install
-    - disable-puppet-agent
-    - puppet
+    - run-puppet
--- a/playbooks/roles/install-ansible-roles/README.rst
+++ b/playbooks/roles/install-ansible-roles/README.rst
@ -0,0 +1 @@
+Install additional Ansible roles from git repos
--- a/playbooks/roles/install-ansible-roles/defaults/main.yaml
+++ b/playbooks/roles/install-ansible-roles/defaults/main.yaml
@ -0,0 +1,4 @@
+# Roles to install from source
+ansible_roles: []
+ansible_role_src_root: /home/zuul
+ansible_role_dest: /etc/ansible/roles
--- a/playbooks/roles/install-ansible-roles/tasks/main.yaml
+++ b/playbooks/roles/install-ansible-roles/tasks/main.yaml
@ -0,0 +1,9 @@
+- name: Install ansible roles to /etc/ansible/roles
+  git:
+    repo: '{{ ansible_role_src_root }}/src/opendev.org/opendev/ansible-role-{{ ansible_role }}'
+    dest: '/etc/ansible/roles/{{ ansible_role }}'
+    force: yes
+  delegate_to: localhost
+  loop: '{{ ansible_roles }}'
+  loop_control:
+    loop_var: ansible_role
--- a/playbooks/roles/install-ansible/tasks/main.yaml
+++ b/playbooks/roles/install-ansible/tasks/main.yaml
@ -111,14 +111,6 @@
    src: roles/
    dest: /etc/ansible/roles

- name: Copy roles.yaml into /etc/ansible
-  copy:
-    src: roles.yaml
-    dest: /etc/ansible/roles.yaml
-
- name: Install ansible roles to /etc/ansible/roles
-  command: ansible-galaxy install --roles-path /etc/ansible/roles --force -r /etc/ansible/roles.yaml
-
 - name: Make sure k8s-on-openstack repo is up to date
  git:
    repo: https://github.com/infraly/k8s-on-openstack
--- a/playbooks/roles/run-puppet/README.rst
+++ b/playbooks/roles/run-puppet/README.rst
@ -0,0 +1,12 @@
+Run puppet on remote servers
+
+Omnibus role that takes care of installing the puppet role,
+installing puppet and then running puppet. Uses include_role
+so that the installation of the puppet role can run as the
+first task, then the puppet role can be used in a following
+task.
+
+.. zuul:rolevar:: manifest
+   :default: manifests/site.pp
+
+   Puppet manifest file to run.
--- a/playbooks/roles/run-puppet/tasks/main.yaml
+++ b/playbooks/roles/run-puppet/tasks/main.yaml
@ -0,0 +1,9 @@
+# Use include_role instead of roles: so that we can late-bind the roles list
+- include_role:
+    name: install-ansible-roles
+- include_role:
+    name: puppet-install
+- include_role:
+    name: disable-puppet-agent
+- include_role:
+    name: puppet
--- a/playbooks/run_cloud_launcher.yaml
+++ b/playbooks/run_cloud_launcher.yaml
@ -1,7 +1,13 @@
- hosts: bridge.openstack.org:!disabled
+- hosts: cloud-launcher:!disabled
  name: "Cloud-launcher: Run cloud launcher"
  gather_facts: false
-  roles:
-    - role: cloud-launcher
-      profiles: '{{ cloud_launcher_profiles }}'
-      clouds: '{{ cloud_launcher_clouds }}'
+  tasks:
+    # Use include_role so that the cloud-launcher role install
+    # is late-binding
+    - include_role:
+        name: install-ansible-roles
+    - include_role:
+        name: cloud-launcher
+      vars:
+        profiles: '{{ cloud_launcher_profiles }}'
+        clouds: '{{ cloud_launcher_clouds }}'
--- a/playbooks/service-codesearch.yaml
+++ b/playbooks/service-codesearch.yaml
@ -3,7 +3,5 @@
  strategy: free
  roles:
    - sync-project-config
-    - puppet-install
-    - disable-puppet-agent
-    - name: puppet
+    - name: run-puppet
      manifest: /opt/system-config/production/manifests/codesearch.pp
--- a/playbooks/service-eavesdrop.yaml
+++ b/playbooks/service-eavesdrop.yaml
@ -6,7 +6,5 @@
    - sync-project-config
    - install-docker
    - accessbot
-    - puppet-install
-    - disable-puppet-agent
-    - name: puppet
+    - name: run-puppet
      manifest: /opt/system-config/production/manifests/eavesdrop.pp
--- a/playbooks/service-nodepool.yaml
+++ b/playbooks/service-nodepool.yaml
@ -14,9 +14,7 @@
    - nodepool-base-legacy
    - configure-openstacksdk
    - configure-kubectl
-    - puppet-install
-    - disable-puppet-agent
-    - puppet
+    - run-puppet

 - hosts: nodepool-launcher:!disabled
  name: "Configure nodepool launchers"
--- a/roles.yaml
+++ b/roles.yaml
@ -1,7 +0,0 @@
---
- src: git+https://opendev.org/opendev/ansible-role-puppet.git
-  version: HEAD
-  name: puppet
- src: git+https://opendev.org/opendev/ansible-role-cloud-launcher.git
-  version: HEAD
-  name: cloud-launcher
				`@ -0,0 +1 @@`
				`Install additional Ansible roles from git repos`