Convert production playbooks to bastion host group

Following-on from Iffb462371939989b03e5d6ac6c5df63aa7708513, instead
of directly referring to a hostname when adding the bastion host to
the inventory for the production playbooks, this finds it from the
first element of the "bastion" group.

As we do this twice for the run and post playbooks, abstract it into a
role.

The host value is currently "bridge.openstack.org" -- as is the
existing hard-coding -- thus this is intended to be a no-op change.
It is setting the foundation to make replacing the bastion host a
simpler process in the future.

Change-Id: I286796ebd71173019a627f8fe8d9a25d0bfc575a
changes/86/858486/11
Ian Wienand 5 months ago
parent 04a129c328
commit 51611845d4
No known key found for this signature in database

@ -0,0 +1,4 @@
Add the bastion host to the inventory dynamically
For roles that run on the bastion host, it should be added to the
inventory dynamically by the production jobs.
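Review bot: The README text does not state the role's one prerequisite: the tasks read the hostname from the first entry of an existing "bastion" group. Suggest adding a sentence saying that the group must already be defined and that only its first member is used, so callers know what to set up before including the role.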

@ -0,0 +1,21 @@
- name: Get the bastion hostname
set_fact:
_bastion_hostname: '{{ groups["bastion"][0] }}'
- name: Show bastion details
debug:
msg: "Bastion host is {{ _bastion_hostname }}"
- name: Add bastion host to inventory for playbook
add_host:
name: '{{ _bastion_hostname }}'
groups: 'bastion'
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: '{{ _bastion_hostname }}'
ansible_port: 22
# Port 19885 is firewalled
zuul_console_disabled: true
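Review bot: There is no check in the "Get the bastion hostname" task that the "bastion" group exists and is non-empty; `groups["bastion"][0]` will fail with a templating error that does not say what is misconfigured. Suggest a preceding assert that `groups["bastion"]` is defined and has at least one member (or exactly one, if more than one bastion is never expected), with a fail_msg naming the group. Since this value decides which host the production playbooks run on, failing early with a clear message is preferable to a confusing error in set_fact.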

@ -1,19 +1,8 @@
- hosts: localhost
tasks:
- name: Add bridge.o.o to inventory for playbook
add_host:
name: bridge.openstack.org
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: bridge.openstack.org
ansible_port: 22
# Port 19885 is frewalled
zuul_console_disabled: true
roles:
- add-bastion-host
- hosts: bridge.openstack.org
- hosts: bastion[0]
tasks:
- name: Encrypt log
when: infra_prod_playbook_encrypt_log|default(False)
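Review bot: The play header `- hosts: bastion[0]` repeats the "first member of bastion" selection that the add-bastion-host role already makes with `groups["bastion"][0]`, so the same choice now lives in two places. They agree today, but a later change to how the role picks the host would silently leave this pattern behind. Suggest a short comment on the `hosts:` line noting that it must match the role's selection, or having the play reference the value the role computed.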
@ -62,7 +51,7 @@
state: absent
when: _encrypt_tempdir is defined
# Not using normal zuul job roles as bridge.openstack.org is not a
# Not using normal zuul job roles as the bastion host is not a
# test node with all the normal bits in place.
- name: Collect log output
synchronize:

@ -1,19 +1,8 @@
- hosts: localhost
tasks:
- name: Add bridge.o.o to inventory for playbook
add_host:
name: bridge.openstack.org
ansible_python_interpreter: python3
ansible_user: zuul
# Without setting ansible_host directly, mirror-workspace-git-repos
# gets sad because if delegate_to localhost and with add_host that
# ends up with ansible_host being localhost.
ansible_host: bridge.openstack.org
ansible_port: 22
# Port 19885 is firewalled
zuul_console_disabled: true
roles:
- add-bastion-host
- hosts: bridge.openstack.org
- hosts: bastion[0]
tasks:
- name: Run the production playbook and capture logs
block:
@ -27,7 +16,7 @@
become: yes
shell: 'echo "Running {{ _log_timestamp }}: ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }}" > /var/log/ansible/{{ playbook_name }}.log'
- name: Run specified playbook on bridge.o.o and redirect output
- name: Run specified playbook on bastion host and redirect output
become: yes
shell: 'ansible-playbook -v -f {{ infra_prod_ansible_forks }} /home/zuul/src/opendev.org/opendev/system-config/playbooks/{{ playbook_name }} >> /var/log/ansible/{{ playbook_name }}.log'
register: _run

@ -17,7 +17,7 @@
CD deployment of our infrastructure. Set playbook_name to
specify the playbook relative to
/home/zuul/src/opendev.org/opendev/system-config/playbooks
on bridge.openstack.org.
on the bastion host.
abstract: true
semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml
