From aa42212e7ed21dd9fb94e40f84d5edb99e125dae Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Wed, 8 Sep 2021 11:11:45 +1000
Subject: [PATCH] infra-prod: split out setup steps

This should be a production no-op; it splits the key and source setup
into a separate playbooks, but imports them both in pre.yaml in the
same order.

Currently this job sets up the executor so that it can log into bridge
to run the playbooks, then clones the system-config state into
/home/zuul/src/opendev.org/opendev/system-config on bridge.

This presents a problem for parallel operation; every production job
will overwrite each other's system-config checkout.  This is
unnecessary since they are all working in the context of the same
buildset -- we only need to populate system-config on bridge once at
the start and all deployment jobs can share that checkout.

Thus we add two extra jobs to split up the operation of the existing
opendev-infra-prod-base job.

 opendev-infra-prod-setup-src sets up the keys so the executor can log
  into bridge and also replicates the state of system-config onto
  bridge for this buildset.  This is intended to run once per buildset.

 opendev-infra-prod-setup-keys just sets up the keys so that the
  executor can run production playbooks.  It is intended that
  opendev-infra-prod-setup-src will have already run to put the
  correct changeset of system-config on bridge.o.o.  This way,
  production jobs can run in parallel all using the same copy of the
  source without overwriting it.

These are used in https://review.opendev.org/c/opendev/system-config/+/807808

(This will eventually leave opendev-infra-prod-base unused, it can be
cleaned up in a follow-on)

Change-Id: I1bbf4f1402938216401dd924da62aa869a08875b
---
 doc/source/misc-jobs.rst               |  2 +
 playbooks/infra-prod/pre.yaml          | 62 ++------------------------
 playbooks/infra-prod/setup-keys.yaml   | 18 ++++++++
 playbooks/infra-prod/setup-source.yaml | 39 ++++++++++++++++
 zuul.d/jobs.yaml                       | 20 +++++++++
 5 files changed, 83 insertions(+), 58 deletions(-)
 create mode 100644 playbooks/infra-prod/setup-keys.yaml
 create mode 100644 playbooks/infra-prod/setup-source.yaml

diff --git a/doc/source/misc-jobs.rst b/doc/source/misc-jobs.rst
index 1070998..7b51cf5 100644
--- a/doc/source/misc-jobs.rst
+++ b/doc/source/misc-jobs.rst
@@ -15,3 +15,5 @@ Specialized Jobs
 These jobs are not for general use.
 
 .. zuul:autojob:: opendev-infra-prod-base
+.. zuul:autojob:: opendev-infra-prod-setup-src
+.. zuul:autojob:: opendev-infra-prod-setup-keys
diff --git a/playbooks/infra-prod/pre.yaml b/playbooks/infra-prod/pre.yaml
index 01a85b1..79d4660 100644
--- a/playbooks/infra-prod/pre.yaml
+++ b/playbooks/infra-prod/pre.yaml
@@ -1,59 +1,5 @@
-- hosts: localhost
-  tasks:
-    - name: Add bridge.o.o to inventory
-      add_host:
-        name: bridge.openstack.org
-        ansible_python_interpreter: python3
-        ansible_user: zuul
-        # Without setting ansible_host directly, mirror-workspace-git-repos
-        # gets sad because if delegate_to localhost and with add_host that
-        # ends up with ansible_host being localhost.
-        ansible_host: bridge.openstack.org
-        ansible_port: 22
+- name: Setup keys
+  import_playbook: setup-keys.yaml
 
-- hosts: localhost
-  tasks:
-    - name: Add bridge.o.o hostkey to known hosts
-      known_hosts:
-        name: bridge.openstack.org
-        key: "bridge.openstack.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxRzDkWvvVQtsLTAqAwedRWA84/42KKVdFS0QP8lZFsMpgTXUhjipJ7VcFun5gM87tnt0J71rlN+ospBh0/1wfp2jASEskUyGhXAa5xHjnJN7veUyW+AggEosK/OTunvZgf54p1sQg45Sq/uCjc0Ua0fRMOq2o5z/mgpl6rSjLOlWi9wKA/6axnUbs9w4iD5esyBQ+VcISSJOTqhAo/3UG0NwCU+6Ggwwhg0nl5iCMpQfq4A207IbJ72MkJzlQgW3edsRb5POzdZcGxkTYvVdP3kgHP4Bof3MFFZjBUMz6SuRQyNV5poysMtbtlO0SvgAJNhXr6Vn0GA9XhqFP6+HT"
-
-- hosts: bridge.openstack.org
-  tasks:
-    - name: "Make sure a manaul maint isn't going on"
-      wait_for:
-        path: /home/zuul/DISABLE-ANSIBLE
-        state: absent
-        sleep: 10
-        timeout: 3600 # Wait for an hour before bailing
-
-    - name: "Correct ownership of repos"
-      command: "chown -R zuul:zuul /home/zuul/src"
-      # E303: Skip linting since it triggers on the "chown" command,
-      # but we prefer the shell above
-      tags:
-        - skip_ansible_lint
-      # Ignore the error if the dir doesn't exist
-      ignore_errors: true
-      # Do this as root, because it needs to chown root-owned files
-      become: true
-
-    # This role executes code on the executor, so this needs to be in
-    # a trusted playbook.
-    - name: Synchronize src repos to workspace directory.
-      include_role:
-        name: prepare-workspace-git
-
-    # When running from periodic/hourly we want to explicitly override
-    # to run from the tip of master
-    - name: Should we run from master
-      set_fact:
-        infra_prod_run_from_master: "{{ zuul.pipeline|default('') in ['periodic', 'opendev-prod-hourly'] }}"
-
-    - name: Update from master
-      when: infra_prod_run_from_master|bool
-      git:
-        repo: https://opendev.org/opendev/system-config
-        dest: /home/zuul/src/opendev.org/opendev/system-config
-        force: yes
-        version: master
+- name: Setup source
+  import_playbook: setup-source.yaml
diff --git a/playbooks/infra-prod/setup-keys.yaml b/playbooks/infra-prod/setup-keys.yaml
new file mode 100644
index 0000000..50c8c6d
--- /dev/null
+++ b/playbooks/infra-prod/setup-keys.yaml
@@ -0,0 +1,18 @@
+- hosts: localhost
+  tasks:
+    - name: Add bridge.o.o to inventory
+      add_host:
+        name: bridge.openstack.org
+        ansible_python_interpreter: python3
+        ansible_user: zuul
+        # Without setting ansible_host directly, mirror-workspace-git-repos
+        # gets sad because if delegate_to localhost and with add_host that
+        # ends up with ansible_host being localhost.
+        ansible_host: bridge.openstack.org
+        ansible_port: 22
+
+    - name: Add bridge.o.o hostkey to known hosts
+      known_hosts:
+        name: bridge.openstack.org
+        key: "bridge.openstack.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxRzDkWvvVQtsLTAqAwedRWA84/42KKVdFS0QP8lZFsMpgTXUhjipJ7VcFun5gM87tnt0J71rlN+ospBh0/1wfp2jASEskUyGhXAa5xHjnJN7veUyW+AggEosK/OTunvZgf54p1sQg45Sq/uCjc0Ua0fRMOq2o5z/mgpl6rSjLOlWi9wKA/6axnUbs9w4iD5esyBQ+VcISSJOTqhAo/3UG0NwCU+6Ggwwhg0nl5iCMpQfq4A207IbJ72MkJzlQgW3edsRb5POzdZcGxkTYvVdP3kgHP4Bof3MFFZjBUMz6SuRQyNV5poysMtbtlO0SvgAJNhXr6Vn0GA9XhqFP6+HT"
+
diff --git a/playbooks/infra-prod/setup-source.yaml b/playbooks/infra-prod/setup-source.yaml
new file mode 100644
index 0000000..92391a4
--- /dev/null
+++ b/playbooks/infra-prod/setup-source.yaml
@@ -0,0 +1,39 @@
+- hosts: bridge.openstack.org
+  tasks:
+    - name: "Make sure a manual maintenance isn't going on"
+      wait_for:
+        path: /home/zuul/DISABLE-ANSIBLE
+        state: absent
+        sleep: 10
+        timeout: 3600 # Wait for an hour before bailing
+
+    - name: "Correct ownership of repos"
+      command: "chown -R zuul:zuul /home/zuul/src"
+      # E303: Skip linting since it triggers on the "chown" command,
+      # but we prefer the shell above
+      tags:
+        - skip_ansible_lint
+      # Ignore the error if the dir doesn't exist
+      ignore_errors: true
+      # Do this as root, because it needs to chown root-owned files
+      become: true
+
+    # This role executes code on the executor, so this needs to be in
+    # a trusted playbook.
+    - name: Synchronize src repos to workspace directory.
+      include_role:
+        name: prepare-workspace-git
+
+    # When running from periodic/hourly we want to explicitly override
+    # to run from the tip of master
+    - name: Should we run from master
+      set_fact:
+        infra_prod_run_from_master: "{{ zuul.pipeline|default('') in ['periodic', 'opendev-prod-hourly'] }}"
+
+    - name: Update from master
+      when: infra_prod_run_from_master|bool
+      git:
+        repo: https://opendev.org/opendev/system-config
+        dest: /home/zuul/src/opendev.org/opendev/system-config
+        force: yes
+        version: master
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 04e7c46..88a88fd 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -600,3 +600,23 @@
       This is not for general use.
     abstract: true
     pre-run: playbooks/infra-prod/pre.yaml
+
+- job:
+    name: opendev-infra-prod-setup-src
+    description: |
+      A base job for replicating source to OpenDev's bridge.
+
+      This is not for general use.
+    abstract: true
+    pre-run:
+      - playbooks/infra-prod/setup-keys.yaml
+      - playbooks/infra-prod/setup-src.yaml
+
+- job:
+    name: opendev-infra-prod-setup-keys
+    description: |
+      A base job for allowing executors to log into OpenDev's bridge.
+
+      This is not for general use.
+    abstract: true
+    pre-run: playbooks/infra-prod/setup-keys.yaml