opendev/system-config
Code Issues Proposed changes

Merge "Bootstrap-bridge as top-level job"

Browse Source
This commit is contained in:
Zuul 2025-03-05 16:46:19 +00:00 committed by Gerrit Code Review
commit a5bed9208c
3 changed files with 66 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
playbooks/zuul/run-production-bootstrap-bridge.yaml
View File

@ -3,3 +3,9 @@
- add-bastion-host - add-bastion-host
- import_playbook: ../bootstrap-bridge.yaml - import_playbook: ../bootstrap-bridge.yaml
- name: Wait for child jobs
zuul_return:
data:
zuul:
pause: true

93
zuul.d/infra-prod.yaml
View File

@ -2,14 +2,59 @@
# in projects.yaml because it's easier to keep an overall view of # in projects.yaml because it's easier to keep an overall view of
# what's happening in there. # what's happening in there.
# Make sure only one run of a system-config playbook happens at a time # Make sure only one run happens at a time. The deploy pipeline
# should keep things in order, but this is to stop perodic jobs
# jumping in.
- semaphore: - semaphore:
name: infra-prod-playbook name: infra-prod-deployment
max: 1
# This semaphore limits the total number of production playbook
# jobs that can run on bridge at one time. We want things to run in
# parallel but we have a lot of jobs (particularly in the periodic
# pipeline) that we don't want to run all at once.
- semaphore:
name: infra-prod-playbook-limit
# TODO(clarkb) this semaphore allows us to stage the rollout of
# parallel infra-prod job exceution in two steps. First we reorganize
# everything but roughly keep the same behaviors as before (max: 1).
# When we are happy with that we can bump this to 2 or higher and see
# things run in parallel.
max: 1 max: 1
- job:
name: infra-prod-bootstrap-bridge
parent: opendev-infra-prod-setup-src
semaphores: infra-prod-deployment
description: |
Configure the bastion host (bridge)
This job does minimal configuration on the bastion host
(bridge.openstack.org) to allow it to run system-config
playbooks against our production hosts. It sets up Ansible
and root keys on the host. It also synchronizes the
system-config repo from the executor to the bastion.
Note that this is separate to infra-prod-service-bridge;
bridge in it's role as the bastion host actaully runs that
against itself; it includes things not strictly needed to make
the host able to deploy system-config.
This job is the parent of all deployment jobs, and will pause
until they finish. This prevents conflicts between deployment
jobs from changes and periodic runs (which use HEAD of
master).
run: playbooks/zuul/run-production-bootstrap-bridge.yaml
# Do not set file matchers on this job. We must always run this job
# before any other infra-prod jobs to ensure system-config is up to
# date on bridge before we run our playbooks.
nodeset:
nodes: []
- job: - job:
name: infra-prod-playbook name: infra-prod-playbook
parent: opendev-infra-prod-base parent: opendev-infra-prod-setup-keys
semaphores: infra-prod-playbook-limit
description: | description: |
Run specified playbook against productions hosts. Run specified playbook against productions hosts.
@ -19,7 +64,6 @@
/home/zuul/src/opendev.org/opendev/system-config/playbooks /home/zuul/src/opendev.org/opendev/system-config/playbooks
on the bastion host. on the bastion host.
abstract: true abstract: true
semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml run: playbooks/zuul/run-production-playbook.yaml
post-run: playbooks/zuul/run-production-playbook-post.yaml post-run: playbooks/zuul/run-production-playbook-post.yaml
required-projects: required-projects:
@ -30,41 +74,12 @@
infra_prod_playbook_encrypt_log: true infra_prod_playbook_encrypt_log: true
nodeset: nodeset:
nodes: [] nodes: []
dependencies:
- job: - name: infra-prod-bootstrap-bridge
name: infra-prod-bootstrap-bridge # This is a hard dependency because we require the bootstrap job to
parent: opendev-infra-prod-setup-src # have run before we start any playbook jobs, otherwise our buildset
description: | # would not hold the bridge semaphore and we may not have the correct
Configure the bastion host (bridge) # system-config state on bridge.
This job does minimal configuration on the bastion host
(bridge.openstack.org) to allow it to run system-config
playbooks against our production hosts. It sets up Ansible
and root keys on the host. It also synchronizes the system-config
repo from the executor to the bastion. This is necessary to
emit an up to date known_hosts file when adding new hosts to
the inventory.
Note that this is separate to infra-prod-service-bridge;
bridge in it's role as the bastion host actaully runs that
against itself; it includes things not strictly needed to make
the host able to deploy system-config.
# While we don't run the infra-prod-playbook in this job we do run
# system-config git repo updates. Until we're ready to stop running
# system-config updates in every job we use this semaphore to ensure
# exclusivity.
semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-bootstrap-bridge.yaml
files:
- playbooks/bootstrap-bridge.yaml
- playbooks/zuul/run-production-bootstrap-bridge.yaml
- playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
- playbooks/roles/install-ansible/
- playbooks/roles/root-keys/
- inventory/base/hosts.yaml
- inventory/service/group_vars/bastion.yaml
nodeset:
nodes: []
- job: - job:
name: infra-prod-base name: infra-prod-base

12
zuul.d/project.yaml
View File

@ -340,7 +340,10 @@
# NOTE: infra-prod-* jobs have a hierarchy below that ensure # NOTE: infra-prod-* jobs have a hierarchy below that ensure
# they can run in parallel. We are deliberately keeping their # they can run in parallel. We are deliberately keeping their
# dependencies here rather than job definitions to help keep # dependencies here rather than job definitions to help keep
# these relationships clear. # these relationships clear. The one exception to this is the
# base infra-prod-playbook job depends on infra-prod-bootstrap-bridge.
# We make this exception because it is vital that bootstrap-bridge
# run before everything else always.
# This installs the ansible on bridge that all the infra-prod # This installs the ansible on bridge that all the infra-prod
# jobs will run with. Note the jobs use this ansible to then # jobs will run with. Note the jobs use this ansible to then
@ -348,10 +351,7 @@
- infra-prod-bootstrap-bridge - infra-prod-bootstrap-bridge
# From now on, all jobs should depend on base # From now on, all jobs should depend on base
- infra-prod-base: &infra-prod-base - infra-prod-base
dependencies:
- name: infra-prod-bootstrap-bridge
soft: true
# Legacy puppet hosts # Legacy puppet hosts
- infra-prod-remote-puppet-else: &infra-prod-remote-puppet-else - infra-prod-remote-puppet-else: &infra-prod-remote-puppet-else
@ -635,7 +635,7 @@
# Nightly runs of ansible things for catchup # Nightly runs of ansible things for catchup
# Keep in order from above # Keep in order from above
- infra-prod-bootstrap-bridge - infra-prod-bootstrap-bridge
- infra-prod-base: *infra-prod-base - infra-prod-base
- infra-prod-remote-puppet-else: *infra-prod-remote-puppet-else - infra-prod-remote-puppet-else: *infra-prod-remote-puppet-else
- infra-prod-letsencrypt: *infra-prod-letsencrypt - infra-prod-letsencrypt: *infra-prod-letsencrypt
- infra-prod-service-bridge: *infra-prod-service-bridge - infra-prod-service-bridge: *infra-prod-service-bridge