opendev/system-config
Code Issues Proposed changes
system-config/zuul.d/infra-prod.yaml
Clark Boylan 820bd2775a Reparent the bootstrap-bridge job onto a job that sets up git repos 
A while back there was a big refactor where initial infra-prod setup was
updated to differentiate between parent jobs that configure bridge
within zuul then update source repos on bridge and those that only
configure bridge within zuul. The idea being we could have a single job
update git on bridge then allow many ansible playbooks for service setup
to run concurrently.

As part of this refactor the infra-prod-bootstrap-bridge got parented
to the only set up bridge in the executor job which is a problem because
bootstrap-bridge configures known_hosts on bridge which requires up to
date git repos. Correct this mistake by reparenting to the job that does
both things.

This results in a rough job dependency heirarchy that looks like this:

  infra-prod-bootstrap-bridge
    ^
    |
  infra-prod-base
    ^
    |
  infra-prod-letsencrypt | infra-prod-service-that-doesnt-le
    ^
    |
  infra-prod-service-that-does-le

Eventually we should be able to convert everything but
infra-prod-bootstrap-bridge to use the executor setup only variant of
the parent job. That would optimize the amount of git repo setup we are
doing.

To ensure the switch in this change is safe and avoids multiple jobs
attempting to update git repos at the same time we update dependencies
for the zuul-db, zuul-lb, and gitea-lb jobs as they weren't depending on
infra-prod-base previously. They probably should depend on
infra-prod-base anyway as that ensures users, packages, and firewalls
are up to date for example.

Finally, for extra belts and suspenders to avoid multiple simultaneous
synchronizations of the system-config repo we apply the
infra-prod-playbook semaphore to the bootstrap-bridge job. Eventually
this should get cleaned up if we start allowing concurrent ansible runs.

Change-Id: If18c109ed177b34efde00b1097ce0a1d7a4906e2
2025-02-21 08:55:48 -08:00

689 lines
21 KiB
YAML
Raw Blame History

# NOTE: job dependencies keep this running in parallel and are defined
# in projects.yaml because it's easier to keep an overall view of
# what's happening in there.
# Make sure only one run of a system-config playbook happens at a time
- semaphore:
name: infra-prod-playbook
max: 1
- job:
name: infra-prod-playbook
parent: opendev-infra-prod-base
description: |
Run specified playbook against productions hosts.
This is a parent job designed to be inherited to enabled
CD deployment of our infrastructure. Set playbook_name to
specify the playbook relative to
/home/zuul/src/opendev.org/opendev/system-config/playbooks
on the bastion host.
abstract: true
semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-playbook.yaml
post-run: playbooks/zuul/run-production-playbook-post.yaml
required-projects:
- opendev/system-config
vars:
infra_prod_ansible_forks: 10
infra_prod_playbook_collect_log: false
infra_prod_playbook_encrypt_log: true
nodeset:
nodes: []
- job:
name: infra-prod-bootstrap-bridge
parent: opendev-infra-prod-setup-src
description: |
Configure the bastion host (bridge)
This job does minimal configuration on the bastion host
(bridge.openstack.org) to allow it to run system-config
playbooks against our production hosts. It sets up Ansible
and root keys on the host. It also synchronizes the system-config
repo from the executor to the bastion. This is necessary to
emit an up to date known_hosts file when adding new hosts to
the inventory.
Note that this is separate to infra-prod-service-bridge;
bridge in it's role as the bastion host actaully runs that
against itself; it includes things not strictly needed to make
the host able to deploy system-config.
# While we don't run the infra-prod-playbook in this job we do run
# system-config git repo updates. Until we're ready to stop running
# system-config updates in every job we use this semaphore to ensure
# exclusivity.
semaphores: infra-prod-playbook
run: playbooks/zuul/run-production-bootstrap-bridge.yaml
files:
- playbooks/bootstrap-bridge.yaml
- playbooks/zuul/run-production-bootstrap-bridge.yaml
- playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
- playbooks/roles/install-ansible/
- playbooks/roles/root-keys/
- inventory/base/hosts.yaml
- inventory/service/group_vars/bastion.yaml
nodeset:
nodes: []
- job:
name: infra-prod-base
parent: infra-prod-playbook
description: Run the base playbook everywhere.
vars:
playbook_name: base.yaml
infra_prod_ansible_forks: 50
files:
- inventory/
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/base.yaml
- playbooks/roles/base/
- job:
name: infra-prod-letsencrypt
parent: infra-prod-playbook
description: Run letsencrypt.yaml playbook.
vars:
playbook_name: letsencrypt.yaml
files:
- inventory/
- playbooks/letsencrypt.yaml
# Any touching of host_vars or group_vars can substantively
# change the certs we're doing, so be greedy here.
- inventory/service/host_vars/
- inventory/service/group_vars/
- playbooks/roles/letsencrypt
- playbooks/roles/logrotate/
- job:
name: infra-prod-manage-projects
parent: infra-prod-playbook
timeout: 4800
description: |
Create and update projects in gerrit and gitea.
allowed-projects:
- opendev/system-config
- openstack/project-config
required-projects:
- opendev/system-config
- openstack/project-config
vars:
playbook_name: manage-projects.yaml
infra_prod_ansible_forks: 10
infra_prod_playbook_collect_log: true
- job:
name: infra-prod-service-base
parent: infra-prod-playbook
description: Base job for most service playbooks.
abstract: true
- job:
name: infra-prod-service-bridge
parent: infra-prod-service-base
description: Run service-bridge.yaml playbook.
vars:
playbook_name: service-bridge.yaml
files:
- inventory/base
- playbooks/service-bridge.yaml
- inventory/service/group_vars/bastion.yaml
- playbooks/roles/logrotate/
- playbooks/roles/edit-secrets-script/
- playbooks/roles/install-kubectl/
- playbooks/roles/iptables/
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/templates/clouds/bridge_all_clouds.yaml.j2
- job:
name: infra-prod-service-gitea-lb
parent: infra-prod-service-base
description: Run service-gitea-lb.yaml playbook.
vars:
playbook_name: service-gitea-lb.yaml
files:
- inventory/base
- playbooks/service-gitea-lb.yaml
- inventory/service/group_vars/gitea-lb.yaml
- playbooks/roles/pip3/
- playbooks/roles/iptables/
- playbooks/roles/install-docker/
- playbooks/roles/haproxy/
- job:
name: infra-prod-service-nameserver
parent: infra-prod-service-base
description: Run service-nameserver.yaml playbook.
vars:
playbook_name: service-nameserver.yaml
files:
- inventory/base
- playbooks/service-nameserver.yaml
- inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-nodepool
parent: infra-prod-service-base
description: Run service-nodepool.yaml playbook.
vars:
playbook_name: service-nodepool.yaml
required-projects:
- opendev/system-config
- openstack/project-config
files:
- inventory/base
- playbooks/service-nodepool.yaml
- inventory/service/host_vars/nb
- inventory/service/host_vars/nl
- inventory/service/group_vars/nodepool
- playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/nodepool
- playbooks/templates/clouds/nodepool_
- job:
name: infra-prod-service-etherpad
parent: infra-prod-service-base
description: Run service-etherpad.yaml playbook.
vars:
playbook_name: service-etherpad.yaml
files:
- inventory/base
- playbooks/service-etherpad.yaml
- inventory/service/group_vars/etherpad.yaml
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/etherpad
- playbooks/roles/logrotate
- playbooks/roles/iptables/
- docker/etherpad/
- job:
name: infra-prod-service-keycloak
parent: infra-prod-service-base
description: Run service-keycloak.yaml playbook.
vars:
playbook_name: service-keycloak.yaml
files:
- inventory/base
- playbooks/service-keycloak.yaml
- inventory/service/group_vars/keycloak.yaml
- playbooks/roles/keycloak/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-meetpad
parent: infra-prod-service-base
description: Run service-meetpad.yaml playbook.
vars:
playbook_name: service-meetpad.yaml
files:
- inventory/base
- playbooks/service-meetpad.yaml
- inventory/service/host_vars/meetpad01.opendev.org.yaml
- inventory/service/group_vars/meetpad.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/jitsi-meet/
- job:
name: infra-prod-service-mirror-update
parent: infra-prod-service-base
description: Run service-mirror-update.yaml playbook.
vars:
playbook_name: service-mirror-update.yaml
files:
- inventory/base
- inventory/service/group_vars/mirror.yaml
- inventory/service/host_vars/mirror
- playbooks/service-mirror-update.yaml
- playbooks/roles/mirror-update/
- playbooks/roles/reprepro/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- roles/kerberos-client/
- roles/openafs-client/
- job:
name: infra-prod-service-mirror
parent: infra-prod-service-base
description: Run service-mirror.yaml playbook.
vars:
playbook_name: service-mirror.yaml
files:
- inventory/base
- playbooks/service-mirror.yaml
- inventory/service/host_vars/mirror
- inventory/service/group_vars/mirror.yaml
- playbooks/roles/mirror/
- playbooks/roles/afs-release/
- playbooks/roles/afsmon/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- roles/openafs-client/
- job:
name: infra-prod-service-paste
parent: infra-prod-service-base
description: Run service-paste.yaml playbook.
vars:
playbook_name: service-paste.yaml
files:
- inventory/base
- playbooks/service-paste.yaml
- inventory/service/group_vars/paste.yaml
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/lodgeit/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-static
parent: infra-prod-service-base
description: Run service-static.yaml playbook.
vars:
playbook_name: service-static.yaml
files:
- inventory/base
- playbooks/service-static.yaml
- inventory/service/group_vars/static.yaml
- playbooks/roles/apache-ua-filter/
- playbooks/roles/iptables/
- playbooks/roles/static/
- playbooks/roles/zuul-user/
- roles/openafs-client/
- job:
name: infra-prod-service-tracing
parent: infra-prod-service-base
description: Run service-tracing.yaml playbook.
vars:
playbook_name: service-tracing.yaml
files:
- inventory/base
- playbooks/service-tracing.yaml
- inventory/service/group_vars/tracing.yaml
- playbooks/roles/jaeger/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-borg-backup
parent: infra-prod-service-base
description: Run service-borg-backup.yaml playbook.
vars:
playbook_name: service-borg-backup.yaml
files:
- inventory/base
- inventory/service/groups.yaml
- inventory/service/host_vars/backup02.ca-ymq-1.vexxhost.opendev.org.yaml
- inventory/service/host_vars/backup01.ord.rax.opendev.org.yaml
- inventory/service/group_vars/borg-backup.yaml
- inventory/service/group_vars/borg-backup-server.yaml
- playbooks/service-borg-backup.yaml
- playbooks/roles/install-borg/
- playbooks/roles/borg-backup/
- playbooks/roles/borg-backup-server/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-registry
parent: infra-prod-service-base
description: Run service-registry.yaml playbook.
vars:
playbook_name: service-registry.yaml
files:
- inventory/base
- playbooks/service-registry.yaml
- inventory/service/group_vars/registry.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/registry/
- job:
name: infra-prod-service-zuul-preview
parent: infra-prod-service-base
description: Run service-zuul-preview.yaml playbook.
vars:
playbook_name: service-zuul-preview.yaml
files:
- inventory/base
- playbooks/service-zuul-preview.yaml
- inventory/service/group_vars/zuul-preview.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zuul-preview/
- job:
name: infra-prod-service-zookeeper
parent: infra-prod-service-base
description: Run service-zookeeper.yaml playbook.
vars:
playbook_name: service-zookeeper.yaml
files:
- inventory/base
- inventory/service/group_vars/zookeeper.yaml
- ^inventory/service/host_vars/zk\d+\..*
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- job:
name: infra-prod-service-zuul
parent: infra-prod-service-base
description: |
Run service-zuul.yaml playbook.
This configures the main Zuul cluster. It will perform a
smart-reconfigure of the scheduler if the tenant configuration
is changed.
vars:
playbook_name: service-zuul.yaml
files:
- inventory/base
- playbooks/service-zuul.yaml
- inventory/service/group_vars/zuul
- inventory/service/group_vars/zookeeper.yaml
- inventory/service/host_vars/zk\d+
- inventory/service/host_vars/zuul\d+.opendev.org
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/
- playbooks/roles/zuul
- roles/kerberos-client/
- roles/openafs-client/
- job:
name: infra-prod-service-zuul-db
parent: infra-prod-service-base
description: Run service-zuul-db.yaml playbook.
vars:
playbook_name: service-zuul-db.yaml
files:
- inventory/base
- playbooks/service-zuul-db.yaml
- inventory/service/group_vars/zuul-db.yaml
- playbooks/roles/iptables/
- playbooks/roles/install-docker/
- playbooks/roles/mariadb/
- job:
name: infra-prod-service-zuul-lb
parent: infra-prod-service-base
description: Run service-zuul-lb.yaml playbook.
vars:
playbook_name: service-zuul-lb.yaml
files:
- inventory/base
- playbooks/service-zuul-lb.yaml
- inventory/service/group_vars/zuul-lb.yaml
- playbooks/roles/pip3/
- playbooks/roles/iptables/
- playbooks/roles/install-docker/
- playbooks/roles/haproxy/
- job:
name: infra-prod-service-review
parent: infra-prod-service-base
description: Run service-review.yaml playbook.
vars:
playbook_name: service-review.yaml
files:
- inventory/base
- playbooks/service-review.yaml
- inventory/service/group_vars/review.yaml
- inventory/service/host_vars/review02.opendev.org.yaml
- playbooks/roles/pip3/
- playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/
- zuul.d/docker-images/gerrit.yaml
- job:
name: infra-prod-service-refstack
parent: infra-prod-service-base
description: Run service-refstack.yaml playbook.
vars:
playbook_name: service-refstack.yaml
files:
- inventory/base
- playbooks/service-refstack.yaml
- inventory/service/group_vars/refstack.yaml
- inventory/service/host_vars/refstack[0-9][0-9]
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/refstack/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- docker/refstack
- docker/python-base/
- job:
name: infra-prod-service-gitea
parent: infra-prod-service-base
description: Run service-gitea.yaml playbook.
vars:
playbook_name: service-gitea.yaml
files:
- inventory/base
- playbooks/service-gitea.yaml
- inventory/service/group_vars/gitea.yaml
- inventory/service/host_vars/gitea[0-9][0-9]
- playbooks/roles/apache-ua-filter/
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/gitea/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/
- docker/gitea/
- docker/gitea-init/
- docker/jinja-init/
- docker/python-base/
- job:
name: infra-prod-service-eavesdrop
parent: infra-prod-service-base
description: Run service-eavesdrop.yaml playbook.
required-projects:
- opendev/system-config
- openstack/project-config
vars:
playbook_name: service-eavesdrop.yaml
files: &infra_prod_eavesdrop_files
- inventory/base
- playbooks/service-eavesdrop.yaml
- playbooks/run-accessbot.yaml
- inventory/service/group_vars/eavesdrop.yaml
- playbooks/roles/install-docker
- playbooks/roles/iptables/
- playbooks/roles/accessbot
- playbooks/roles/limnoria
- playbooks/roles/ptgbot
- playbooks/roles/statusbot
- playbooks/roles/logrotate
- playbooks/roles/matrix-eavesdrop
- playbooks/roles/matrix-gerritbot
- playbooks/zuul/templates/group_vars/eavesdrop.yaml.j2
- docker/accessbot/
- docker/ircbot
- docker/matrix-eavesdrop
- job:
name: infra-prod-run-accessbot
parent: infra-prod-service-base
description: Run run-accessbot.yaml playbook.
required-projects:
- opendev/system-config
- openstack/project-config
vars:
playbook_name: run-accessbot.yaml
files:
- accessbot/channels.yaml
- playbooks/run-accessbot.yaml
- playbooks/roles/accessbot
- docker/accessbot/
- job:
name: infra-prod-service-codesearch
parent: infra-prod-service-base
description: Run service-codesearch.yaml playbook.
vars:
playbook_name: service-codesearch.yaml
files:
- docker/hound/
- inventory/base
- playbooks/service-codesearch.yaml
- inventory/service/host_vars/codesearch02.opendev.yaml
- inventory/service/group_vars/codesearch
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/codesearch
- playbooks/roles/logrotate
- playbooks/roles/iptables
- job:
name: infra-prod-service-grafana
parent: infra-prod-service-base
description: Run service-grafana.yaml playbook.
vars:
playbook_name: service-grafana.yaml
files:
- inventory/base
- playbooks/service-grafana.yaml
- inventory/service/host_vars/grafana02.org.yaml
- inventory/service/group_vars/grafana
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/grafana
- playbooks/roles/logrotate
- playbooks/roles/iptables/
- job:
name: infra-prod-service-graphite
parent: infra-prod-service-base
description: Run service-graphite.yaml playbook.
vars:
playbook_name: service-graphite.yaml
files:
- inventory/base
- playbooks/service-graphite.yaml
- inventory/service/host_vars/graphite02.opendev.org.yaml
- inventory/service/group_vars/graphite
- playbooks/roles/install-docker/
- playbooks/roles/pip3/
- playbooks/roles/graphite/
- playbooks/roles/iptables/
- job:
name: infra-prod-service-lists3
parent: infra-prod-service-base
description: Run service-lists3.yaml playbook.
vars:
playbook_name: service-lists3.yaml
files:
- docker/mailman
- inventory/base
- inventory/service/group_vars/mailman3.yaml
- playbooks/roles/iptables/
- playbooks/roles/base/exim
- playbooks/roles/mailman3/
- playbooks/service-lists3.yaml
# Run AFS changes separately so we can make sure to only do one at a time
# (turns out quorum is nice to have)
- job:
name: infra-prod-service-afs
parent: infra-prod-service-base
description: Run AFS playbook.
vars:
playbook_name: service-afs.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/system-config
files:
- inventory/base
- playbooks/service-afs.yaml
- inventory/service/group_vars/afs
- inventory/service/group_vars/mirror-update
- playbooks/roles/iptables/
- playbooks/roles/vos-release/
- playbooks/roles/openafs-server/
- modules/
- manifests/
- roles/kerberos-client/
- roles/openafs-client/
- job:
name: infra-prod-service-kerberos
parent: infra-prod-service-base
description: Run Kerberos playbook.
vars:
playbook_name: service-kerberos.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/system-config
files:
- inventory/base
- playbooks/service-kerberos.yaml
- inventory/service/group_vars/kerberos-kdc.yaml
- playbooks/roles/kerberos-kdc/
- roles/kerberos-client/
- playbooks/roles/iptables/
- job:
name: infra-prod-remote-puppet-else
parent: infra-prod-service-base
description: Run remote-puppet-else.yaml playbook.
vars:
playbook_name: remote_puppet_else.yaml
infra_prod_ansible_forks: 50
required-projects:
- opendev/ansible-role-puppet
- opendev/system-config
files:
- Gemfile
- Rakefile
- modules.env
- install_modules.sh
- hiera/
- inventory/
- roles/puppet-install/
- playbooks/install_puppet.yaml
- playbooks/update_puppet_version.yaml
- playbooks/remote_puppet_else.yaml
- playbooks/roles/puppet-run/
- playbooks/roles/install-ansible-roles/
- playbooks/roles/disable-puppet-agent/
- playbooks/roles/puppet-setup-ansible/
- playbooks/roles/iptables/
- modules/
- manifests/
- job:
name: infra-prod-run-cloud-launcher
parent: infra-prod-service-base
description: Run cloud launcher playbook
vars:
playbook_name: run_cloud_launcher.yaml
infra_prod_ansible_forks: 1
required-projects:
- opendev/ansible-role-cloud-launcher
- opendev/system-config
files:
- playbooks/run_cloud_launcher.yaml
- inventory/service/group_vars/bastion.yaml
View Git Blame Copy Permalink