/
staging.yml
137 lines (120 loc) · 4.36 KB
/
staging.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# This playbook is run in zuul to drive the end to end promoter integration test
#
---
- hosts: all
tasks:
- name: Include defaults from the role
include_vars:
file: "{{ zuul.executor.work_root }}/{{ zuul.projects['review.rdoproject.org/rdo-infra/ci-config'].src_dir }}/ci-scripts/infra-setup/roles/promoter/defaults/main.yml" # noqa 204
- name: override defaults for zuul
set_fact:
promoter_user: promoter
remote_path_dlrnapi_secret: "~/dlrnapi_secret"
remote_path_registry_secret: "~/registry_secret"
remote_path_uploader_key: "~/.ssh/id_rsa"
ci_config_local_src_dir: "{{ zuul.executor.work_root }}/{{ zuul.projects['review.rdoproject.org/rdo-infra/ci-config'].src_dir }}"
setup_staging: true
- name: check for auth token from docker
stat:
path: "/home/{{ promoter_user }}/.docker/config.json"
register: docker_token
# TODO(gcerami) change this into a fail when we are ready
- debug:
msg: registry credentials in zuul enviroment require a token from pre authentication
when: not docker_token.stat.exists
# While testing, we usually not provisioning a second disk for the server
# So we emulate the second disk with a loopback device
#
- name: Setup local loop device as docker partition
include_role:
name: promoter
tasks_from: setup_loop
- name: Ensure promoter user exists
become: true
user:
name: "{{ promoter_user }}"
system: true
create_home: true
- name: "Add passwordless sudo permission for {{ promoter_user }} user"
become: true
copy:
dest: "/etc/sudoers.d/{{ promoter_user }}"
content: "{{ promoter_user }} ALL=(ALL) NOPASSWD:ALL"
mode: 0440
- name: "Validate sudoers permissions update"
become: true
changed_when: false
command: "/usr/sbin/visudo -c"
- name: Ensure credentials are created
include_role:
name: _ensure_credentials
- name: Promotion main block
become: true
block:
- name: Run promotion server provisioning role
include_role:
name: promoter
- name: Stage setup
include_role:
name: promoter
tasks_from: setup_staging
- name: Try promotion_run
include_role:
name: promoter
tasks_from: promotion_run
- name: gather stage info
become: true
become_user: "{{ promoter_user }}"
copy:
src: /tmp/stage-info.yaml
dest: "~/"
remote_src: yes
- name: fetch stage info into zuul executor
fetch:
src: /tmp/stage-info.yaml
dest: "{{ zuul.executor.work_root }}/"
flat: yes
- name: Test stage promotion
become: true
become_user: "{{ promoter_user }}"
shell:
cmd: |
export DOCKER_HOST=unix:///var/docker.sock
source ~/{{ promoter_virtualenv }}/bin/activate
python3 ~/ci-config/ci-scripts/dlrnapi_promoter/promoter_integration_checks.py \
--stage-info-file /tmp/stage-info.yaml
changed_when: true
- name: include vars from stage info
include_vars:
file: "{{ zuul.executor.work_root }}/stage-info.yaml"
name: stage_info
- name: Check that no passwords are leaked in the logs
become: true
become_user: "{{ promoter_user }}"
shell: |
cd ~/web/promoter_logs
grep -r -f {{ remote_path_dlrnapi_secret }} .
grep -r -f {{ remote_path_registry_secret }} .
grep -r -f {{ remote_path_uploader_key }} .
register: found_pass
failed_when: found_pass.stdout | length > 0
changed_when: false
- name: Check that stage target registry pass are not leaked (if they are present)
become: true
become_user: "{{ promoter_user }}"
shell: |
cd ~/web/promoter_logs
grep -r -i "pass.*{{ password }}"
register: found_pass
failed_when: found_pass.stdout | length > 0
changed_when: false
loop: "{{ stage_info.registries.targets | map(attribute='password') | list }}"
loop_control:
loop_var: password
- name: 'Copy staging logs to /var/tmp directory'
become: true
become_user: "{{ promoter_user }}"
copy:
src: "/home/{{ promoter_user }}/{{ promoter_logs }}/"
dest: "/var/tmp/promoter_logs"
remote_src: yes