packit · mfocko · Dec 11, 2024
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
@@ -69,395 +69,5 @@
     costcenter: "700"
     registry: 172.30.1.1:5000
     registry_user: developer
-  tasks:
-    - name: Include tasks/project-dir.yml
-      ansible.builtin.include_tasks: tasks/project-dir.yml
-      tags:
-        - always
-
-    - name: Include variables
-      ansible.builtin.include_vars: "{{ project_dir }}/vars/{{ service }}/{{ deployment }}.yml"
-      tags:
-        - always
-
-    - name: Include tasks/check-up-to-date.yml
-      ansible.builtin.include_tasks: tasks/check-up-to-date.yml
-      tags:
-        - always
-
-    - name: Include deployment facts
-      ansible.builtin.include_tasks: tasks/set-deployment-facts.yml
-      tags:
-        - always
-
-    - name: Include tasks/set-facts.yml
-      ansible.builtin.include_tasks: tasks/set-facts.yml
-      tags:
-        - always
-
-    - name: Include extra secret vars
-      ansible.builtin.include_vars:
-        file: "{{ path_to_secrets }}/extra-vars.yml"
-        name: vault
-      tags:
-        - always
-
-    - name: Get k8s token and check it
-      tags:
-        - always
-      block:
-        - name: Get kubeconfig token
-          ansible.builtin.command: oc whoami -t
-          register: kubeconfig_token
-          changed_when: false
-        - name: Check if tokens match
-          ansible.builtin.assert:
-            that:
-              - kubeconfig_token.stdout == api_key
-            msg: "OpenShift API token defined in vars/ does not match token from your current environment."
-
-    - name: Push dev images to local registry
-      when: push_dev_images
-      tags:
-        - packit-service
-        - packit-worker
-        - packit-service-beat
-      block:
-        - name: Set tls-verify to false if podman is used
-          ansible.builtin.set_fact:
-            tls_verify_false: "{{ '--tls-verify=false' if 'podman' in container_engine else '' }}"
-          changed_when: false
-        - name: Login to local cluster
-          ansible.builtin.shell: "{{ container_engine }} login -u {{ registry_user }} -p $(oc whoami -t) {{ registry }} {{ tls_verify_false }}"
-          changed_when: false
-        - name: Inspect service image
-          ansible.builtin.command: "{{ container_engine }} inspect {{ image }}"
-          changed_when: false
-        - name: Tag the image with :dev
-          ansible.builtin.command: "{{ container_engine }} tag {{ image }} {{ registry }}/myproject/packit-service:dev"
-          changed_when: true
-        - name: Push the image
-          ansible.builtin.command: "{{ container_engine }} push {{ registry }}/myproject/packit-service:dev {{ tls_verify_false }}"
-          changed_when: true
-        - name: Inspect worker image
-          ansible.builtin.command: "{{ container_engine }} inspect {{ image_worker }}"
-          changed_when: false
-        - name: Tag the image with :dev
-          ansible.builtin.command: "{{ container_engine }} tag {{ image_worker }} {{ registry }}/myproject/packit-worker:dev"
-          changed_when: true
-        - name: Push the image
-          ansible.builtin.command: "{{ container_engine }} push {{ registry }}/myproject/packit-worker:dev {{ tls_verify_false }}"
-          changed_when: true
-
-    - name: Deploy secrets
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-packit-ssh.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-packit-secrets.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-packit-config.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-sentry.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-postgres.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-aws.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-splunk.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/secret-centpkg-sig.yml.j2') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/github-app-private-key.yml.j2') }}"
-      tags:
-        - secrets
-
-    - name: Set up sandbox namespace
-      when: with_sandbox
-      block:
-        - name: Create sandbox namespace
-          k8s:
-            resource_definition: "{{ lookup('template', '{{ project_dir }}/openshift/sandbox-namespace.yml.j2') }}"
-            host: "{{ host }}"
-            api_key: "{{ api_key }}"
-            validate_certs: "{{ validate_certs }}"
-        - name: Add edit role to service account in sandbox namespace
-          ansible.builtin.command: oc adm policy add-role-to-user edit system:serviceaccount:{{ project }}:default -n {{ sandbox_namespace }}
-          register: rolebinding
-          changed_when: "'added:' in rolebinding.stdout"
-
-    - name: Deploy postgres
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/postgres.yml.j2') }}"
-      tags:
-        - postgres
-
-    - name: Deploy key-value database ({{ kv_database }})
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('file', '{{ project_dir }}/openshift/configmap-redis_like_config.yml') }}"
-        - "{{ lookup('template', '{{ project_dir }}/openshift/{{ kv_database }}.yml.j2') }}"
-      when: with_kv_database
-      tags:
-        - kv_database
-
-    - name: Deploy fluentd image stream and config
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/fluentd.yml.j2') }}"
-      tags:
-        - packit-service
-        - packit-worker
-      when: with_fluentd_sidecar
-
-    - name: Deploy packit-service
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-service.yml.j2') }}"
-      tags:
-        - packit-service
-
-    - name: Deploy repository cache PVCs for packit-workers that serves both queues
-      vars:
-        component: "packit-worker-{{ item }}"
-      k8s:
-        namespace: "{{ sandbox_namespace }}"
-        definition: "{{ lookup('template', '{{ project_dir }}/openshift/sandcastle-volumes-for-cache.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-      loop: "{{ range(0, workers_all_tasks) | list }}"
-      tags:
-        - packit-worker
-      when: workers_all_tasks > 0 and with_repository_cache
-
-    - name: Deploy packit-worker to serve both queues
-      vars:
-        component: packit-worker
-        queues: "short-running,long-running"
-        worker_replicas: "{{ workers_all_tasks }}"
-        worker_requests_memory: "384Mi"
-        worker_requests_cpu: "100m"
-        worker_limits_memory: "1024Mi"
-        worker_limits_cpu: "400m"
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-worker.yml.j2') }}"
-      tags:
-        - packit-worker
-      when: workers_all_tasks > 0
-
-    - name: Deploy packit-worker to serve short-running queue
-      vars:
-        component: packit-worker-short-running
-        queues: "short-running"
-        worker_replicas: "{{ workers_short_running }}"
-        # Short-running tasks are just interactions with different services.
-        # They should not require a lot of memory/cpu.
-        worker_requests_memory: "320Mi"
-        worker_requests_cpu: "80m"
-        worker_limits_memory: "640Mi"
-        worker_limits_cpu: "700m"
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-worker.yml.j2') }}"
-      tags:
-        - packit-worker
-      when: workers_short_running > 0
-
-    - name: Deploy repository cache PVCs for packit-workers that serves long-running queue
-      vars:
-        component: "packit-worker-long-running-{{ item }}"
-      k8s:
-        namespace: "{{ sandbox_namespace }}"
-        definition: "{{ lookup('template', '{{ project_dir }}/openshift/sandcastle-volumes-for-cache.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-      loop: "{{ range(0, workers_long_running) | list }}"
-      tags:
-        - packit-worker
-      when: workers_long_running > 0 and with_repository_cache
-
-    - name: Deploy packit-worker to serve long-running queue
-      vars:
-        component: packit-worker-long-running
-        queues: "long-running"
-        worker_replicas: "{{ workers_long_running }}"
-        # cloning repos is memory intensive: glibc needs 300M+, kernel 600M+
-        # during cloning, we need to account for git and celery worker processes
-        worker_requests_memory: "768Mi"
-        worker_requests_cpu: "100m"
-        worker_limits_memory: "2048Mi"
-        worker_limits_cpu: "600m"
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-worker.yml.j2') }}"
-      tags:
-        - packit-worker
-      when: workers_long_running > 0
-
-    - name: Deploy packit-service-beat
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-service-beat.yml.j2') }}"
-      when: with_beat
-      tags:
-        - packit-service-beat
-
-    - name: Deploy dashboard
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/dashboard.yml.j2') }}"
-      when: with_dashboard
-      tags:
-        - dashboard
-
-    - name: Create redis-commander secrets
-      k8s:
-        namespace: "{{ project }}"
-        definition: "{{ lookup('template', '{{ project_dir }}/openshift/secret-redis-commander.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-        apply: true
-      tags:
-        - redis-commander
-      notify:
-        - Restart redis-commander deployment
-      when: with_redis_commander
-
-    - name: Deploy redis-commander
-      vars:
-        k8s_apply: true
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/redis-commander.yml.j2') }}"
-      when: with_redis_commander
-      tags:
-        - redis-commander
-      register: redis_commander
-
-    - name: Deploy flower
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/flower.yml.j2') }}"
-      when: with_flower
-      tags:
-        - flower
-
-    - name: Deploy packit-service-fedmsg
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/packit-service-fedmsg.yml.j2') }}"
-      tags:
-        - fedmsg
-      when: with_fedmsg
-
-    - name: Deploy GitHub App Private Key
-      k8s:
-        namespace: "{{ project }}"
-        resource_definition: "{{ lookup('template', '{{ project_dir }}/openshift/github-app-private-key.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-      tags:
-        - tokman
-      notify:
-        - Restart tokman deployment
-      when: with_tokman
-
-    - name: Deploy tokman
-      k8s:
-        namespace: "{{ project }}"
-        definition: "{{ lookup('template', '{{ project_dir }}/openshift/tokman.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-      tags:
-        - tokman
-      register: tokman
-      when: with_tokman
-
-    - name: Deploy aggregating pushgateway
-      ansible.builtin.include_tasks: tasks/k8s.yml
-      loop:
-        - "{{ lookup('template', '{{ project_dir }}/openshift/pushgateway.yml.j2') }}"
-      tags:
-        - pushgateway
-      when: with_pushgateway
-
-    - name: Create htpasswd file and deploy it as a secret
-      tags:
-        - flower
-      when: with_flower
-      block:
-        - name: Create htpasswd file
-          htpasswd:
-            path: "{{ flower_htpasswd_path }}"
-            name: "flower-boss"
-            password: "{{ vault.flower.basic_auth | regex_replace('flower-boss:', '') }}"
-            mode: 0640
-        - name: Deploy flower-htpasswd secret
-          # Don't use tasks/k8s.yml here because the loop item is always evaluated
-          k8s:
-            namespace: "{{ project }}"
-            resource_definition: "{{ lookup('template', '{{ project_dir }}/openshift/secret-flower-htpasswd.yml.j2') }}"
-            host: "{{ host }}"
-            api_key: "{{ api_key }}"
-            validate_certs: "{{ validate_certs }}"
-          notify:
-            - Restart nginx deployment
-
-    - name: Deploy nginx to reverse proxy the pushgateway and flower
-      k8s:
-        namespace: "{{ project }}"
-        definition: "{{ lookup('template', '{{ project_dir }}/openshift/nginx.yml.j2') }}"
-        host: "{{ host }}"
-        api_key: "{{ api_key }}"
-        validate_certs: "{{ validate_certs }}"
-      tags:
-        - pushgateway
-      register: nginx
-      when: with_pushgateway and with_flower
-
-    - name: Wait for worker-0 to be running
-      vars:
-        pod_name: packit-worker-0
-      ansible.builtin.include_tasks: tasks/wait_for_pod.yml
-      when: workers_all_tasks > 0
-
-    - name: Wait for worker-short-running-0 to be running
-      vars:
-        pod_name: packit-worker-short-running-0
-      ansible.builtin.include_tasks: tasks/wait_for_pod.yml
-      when: workers_short_running > 0
-
-    - name: Wait for worker-long-running-0 to be running
-      vars:
-        pod_name: packit-worker-long-running-0
-      ansible.builtin.include_tasks: tasks/wait_for_pod.yml
-      when: workers_long_running > 0
-
-    - name: Wait for deploymentconfig rollouts to complete
-      # timeout 15min to not wait indefinitely in case of a problem
-      ansible.builtin.command: timeout 15m oc rollout status -w deploy/{{ item }}
-      register: oc_rollout_status
-      changed_when: false
-      failed_when: '"successfully rolled out" not in oc_rollout_status.stdout'
-      loop: "{{ deploymentconfigs }}"
-
-  handlers:
-    - name: Restart redis-commander deployment
-      ansible.builtin.command: oc rollout restart deploy/redis-commander
-      # Restart/rollout deployment as a reaction to config change
-      # when the deployment hasn't been changed itself.
-      changed_when: false
-      when: not redis_commander.changed
-
-    - name: Restart tokman deployment
-      ansible.builtin.command: oc rollout restart deploy/tokman
-      # Restart/rollout deployment as a reaction to config change
-      # when the deployment hasn't been changed itself.
-      changed_when: false
-      when: not tokman.changed
-
-    - name: Restart nginx deployment
-      ansible.builtin.command: oc rollout restart deploy/nginx
-      # Restart/rollout deployment as a reaction to config change
-      # when the deployment hasn't been changed itself.
-      changed_when: false
-      when: not nginx.changed
+  roles:
+    - role: deploy