- job:
    name: system-config-run
    description: |
      Run the "base" playbook for system-config hosts.

      This is a parent job designed to be inherited.
    abstract: true
    pre-run: playbooks/zuul/run-base-pre.yaml
    run: playbooks/zuul/run-base.yaml
    post-run: playbooks/zuul/run-base-post.yaml
    vars:
      zuul_copy_output: "{{ copy_output | combine(host_copy_output | default({})) }}"
      stage_dir: "{{ ansible_user_dir }}/zuul-output"
      copy_output:
        '/var/log/syslog': logs_txt
        '/var/log/messages': logs_txt
        '/var/log/docker': logs
        '/var/log/containers': logs
      install_ansible_collections:
        - namespace: opentelekomcloud
          name: apimon
          repo: stackmon/ansible-collection-apimon
        - namespace: opentelekomcloud
          name: cloud
          repo: opentelekomcloud/ansible-collection-cloud
        - namespace: opentelekomcloud
          name: gitcontrol
          repo: opentelekomcloud/ansible-collection-gitcontrol
        - namespace: openstack
          name: cloud
          repo: openstack/ansible-collections-openstack
          git_provider: opendev.org
    required-projects:
      - name: github.com/opentelekomcloud/ansible-collection-cloud
        override-checkout: main
      - name: github.com/stackmon/ansible-collection-apimon
        override-checkout: main
      - name: github.com/opentelekomcloud/ansible-collection-gitcontrol
        override-checkout: main
      - name: opendev.org/openstack/ansible-collections-openstack
        override-checkout: master
    host-vars:
      bridge*.eco.tsi-dev.otc-service.com:
        install_ansible_collections:
          - namespace: opentelekomcloud
            name: apimon
            repo: stackmon/ansible-collection-apimon
          - namespace: opentelekomcloud
            name: cloud
            repo: opentelekomcloud/ansible-collection-cloud
          - namespace: opentelekomcloud
            name: gitcontrol
            repo: opentelekomcloud/ansible-collection-gitcontrol
          - namespace: openstack
            name: cloud
            repo: openstack/ansible-collections-openstack
            git_provider: opendev.org
        host_copy_output:
          '{{ zuul.project.src_dir }}/junit.xml': logs
          '{{ zuul.project.src_dir }}/test-results.html': logs
          '{{ zuul.project.src_dir }}/inventory/base/gate-hosts.yaml': logs
          '/var/log/screenshots': logs

- job:
    name: system-config-run-base
    parent: system-config-run
    description: |
      Run the "base" playbook on each of the node types
      currently in use.
    nodeset:
      nodes:
        - &bridge_node_x86 {name: bridge99.eco.tsi-dev.otc-service.com, label: ubuntu-jammy}
      groups:
        # Each job should define this group -- to avoid hard-coding
        # the bastion hostname in the job setup, playbooks/tasks refer
        # to it only by this group.  This should only have one entry
        # -- in a couple of places the jobs use the actual hostname
        # and assume element [0] here is that hostname.
        #
        # Note that this shouldn't be confused with the group in
        # inventory/service/groups.yaml -- this group contains the
        # host that Zuul, running on the executor, will setup as the
        # bridge node.  This node will then run a nested Ansible to
        # test the production playbooks -- *that* Ansible has a
        # "bastion" group too
        - &bastion_group { name: prod_bastion, nodes: [ bridge99.eco.tsi-dev.otc-service.com ] }
    files:
      - tox.ini
      - playbooks/
      - roles/
      - testinfra/

- job:
    name: system-config-run-x509-cert
    parent: system-config-run
    description: |
      Run the playbook for the x509 certificates.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/x509-certs.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/x509-certs.yaml
      - playbooks/roles/x509_cert

- job:
    name: system-config-run-acme-ssl
    parent: system-config-run
    description: |
      Run the playbook for the acme-ssl servers.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: le1
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/acme-certs.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/acme-ssl.yaml
      - playbooks/roles/acme_create_certs
      - playbooks/roles/acme_request_certs
      - playbooks/roles/acme_install_txt_records
      - playbooks/roles/acme_drop_txt_records

- job:
    name: system-config-run-vault
    parent: system-config-run
    description: |
      Run the playbook for the vault servers.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: vault1.eco.tsi-dev.otc-service.com
          label: ubuntu-focal
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        # We do not want to create CA part of ZK setup, therefore only invoke additional playbook in the test.
        - playbooks/acme-certs.yaml
        - playbooks/service-vault.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/service-vault.yaml
      - playbooks/roles/hashivault

- job:
    name: system-config-run-gitea
    parent: system-config-run
    description: |
      Run the playbook for the gitea servers.
    nodeset:
      nodes:
        - <<: *bridge_node_x86
        - name: gitea.focal
          label: ubuntu-jammy
      groups:
        - <<: *bastion_group
    vars:
      run_playbooks:
        - playbooks/service-gitea.yaml
    files:
      - playbooks/bootstrap-bridge.yaml
      - playbooks/service-gitea.yaml
      - playbooks/roles/gitea/
      - testinfra/test_gitea.py