# First play: targets localhost only and applies two roles in order.
- hosts: localhost
  roles:
    # zuul_log_path_shard_build is handed to emit-job-header as a role
    # parameter; its effect is defined inside that role (not visible here).
    - role: emit-job-header
      zuul_log_path_shard_build: true
    - log-inventory
# Second play: runs on every host in the inventory and prepares it for the
# job. The preparation path is chosen by connection type: everything except
# 'kubectl' takes the first block, 'kubectl' takes the second.
- hosts: all
  tasks:
    - include_role:
        name: start-zuul-console

    - block:
        # A regular VM way
        # NOTE(review): judging by the role names, validate-host runs before
        # the workspace is prepared and before add-build-sshkey; keep that
        # order unless the roles themselves say otherwise.
        - include_role:
            name: validate-host
        - include_role:
            name: prepare-workspace
        - include_role:
            name: add-build-sshkey
      when: "ansible_connection != 'kubectl'"
    - block:
        # A Pod way
        - include_role:
            name: prepare-workspace-openshift
        - include_role:
            name: remove-zuul-sshkey
      # NOTE(review): the nesting of run_once was not recoverable from this
      # view; it is shown at block level, next to `when` - confirm against
      # the repository copy.
      run_once: true
      when: "ansible_connection == 'kubectl'"

    # Only attempted when ansible_user_dir is known for the host.
    - import_role:
        name: ensure-output-dirs
      when: ansible_user_dir is defined
# If there is a registered Vault role (its name is constructed from the
# project name), try to generate a secret-id and leave it at a well-known
# location. The job is then responsible for picking it up and using it. The
# secret is wrapped, with its TTL set to the job timeout. This is attempted
# only if a zuul_vault variable with role_id set is present (role_id itself is
# not used here, only its presence is checked).
- hosts: localhost
  tasks:
    - include_role:
        name: create-vault-approle-secret
      vars:
        vault_addr: "{{ zuul_vault_addr }}"
        # The token is read from a file via the `file` lookup, which Ansible
        # evaluates on the control node, and is then passed to the role as a
        # plain variable.
        # NOTE(review): confirm the role's tasks that consume vault_token use
        # no_log, so the token cannot end up in job output.
        vault_token: "{{ lookup('file', zuul_base_vault_token_path) }}"
        # Well-known location inside the executor work root where the job
        # later finds the secret-id.
        # NOTE(review): file mode and cleanup are decided inside the role -
        # confirm they are restrictive.
        vault_secret_dest: "{{ zuul.executor.work_root }}/.approle-secret"
        # Role name is 'zuul', tenant and project name joined with '_', with
        # every '/' also turned into '_'.
        # NOTE(review): this mapping is not one-to-one. Names that differ only
        # in '/' versus '_' (or in where the tenant/project boundary falls)
        # produce the same role name - confirm role provisioning in Vault
        # accounts for that.
        vault_role_name: "{{ ['zuul', zuul.tenant, zuul.project.name] | join('_') | regex_replace('/', '_') }}"
      when:
        # All four conditions must hold. The first limits secret-id creation
        # to post-review pipelines; the rest require the Vault address, the
        # token file path and the zuul_vault.vault_role_id marker to be set.
        - "zuul.post_review | bool"
        - "zuul_vault_addr is defined"
        - "zuul_base_vault_token_path is defined"
        - "zuul_vault is defined and zuul_vault.vault_role_id is defined"