Update promote/publish secrets and jobs

This updates the promote and publish secrets and jobs to no longer rely on jinja templates in secrets since Zuul removed support for that. Instead, we use python string formatting, and pass in only known safe static variables (ie, the "zuul" hierarchy). Change-Id: Icf267c0313b451d20f28075717a0380c570fe30d
2021-06-22 17:31:59 -07:00 · 2021-06-22 17:31:59 -07:00 · b2645bbea4
commit b2645bbea4
parent 71b2fe11c1
4 changed files with 53 additions and 14 deletions
--- a/playbooks/artifacts/promote.yaml
+++ b/playbooks/artifacts/promote.yaml
@ -28,7 +28,14 @@
      register: files
    - name: Set target directory
      set_fact:
-        target_dir: "{{ afs.artifacts_path }}"
+        target_dict: "{{ afs.targets.default }}"
    - name: Set target path
      set_fact:
        target_dir: "{{ target_dict.path.format(zuul=zuul) }}"
    - name: Adjust target path
      when: "target_dict.regex is defined"
      set_fact:
        target_dir: "{{ target_dir | regex_replace(target_dict.regex.pattern, target_dict.regex.sub) }}"
    - name: Get an AFS token
      include_role:
        name: create-afs-token
--- a/playbooks/docs/promote.yaml
+++ b/playbooks/docs/promote.yaml
@ -47,11 +47,18 @@
    - name: Set target directory if master
      when: "zuul.branch == 'master'"
      set_fact:
-        target_dir: "{{ afs.docs_master_path }}"
+        target_dict: "{{ afs.targets.master }}"
    - name: Set target directory if not master
      when: "zuul.branch != 'master'"
      set_fact:
-        target_dir: "{{ afs.docs_branch_path }}"
+        target_dict: "{{ afs.targets.branch }}"
    - name: Set target path
      set_fact:
        target_dir: "{{ target_dict.path.format(zuul=zuul) }}"
    - name: Adjust target path
      when: "target_dict.regex is defined"
      set_fact:
        target_dir: "{{ target_dir | regex_replace(target_dict.regex.pattern, target_dict.regex.sub) }}"
    - name: Get an AFS token
      include_role:
        name: create-afs-token
@ -60,11 +67,19 @@
        path: "{{ target_dir }}"
        state: directory
        mode: 0755
    - name: Set redirect target directory
      when: "target_dict.redirect is defined"
      set_fact:
        redirect_target_dir: "{{ target_dict.redirect.path.format(zuul=zuul) }}"
    - name: Set redirect content
      when: "target_dict.redirect is defined"
      set_fact:
        redirect_content: "{{ target_dict.redirect.content.format(zuul=zuul) }}"
    - name: Create redirect htaccess file
-      when: "afs.docs_redirect_path is defined and zuul.branch == 'master'"
+      when: "target_dict.redirect is defined"
      copy:
-        dest: "{{ afs.docs_redirect_path }}"
+        dest: "{{ redirect_target_dir }}"
-        content: "{{ afs.docs_redirect_content }}"
+        content: "{{ redirect_content }}"
        mode: 0644
    - name: Upload to AFS
      include_role:
--- a/playbooks/tox-docs/publish.yaml
+++ b/playbooks/tox-docs/publish.yaml
@ -8,9 +8,16 @@
        name: write-root-marker
      vars:
        root_marker_dir: "{{ zuul.executor.log_root }}/docs"
-    - name: Set target directory
+    - name: Select target configuration
      set_fact:
-        target_dir: "{{ afs.docs_tag_path }}"
+        target_dict: "{{ afs.targets.tag }}"
    - name: Set target path
      set_fact:
        target_dir: "{{ target_dict.path.format(zuul=zuul) }}"
    - name: Adjust target path
      when: "target_dict.regex is defined"
      set_fact:
        target_dir: "{{ target_dir | regex_replace(target_dict.regex.pattern, target_dict.regex.sub) }}"
    - name: Get an AFS token
      include_role:
        name: create-afs-token
--- a/zuul.d/secrets.yaml
+++ b/zuul.d/secrets.yaml
@ -13,11 +13,19 @@
          BLNr7dnEAAz+yGqLLDYzAiV6IOVDuFutSK35YWisEu0QZDIyP9TOzh17+49tIbWyPZFiw
          Gj8RrLn2EwsAQSXSYIGv2F0gjHKPugg8bFKS2E9rEnRGFEIutel6hnI9mlCUfU=
      service_name: service/opendev-zuul@OPENSTACK.ORG
-      docs_master_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/latest"
+      targets:
-      docs_branch_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/{{ zuul.branch | default('_error') | regex_replace('stable/', '') }}"
+        master:
-      docs_tag_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/{{ zuul.tag | default('_error')  }}"
+          path: "/afs/.openstack.org/project/opendev.org/docs/{zuul[project][name]}/latest"
-      docs_redirect_path: "/afs/.openstack.org/project/opendev.org/docs/{{ zuul.project.name }}/.htaccess"
+          redirect:
-      docs_redirect_content: "RedirectMatch 302 ^/{{ zuul.project.name }}/?$ /{{ zuul.project.name }}/latest/"
+            path: "/afs/.openstack.org/project/opendev.org/docs/{zuul[project][name]}/.htaccess"
            content: "RedirectMatch 302 ^/{zuul[project][name]}/?$ /{zuul[project][name]}/latest/"
        branch:
          path: "/afs/.openstack.org/project/opendev.org/docs/{zuul[project][name]}/{zuul[branch]}"
          regex:
            pattern: 'stable/(.*)$'
            sub: '\1'
        tag:
          path: "/afs/.openstack.org/project/opendev.org/docs/{zuul[project][name]}/{zuul[tag]}"
 - secret:
    name: opendev-zuul-tarballs
@ -34,7 +42,9 @@
          BLNr7dnEAAz+yGqLLDYzAiV6IOVDuFutSK35YWisEu0QZDIyP9TOzh17+49tIbWyPZFiw
          Gj8RrLn2EwsAQSXSYIGv2F0gjHKPugg8bFKS2E9rEnRGFEIutel6hnI9mlCUfU=
      service_name: service/opendev-zuul@OPENSTACK.ORG
-      artifacts_path: "/afs/.openstack.org/project/tarballs.opendev.org/{{ zuul.project.name }}"
+      targets:
        default:
          path: "/afs/.openstack.org/project/tarballs.opendev.org/{zuul[project][name]}"
 - secret:
    name: opendev-pypi