Merge remote-tracking branch 'upstream/devel'

Author: scrungus

.github/actions/destroy/action.yml

@@ -18,8 +18,48 @@ runs:
         set -eo pipefail
         source ci.env
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
-        FIP_ID="$(openstack floating ip list --tags "$AZIMUTH_ENVIRONMENT" -f json | jq -r '.[0].ID // ""')"
-        [ -n "$FIP_ID" ] && openstack floating ip delete $FIP_ID
-      env:
-        INGRESS_IP: ${{ steps.ingress-ip.outputs.ip-address }}
+        if [ -n "$INGRESS_IP" ]; then
+          openstack floating ip delete $INGRESS_IP
+        fi
+      if: ${{ always() }}
+
+    - name: Configure S3 lock
+      id: s3-lock-config
+      shell: bash
+      run: |
+        set -e
+        source ci.env
+        source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+        if [ -z "$CI_S3_LOCK_HOST" ]; then
+          echo "CI_S3_LOCK_HOST not set - no lock will be used"
+          exit
+        elif [ -z "$CI_S3_LOCK_BUCKET" ]; then
+          echo "CI_S3_LOCK_BUCKET is required when using the lock" >&2
+          exit 1
+        fi
+        echo "host=${CI_S3_LOCK_HOST}" >> "$GITHUB_OUTPUT"
+        echo "access-key=${CI_S3_LOCK_ACCESS_KEY}" >> "$GITHUB_OUTPUT"
+        echo "secret-key=${CI_S3_LOCK_SECRET_KEY}" >> "$GITHUB_OUTPUT"
+        echo "bucket=${CI_S3_LOCK_BUCKET}" >> "$GITHUB_OUTPUT"
+      if: ${{ always() }}
+
+    - name: Release S3 lock
+      uses: stackhpc/github-actions/s3-lock@master
+      with:
+        host: ${{ steps.s3-lock-config.outputs.host }}
+        access-key: ${{ steps.s3-lock-config.outputs.access-key }}
+        secret-key: ${{ steps.s3-lock-config.outputs.secret-key }}
+        bucket: ${{ steps.s3-lock-config.outputs.bucket }}
+        action: release
+      if: ${{ steps.s3-lock-config.outputs.host != '' && always() }}
+
+    - name: Delete S3 credential
+      shell: bash
+      run: |
+        set -e
+        source ./ci.env
+        source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+        if [ -n "$CI_S3_LOCK_ACCESS_KEY" ]; then
+          openstack ec2 credentials delete $CI_S3_LOCK_ACCESS_KEY
+        fi
       if: ${{ always() }}

.github/actions/provision/action.yml

@@ -11,3 +11,5 @@ runs:
         source ./ci.env
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
         ansible-playbook stackhpc.azimuth_ops.provision -e @extra-vars.yml
+      env:
+        ANSIBLE_CALLBACKS_ENABLED: ansible.posix.profile_tasks

.github/actions/setup/action.yml

@@ -9,10 +9,18 @@ inputs:
     description: The ref to use for the Azimuth configuration.
     required: true
     default: devel
-  config-environment:
-    description: The config environment to use.
+  target-cloud:
+    description: |-
+      The name of the cloud to target.
+      This is used as both the name of the cloud with the clouds.yaml
+      and to determine the config environment to use.
+      Currently, arcus and leafcloud are supported.
     required: true
-    default: ci
+    default: arcus
+  install-mode:
+    description: The install mode to use. Either singlenode or ha.
+    required: true
+    default: singlenode
   azimuth-ops-version:
     description: >
       The azimuth-ops version to use. If not given, the default version is used.
@@ -26,21 +34,12 @@ inputs:
   os-clouds:
     description: The contents of the clouds.yaml to use.
     required: true
-  os-cloud-name:
-    description: The name of the cloud within the clouds.yaml to use.
-    required: true
-    default: openstack
   environment-prefix:
     description: >
       The environment prefix to use. The run ID will be appended to this,
       separated by a hyphen.
     required: true
     default: ci
-  allocate-ingress-ip:
-    description: >
-      Indicates whether a floating IP should be allocated for ingress.
-    required: true
-    default: "yes"
 runs:
   using: composite
   steps:
@@ -63,9 +62,9 @@ runs:
       run: cat > ./ci.env <<< "$CI_ENV"
       env:
         CI_ENV: |
-          export OS_CLOUD="${{ inputs.os-cloud-name }}"
+          export OS_CLOUD="${{ inputs.target-cloud }}"
           export OS_CLIENT_CONFIG_FILE="$PWD/clouds.yaml"
-          export AZIMUTH_CONFIG_ENVIRONMENT=${{ inputs.config-environment }}
+          export AZIMUTH_CONFIG_ENVIRONMENT=${{ inputs.target-cloud }}${{ inputs.install-mode == 'ha' && '-ha' || '' }}
           export AZIMUTH_ENVIRONMENT="${{ inputs.environment-prefix }}-${{ github.run_id }}"
           export ANSIBLE_FORCE_COLOR=true
 
@@ -108,32 +107,61 @@ runs:
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
         ansible-galaxy install -f -r requirements.yml
 
+    # Generate and append the S3 credential to the CI environment file
+    - name: Configure S3 lock
+      id: s3-lock-config
+      shell: bash
+      run: |
+        set -e
+        source ci.env
+        source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+        if [ -z "$CI_S3_LOCK_HOST" ]; then
+          echo "CI_S3_LOCK_HOST not set - no lock will be used"
+          exit
+        elif [ -z "$CI_S3_LOCK_BUCKET" ]; then
+          echo "CI_S3_LOCK_BUCKET is required when using the lock" >&2
+          exit 1
+        fi
+        CI_S3_LOCK_ACCESS_KEY="$(openstack ec2 credentials create -f value -c access)"
+        CI_S3_LOCK_SECRET_KEY="$(openstack ec2 credentials show -f value -c secret $CI_S3_LOCK_ACCESS_KEY)"
+        cat >> ci.env <<EOF
+        export CI_S3_LOCK_ACCESS_KEY="$CI_S3_LOCK_ACCESS_KEY"
+        export CI_S3_LOCK_SECRET_KEY="$CI_S3_LOCK_SECRET_KEY"
+        EOF
+        echo "host=${CI_S3_LOCK_HOST}" >> "$GITHUB_OUTPUT"
+        echo "access-key=${CI_S3_LOCK_ACCESS_KEY}" >> "$GITHUB_OUTPUT"
+        echo "secret-key=${CI_S3_LOCK_SECRET_KEY}" >> "$GITHUB_OUTPUT"
+        echo "bucket=${CI_S3_LOCK_BUCKET}" >> "$GITHUB_OUTPUT"
+
+    - name: Acquire S3 lock
+      uses: stackhpc/github-actions/s3-lock@master
+      with:
+        host: ${{ steps.s3-lock-config.outputs.host }}
+        access-key: ${{ steps.s3-lock-config.outputs.access-key }}
+        secret-key: ${{ steps.s3-lock-config.outputs.secret-key }}
+        bucket: ${{ steps.s3-lock-config.outputs.bucket }}
+        action: acquire
+      if: ${{ steps.s3-lock-config.outputs.host != '' }}
+
     - name: Allocate floating IP for ingress
       shell: bash
       run: |
         set -eo pipefail
         source ci.env
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
-        ansible_variable() {
-          ansible -m debug -a "var=$1" -e @extra-vars.yml all |
-            jq -r ".plays[0].tasks[0].hosts.localhost.$1"
-        }
-        INSTALL_MODE="$(ansible_variable install_mode)"
-        EXTNET_ID="$(ansible_variable infra_external_network_id)"
+        EXTNET_ID="$(
+          ansible -m debug -a "var=infra_external_network_id" -e @extra-vars.yml all |
+            jq -r ".plays[0].tasks[0].hosts.localhost.infra_external_network_id"
+        )"
         IP_ADDRESS="$(
           openstack floating ip create $EXTNET_ID \
             --description "ingress IP for $AZIMUTH_ENVIRONMENT" \
-            --tag "$AZIMUTH_ENVIRONMENT" \
             --format value \
             --column floating_ip_address
         )"
-        VAR_NAME="$([ "$INSTALL_MODE" = "ha" ] && echo "capi_cluster_addons_ingress_load_balancer_ip" || echo "infra_fixed_floatingip")"
-        echo "$VAR_NAME: $IP_ADDRESS" >> extra-vars.yml
+        cat >> ci.env <<EOF
+        export INGRESS_IP="$IP_ADDRESS"
+        EOF
       env:
         ANSIBLE_LOAD_CALLBACK_PLUGINS: "true"
         ANSIBLE_STDOUT_CALLBACK: json
-      if: ${{ inputs.allocate-ingress-ip == 'yes' }}
-
-    - name: Output extra-vars.yml for debugging
-      shell: bash
-      run: cat extra-vars.yml

.github/environments/arcus-ha/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+inventory = ../../../environments/base/inventory,../../../environments/ha/inventory,../../../environments/demo/inventory,../common/inventory,../arcus/inventory,./inventory
+roles_path = ../../../.ansible/roles
+collections_path = ../../../.ansible/collections
+
+host_key_checking = False
+
+[ssh_connection]
+retries = 3

.github/environments/arcus-ha/env

@@ -0,0 +1,2 @@
+CI_S3_LOCK_HOST="object.arcus.openstack.hpc.cam.ac.uk"
+CI_S3_LOCK_BUCKET="azimuth-ci"

.github/environments/arcus-ha/inventory/group_vars/all/variables.yml

@@ -0,0 +1,37 @@
+# Unset the network ID so that a network + router are provisioned
+infra_network_id:
+
+# Unset the infra IP so we can use the ingress IP for the ingress controller
+infra_fixed_floatingip:
+capi_cluster_addons_ingress_load_balancer_ip: "{{ lookup('env', 'INGRESS_IP') }}"
+
+# Flavor auto-detection picks the wrong flavors on Arcus, so override them
+#   The flavor to use for the seed VM (vm.ska.cpu.general.small)
+infra_flavor_id: c8b72062-5d52-4590-9d7a-68a670b44442
+#   The flavor to use for the control plane nodes
+capi_cluster_control_plane_flavor: vm.ska.cpu.general.small
+#   The flavor to use for worker nodes
+capi_cluster_worker_flavor: vm.ska.cpu.general.small
+
+# Although this is a "HA" test, what we are really testing is the spawning
+# of the CAPI cluster and deployment of Azimuth onto that
+# We have also preferred to use 3 small workers rather than 1 or 2 eighth workers,
+# as they are more likely to fit in the gaps between other workloads
+# So one control plane node and two workers is sufficient for that
+capi_cluster_control_plane_count: 1
+capi_cluster_worker_count: 3
+
+# Use a single replica for Consul
+# The risk of failed upgrades is too great, and it is going away soon
+consul_server_replicas: 1
+
+# Enable Velero just to check that installation works
+velero_enabled: true
+velero_s3_url: https://required-but-not-used.com
+velero_bucket_name: not-used
+velero_backup_schedule_enabled: true
+velero_backup_schedule_name: default
+velero_backup_schedule_timings: "0 0 * * *"
+velero_backup_schedule_ttl: "168h"
+velero_aws_access_key_id: required-but-not-used
+velero_aws_secret_access_key : required-but-not-used

environments/ci-ha/inventory/hosts renamed to .github/environments/arcus-ha/inventory/hosts

@@ -0,0 +1,9 @@
+[defaults]
+inventory = ../../../environments/base/inventory,../../../environments/singlenode/inventory,../../../environments/demo/inventory,../common/inventory,./inventory
+roles_path = ../../../.ansible/roles
+collections_path = ../../../.ansible/collections
+
+host_key_checking = False
+
+[ssh_connection]
+retries = 3

.github/environments/arcus/ansible.cfg

@@ -0,0 +1,2 @@
+CI_S3_LOCK_HOST="object.arcus.openstack.hpc.cam.ac.uk"
+CI_S3_LOCK_BUCKET="azimuth-ci"

.github/environments/arcus/env

@@ -4,13 +4,12 @@ infra_external_network_id: "{{ lookup('pipe', 'openstack network show CUDN-Inter
 # Use the pre-existing portal-internal network so that we don't need to steal a router
 infra_network_id: "{{ lookup('pipe', 'openstack network show portal-internal -f value -c id') }}"
 
+# The ingress IP comes from an environment variable
+infra_fixed_floatingip: "{{ lookup('env', 'INGRESS_IP') }}"
+
 # Flavor auto-detection picks the wrong flavors on Arcus, so override them
 #   The flavor to use for the Azimuth AIO VM (vm.ska.cpu.general.eighth)
 infra_flavor_id: 5f9def81-c93f-4c1f-a521-3b810061ff6c
-#   The flavors to use for the Slurm login and control nodes
-#   TODO(mkjpryor) remove these once azimuth-ops has been updated
-azimuth_caas_stackhpc_slurm_appliance_login_flavor_name: vm.ska.cpu.general.small
-azimuth_caas_stackhpc_slurm_appliance_control_flavor_name: "{{ azimuth_caas_stackhpc_slurm_appliance_login_flavor_name }}"
 #   The flavor to use for the workstation test case (vm.ska.cpu.general.small)
 generate_tests_caas_test_case_workstation_param_cluster_flavor: c8b72062-5d52-4590-9d7a-68a670b44442
 #   The flavor to use for the repo2docker test case