From 07edd9d297dbad8bb9b9bfa1a697eb6e036720ce Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Thu, 7 Feb 2019 10:07:56 +0000
Subject: [PATCH] Add opendev kubernetes nodes to ansible inventory We want our base ansible roles to run on these nodes. However, k8s-on-openstack manages firewall rules via openstack security groups, so we don't want to run those there. There was a discussion about making a minimal set of roles that are run by default and then a group containing servers that got the full set ... but that would require a duplicate entry for 99% of our servers in the inventory, while the "only run a subset" is the exception case.
Change-Id: I2cbf364305f758cecf11df41398d3d2c05222fda
---
 inventory/groups.yaml | 2 ++
 inventory/openstack.yaml | 30 ++++++++++++++++++++++++++++++
 playbooks/base.yaml | 9 ++++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index a8f59ef383..8e8d183716 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -96,6 +96,8 @@ groups:
 - health*.open*.org
 kdc:
 - kdc[0-9]*.open*.org
+ kubernetes:
+ - opendev-k8s*.opendev.org
 logstash:
 - logstash[0-9]*.open*.org
 logstash-worker:
diff --git a/inventory/openstack.yaml b/inventory/openstack.yaml
index 368652aad9..f68a643d61 100644
--- a/inventory/openstack.yaml
+++ b/inventory/openstack.yaml
@@ -679,6 +679,36 @@ all:
 region_name: ca-ymq-1
 public_v4: 162.253.55.16
 public_v6: 2604:e100:1:0:f816:3eff:fe2c:7447
+ opendev-k8s-master.opendev.org:
+ ansible_host: 38.108.68.20
+ location:
+ cloud: openstackci-vexxhost
+ region_name: sjc1
+ public_v4: 38.108.68.20
+ opendev-k8s-1.opendev.org:
+ ansible_host: 38.108.68.70
+ location:
+ cloud: openstackci-vexxhost
+ region_name: sjc1
+ public_v4: 38.108.68.70
+ opendev-k8s-2.opendev.org:
+ ansible_host: 38.108.68.91
+ location:
+ cloud: openstackci-vexxhost
+ region_name: sjc1
+ public_v4: 38.108.68.91
+ opendev-k8s-3.opendev.org:
+ ansible_host: 38.108.68.72
+ location:
+ cloud: openstackci-vexxhost
+ region_name: sjc1
+ public_v4: 38.108.68.72
+ opendev-k8s-4.opendev.org:
+ ansible_host: 38.108.68.125
+ location:
+ cloud: openstackci-vexxhost
+ region_name: sjc1
+ public_v4: 38.108.68.125
 openstackid-dev.openstack.org:
 ansible_host: 2001:4800:7819:103:be76:4eff:fe05:3d
 location:
diff --git a/playbooks/base.yaml b/playbooks/base.yaml
index 6463c5e1d8..0be64f631c 100644
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@@ -13,8 +13,15 @@ - timezone - unbound - exim - iptables + +# Do not run firewall rules on kubernetes hosts, they are managed by k8s-on-openstack. +# TODO(mordred) snmpd should be able to be re-added to kubernetes hosts but we will +# need to add cacti to sg-opendev-nodes and sg-opendev-master security groups first. +- hosts: "!disabled:!kubernetes" + name: "Base: set up firewall rules" + roles: - snmpd + - iptables - hosts: bridge.openstack.org:!disabled name: "Base: configure cloud credentials on bridge"
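Review bot: Hosts in the `kubernetes` group now get no host-level firewall from this playbook, so the five publicly addressed nodes added in inventory/openstack.yaml depend entirely on the OpenStack security groups that k8s-on-openstack manages, and nothing visible in this change checks that those groups are in place. The comment above the new play should say so explicitly, for example `# Host firewalling on kubernetes hosts relies solely on the sg-opendev-nodes and sg-opendev-master security groups.`, assuming those are the groups in question. Membership is decided by the `opendev-k8s*.opendev.org` glob in inventory/groups.yaml, so any future host whose name matches it will skip `iptables` as well without anyone opting in; that deserves a line in the same comment. The play also runs `snmpd`, so `name: "Base: set up firewall rules and snmpd"` would describe it more accurately. The first play's role list begins outside this hunk.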