From 700fb3c1aecfd7b5bc788426aee1597acbb50caa Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Jun 13 2019 20:55:04 +0000 Subject: openqa/dispatcher: use private auth in infra The keys and certs have been created for us to use private auth so let's do it. This tries to keep things working for non-infra deployments somehow. Signed-off-by: Adam Williamson --- diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index 6d246a0..2b1ab37 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -42,6 +42,32 @@ - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml +# fedora-messaging user/queue setup + roles: + - role: rabbit/user + username: "openqa{{ env_suffix }}" + when: env == "staging" + - role: rabbit/queue + username: "openqa{{ env_suffix }}" + queue_name: "openqa{{ env_suffix }}_scheduler" + routing_keys: + - "org.fedoraproject.prod.pungi.compose.status.change" + - "org.fedoraproject.prod.bodhi.update.request.testing" + - "org.fedoraproject.prod.bodhi.update.edit" + when: env == "staging" + - role: rabbit/queue + username: "openqa{{ env_suffix }}" + queue_name: "openqa{{ env_suffix }}_resultsdb_reporter" + routing_keys: + - "org.fedoraproject.{{ deployment_type }}.openqa.job.done" + when: env == "staging" + - role: rabbit/queue + username: "openqa{{ env_suffix }}" + queue_name: "openqa{{ env_suffix }}_wiki_reporter" + routing_keys: + - "org.fedoraproject.{{ deployment_type }}.openqa.job.done" + when: env == "staging" + # relvalconsumer and autocloudreporter aren't particularly related # to openQA in any way, we just put those role on these boxes. There's # nowhere more obviously correct for rvc and acr should be on an diff --git a/roles/openqa/dispatcher/tasks/main.yml b/roles/openqa/dispatcher/tasks/main.yml index 0eec52b..7f7164b 100644 --- a/roles/openqa/dispatcher/tasks/main.yml +++ b/roles/openqa/dispatcher/tasks/main.yml 
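Review bot: Every `rabbit/user` and `rabbit/queue` entry in the new `roles:` list is gated on `when: env == "staging"`, while the templates in this same commit switch production to the private `openqa` user and the `openqa_scheduler`/`openqa_resultsdb_reporter`/`openqa_wiki_reporter` queues as soon as `deployment_type` is defined. Unless the production user and queues are declared somewhere outside this commit (the message says keys and certs were pre-created, but says nothing about queues), a production run will render consumers bound to queues nothing creates. If the staging-only gate is a deliberate trial, say so above the list, e.g. `# staging-only for now: the prod openqa user and queues must exist before prod uses private auth`; otherwise drop the `when:` lines so the roles follow `env` like the rest of the play. Note also that the scheduler queue's routing keys are hard-coded to `.prod.` because the scheduler listens on the production broker even on staging, so that queue has to be declared on the broker `rabbit/queue` targets for production, not the staging one.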
@@ -21,9 +21,7 @@ ## bool - if true, configure and deploy the fedora-messaging ## consumers; if false, configure and deploy the fedmsg ## consumers. Note you must also set openqa_scheduler_uuid -## (no deployment type), openqa_scheduler_stg_uuid -## (staging) or openqa_scheduler_prod_uuid (production) if -## this is set +## for non-Fedora-infra deployments, if this is set ## default - false # # Optional vars @@ -48,9 +46,9 @@ ## are maintaining the Fedora infrastructure deployment # - deployment_type ## string - Fedora Infrastructure thing; for this role, the -## fedora_openqa config file will be set appropriately -## for infra deployments if this is set, so don't set -## it for private deployments +## fedora_openqa config file and fedora-messaging config +## will be set appropriately for infra deployments if +## this is set, so don't set it for private deployments # # NOTE: There are still currently a couple of assumptions that the # openQA server boxes will always act as their own dispatchers, but 
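Review bot: The reworded note on `openqa_fedoramessaging` now says only `openqa_scheduler_uuid` must be set for non-Fedora-infra deployments, but the `{% else %}` branches of the reporter templates in this commit still require `openqa_resultsdb_reporter_uuid` and `openqa_wiki_reporter_uuid`. If those two are not documented further down in this header (outside the hunk), list all three here: `## openqa_scheduler_uuid, openqa_resultsdb_reporter_uuid and openqa_wiki_reporter_uuid for non-Fedora-infra deployments, if this is set`. The second hunk's `deployment_type` note could also warn that setting it now makes the role copy a client certificate and key out of `{{ private }}`, so a private deployment that sets it will fail on that path rather than merely get a wrong config.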
@@ -193,21 +191,76 @@ tags: - config -- name: Install fedora-messaging staging CA cert (because it's not in the package) - copy: src=stg-cacert.pem dest=/etc/fedora-messaging/stg-cacert.pem owner=root group=root mode=0644 +- name: Install fedora-messaging anon staging CA cert (because it's not in the package) + copy: src=stg-cacert.pem dest=/etc/fedora-messaging/cacert.stg.pem owner=root group=root mode=0644 when: "openqa_fedoramessaging|bool" tags: - config -- name: Install fedora-messaging staging broker cert (because it's not in the package) +- name: Install fedora-messaging anon staging broker cert (because it's not in the package) copy: src=fedora.stg-cert.pem dest=/etc/fedora-messaging/fedora.stg-cert.pem owner=root group=root mode=0644 - when: "openqa_fedoramessaging|bool" + when: "openqa_fedoramessaging|bool and deployment_type is not defined" tags: - config -- name: Install fedora-messaging staging broker key (because it's not in the package) +- name: Install fedora-messaging anon staging broker key (because it's not in the package) copy: src=fedora.stg-key.pem dest=/etc/fedora-messaging/fedora.stg-key.pem owner=root group=root mode=0644 - when: "openqa_fedoramessaging|bool" + when: "openqa_fedoramessaging|bool and deployment_type is not defined" + tags: + - config + +- name: Create /etc/pki/fedora-messaging + file: + dest: /etc/pki/fedora-messaging + mode: 0775 + owner: root + group: root + state: directory + when: "openqa_fedoramessaging|bool and deployment_type is defined" + tags: + - config + +- name: Deploy the Fedora infra fedora-messaging cert + copy: + src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/openqa{{env_suffix}}.crt" + dest: /etc/pki/fedora-messaging/openqa{{env_suffix}}-cert.pem + mode: 0644 + owner: root + group: root + when: "openqa_fedoramessaging|bool and deployment_type is defined" + tags: + - config + +- name: Deploy the Fedora infra fedora-messaging key + copy: + src: "{{ private 
}}/files/rabbitmq/{{env}}/pki/private/openqa{{env_suffix}}.key" + dest: /etc/pki/fedora-messaging/openqa{{env_suffix}}-key.pem + mode: 0600 + owner: root + group: root + when: "openqa_fedoramessaging|bool and deployment_type is defined" + tags: + - config + +- name: Deploy the Fedora infra fedora-messaging prod cert on stg (for scheduler) + copy: + src: "{{ private }}/files/rabbitmq/production/pki/issued/openqa.crt" + dest: /etc/pki/fedora-messaging/openqa-cert.pem + mode: 0644 + owner: root + group: root + when: "openqa_fedoramessaging|bool and deployment_type is defined and deployment_type == 'stg'" + tags: + - config + +- name: Deploy the Fedora infra fedora-messaging prod key on stg (for scheduler) + copy: + src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key" + dest: /etc/pki/fedora-messaging/openqa-key.pem + mode: 0600 + owner: root + group: root + when: "openqa_fedoramessaging|bool and deployment_type is defined and deployment_type == 'stg'" tags: - config diff --git a/roles/openqa/dispatcher/templates/fedora_openqa_resultsdb_reporter.toml.j2 b/roles/openqa/dispatcher/templates/fedora_openqa_resultsdb_reporter.toml.j2 index c9ba458..2727e18 100644 --- a/roles/openqa/dispatcher/templates/fedora_openqa_resultsdb_reporter.toml.j2 +++ b/roles/openqa/dispatcher/templates/fedora_openqa_resultsdb_reporter.toml.j2 
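Review bot: The two key-deploy tasks install the private keys as `owner: root`, `group: root`, `mode: 0600`, but nothing in this hunk shows the fedora-messaging consumers running as root; if `fm-consumer@` runs under a dedicated service account (verify against the unit this role or the package ships), the consumer will fail to open `/etc/pki/fedora-messaging/openqa{{env_suffix}}-key.pem`, and the fix is to set `group:` to that account with `mode: "0640"` rather than reverting to the world-readable `0644` the anonymous key used. Separately, `mode: 0775` on `/etc/pki/fedora-messaging` is group-writable for no visible reason and is an unquoted octal literal; `mode: "0755"` is the conventional value, and quoting the other modes too keeps the YAML parser from ever reading them as integers. The last two tasks place the production `openqa` private key on the staging host, so a staging compromise now yields production broker credentials; that follows from the scheduler needing the prod broker, but deserves a comment on those tasks and a check that the prod `openqa` user's broker permissions are limited to what the scheduler needs. The anonymous `fedora.stg-*` cert and key tasks now run only when `deployment_type` is undefined, yet the templates' non-infra branches never reference those files, so they look dead unless another consumer on the box uses them.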
@@ -3,18 +3,18 @@
 # something unique before using this.
 #
 # This file is in the TOML format.
-{% if deployment_type is defined and deployment_type == 'stg' %}
-amqp_url = "amqps://fedora.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpublic_pubsub"
 {% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
 {% endif %}
 callback = "fedora_openqa.consumer:OpenQAResultsDBReporter"
 [tls]
-{% if deployment_type is defined and deployment_type == 'stg' %}
-ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
-keyfile = "/etc/fedora-messaging/fedora.stg-key.pem"
-certfile = "/etc/fedora-messaging/fedora.stg-cert.pem"
+{% if deployment_type is defined %}
+ca_cert = "/etc/fedora-messaging/cacert{{ env_suffix }}.pem"
+keyfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-cert.pem"
 {% else %}
 ca_cert = "/etc/fedora-messaging/cacert.pem"
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
@@ -30,6 +30,10 @@ durable = true
 auto_delete = false
 arguments = {}
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_resultsdb_reporter]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
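Review bot: `[queues.openqa{{ env_suffix }}_resultsdb_reporter]` is a bare TOML table header, and the rest of this commit implies `env_suffix` is `.stg` on staging (`cacert{{ env_suffix }}.pem` has to resolve to the `cacert.stg.pem` the tasks install, and `rabbitmq{{ env_suffix }}.fedoraproject.org` to the old `rabbitmq.stg.fedoraproject.org`). A dot inside a bare key is a table separator, so TOML reads this as a table `stg_resultsdb_reporter` nested under `queues.openqa`, and fedora-messaging will not find a queue named `openqa.stg_resultsdb_reporter`, which is what the `[[bindings]]` entry further down asks for; the old UUID names only worked because they contain hyphens, not dots. Quote the key: `[queues."openqa{{ env_suffix }}_resultsdb_reporter"]`. The same applies to `[queues.openqa{{ env_suffix }}_scheduler]` in fedora_openqa_scheduler.toml.j2 and `[queues.openqa{{ env_suffix }}_wiki_reporter]` in fedora_openqa_wiki_reporter.toml.j2; on production `env_suffix` is presumably empty, so the bug would only show on staging.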
@@ -38,11 +42,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_resultsdb_reporter_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_resultsdb_reporter_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_resultsdb_reporter_uuid }}]
 {% endif %}
 durable = false
@@ -51,16 +50,14 @@ exclusive = true
 arguments = {}
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_resultsdb_reporter_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_resultsdb_reporter_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_resultsdb_reporter"
 {% else %}
 queue = "{{ openqa_resultsdb_reporter_uuid }}"
 {% endif %}
 exchange = "amq.topic"
-{% if deployment_type is defined and deployment_type == 'stg' %}
-routing_keys = ["org.fedoraproject.stg.openqa.job.done"]
+{% if deployment_type is defined %}
+routing_keys = ["org.fedoraproject.{{ deployment_type }}.openqa.job.done"]
 {% else %}
 routing_keys = ["org.fedoraproject.prod.openqa.job.done"]
 {% endif %}
diff --git a/roles/openqa/dispatcher/templates/fedora_openqa_scheduler.toml.j2 b/roles/openqa/dispatcher/templates/fedora_openqa_scheduler.toml.j2
index 41a0253..767c7cb 100644
--- a/roles/openqa/dispatcher/templates/fedora_openqa_scheduler.toml.j2
+++ b/roles/openqa/dispatcher/templates/fedora_openqa_scheduler.toml.j2
@@ -7,16 +7,25 @@
 # we listen to the prod broker here even for staging as we need to use
 # prod messages to schedule jobs in openQA staging, composes and
 # updates just don't show up on the staging broker.
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+{% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+{% endif %}
 callback = "fedora_openqa.consumer:OpenQAScheduler"
 [tls]
 ca_cert = "/etc/fedora-messaging/cacert.pem"
+{% if deployment_type is defined %}
+keyfile = "/etc/pki/fedora-messaging/openqa-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa-cert.pem"
+{% else %}
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
 certfile = "/etc/fedora-messaging/fedora-cert.pem"
+{% endif %}
 [client_properties]
-app = "Fedora openQA"
+app = "Fedora openQA scheduler"
 [exchanges."amq.topic"]
 type = "topic"
@@ -24,6 +33,10 @@ durable = true
 auto_delete = false
 arguments = {}
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_scheduler]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
@@ -32,11 +45,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_scheduler_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_scheduler_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_scheduler_uuid }}]
 {% endif %}
 durable = false
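Review bot: On staging the scheduler now authenticates to the production broker as the production `openqa` identity (`amqps://openqa:@rabbitmq.fedoraproject.org` with `openqa-key.pem`/`openqa-cert.pem`), yet the queue it declares and binds is `openqa{{ env_suffix }}_scheduler`, which on staging is presumably `openqa.stg_scheduler`, on that same production broker. The playbook runs `rabbit/queue` for that name only `when: env == "staging"`, which I read as targeting the staging broker, so the queue and the `openqa` user's permission on it will not exist where the staging scheduler actually connects; either declare `openqa.stg_scheduler` for user `openqa` on the production broker or give staging a queue name the prod user is already allowed to declare. This deserves a comment next to the new `amqp_url` line, e.g. `# even with deployment_type == 'stg', the key, cert and queue here are all production-broker objects`, since the existing comment above only explains why the broker is prod, not that the credentials and queue must follow it.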
@@ -45,10 +53,8 @@ exclusive = true
 arguments = {}
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_scheduler_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_scheduler_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_scheduler"
 {% else %}
 queue = "{{ openqa_scheduler_uuid }}"
 {% endif %}
diff --git a/roles/openqa/dispatcher/templates/fedora_openqa_wiki_reporter.toml.j2 b/roles/openqa/dispatcher/templates/fedora_openqa_wiki_reporter.toml.j2
index c5fa332..cfcf99b 100644
--- a/roles/openqa/dispatcher/templates/fedora_openqa_wiki_reporter.toml.j2
+++ b/roles/openqa/dispatcher/templates/fedora_openqa_wiki_reporter.toml.j2
@@ -3,18 +3,18 @@
 # something unique before using this.
 #
 # This file is in the TOML format.
-{% if deployment_type is defined and deployment_type == 'stg' %}
-amqp_url = "amqps://fedora.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpublic_pubsub"
 {% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
 {% endif %}
 callback = "fedora_openqa.consumer:OpenQAWikiReporter"
 [tls]
-{% if deployment_type is defined and deployment_type == 'stg' %}
-ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
-keyfile = "/etc/fedora-messaging/fedora.stg-key.pem"
-certfile = "/etc/fedora-messaging/fedora.stg-cert.pem"
+{% if deployment_type is defined %}
+ca_cert = "/etc/fedora-messaging/cacert{{ env_suffix }}.pem"
+keyfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-cert.pem"
 {% else %}
 ca_cert = "/etc/fedora-messaging/cacert.pem"
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
@@ -30,6 +30,10 @@ durable = true
 auto_delete = false
 arguments = {}
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_wiki_reporter]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
@@ -38,11 +42,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_wiki_reporter_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_wiki_reporter_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_wiki_reporter_uuid }}]
 {% endif %}
 durable = false
@@ -51,16 +50,14 @@ exclusive = true
 arguments = {}
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_wiki_reporter_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_wiki_reporter_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_wiki_reporter"
 {% else %}
 queue = "{{ openqa_wiki_reporter_uuid }}"
 {% endif %}
 exchange = "amq.topic"
-{% if deployment_type is defined and deployment_type == 'stg' %}
-routing_keys = ["org.fedoraproject.stg.openqa.job.done"]
+{% if deployment_type is defined %}
+routing_keys = ["org.fedoraproject.{{ deployment_type }}.openqa.job.done"]
 {% else %}
 routing_keys = ["org.fedoraproject.prod.openqa.job.done"]
 {% endif %}