#1493 resultsdb-ci-listener: Avoid using the same crt/key as resultsdb
Merged 2 years ago by kevin. Opened 2 years ago by lholecek.
fedora-infra/lholecek/ansible branch fix-conflicting-certs into main

@@ -41,13 +41,13 @@ 

        app: resultsdb-ci-listener

        secret_name: resultsdb-ci-listener-fedora-messaging-key

        key: resultsdb-ci-listener.key

-       privatefile: "rabbitmq/{{env}}/pki/private/resultsdb{{env_suffix}}.key"

+       privatefile: "rabbitmq/{{env}}/pki/private/resultsdb-ci-listener{{env_suffix}}.key"

  

      - role: openshift/secret-file

        app: resultsdb-ci-listener

        secret_name: resultsdb-ci-listener-fedora-messaging-crt

        key: resultsdb-ci-listener.crt

-       privatefile: "rabbitmq/{{env}}/pki/issued/resultsdb{{env_suffix}}.crt"

+       privatefile: "rabbitmq/{{env}}/pki/issued/resultsdb-ci-listener{{env_suffix}}.crt"

  

      - role: openshift/secret-file

        app: resultsdb-ci-listener
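Review bot: the two `+` lines name the files `resultsdb-ci-listener{{env_suffix}}.key` / `.crt` (hyphen, env suffix last), while the broker username this listener is given elsewhere in the play is `resultsdb{{ env_suffix }}_ci_listener` (underscore, suffix before `_ci_listener`). RabbitMQ derives the x509 user from the certificate subject, not from the file name, so pointing the secrets at a new path only helps if a certificate issued for the listener's own identity actually exists there; please state in the commit message which certificate these paths now refer to, since with the old `resultsdb{{env_suffix}}` certificate the listener keeps authenticating as the resultsdb user and is refused access to its `_ci_listener` queue.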

rebased onto f9baca2159be9c3976b1ba06524dcfd9848ab97f

2 years ago

So, this won't work (at least not in staging)...

The problem is:

- role: rabbit/queue
  username: "resultsdb{{ env_suffix }}_ci_listener"
  queue_name: "resultsdb{{ env_suffix }}_ci_listener"

so, the name is 'resultsdb.stg_ci_listener' in stg.

Then, the name and the queue don't match, and then roles/rabbit/queue/tasks/main.yml does:

    - name: Validate queue name {{ queue_name }}
      assert:
        that:
          - "queue_name.startswith(username)"
        fail_msg: "Your queue name must be prefixed with your username"
      when: username is defined

And it fails. ;(

We normally do want that check. So, how can we restructure this so it works? Perhaps @abompard can chime in. ;)

Not sure if I understand. The username and queue_name are the same so it seems that queue_name.startswith(username) should succeed. How is this related to the privatefile?

Would using the username in privatefile help? I.e.:

privatefile: "rabbitmq/{{ env }}/pki/private/resultsdb{{ env_suffix }}_ci_listener.key"

rebased onto 48c34d9

2 years ago


Hum, you're right. I was thinking of a problem we used to have and fixed. ;( Sorry about that...

So yeah, this should work. I guess let's give it a try in stg.

Pull-Request has been merged by kevin

2 years ago

But why is it using the wrong user here?

[fedora_messaging.twisted.service INFO] Authenticating with server using x509 (certfile: /etc/pki/rabbitmq/crt/resultsdb-ci-listener.crt, keyfile: /etc/pki/rabbitmq/key/resultsdb-ci-listener.key)
[fedora_messaging.cli ERROR] Unable to declare the binding object on the AMQP broker. The broker responded with (403, "ACCESS_REFUSED - access to queue 'resultsdb.stg_ci_listener' in vhost '/pubsub' refused for user 'resultsdb.stg'"). Check permissions for your user.
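As an added diagnostic (not part of this thread or the ansible repo), the stdlib Python below parses a broker ACCESS_REFUSED line like the one above and compares the user the broker actually authenticated against the username the play assigns the listener, applying the same prefix rule the rabbit/queue role asserts. The sample line is constructed from the log quoted above, and an env_suffix of ".stg" is assumed from the staging names in the thread.

```python
import re
from typing import Optional

# Constructed sample line, modelled on the listener log quoted in the thread.
SAMPLE_LOG = (
    "[fedora_messaging.cli ERROR] Unable to declare the binding object on the AMQP "
    "broker. The broker responded with (403, \"ACCESS_REFUSED - access to queue "
    "'resultsdb.stg_ci_listener' in vhost '/pubsub' refused for user 'resultsdb.stg'\"). "
    "Check permissions for your user."
)

ACCESS_REFUSED = re.compile(
    r"ACCESS_REFUSED - access to (?P<kind>queue|exchange) '(?P<name>[^']+)' "
    r"in vhost '(?P<vhost>[^']+)' refused for user '(?P<user>[^']+)'"
)


def expected_username(env_suffix: str) -> str:
    """Broker username the play gives the listener: resultsdb{{ env_suffix }}_ci_listener."""
    return f"resultsdb{env_suffix}_ci_listener"


def queue_allowed(username: str, queue_name: str) -> bool:
    """The rule roles/rabbit/queue asserts: a queue must be prefixed with its owner's username."""
    return queue_name.startswith(username)


def diagnose_access_refused(line: str, env_suffix: str) -> Optional[dict]:
    """Return a diagnosis dict for an ACCESS_REFUSED line, or None if the line is not one."""
    m = ACCESS_REFUSED.search(line)
    if not m:
        return None
    want = expected_username(env_suffix)
    got = m["user"]
    return {
        "kind": m["kind"],
        "name": m["name"],
        "vhost": m["vhost"],
        "authenticated_as": got,
        "expected_user": want,
        # True when the presented certificate belongs to a different identity
        # than the one the queue was created for (the _ vs - confusion above).
        "identity_mismatch": got != want,
        # The queue name itself is fine for the intended user; only the cert is wrong.
        "queue_ok_for_expected_user": queue_allowed(want, m["name"]),
    }
```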

ok. I got it sorted out. There was a bunch of confusion with certs and _ vs - and I fumbled around and finally fixed it. :)

Please check it over and see if I messed up anything.

All looks good. I haven't seen any errors in logs or restarts after the new deployment. Thanks. :raised_hands:
