PR#1594: toddlers: enable check-commit-rights on stg - fedora-infra/ansible

fedora-infra / ansible

#1594 toddlers: enable check-commit-rights on stg

Merged 7 months ago by kevin. Opened 9 months ago by mattia.

fedora-infra/ mattia/ansible check-commit-rights into main

toddlers: enable check-commit-rights on stg

Mattia Verga • 7 months ago

eda3e9e

roles/openshift-apps/toddlers/templates/cron_playtime.yml

file modified

+53

		`@@ -264,4 +264,57 @@`
		`- name: fedora-messaging-cert-volume`
		`secret:`
		`secretName: toddlers-fedora-messaging-crt`
		`+ {% else %}`
		`+ ---`
		`+ apiVersion: batch/v1`
		`+ kind: CronJob`
		`+ metadata:`
		`+ name: playtime-check-commit-rights`
		`+ spec:`
		`+ successfulJobsHistoryLimit: 3`
		`+ failedJobsHistoryLimit: 3`
		`+ concurrencyPolicy: Forbid`
		`+ schedule: "0 8 /2 *"`
		`+ startingDeadlineSeconds: 500`
		`+ jobTemplate:`
		`+ spec:`
		`+ template:`
		`+ metadata:`
		`+ labels:`
		`+ parent: "cron_playtime_toddlers"`
		`+ spec:`
		`+ restartPolicy: Never`
		`+ containers:`
		`+ - name: toddlers`
		`+ image: image-registry.openshift-image-registry.svc:5000/toddlers/toddlers:latest`
		`+ command: ["/usr/bin/python3", "/code/toddlers/playtime.py", "check-commit-rights"]`
		`+ env:`
		`+ - name: PYTHONPATH`
		`+ value: "/code"`
		`+ volumeMounts:`
		`+ - name: toddlers-secret-volume`
		`+ mountPath: /etc/fedora-messaging`
		`+ readOnly: true`
		`+ - name: fedora-messaging-ca-volume`
		`+ mountPath: /etc/pki/rabbitmq/ca`
		`+ readOnly: true`
		`+ - name: fedora-messaging-key-volume`
		`+ mountPath: /etc/pki/rabbitmq/key`
		`+ readOnly: true`
		`+ - name: fedora-messaging-cert-volume`
		`+ mountPath: /etc/pki/rabbitmq/cert`
		`+ readOnly: true`
		`+ volumes:`
		`+ - name: toddlers-secret-volume`
		`+ secret:`
		`+ secretName: toddlers-secret`
		`+ - name: fedora-messaging-ca-volume`
		`+ secret:`
		`+ secretName: toddlers-fedora-messaging-ca`
		`+ - name: fedora-messaging-key-volume`
		`+ secret:`
		`+ secretName: toddlers-fedora-messaging-key`
		`+ - name: fedora-messaging-cert-volume`
		`+ secret:`
		`+ secretName: toddlers-fedora-messaging-crt`
		`{% endif %}`

roles/openshift-apps/toddlers/templates/fedora-messaging.toml

file modified

+14

		`@@ -379,3 +379,17 @@`
		`[log_config.root]`
		`level = "ERROR"`
		`handlers = ["console"]`
		`+`
		`+ # Configuration section for check_commit_rights`
		`+ [consumer_config.check_commit_rights]`
		`+ exclude_users = []`
		`+ {% if env == "staging" %}`
		`+ notify_emails = [`
		`+ # "nobody@fedoraproject.org",`
		`+ "fedora_stg@sparebit.simplelogin.com",`
		`+ ]`
		`+ {% else %}`
		`+ notify_emails = [`
		`+ "admin@fedoraproject.org",`
		`+ ]`
		`+ {% endif %}`

mattia commented 9 months ago

Following https://pagure.io/fedora-infra/toddlers/pull-request/128 this will enable the toddler plugin in stg.
I've copy/pasted the configuration from the other active toddlers, they looks like all the same to me.
Also, is there a test email address where to send the output?

Signed-off-by: Mattia Verga mattia.verga@tiscali.it

zuul commented 9 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/9f0b8e2b6d204f6d9aefd367cfedb018

fi-ansible-lint-diff : SUCCESS in 4m 56s
fi-yamllint-diff : SUCCESS in 2m 58s

zlopez commented 9 months ago

Looks good to me

@kevin Do we have some e-mail in staging that could be used for testing?

kevin commented 9 months ago

staging doesn't really have it's own email setup. It should send out to normal emails tho... so, just use whatever email address you want to use to look at it while testing.

Where is this intended to be sent?

mattia commented 9 months ago

staging doesn't really have it's own email setup. It should send out to normal emails tho... so, just use whatever email address you want to use to look at it while testing.

Where is this intended to be sent?

When in prod, hopefully to someone within fedora-infra, as it will output something like:

Dear Admin,

The periodic check on user commit rights on src.fp.o has identified {len(not_packagers_set)}
users which aren't member of the packager group. The list of them is here:

{users_list}

Please check is these rights are correct, they can be a leftover from when the users
were removed, or removed themselves, from the packager group.

Have a wonderful day and see you (maybe?) at the next run!

but maybe I can send it directly to the infra mailing list?

For stg, I suppose I could send to an address of mine, if there's no other choice to share test within infra.

kevin commented 9 months ago

Yeah, I guess in prod just admin@fedoraproject.org? or if it's not sensitive I guess the mailing list would be ok. We do also have the 'releng-cron' list where output from a bunch of things goes.

For stg it might be best to use your address at least for debugging... once it's all set you could change it to 'nobody@fedoraproject.org' for /dev/null? or send to the cron list I guess (as long as it's very clear that it's staging)

rebased onto 8b7e98b4b6947d6b4d925dbac1bcfd40666fa30b

9 months ago

zuul commented 9 months ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/2095eabcb193484ebb496c6bcf7f38ec

fi-ansible-lint-diff : SUCCESS in 5m 08s
fi-yamllint-diff : SUCCESS in 3m 10s

zlopez commented 8 months ago

@kevin should we wait with this after the freeze?

kevin commented 8 months ago

Well, if it can be set to only change anything in staging, then we can merge and push to staging anytime.

If it modifies prod we should avoid it until after freeze.

mattia commented 8 months ago

Well, if it can be set to only change anything in staging, then we can merge and push to staging anytime.

If it modifies prod we should avoid it until after freeze.

The {% else %} in cron_playtime.yml will only apply the cron script to staging. The configuration change in fedora-messaging.toml will be applied on both, but it should just be ignored on prod (otherwise I can wrap everythin with a {% if env == "staging" %} if you prefer).