#7770 RFR: Deploying compose-tracker in Fedora Openshift
Closed: Fixed 4 years ago by dustymabe. Opened 4 years ago by mohanboddu.

I would like to request to deploy compose-tracker in Fedora Openshift.

It used to run in @dustymabe's openshift instance and used to file tickets in https://pagure.io/dusty/failed-composes/issues but we would like to move to Fedora Infra and the source code will be hosted in https://pagure.io/releng/compose-tracker while the failure tickets are filed at https://pagure.io/releng/failed-composes.

More info: https://pagure.io/fedora-infrastructure/issue/7752

Thanks.


Cool. We need to start with staging... get the app set up and working there, although it may be difficult to test since we don't do any composes there.

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: OpenShift, request-for-resources

4 years ago

> Cool. We need to start with staging... get the app set up and working there, although it may be difficult to test since we don't do any composes there.

IIRC, isn't there a way to send a fake message on the message bus?

> Cool. We need to start with staging... get the app set up and working there, although it may be difficult to test since we don't do any composes there.

The app consumes fedmsg so it can just use the input from the prod composes. No need to do a compose in staging I don't think.

Would it be a good time to move to fedora-messaging? I'll be happy to give pointers or help if someone is interested in this work.

@cverna I am interested, as I never played with it. Can we do a quick session when you get a chance?

@mohanboddu cool I added a meeting in your calendar for tomorrow ;-)

> Would it be a good time to move to fedora-messaging? I'll be happy to give pointers or help if someone is interested in this work.

we were on the same page - I filed this before I even saw your request: https://pagure.io/releng/compose-tracker/issue/2

Please let me know whoever is going to work on this, I want to watch and learn how it's done and get some training on deployments in infra openshift.

Thanks.

I'm taking this in agreement with @kevin

Metadata Update from @mizdebsk:
- Issue assigned to mizdebsk (was: kevin)

4 years ago

@mizdebsk pointed us at a few places where ansible playbooks exist already:

mizdebsk | dustymabe, all the playbooks for our openshift apps are at
         | https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/playbooks/openshift-apps
mizdebsk | templates for openshift objects are at https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps

@puiterwijk Could you please run the audit check for this ticket?

We will be pushing commits to the ansible for your review and will give you the files.

Thanks.

SOP: https://pagure.io/infra-docs/pull-request/157
I acknowledge that the service is ready for deployment of staging instance.

Things that I needed to do as sysadmin-main (for documentation purposes):

  • created @releng user in stg.pagure.io - manually inserted into pagure database
  • created staging Pagure token for @releng using pagure-admin CLI
  • extended expiry date for the above token, using pagure-admin CLI
  • defined private Ansible variable with the above token
  • set @mohanboddu as owner of releng group in staging Pagure
  • granted RBAC permission to run openshift-apps/compose-tracker.yml playbook
  • ran FAS client on batcave so that changes to sysadmin-releng group were synced from FAS

> granted RBAC permission to run openshift-apps/compose-tracker.yml playbook

Just wanted to say, the permission is given to sysadmin-releng group.

Metadata Update from @puiterwijk:
- Issue tagged with: security

4 years ago

discussed with @mohanboddu yesterday. Steps left to getting to prod that I know of (may be additional steps in the RFR SOP):

  1. we wait on security audit
  2. we get @mizdebsk to create releng user token for us and populate ansible private variable
  3. we edit the playbook to make it also deploy to prod
  4. run the playbook

@mizdebsk are we able to do step 2. now or do we need to wait on security audit for that too?

Let's wait for the security audit before deploying to production or even generating production tokens.

Sorry for the delay in providing any feedback about the audit, there had been a few things that were pushed in front.
My current ETA for finishing this audit is by Wednesday June 26, 2019.

> Sorry for the delay in providing any feedback about the audit, there had been a few things that were pushed in front.
> My current ETA for finishing this audit is by Wednesday June 26, 2019.

Thanks @puiterwijk if we can deploy this to prod before FLOCK that would be awesome.

Sorry, this took a bit longer than I'd hoped due to other things.

This code has been approved for production as of revision a99510882a0945073a3dff205417007b176e456f.
Please do inform us if any major changes are made to the code base that would possibly impact the audit results.

Metadata Update from @puiterwijk:
- Issue untagged with: security

4 years ago

thanks @puiterwijk!

> Sorry, this took a bit longer than I'd hoped due to other things.
> This code has been approved for production as of revision a99510882a0945073a3dff205417007b176e456f.

Thanks @puiterwijk. @mohanboddu - do you want to work with @mizdebsk to get this running in production since I'm out for a while?

> Please do inform us if any major changes are made to the code base that would possibly impact the audit results.

I think our plans right now are mostly to improve the capabilities and possibly also add support for opening tickets against JIRA (for internal RCM usage). I don't think these things would impact the audit results, but I'll send you a message when we get closer to see what you think.

I hereby acknowledge that the resource is fully configured in Ansible and ready to be deployed in production. @dustymabe let me know when you want to deploy compose-tracker in production.

Metadata Update from @mizdebsk:
- Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)

4 years ago

hey @mizdebsk can you create the pagure token for the releng user in prod pagure and update the {{compose_tracker_pagure_token}} variable in the ansible private repo

> hey @mizdebsk can you create the pagure token for the releng user in prod pagure and update the {{compose_tracker_pagure_token}} variable in the ansible private repo

Also it appears the {{compose_tracker_pagure_token_stg}} variable has now expired. So can we recreate that one and also make them both not expire?

Metadata Update from @dustymabe:
- Issue priority set to: Waiting on Assignee (was: Waiting on Reporter)

4 years ago

> hey @mizdebsk can you create the pagure token for the releng user in prod pagure and update the {{compose_tracker_pagure_token}} variable in the ansible private repo
>
> Also it appears the {{compose_tracker_pagure_token_stg}} variable has now expired. So can we recreate that one and also make them both not expire?

To the person that will look into this: we can't have API tokens that do not
expire, but using pagure-admin we can make them expire in the far future :)

I can create one, now that I know how to do that.

I already spoke to @mohanboddu and explained how to create the token:

  • `ssh root@pagure01.fedoraproject.org`
  • `pagure-admin admin-token create releng` to create the token
  • `pagure-admin admin-token list|grep releng` to see the token created
  • `pagure-admin admin-token update $token 2019-12-31` to extend expiry time

I created the token and updated the config in ansible-private repo and pushed the change.

Is there anything else that I need to do? (Like running any playbook, so that the ansible playbooks will see compose_tracker_pagure_token that I added to ansible-private repo)

> I created the token and updated the config in ansible-private repo and pushed the change.

can you also update the stg token since it seems to be expired?

> Is there anything else that I need to do? (Like running any playbook, so that the ansible playbooks will see compose_tracker_pagure_token that I added to ansible-private repo)

I don't think so

ok @kevin helped me here. I'll deploy this to prod tomorrow

Metadata Update from @dustymabe:
- Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)

4 years ago

The app has been deployed to prod! New issues should start showing up at https://pagure.io/releng/failed-composes/

Metadata Update from @dustymabe:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
