#8111 Request a fedora-messaging certificte for MTS to receive and publish messages from and to message bus
Closed: Fixed 24 days ago by kevin. Opened 2 months ago by cqi.

MTS will be migrated to fedora-messaging soon. As per title, could you please create one so that I can use it to test MTS in stg and then move to prod. MTS is deployed in Fedora Openshift stg now. Thanks!


I've created both staging and prod certs.

You can reference them in ansible with:

cert: "{{private}}/files/rabbitmq/{{env}}/pki/issued/mts{{ env_suffix }}.crt"

key: "{{private}}/files/rabbitmq/{{env}}/pki/private/mts{{ env_suffix }}.key"

Please let us know if you need anything further.

See https://fedora-messaging.readthedocs.io/en/stable/ for more information on fedora-messaging.

:eyeglasses:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Thanks @kevin

I'll try these certificates once the migration to fedora-messaging is done.

Hi @kevin

cert: "{{private}}/files/rabbitmq/{{env}}/pki/issued/mts{{ env_suffix }}.crt"
key: "{{private}}/files/rabbitmq/{{env}}/pki/private/mts{{ env_suffix }}.key"

I put these to fedora-messaging config file in mts role, but they do not exist in container. Anything I misunderstand?

Metadata Update from @cqi:
- Issue status updated to: Open (was: Closed)

a month ago

So, you need to make them secret file objects. Take a look at how bodhi does it:

playbooks/openshift-apps/bodhi.yml:

  • role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-ca
    key: cacert.pem
    privatefile: "rabbitmq/{{env}}/pki/ca.crt"
  • role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-crt
    key: bodhi-cert.pem
    privatefile: "rabbitmq/{{env}}/pki/issued/bodhi{{env_suffix}}.crt"
  • role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-key
    key: bodhi-key.pem
    privatefile: "rabbitmq/{{env}}/pki/private/bodhi{{env_suffix}}.key"

roles/openshift-apps/bodhi/templates/deploymentconfig.yml:

      - name: fedora-messaging-ca-volume
        mountPath: /etc/pki/fedora-messaging/cacert.pem
        subPath: cacert.pem
        readOnly: true
      - name: fedora-messaging-crt-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-cert.pem
        subPath: bodhi-cert.pem
        readOnly: true
      - name: fedora-messaging-key-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-key.pem
        subPath: bodhi-key.pem
        readOnly: true

roles/openshift-apps/bodhi/templates/deploymentconfig.yml:

      - name: fedora-messaging-ca-volume
        mountPath: /etc/pki/fedora-messaging/cacert.pem
        subPath: cacert.pem
        readOnly: true
      - name: fedora-messaging-crt-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-cert.pem
        subPath: bodhi-cert.pem
        readOnly: true
      - name: fedora-messaging-key-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-key.pem
        subPath: bodhi-key.pem
        readOnly: true

So, basically you copy the secrets into volumes and mount those in the container... make sense?

Hi @kevin

I updated MTS playbook, reran it and got I got "Could not find or access '/srv/private/ansible/files//srv/private/ansible/files/rabbitmq/staging/pki/private/mts.stg.key'".

Is {{private}}/files/ part optional? I don't see it in bodhi playbook and others'.

I removed {{private}}/files/ and playbook runs successfully.

MTS runs on stg now. A new issue is ACCESS_REFUSED.

2019-09-07 14:49:54,799- pika.adapters.utils.connection_workflow - ERROR - AMQPConnector - reporting failure: AMQPConnectorAMQPHandshakeError: ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism EXTERNAL. For details see the broker logfile.'

I use mts as username to connect broker.

You need to setup your user/queue... for example from bodhi:

  - role: rabbit/user
    username: "bodhi{{ env_suffix }}"
  - role: rabbit/queue
    username: "bodhi{{ env_suffix }}"
    queue_name: "{{ bodhi_message_queue_name }}"
    routing_keys: "{{ bodhi_message_routing_keys }}"
    thresholds:
      warning: 10
      critical: 100

@kevin

So far, role rabbit/user and rabbit/queue are added to playbook, and secret files are also mounted.

I get a new issue:

2019-09-08 09:44:07,392- fedora_messaging._session - INFO - Channel <Channel number=1 CLOSED conn=<SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x7fc620a39240> params=<URLParameters host=rabbitmq.stg.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>>> closed (403): ACCESS_REFUSED - access to queue 'mts.stg' in vhost '/pubsub' refused for user 'mts.stg'

What else is required to setup for fedora-messaging?

I believe that you need to have the following option in your fedora-messaging configuration file

passive_declares = true

See for example greenwave --> https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps/greenwave/templates/config.toml#n14

Metadata Update from @kevin:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

a month ago

@cverna That config works for me. Thanks. But, why is that config required? :)

:fireworks:

TBH I am not sure, maybe @abompard can tell us :-)

@abompard any ideas? Is everything working now? Or is there more to do here?

@kevin I've been testing MTS on stg these days. Unfortunately, it cannot receive any messages from bus. I've no idea what's reason. I think this ticket can be closed and I'll file another one for the new issue. Thanks.

@cqi can we close this issue now ?

Thanks! Hopefully we will get everything working soon. Thanks for sticking through this process and sorry it wasn't smoother.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

24 days ago

Login to comment on this ticket.

Metadata