#8111 Request a fedora-messaging certificate for MTS to receive and publish messages from and to message bus
Closed: Fixed 4 years ago by kevin. Opened 4 years ago by cqi.

MTS will be migrated to fedora-messaging soon. As per title, could you please create one so that I can use it to test MTS in stg and then move to prod. MTS is deployed in Fedora Openshift stg now. Thanks!


I've created both staging and prod certs.

You can reference them in ansible with:

cert: "{{private}}/files/rabbitmq/{{env}}/pki/issued/mts{{ env_suffix }}.crt"

key: "{{private}}/files/rabbitmq/{{env}}/pki/private/mts{{ env_suffix }}.key"

Please let us know if you need anything further.

See https://fedora-messaging.readthedocs.io/en/stable/ for more information on fedora-messaging.


Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Thanks @kevin

I'll try these certificates once the migration to fedora-messaging is done.

Hi @kevin

cert: "{{private}}/files/rabbitmq/{{env}}/pki/issued/mts{{ env_suffix }}.crt"
key: "{{private}}/files/rabbitmq/{{env}}/pki/private/mts{{ env_suffix }}.key"

I put these into the fedora-messaging config file in the mts role, but they do not exist in the container. Anything I misunderstand?

Metadata Update from @cqi:
- Issue status updated to: Open (was: Closed)

4 years ago

So, you need to make them secret file objects. Take a look at how bodhi does it:

playbooks/openshift-apps/bodhi.yml:

  - role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-ca
    key: cacert.pem
    privatefile: "rabbitmq/{{env}}/pki/ca.crt"
  - role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-crt
    key: bodhi-cert.pem
    privatefile: "rabbitmq/{{env}}/pki/issued/bodhi{{env_suffix}}.crt"
  - role: openshift/secret-file
    app: bodhi
    secret_name: bodhi-fedora-messaging-key
    key: bodhi-key.pem
    privatefile: "rabbitmq/{{env}}/pki/private/bodhi{{env_suffix}}.key"

roles/openshift-apps/bodhi/templates/deploymentconfig.yml:

      - name: fedora-messaging-ca-volume
        mountPath: /etc/pki/fedora-messaging/cacert.pem
        subPath: cacert.pem
        readOnly: true
      - name: fedora-messaging-crt-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-cert.pem
        subPath: bodhi-cert.pem
        readOnly: true
      - name: fedora-messaging-key-volume
        mountPath: /etc/pki/fedora-messaging/bodhi-key.pem
        subPath: bodhi-key.pem
        readOnly: true

So, basically you copy the secrets into volumes and mount those in the container... make sense?

Hi @kevin

I updated the MTS playbook, reran it, and got "Could not find or access '/srv/private/ansible/files//srv/private/ansible/files/rabbitmq/staging/pki/private/mts.stg.key'".

Is {{private}}/files/ part optional? I don't see it in bodhi playbook and others'.

I removed {{private}}/files/ and playbook runs successfully.

MTS runs on stg now. A new issue is ACCESS_REFUSED.

2019-09-07 14:49:54,799- pika.adapters.utils.connection_workflow - ERROR - AMQPConnector - reporting failure: AMQPConnectorAMQPHandshakeError: ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism EXTERNAL. For details see the broker logfile.'

I use mts as username to connect broker.

You need to setup your user/queue... for example from bodhi:

  - role: rabbit/user
    username: "bodhi{{ env_suffix }}"
  - role: rabbit/queue
    username: "bodhi{{ env_suffix }}"
    queue_name: "{{ bodhi_message_queue_name }}"
    routing_keys: "{{ bodhi_message_routing_keys }}"
    thresholds:
      warning: 10
      critical: 100

@kevin

So far, role rabbit/user and rabbit/queue are added to playbook, and secret files are also mounted.

I get a new issue:

2019-09-08 09:44:07,392- fedora_messaging._session - INFO - Channel <Channel number=1 CLOSED conn=<SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x7fc620a39240> params=<URLParameters host=rabbitmq.stg.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>>> closed (403): ACCESS_REFUSED - access to queue 'mts.stg' in vhost '/pubsub' refused for user 'mts.stg'

What else is required to setup for fedora-messaging?

I believe that you need to have the following option in your fedora-messaging configuration file

passive_declares = true

See for example greenwave --> https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps/greenwave/templates/config.toml#n14
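Putting the secret-file mounts from kevin's comment and the passive_declares setting above together, here is an added example of what the MTS fedora-messaging config.toml for staging could look like; it is not the page's or the MTS project's own file. It assumes the secrets are mounted under /etc/pki/fedora-messaging with mts-cert.pem/mts-key.pem names mirroring bodhi's, and the callback and routing keys are placeholders.

```toml
# Staging broker from the log lines in this ticket (host, port 5671, vhost
# "/pubsub" URL-encoded as %2Fpubsub). The broker authenticates with the
# EXTERNAL mechanism, i.e. on the client certificate, so the user created by
# the rabbit/user role must match the identity in the certificate (mts.stg).
amqp_url = "amqps://mts.stg:@rabbitmq.stg.fedoraproject.org:5671/%2Fpubsub"

# The queue is created and bound server-side by the rabbit/queue role. A
# passive declare only checks that the queue exists; an active declare needs
# "configure" permission on the queue, which the app user is not granted here,
# hence the 403 ACCESS_REFUSED on queue 'mts.stg' reported above.
passive_declares = true

# Placeholder (assumed module path): the consumer callback MTS registers.
callback = "mts.consumer:MTSConsumer"

[tls]
# Read-only secret-file mounts from the deploymentconfig (names assumed,
# following the bodhi layout shown earlier in the ticket).
ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
certfile = "/etc/pki/fedora-messaging/mts-cert.pem"
keyfile = "/etc/pki/fedora-messaging/mts-key.pem"

[client_properties]
app = "mts"

# Queue name as created by rabbit/queue for the staging user. With
# passive_declares the properties below are not sent to the broker, but they
# document what the server-side declaration is expected to be.
[queues."mts.stg"]
durable = true
auto_delete = false
exclusive = false
arguments = {}

[[bindings]]
queue = "mts.stg"
exchange = "amq.topic"
# Placeholder topic; use the routing keys given to the rabbit/queue role.
routing_keys = ["org.fedoraproject.stg.example.topic"]
```

If the certificate's identity and the rabbit/user username differ, the EXTERNAL login fails with the first ACCESS_REFUSED seen in this ticket before any queue is touched.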

Metadata Update from @kevin:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

4 years ago

@cverna That config works for me. Thanks. But, why is that config required? :)


TBH I am not sure, maybe @abompard can tell us :-)

@abompard any ideas? Is everything working now? Or is there more to do here?

@kevin I've been testing MTS on stg these days. Unfortunately, it cannot receive any messages from the bus. I've no idea what the reason is. I think this ticket can be closed and I'll file another one for the new issue. Thanks.

@cqi can we close this issue now?

Thanks! Hopefully we will get everything working soon. Thanks for sticking through this process and sorry it wasn't smoother.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
