From ae62e4a4e7982224f1c3cc077bfbcdca90b3df81 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Feb 08 2021 21:09:56 +0000 Subject: rabbitmq_cluster: setup private mbs vhost/user Signed-off-by: Kevin Fenzi --- diff --git a/roles/rabbitmq_cluster/tasks/apps.yml b/roles/rabbitmq_cluster/tasks/apps.yml index d5bead4..91f40e8 100644 --- a/roles/rabbitmq_cluster/tasks/apps.yml +++ b/roles/rabbitmq_cluster/tasks/apps.yml @@ -252,22 +252,110 @@ # CENTOS ODCS END # MBS BEGIN -- name: MBS User +# +- name: Configure the mbs-private-queue virtual host run_once: true - include_role: - name: rabbit/user - vars: - username: mbs{{ env_suffix }} + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_vhost: + name: /msb-private-queue + state: present + tags: + - msb-private-queue -- name: MBS Queue +- name: Configure the HA policy for the msb-private-queue queues run_once: true - include_role: - name: rabbit/queue - vars: - username: mbs{{ env_suffix }} - queue_name: mbs{{ env_suffix }} - # TTL: 10 days (in miliseconds) - message_ttl: 864000000 - routing_keys: - - "mbs.{{ env_short }}.gitlab.#" + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_policy: + name: HA + apply_to: queues + pattern: .* + tags: + ha-mode: all + ha-sync-mode: automatic # Auto sync queues to new cluster members + ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime + vhost: /mbs-private-queue + tags: + - mbs-private-queue + +- name: Add a policy to limit queues to 1GB and remove after a month of no use + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_policy: + apply_to: queues + name: pubsub_sweeper + state: present + pattern: ".*" + tags: + # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month) + expires: 111600000 + # Queues can use at most 1GB of storage + max-length-bytes: 1073741824 + vhost: /mbs-private-queue + tags: + - mbs-private-queue + +- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod) + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_user: + user: mbs-private-queue + password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}" + vhost: /mbs-private-queue + configure_priv: .* + read_priv: .* + write_priv: .* + tags: + - mbs-private-queue + +- name: Dump the admin password in a file for administrative operations + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + copy: + dest: /root/.mbs-private-queue-rabbitmqpass + content: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}" + mode: 0600 + owner: root + group: root + tags: + - mbs-private-queue + +- name: Grant the admin user access to the mbs-private-queue vhost + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_user: + user: admin + vhost: /mbs-private-queue + configure_priv: .* + read_priv: .* + write_priv: .* + tags: administrator + tags: + - mbs-private-queue + +- name: Grant the nagios-monitoring user access to the mbs-private-queue vhost + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_user: + user: nagios-monitoring + vhost: /mbs-private-queue + configure_priv: "^$" + read_priv: "^$" + write_priv: "^$" + tags: monitoring + tags: + - mbs-private-queue + +- name: Create a user for mbs-private-queue access + run_once: true + delegate_to: "rabbitmq01.iad2.fedoraproject.org" + rabbitmq_user: + user: "mbs-private-queue{{ env_suffix }}" + vhost: /mbs-private-queue + configure_priv: .* + write_priv: .* + read_priv: .* + state: present + tags: + - mbs-private-queue + # MBS END