diff --git a/playbooks/groups/sundries.yml b/playbooks/groups/sundries.yml index 36bb5bbbfc..1cf1e60788 100644 --- a/playbooks/groups/sundries.yml +++ b/playbooks/groups/sundries.yml @@ -86,6 +86,24 @@ mount_stg: false nfs_mount_opts: 'rw,bg,nfsvers=4' when: master_sundries_node|bool and env != "staging" + - role: nfs/client + mnt_dir: '/srv/solr-storage' + nfs_src_dir: 'solr-storage' + mount_stg: false + nfs_mount_opts: 'rw,bg,nfsvers=4' + when: master_sundries_node|bool and env != "staging" + - role: nfs/client + mnt_dir: '/srv/fedora-packages-static-storage' + nfs_src_dir: 'fedora-packages-static-storage' + mount_stg: false + nfs_mount_opts: 'rw,bg,nfsvers=4' + when: master_sundries_node|bool and env != "staging" + - role: nfs/client + mnt_dir: '/srv/fedora-packages-static-db-storage' + nfs_src_dir: 'fedora-packages-static-db-storage' + mount_stg: false + nfs_mount_opts: 'rw,bg,nfsvers=4' + when: master_sundries_node|bool and env != "staging" pre_tasks: - import_tasks: "{{ tasks_path }}/yumrepos.yml" diff --git a/playbooks/openshift-apps/fedora-packages-static.yml b/playbooks/openshift-apps/fedora-packages-static.yml index 18526437af..3f0940367b 100644 --- a/playbooks/openshift-apps/fedora-packages-static.yml +++ b/playbooks/openshift-apps/fedora-packages-static.yml 
@@ -1,4 +1,27 @@ --- +- name: Fix mounted file permissions + hosts: sundries[0] + user: root + gather_facts: false + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml + + tasks: + - name: Fix file permissions + ansible.builtin.file: + path: /srv/{{item}} + state: directory + owner: "{{ openshift_user_id }}" + group: "{{ openshift_user_id }}" + recurse: true + with_items: + - solr-storage + - fedora-packages-static-storage + - fedora-packages-static-db-storage + - name: Make fedora-packages-static hosts: os_control[0]:os_control_stg[0] user: root @@ -8,6 +31,7 @@ - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml roles: - role: openshift/project diff --git a/playbooks/openshift-apps/maubot.yml b/playbooks/openshift-apps/maubot.yml index efb9cee0ef..3a0e7c1e37 100644 --- a/playbooks/openshift-apps/maubot.yml +++ b/playbooks/openshift-apps/maubot.yml @@ -8,6 +8,7 @@ - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml tasks: - name: Maubot DB user 
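Review bot: The new `Fix mounted file permissions` play runs its recursive chown on `sundries[0]` with no condition, while the nfs/client roles that mount `/srv/solr-storage` and the two `fedora-packages-static-*-storage` paths in playbooks/groups/sundries.yml are gated on `env != "staging"`; on any host where nothing is mounted there, `state: directory` with `recurse: true` creates the three directories on local disk and chowns those instead of the NFS data. A matching guard on the play or the task, `when: env != "staging"`, keeps the two in step. The vars file it loads is also added to the `Make fedora-packages-static` play in the next hunk; whether that play's roles already load it on their own cannot be seen from this diff. Style: `/srv/{{item}}` would read better as `/srv/{{ item }}`, matching the spacing used for `{{ openshift_user_id }}` in the same task.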
@@ -20,6 +21,25 @@ owner: maubot encoding: UTF-8 +- name: Fix meeting logs permissions + hosts: value:value_stg + user: root + gather_facts: false + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml + + tasks: + - name: Fix meeting logs permissions + ansible.builtin.file: + path: /srv/web/meetbot + state: directory + owner: "{{ openshift_user_id }}" + group: "{{ openshift_user_id }}" + recurse: true + - name: Make the app be real hosts: os_control_stg:os_control user: root @@ -29,6 +49,7 @@ - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml roles: - role: rabbit/user diff --git a/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2 b/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2 index e73385e51d..20e3eddd8a 100644 --- a/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2 +++ b/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2 @@ -69,4 +69,4 @@ spec: secret: secretName: fedora-messaging-crt securityContext: - supplementalGroups: [1001050000] + supplementalGroups: [{{ openshift_user_id }}] diff --git a/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2 b/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2 index fa8b9cd260..1f833f92c8 100644 --- a/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2 +++ b/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2 
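Review bot: The `Fix meeting logs permissions` play targets both `value` and `value_stg` but chowns `/srv/web/meetbot` to a single `openshift_user_id`, and the maubot vars file added later in this diff sets it to the fixed value 1000840000 with no production/staging split, unlike the fedora-packages-static vars which select the id with a `ternary` on `env`. If the staging OpenShift project has its own uid and supplemental-groups range, the staging hosts will be chowned to the production id; confirm on both clusters, or key the value on `env` the same way. Because the chown is recursive and re-applied on every run, anything written into `/srv/web/meetbot` by another local account is re-owned each time; a one-line comment stating that this directory is meant to be owned exclusively by the maubot pod's uid would make that intent explicit. Naming the task the same as the play (`Fix meeting logs permissions` twice) makes the output ambiguous; a task name such as `Recursively chown meetbot logs to the OpenShift uid` is clearer.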
@@ -57,16 +57,15 @@ spec: httpGet: path: / port: 8080 - # oc describe project/fedora-packages-static | grep supplemental-groups securityContext: - supplementalGroups: [1001200000] + supplementalGroups: [{{ openshift_user_id }}] volumes: - name: data-volume persistentVolumeClaim: - claimName: fedora-packages-static-storage{{ '-stg' if env == 'staging' else '' }} + claimName: fedora-packages-static-storage{{ volume_suffix }} - name: db-volume persistentVolumeClaim: - claimName: fedora-packages-static-db-storage{{ '-stg' if env == 'staging' else '' }} + claimName: fedora-packages-static-db-storage{{ volume_suffix }} triggers: - type: ConfigChange @@ -128,14 +127,12 @@ spec: httpGet: path: / port: 8983 - # Add solr's default gid to nfs group - # oc describe project/fedora-packages-static | grep supplemental-groups securityContext: - supplementalGroups: [8983,1001200000] + supplementalGroups: [{{ openshift_user_id }}] volumes: - name: data-volume persistentVolumeClaim: - claimName: solr-storage{{ '-stg' if env == 'staging' else '' }} + claimName: solr-storage{{ volume_suffix }} - name: config-volume configMap: name: fedora-packages-static-solr-configmap diff --git a/roles/openshift-apps/fedora-packages-static/vars/main.yml b/roles/openshift-apps/fedora-packages-static/vars/main.yml new file mode 100644 index 0000000000..089235b005 --- /dev/null +++ b/roles/openshift-apps/fedora-packages-static/vars/main.yml @@ -0,0 +1,3 @@ +- volume_suffix: "{{ '-stg' if env == 'staging' else '' }}" +# oc describe project/fedora-packages-static | grep supplemental-groups +- openshift_user_id: "{{ (env == 'production')|ternary('1001200000', '1000960000') }}" diff --git a/roles/openshift-apps/maubot/files/deploymentconfig.yml b/roles/openshift-apps/maubot/files/deploymentconfig.yml deleted file mode 100644 index fa14cd4448..0000000000 --- a/roles/openshift-apps/maubot/files/deploymentconfig.yml +++ /dev/null 
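Review bot: The solr container's securityContext drops gid 8983 from `supplementalGroups`, going from `[8983,1001200000]` to `[{{ openshift_user_id }}]`, and the removed comment said 8983 was solr's default gid added for the NFS group. That is only safe if the new `Fix mounted file permissions` play has re-owned everything under /srv/solr-storage to `openshift_user_id` before this deployment rolls out, which the play ordering in playbooks/openshift-apps/fedora-packages-static.yml appears to provide; a comment above the securityContext, `# gid 8983 no longer needed: solr-storage is chowned to openshift_user_id by the sundries play`, would record why it was removed. The first hunk of this file makes the same substitution for the main container and carries the same dependency.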
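Review bot: roles/openshift-apps/fedora-packages-static/vars/main.yml is written as a YAML sequence (`- volume_suffix: …`, `- openshift_user_id: …`), but Ansible requires a role vars file, and any file listed under `vars_files`, to be a mapping; as written the load fails and neither variable is defined for the templates and plays that reference them. Drop the leading `- ` on both entries: `volume_suffix: "{{ '-stg' if env == 'staging' else '' }}"` and `openshift_user_id: "{{ (env == 'production')|ternary('1001200000', '1000960000') }}"`. The same sequence form appears in the new roles/openshift-apps/maubot/vars/main.yml later in this diff. The `oc describe project/… | grep supplemental-groups` comment documents the lookup well; noting next to the ternary which project the non-production value `1000960000` was read from would save the next reader a cluster query.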
@@ -1,97 +0,0 @@ ---- -apiVersion: apps.openshift.io/v1 -kind: DeploymentConfig -metadata: - name: maubot - labels: - app: maubot - service: maubot -spec: - replicas: 1 - selector: - app: maubot - service: maubot - template: - metadata: - labels: - app: maubot - service: maubot - spec: - containers: - - name: maubot - image: maubot:latest - ports: - - containerPort: 8080 - volumeMounts: - - name: config - mountPath: /config - readOnly: true - - name: meetbot-logs - mountPath: /meetbot_logs - - name: ipa-config-volume - mountPath: /etc/ipa - readOnly: true - - name: keytab-volume - mountPath: /etc/keytabs - readOnly: true - - name: fedora-messaging-config-volume - mountPath: /etc/fedora-messaging/ - readOnly: true - - name: fedora-messaging-ca-volume - mountPath: /etc/pki/rabbitmq/ca - readOnly: true - - name: fedora-messaging-key-volume - mountPath: /etc/pki/rabbitmq/key - readOnly: true - - name: fedora-messaging-crt-volume - mountPath: /etc/pki/rabbitmq/crt - readOnly: true - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 5 - httpGet: - path: / - port: 8080 - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 20 - httpGet: - path: / - port: 8080 - securityContext: - supplementalGroups: [2] - volumes: - - name: config - configMap: - name: config - - name: meetbot-logs - persistentVolumeClaim: - claimName: meetbot-logs - - name: ipa-config-volume - configMap: - name: ipa-client-config - - name: keytab-volume - secret: - secretName: maubot-keytab - - name: fedora-messaging-config-volume - configMap: - name: fedora-messaging-configmap - - name: fedora-messaging-ca-volume - secret: - secretName: maubot-fedora-messaging-ca - - name: fedora-messaging-key-volume - secret: - secretName: maubot-fedora-messaging-key - - name: fedora-messaging-crt-volume - secret: - secretName: maubot-fedora-messaging-crt - triggers: - - type: ConfigChange - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - maubot - from: - kind: 
ImageStreamTag - name: maubot:latest diff --git a/roles/openshift-apps/maubot/files/deployment.yml b/roles/openshift-apps/maubot/templates/deployment.yml similarity index 97% rename from roles/openshift-apps/maubot/files/deployment.yml rename to roles/openshift-apps/maubot/templates/deployment.yml index 0cb3c8d73c..ad16f12ab0 100644 --- a/roles/openshift-apps/maubot/files/deployment.yml +++ b/roles/openshift-apps/maubot/templates/deployment.yml @@ -60,7 +60,7 @@ spec: path: / port: 8080 securityContext: - supplementalGroups: [2] + supplementalGroups: [{{ openshift_user_id }}] volumes: - name: config configMap: diff --git a/roles/openshift-apps/maubot/vars/main.yml b/roles/openshift-apps/maubot/vars/main.yml new file mode 100644 index 0000000000..0175cf87ac --- /dev/null +++ b/roles/openshift-apps/maubot/vars/main.yml @@ -0,0 +1,3 @@ +# oc describe project/fedora-packages-static | grep supplemental-groups +- openshift_user_id: 1000840000 + diff --git a/vars/apps/badges.yml b/vars/apps/badges.yml index 8c231abeb7..790ffd86ec 100644 --- a/vars/apps/badges.yml +++ b/vars/apps/badges.yml @@ -12,3 +12,5 @@ badges_award_cronjobs: schedule: "40 2 * * 3" - name: badges-dev schedule: "40 2 * * 4" +# oc describe project/fedora-packages-static | grep supplemental-groups +- openshift_user_id: 1000840000
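Review bot: Moving roles/openshift-apps/maubot/files/deployment.yml to templates/ and inserting `{{ openshift_user_id }}` into `supplementalGroups` only works if the role task that applies this manifest now renders it with the template module rather than copying it as a file; that task change is not in this diff, so confirm it, otherwise the literal `{{ openshift_user_id }}` reaches the API server and the Deployment is rejected. Giving the renamed file a `.j2` suffix, as the other templated manifests in this diff have (`deploymentconfig.yml.j2`, `cron-update-rules.yml.j2`), would make the new role of the file visible from its name.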
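Review bot: The comment in the new roles/openshift-apps/maubot/vars/main.yml, `# oc describe project/fedora-packages-static | grep supplemental-groups`, names the fedora-packages-static project although the value below it is maubot's id; it looks copied from the other vars file and should presumably point at the maubot project, e.g. `# oc describe project/<maubot project> | grep supplemental-groups`. The same copied comment is appended to vars/apps/badges.yml in the last hunk of this diff. Note also that the file ends with an added blank line after the value; harmless, but yamllint will flag it.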
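Review bot: The `- openshift_user_id: 1000840000` appended at the end of vars/apps/badges.yml follows the `badges_award_cronjobs` sequence items rather than starting a new top-level key; depending on its indentation (not recoverable from this rendering) it is either parsed as one more cronjob entry or rejected as a sequence item at the top level of a mapping file, and in neither case is `openshift_user_id` defined for the `{{ openshift_user_id }}` substituted into cron-update-rules.yml.j2. Write it as a top-level mapping entry at column 0, `openshift_user_id: 1000840000`. The value also changes the badges cron jobs' supplementalGroups from the previous hard-coded 1001050000 to 1000840000, which is the same id the maubot vars file uses; if each project keeps its own range, one of the two is wrong, so verify it with `oc describe project/<badges project> | grep supplemental-groups` before merging.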