diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 5a32cb62a1..f5f3b4d209 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -173,3 +173,7 @@
- name: restart idmapd
service: name=nfs-idmapd state=restarted
+
+- name: restart darkserver
+ service: name=darkserver state=restarted
+
diff --git a/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org
index a8a96e9297..f81897ebd9 100644
--- a/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org
@@ -3,8 +3,8 @@ nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
eth0_ip: 10.5.126.124
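Review bot: The new `ks_url` and `ks_repo` values still fetch the kickstart and the install tree over plain `http://`, so nothing authenticates what the installer runs as root during provisioning. If the host at 10.5.126.23 can serve TLS (not visible from this diff), an `https://` URL with a hostname would close that gap. Otherwise a comment such as `# kickstart served over HTTP on the build network only` would record the assumption. The same two lines appear in the darkserver-web01 and darkserver-web02 host_vars hunks.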
diff --git a/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org
index 84de6c1fbe..ff57668c7d 100644
--- a/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org
@@ -3,8 +3,8 @@ nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
eth0_ip: 10.5.126.92
diff --git a/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org
index 53e921bdc6..b3c6b6f9df 100644
--- a/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org
@@ -3,8 +3,8 @@ nm: 255.255.255.0
gw: 10.5.126.254
dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
-ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
eth0_ip: 10.5.126.120
diff --git a/playbooks/groups/darkserver-backend.yml b/playbooks/groups/darkserver-backend.yml
index 7df789f355..c90249c255 100644
--- a/playbooks/groups/darkserver-backend.yml
+++ b/playbooks/groups/darkserver-backend.yml
@@ -12,7 +12,7 @@
pre_tasks:
- - yum: name=libsemanage-python state=present
+ - dnf: name=libsemanage-python state=present
- name: "Set SElinux booleans"
seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
@@ -65,7 +65,9 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
+ - fedmsg/base
- fedmsg/hub
+ - rabbitmq
- darkserver/backend
- role: collectd/fedmsg-service
process: fedmsg-hub
diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml
index abfef709b6..391751103d 100644
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@@ -74,5 +74,11 @@
- include: "{{ tasks_path }}/2fa_client.yml"
- include: "{{ tasks_path }}/motd.yml"
+ - name: install skopeo for container management
+ package:
+ name: skopeo
+ state: latest
+ when: ansible_architecture != "ppc64"
+
handlers:
- include: "{{ handlers_path }}/restart_services.yml"
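Review bot: `state: latest` in the new skopeo task upgrades the package on every playbook run, so the version on the compose hosts changes without a commit recording it. `state: present` installs it once and leaves upgrades to the normal update process. If tracking the newest skopeo is intended, a comment saying so would help. The surrounding task list starts outside the hunk.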
diff --git a/playbooks/openshift-apps/modernpaste.yml b/playbooks/openshift-apps/modernpaste.yml
new file mode 100644
index 0000000000..179c2bd4dc
--- /dev/null
+++ b/playbooks/openshift-apps/modernpaste.yml
@@ -0,0 +1,20 @@
+- name: make the app be real
+ hosts: os-masters-stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - { role: openshift/object, app: modernpaste, file: imagestream.yml }
+ - { role: openshift/object, app: modernpaste, template: secret.yml }
+ - { role: openshift/object, app: modernpaste, file: buildconfig.yml }
+ - { role: openshift/start-build, app: modernpaste, name: modernpaste-docker-build }
+ - { role: openshift/object, app: modernpaste, template: configmap.yml }
+ - { role: openshift/object, app: modernpaste, file: service.yml }
+ - { role: openshift/object, app: modernpaste, file: route.yml }
+ - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml }
+ - { role: openshift/rollout, app: modernpaste, name: modernpaste-web }
diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml
new file mode 100644
index 0000000000..b567ef7e95
--- /dev/null
+++ b/playbooks/openshift-apps/waiverdb.yml
@@ -0,0 +1,25 @@
+- name: make the app be real
+ hosts: os-masters-stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb }
+ - { role: openshift/object, app: waiverdb, template: secret.yml }
+ #- { role: openshift/secret-file
+ # , app: waiverdb
+ # , secret_name: waiverdb-stg-secret
+ # , key: client_secrets.json
+ # , template: client_secrets.json
+ # }
+ - { role: openshift/object, app: waiverdb, file: imagestream.yml }
+ - { role: openshift/object, app: waiverdb, file: configmap.yml }
+ - { role: openshift/object, app: waiverdb, file: service.yml }
+ - { role: openshift/object, app: waiverdb, file: route.yml }
+ - { role: openshift/object, app: waiverdb, file: deploymentconfig.yml }
+ - { role: openshift/rollout, app: waiverdb, name: waiverdb-stg-web }
diff --git a/roles/anitya/frontend/templates/anitya.cfg b/roles/anitya/frontend/templates/anitya.cfg
index 2d58ec7abd..2c4dfd9e3d 100644
--- a/roles/anitya/frontend/templates/anitya.cfg
+++ b/roles/anitya/frontend/templates/anitya.cfg
@@ -18,6 +18,7 @@ ANITYA_WEB_ADMINS = [
'http://ralph.id.fedoraproject.org/',
'http://pingou.id.fedoraproject.org/',
'http://jcline.id.fedoraproject.org/',
+ 'http://tibbs.id.fedoraproject.org/',
]
# Email addresses to send tracebacks to when an HTTP 500 occurs
diff --git a/roles/bodhi2/backend/templates/atomic-config.py.j2 b/roles/bodhi2/backend/templates/atomic-config.py.j2
index b998bdef3e..d75269cf21 100644
--- a/roles/bodhi2/backend/templates/atomic-config.py.j2
+++ b/roles/bodhi2/backend/templates/atomic-config.py.j2
@@ -71,7 +71,7 @@ config = dict(
'tree': 'docker-host',
'treefile': {
'include': 'fedora-atomic-docker-host.json',
- 'ref': 'fedora-atomic/25/x86_64/updates/docker-host',
+ 'ref': 'fedora-atomic/25/x86_64/docker-host',
'repos': ['fedora-25', 'fedora-25-updates', 'updates'],
'packages': [],
},
diff --git a/roles/darkserver/backend/tasks/main.yml b/roles/darkserver/backend/tasks/main.yml
index 1fc8460c7e..e775501551 100644
--- a/roles/darkserver/backend/tasks/main.yml
+++ b/roles/darkserver/backend/tasks/main.yml
@@ -3,7 +3,7 @@
#
- name: setup darkserver
- yum: name={{ item }} state=present
+ dnf: name={{ item }} state=present
with_items:
- darkserver-importer
notify:
diff --git a/roles/darkserver/backend/templates/darkjobworker.conf.j2 b/roles/darkserver/backend/templates/darkjobworker.conf.j2
index d6644ee141..2d645a26e2 100644
--- a/roles/darkserver/backend/templates/darkjobworker.conf.j2
+++ b/roles/darkserver/backend/templates/darkjobworker.conf.j2
@@ -1,5 +1,5 @@
[darkserver]
-{% if environment == "staging" %}
+{% if env == "staging" %}
host=db01.stg.phx2.fedoraproject.org
password={{ darkserver_stg_writer_password }}
{% else %}
diff --git a/roles/distgit/files/fedmsg-genacls-config.py b/roles/distgit/files/fedmsg-genacls-config.py
deleted file mode 100644
index b657de1de8..0000000000
--- a/roles/distgit/files/fedmsg-genacls-config.py
+++ /dev/null
@@ -1,4 +0,0 @@
-config = {
- 'genacls.consumer.enabled': True,
- 'genacls.consumer.delay': 5, # 5 seconds
-}
diff --git a/roles/distgit/pagure/files/pagure_worker.service b/roles/distgit/pagure/files/pagure_worker.service
index bf83a0966e..7b9473b9cf 100644
--- a/roles/distgit/pagure/files/pagure_worker.service
+++ b/roles/distgit/pagure/files/pagure_worker.service
@@ -8,7 +8,7 @@ ExecStart=/usr/bin/celery worker -A pagure.lib.tasks --loglevel=info --autoreloa
Environment="PAGURE_CONFIG=/etc/pagure/pagure.cfg"
Type=simple
User=pagure
-Group=pagure
+#Group=pagure
Restart=on-failure
[Install]
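Review bot: `#Group=pagure` disables the explicit group with no explanation, so the worker now runs with whatever primary group the `pagure` user has, and a later reader cannot tell whether that is intended. A comment above it, for example `# Group left unset so the worker uses the pagure user's primary group; see <reason>`, would record the decision. Alternatively the line could be deleted outright. The unit file starts outside the hunk.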
diff --git a/roles/distgit/pagure/tasks/main.yml b/roles/distgit/pagure/tasks/main.yml
index c9973a8773..b8c33a2f69 100644
--- a/roles/distgit/pagure/tasks/main.yml
+++ b/roles/distgit/pagure/tasks/main.yml
@@ -139,7 +139,7 @@
- name: Override the default pagure_worker.service file to change the user it is run under
copy: src=pagure_worker.service
- dest=/usr/lib/systemd/system/pagure_worker.service
+ dest=/etc/systemd/system/pagure_worker.service
owner=root group=root mode=0755
notify:
- reload systemd
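Review bot: The task that now installs the unit under `/etc/systemd/system` still sets `mode=0755`, and systemd logs a warning for unit files marked executable. Unit files need no execute bit, so `owner=root group=root mode=0644` is enough. The mode line is unchanged context in this hunk, but it belongs to the task being edited.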
diff --git a/roles/distgit/pagure/templates/0_pagure.conf b/roles/distgit/pagure/templates/0_pagure.conf
index 80bf4d7764..c2452d06eb 100644
--- a/roles/distgit/pagure/templates/0_pagure.conf
+++ b/roles/distgit/pagure/templates/0_pagure.conf
@@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di
git-(upload|receive)-pack))$" \
/usr/libexec/git-core/git-http-backend/$1
-
+
WSGIProcessGroup pagureproc
# Apache 2.4
diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg
index b6c3ab98fd..70647221b0 100644
--- a/roles/distgit/pagure/templates/pagure.cfg
+++ b/roles/distgit/pagure/templates/pagure.cfg
@@ -100,7 +100,7 @@ TICKETS_FOLDER = None
REMOTE_GIT_FOLDER = '/srv/git/remotes'
### Configuration file for gitolite
-#GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf'
+GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf.pagure'
### Temp folder to be used to make the clones to work around bug in libgit2:
## refs: https://github.com/libgit2/libgit2/issues/2965
@@ -203,3 +203,5 @@ REQUIRED_GROUPS = {
PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1/'
GITOLITE_BACKEND = 'distgit'
+
+THEME_TEMPLATE_FOLDER = '/usr/share/pagure_dist_git/template/'
diff --git a/roles/distgit/pagure/templates/pagure.wsgi b/roles/distgit/pagure/templates/pagure.wsgi
index b04abac4d8..b072264090 100644
--- a/roles/distgit/pagure/templates/pagure.wsgi
+++ b/roles/distgit/pagure/templates/pagure.wsgi
@@ -4,7 +4,7 @@
# two possible version of python-sqlalchemy and python-jinja2
# These lines make sure the application uses the correct version.
import __main__
-__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4']
+__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4', 'Pygments>=2.1.0']
import pkg_resources
import os
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index bad9e62ba0..e30672b353 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -243,7 +243,8 @@
- distgit
- name: install the fedmsg configuration
- copy: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py owner=root group=root mode=0644
+ template: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py
+ owner=root group=root mode=0644
tags:
- config
- distgit
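Review bot: The rendered file now contains a FAS password (see the new `roles/distgit/templates/fedmsg-genacls-config.py`), but the task still writes `/etc/fedmsg.d/genacls.py` with `mode=0644`, which makes it readable by every local user on the dist-git host. Restrict it to the account that runs the fedmsg consumer, e.g. `owner=root group=fedmsg mode=0640` (the group name is an assumption; use whichever group the hub runs as). Adding `no_log: true` to the task would also keep the rendered content out of Ansible output when the play is run with `--diff`.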
diff --git a/roles/distgit/templates/fedmsg-genacls-config.py b/roles/distgit/templates/fedmsg-genacls-config.py
new file mode 100644
index 0000000000..58d3acaede
--- /dev/null
+++ b/roles/distgit/templates/fedmsg-genacls-config.py
@@ -0,0 +1,12 @@
+config = {
+ 'genacls.consumer.enabled': True,
+ 'genacls.consumer.delay': 5, # 5 seconds
+
+ # New world
+ 'gitoliteprefix.consumer.enabled': True,
+ 'gitoliteprefix.consumer.delay': 5, # 5 seconds
+ 'gitoliteprefix.consumer.filename': '/var/tmp/gitolite-prefix.txt',
+ 'gitoliteprefix.consumer.fasurl': 'https://admin.fedoraproject.org/accounts',
+ 'gitoliteprefix.consumer.username': "{{ blockerbugs_fas_user }}",
+ 'gitoliteprefix.consumer.password': '{{ blockerbugs_fas_password }}',
+}
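Review bot: The gitoliteprefix consumer is configured with `blockerbugs_fas_user` and `blockerbugs_fas_password`, so dist-git now shares an account with another service and a leak on either host exposes both. A dedicated FAS account for this consumer would keep the two separate. The values are also interpolated inside Python string literals with mixed quoting, so a password containing a quote or backslash would produce a broken or altered config; rendering the value with `{{ blockerbugs_fas_password | to_json }}` and no surrounding quotes avoids that. `'/var/tmp/gitolite-prefix.txt'` is a fixed name in a world-writable directory; if the consumer writes that file (not visible here), a path under a directory owned by the service would be safer.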
diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template
index 4afae1d8ac..477b78560e 100644
--- a/roles/fas_client/files/aliases.template
+++ b/roles/fas_client/files/aliases.template
@@ -144,7 +144,7 @@ fudcon-paper: fudcon-cfp
# flock
flockpress: bex,fpl
flockinfo: bex,fpl
-flock-staff: bex,fpl,duffy
+flock-staff: bex,fpl,duffy,sgallagh
# gnome backups
gnomebackup: backups@gnome.org
@@ -162,7 +162,7 @@ infra-security: puiterwijk
webmaster: websites@lists.fedoraproject.org
logo: rlerch@redhat.com,duffy@redhat.com
-ham-radio-exams: nb,jbwillia,robertjw,gholms
+ham-radio-exams: nb,codeblock,gholms
diversity: tatica
# Misc Aliases
diff --git a/roles/git/hooks/files/post-receive-alternativearch b/roles/git/hooks/files/post-receive-alternativearch
index 4b23fb231f..16d8cef4dd 100755
--- a/roles/git/hooks/files/post-receive-alternativearch
+++ b/roles/git/hooks/files/post-receive-alternativearch
@@ -17,7 +17,8 @@ import sys
from email.mime.text import MIMEText
abspath = os.path.abspath(os.environ['GIT_DIR'])
-PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch')
+PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch',
+ '-ExclusiveArch:', '-ExcludeArch:', '-%ifarch', '-%ifnarch')
FROM_EMAIL = 'githook-noreply@fedoraproject.org'
TO_MAIL = 'arch-excludes@lists.fedoraproject.org'
CGIT_URL = 'https://src.fedoraproject.org/cgit/%s/commit/?id=%s'
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 1c088e4bb8..82c656ad52 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -41,6 +41,7 @@
- account-scopes
- mbs
- beaker
+ - waiverdb
notify:
- reload apache
tags:
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index 3def4c896c..fe71210898 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -25,7 +25,7 @@ global enabled=persona,openid,saml2,openidc
{% if env == "production" %}
openidc enabled extensions=fedora-account,mbs,beaker
{% else %}
-openidc enabled extensions=fedora-account,mbs,beaker
+openidc enabled extensions=fedora-account,mbs,beaker,waiverdb
{% endif %}
{% if env == 'staging' %}
diff --git a/roles/kojipkgs/files/kojipkgs.conf b/roles/kojipkgs/files/kojipkgs.conf
index 73174bdcc2..588f6b1f70 100644
--- a/roles/kojipkgs/files/kojipkgs.conf
+++ b/roles/kojipkgs/files/kojipkgs.conf
@@ -89,6 +89,13 @@ Alias /compose /mnt/fedora_koji/koji/compose
Require all granted
+Alias /mass-rebuild "/mnt/fedora_koji/koji/mass-rebuild/"
+
+
+ Options Indexes FollowSymLinks
+ Require all granted
+
+
Alias /images /mnt/fedora_koji/koji/images
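Review bot: The new `/mass-rebuild` section combines `Options Indexes FollowSymLinks` with `Require all granted`, so any symlink placed inside `/mnt/fedora_koji/koji/mass-rebuild/` is followed and its target served to anonymous clients. If that tree is written by build tasks, `Options Indexes SymLinksIfOwnerMatch` would limit what a stray link can expose. The enclosing `<Directory>` tags are not visible in this rendering of the hunk, so this assumes the options apply to that path.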
diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml
index fb24374eb7..5cb4f31af6 100644
--- a/roles/openqa/worker/tasks/main.yml
+++ b/roles/openqa/worker/tasks/main.yml
@@ -23,10 +23,16 @@
dnf: name={{ item }} state=present
with_items:
- libselinux-python
- - edk2-ovmf
+ - git
tags:
- packages
+- name: Install UEFI firmware package (x86_64 only)
+ dnf: name=edk2-ovmf state=present
+ tags:
+ - packages
+ when: "ansible_architecture is defined and ansible_architecture == 'x86_64'"
+
- include: nfs-client.yml
when: openqa_hostname is defined and openqa_hostname != "localhost"
diff --git a/roles/openshift-apps/modernpaste/files/buildconfig.yml b/roles/openshift-apps/modernpaste/files/buildconfig.yml
new file mode 100644
index 0000000000..030a197ea6
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/files/buildconfig.yml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: BuildConfig
+metadata:
+ name: "modernpaste-docker-build"
+ labels:
+ environment: "modernpaste"
+spec:
+ runPolicy: Serial
+ source:
+ dockerfile: |-
+ FROM fedora:25
+ LABEL \
+ name="Modern Paste" \
+ vendor="Fedora Infrastructure" \
+ license="MIT"
+ RUN curl -o /etc/yum.repos.d/infra-stg.repo \
+ https://infrastructure.fedoraproject.org/cgit/ansible.git/plain/files/common/fedora-infra-tags.repo
+ RUN yum -y install modern-paste
+ RUN yum -y install --setopt=tsflags=nodocs \
+ python-gunicorn \
+ python2-mock \
+ python-psycopg2
+ WORKDIR /usr/share/modern-paste
+ RUN sed -i '216,219d;228,229d' app/api/paste.py
+ RUN mv modern_paste.wsgi modern_paste_wsgi.py
+ USER 1001
+ EXPOSE 8080
+ ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- --chdir /usr/share/modern-paste modern_paste_wsgi:application
+ strategy:
+ type: Docker
+ output:
+ to:
+ kind: ImageStreamTag
+ name: inframodernpaste:latest
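Review bot: `RUN sed -i '216,219d;228,229d' app/api/paste.py` patches the installed package by line number, while `yum -y install modern-paste` takes whatever version the repo currently offers. A package update that shifts those lines makes the build silently delete different code in the paste API. Pin the package version next to the sed, or carry the change as a patch file applied with `patch` so the build fails when the context no longer matches; a comment stating what the deleted lines do is needed either way. `FROM fedora:25` is likewise a mutable tag, and the repo file is fetched with `curl` without `-f`, so an HTTP error page would be saved as the repo definition.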
diff --git a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml
new file mode 100644
index 0000000000..ead888db1e
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+ name: "modernpaste-web"
+ labels:
+ environment: "modernpaste"
+ service: web
+spec:
+ replicas: 1
+ selector:
+ environment: "modernpaste"
+ service: web
+ template:
+ metadata:
+ labels:
+ environment: "modernpaste"
+ service: web
+ spec:
+ containers:
+ - name: web
+ image: 172.30.53.136:5000/modernpaste/inframodernpaste:latest
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/modern-paste
+ readOnly: true
+ - name: secret-volume
+ mountPath: /etc/secret
+ readOnly: true
+ env:
+ - name: ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "modernpaste-secret"
+ key: encryption-key
+ - name: SESSION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: "modernpaste-secret"
+ key: session-key
+ - name: DATABASE_URI
+ valueFrom:
+ secretKeyRef:
+ name: "modernpaste-secret"
+ key: database-uri
+ #- name: DOMAIN
+ # value: ${DOMAIN}
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ httpGet:
+ path: /
+ port: 8080
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ httpGet:
+ path: /
+ port: 8080
+ resources:
+ limits:
+ memory: 384Mi
+ volumes:
+ - name: config-volume
+ configMap:
+ name: "modernpaste-configmap"
+ - name: secret-volume
+ secret:
+ secretName: "modernpaste-secret"
+ triggers:
+ - type: ConfigChange
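Review bot: The container `image` hard-codes the registry service address `172.30.53.136:5000` and the mutable `:latest` tag, and the only trigger is `ConfigChange`. The deployment is therefore tied to one cluster's service IP and picks up new builds only through the explicit rollout role. The waiverdb DeploymentConfig added in this commit uses an `ImageChange` trigger on an `ImageStreamTag` instead; doing the same here with `inframodernpaste:latest` would remove the literal address. The commented-out `DOMAIN` env entry could be dropped or explained.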
diff --git a/roles/openshift-apps/modernpaste/files/imagestream.yml b/roles/openshift-apps/modernpaste/files/imagestream.yml
new file mode 100644
index 0000000000..eddd1d232c
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/files/imagestream.yml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ImageStream
+metadata:
+ labels:
+ environment: "modernpaste"
+ name: "inframodernpaste"
diff --git a/roles/openshift-apps/modernpaste/files/route.yml b/roles/openshift-apps/modernpaste/files/route.yml
new file mode 100644
index 0000000000..99207964e1
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/files/route.yml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Route
+metadata:
+ name: "modernpaste-web"
+ labels:
+ environment: "modernpaste"
+spec:
+ port:
+ targetPort: web
+ to:
+ kind: Service
+ name: "modernpaste-web"
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
diff --git a/roles/openshift-apps/modernpaste/files/service.yml b/roles/openshift-apps/modernpaste/files/service.yml
new file mode 100644
index 0000000000..1f038915e7
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/files/service.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: "modernpaste-web"
+ labels:
+ environment: "modernpaste"
+spec:
+ selector:
+ environment: "modernpaste"
+ service: web
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
diff --git a/roles/openshift-apps/modernpaste/templates/configmap.yml b/roles/openshift-apps/modernpaste/templates/configmap.yml
new file mode 100644
index 0000000000..1146bbd87a
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/templates/configmap.yml
@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "modernpaste-configmap"
+ labels:
+ environment: "modernpaste"
+data:
+ flask_config.py: |-
+ import config
+ import constants
+ import os
+
+ SQLALCHEMY_DATABASE_URI = "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste"
+ SQLALCHEMY_TRACK_MODIFICATIONS = False
+ SECRET_KEY = config.FLASK_SECRET_KEY
+ config.py: |-
+ import constants
+ import os
+
+ # Domain from which you will access this app
+ # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080'
+ DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org"
+
+ # Use HTTPS by default?
+ # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs,
+ # and is not related to your web server configuration.
+ DEFAULT_HTTPS = True
+
+ # The type of build environment
+ # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will.
+ # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively.
+ BUILD_ENVIRONMENT = constants.build_environment.PROD
+
+ # Option to use encrypted IDs rather than integer IDs
+ # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY=
+ # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc.
+ USE_ENCRYPTED_IDS = True
+
+ # Choose to allow paste attachments
+ # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and
+ # ATTACHMENTS_DIR configuration constants will be ignored.
+ ENABLE_PASTE_ATTACHMENTS = False
+
+ # Allow only paste attachments below a certain size threshold, in MB
+ # Set this to 0 for an unlimited file size.
+ MAX_ATTACHMENT_SIZE = 5
+
+ # Location to store paste attachments
+ # Please use an absolute path and ensure that it is writable by www-data.
+ ATTACHMENTS_DIR = '/var/www/modern-paste-attachments'
+
+ # Choose to enable or disable user registration
+ # If False, the web interface will not allow access to the user registration page. Additionally, the API endpoint
+ # for creating new users will respond with an error.
+ # This is useful for private or internal installations that aren't intended for public use.
+ ENABLE_USER_REGISTRATION = False
+
+ # Choose to require users to be logged in to post pastes
+ # If True, the web interface will allow access to the paste post interface only if the user is signed in. Additionally,
+ # the API endpoint for creating new pastes will respond with an error if not authenticated with an API key tied to an
+ # existing, active user.
+ # This is useful for private or internal installations that aren't intended for public use.
+ REQUIRE_LOGIN_TO_PASTE = False
+
+ # AES key for generating encrypted IDs
+ # This is only relevant if USE_ENCRYPTED_IDS above is True. If not, this config parameter can be ignored.
+ # It is recommended, but not strictly required, for you to replace the string below with the output of os.urandom(32),
+ # so that the encrypted IDs generated for the app are specific to this installation.
+ #ID_ENCRYPTION_KEY = os.environ.get('ENCRYPTION_KEY')
+ ID_ENCRYPTION_KEY = '{{modernpaste_stg_encryption_key}}'
+
+ # Flask session secret key
+ # IMPORTANT NOTE: Open up a Python terminal, and replace the below with the output of os.urandom(32)
+ # This secret key should be different for every installation of Modern Paste.
+ #FLASK_SECRET_KEY = os.environ.get('SECRET_KEY')
+ FLASK_SECRET_KEY = '{{modernpaste_stg_session_key}}'
+
+ # Languages
+ # A list of all languages you want to support with the app. Add 'text' for plain text support.
+ # Only use strings from the directory app/static/build/lib/codemirror/mode
+ LANGUAGES = [
+ 'text',
+ 'clike',
+ 'cmake',
+ 'css',
+ 'd',
+ 'diff',
+ 'dockerfile',
+ 'erlang',
+ 'go',
+ 'haskell',
+ 'htmlmixed',
+ 'javascript',
+ 'jinja2',
+ 'lua',
+ 'markdown',
+ 'perl',
+ 'php',
+ 'python',
+ 'rpm',
+ 'rst',
+ 'ruby',
+ 'rust',
+ 'shell',
+ 'sql',
+ 'swift',
+ 'xml',
+ 'yaml',
+ ]
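Review bot: `flask_config.py` and `config.py` render the database password, `ID_ENCRYPTION_KEY` and `FLASK_SECRET_KEY` straight into a ConfigMap, which is readable by anyone who can read ConfigMaps in the project and is not handled as sensitive the way a Secret is. The same values are already in `modernpaste-secret` and injected as `ENCRYPTION_KEY`, `SESSION_KEY` and `DATABASE_URI` by the DeploymentConfig, so the config can read them from the environment: `ID_ENCRYPTION_KEY = os.environ['ENCRYPTION_KEY']`, `FLASK_SECRET_KEY = os.environ['SESSION_KEY']`, `SQLALCHEMY_DATABASE_URI = os.environ['DATABASE_URI']`. Note that the commented-out line reads `SECRET_KEY`, while the variable the deployment sets is `SESSION_KEY`.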
diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml
new file mode 100644
index 0000000000..f8859142b2
--- /dev/null
+++ b/roles/openshift-apps/modernpaste/templates/secret.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "modernpaste-secret"
+ labels:
+ environment: "modernpaste"
+stringData:
+ encryption-key: "{{modernpaste_stg_encryption_key}}"
+ session-key: "{{modernpaste_stg_session_key}}"
+ database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste"
diff --git a/roles/openshift-apps/waiverdb/files/configmap.yml b/roles/openshift-apps/waiverdb/files/configmap.yml
new file mode 100644
index 0000000000..0248cb7a59
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/configmap.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: waiverdb-stg-configmap
+ labels:
+ app: waiverdb
+data:
+ settings.py: |-
+ DATABASE_URI = 'postgresql+psycopg2://waiverdb@db01.stg.phx2.fedoraproject.org:5432/waiverdb'
+ AUTH_METHOD = 'OIDC'
+ OIDC_CLIENT_SECRETS = '/etc/secret/client_secrets.json'
+ PORT = 8080
diff --git a/roles/openshift-apps/waiverdb/files/deploymentconfig.yml b/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
new file mode 100644
index 0000000000..61003293b8
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
@@ -0,0 +1,74 @@
+
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+ service: web
+spec:
+ replicas: 2
+ selector:
+ app: waiverdb
+ service: web
+ template:
+ metadata:
+ labels:
+ app: waiverdb
+ service: web
+ spec:
+ containers:
+ - name: web
+ image: waiverdb
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/waiverdb
+ readOnly: true
+ - name: secret-volume
+ mountPath: /etc/secret
+ readOnly: true
+ env:
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: waiverdb-stg-secret
+ key: database-password
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: waiverdb-stg-secret
+ key: flask-secret-key
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ resources:
+ limits:
+ memory: 384Mi
+ volumes:
+ - name: config-volume
+ configMap:
+ name: waiverdb-stg-configmap
+ - name: secret-volume
+ secret:
+ secretName: waiverdb-stg-secret
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - web
+ from:
+ kind: ImageStreamTag
+ name: waiverdb:latest
+ - type: ConfigChange
diff --git a/roles/openshift-apps/waiverdb/files/imagestream.yml b/roles/openshift-apps/waiverdb/files/imagestream.yml
new file mode 100644
index 0000000000..7523f9939d
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/imagestream.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ImageStream
+metadata:
+ name: waiverdb
+spec:
+ tags:
+ - name: latest
+ from:
+ kind: DockerImage
+ name: candidate-registry.fedoraproject.org/f25/waiverdb:latest
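Review bot: The stream tracks `candidate-registry.fedoraproject.org/f25/waiverdb:latest`, and the DeploymentConfig in this commit has an automatic `ImageChange` trigger on `waiverdb:latest`. Whatever is imported under that mutable tag from the candidate registry is therefore rolled out without a change in this repository. Referencing a specific tag or digest, for example `name: candidate-registry.fedoraproject.org/f25/waiverdb@sha256:<digest>`, makes each deployed image an explicit, reviewable change. If following `latest` is deliberate for staging, a comment saying so would help.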
diff --git a/roles/openshift-apps/waiverdb/files/route.yml b/roles/openshift-apps/waiverdb/files/route.yml
new file mode 100644
index 0000000000..71517f6e3b
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/route.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Route
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+spec:
+ host: waiverdb.stg.fedoraproject.org
+ port:
+ targetPort: web
+ to:
+ kind: Service
+ name: waiverdb-stg-web
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
diff --git a/roles/openshift-apps/waiverdb/files/service.yml b/roles/openshift-apps/waiverdb/files/service.yml
new file mode 100644
index 0000000000..a0390f9810
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/service.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+spec:
+ selector:
+ app: waiverdb
+ service: web
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
diff --git a/roles/openshift-apps/waiverdb/templates/client_secrets.json b/roles/openshift-apps/waiverdb/templates/client_secrets.json
new file mode 100644
index 0000000000..6977844f22
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/client_secrets.json
@@ -0,0 +1,10 @@
+{"web": {
+ "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"],
+ "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token",
+ "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization",
+ "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c",
+ "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF",
+ "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo",
+ "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"
+ }
+}
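Review bot: This file commits a literal OIDC `client_secret` to the repository, and the same literal is embedded again in `roles/openshift-apps/waiverdb/templates/secret.yml`, where a comment calls it non-secret dev configuration. A staging deployment should get its own client registration with the secret supplied from the private vars, e.g. `"client_secret": "{{ stg_waiverdb_oidc_client_secret }}"` (the variable name is a placeholder), and the committed value should be treated as public. The `redirect_uris` entry also names `waiverdb-waiverdb.app.os.stg.fedoraproject.org`, while the Route added in this commit sets `host: waiverdb.stg.fedoraproject.org`; one of the two likely needs to change.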
diff --git a/roles/openshift-apps/waiverdb/templates/project.yml b/roles/openshift-apps/waiverdb/templates/project.yml
new file mode 100644
index 0000000000..aef2ccd932
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/project.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Project
+metadata:
+ annotations:
+ openshift.io/description: "{{description}}"
+ openshift.io/display-name: "{{app}}"
+ creationTimestamp: null
+ name: "{{app}}"
+spec: {}
+status: {}
diff --git a/roles/openshift-apps/waiverdb/templates/secret.yml b/roles/openshift-apps/waiverdb/templates/secret.yml
new file mode 100644
index 0000000000..da46756538
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/secret.yml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "waiverdb-stg-secret"
+ labels:
+ app: "waiverdb"
+stringData:
+ flask-secret-key: "{{stg_waiverdb_secret_key}}"
+ database-password: "{{stg_waiverdb_db_password}}"
+ # This is the same non-secret config we have committed
+ # as conf/client_secrets.json for using in dev environments.
+ client_secrets.json: |-
+ {"web": {
+ "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"],
+ "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token",
+ "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization",
+ "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c",
+ "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF",
+ "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo",
+ "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"}}
diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml
new file mode 100644
index 0000000000..afc3e1448a
--- /dev/null
+++ b/roles/openshift/object/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Create temporary file
+ tempfile: state=file suffix=.yml
+ register: tmpfile
+ run_once: true
+
+- name: Copy template {{template}} to temporary file ({{tmpfile.path}})
+ template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}
+ when: template is defined
+ run_once: true
+
+- name: Copy file {{file}} to temporary file ({{tmpfile.path}})
+ copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
+ when: file is defined
+ run_once: true
+
+- name: Call `oc apply` on the copied file
+ shell: oc -n {{app}} apply -f {{tmpfile.path}}
+ run_once: true
+
+- name: Delete temporary file
+ file: path={{tmpfile.path}} state=absent
+ run_once: true
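Review bot: The temporary file can hold a rendered Secret, and it is removed only if every earlier task succeeds; when `oc apply` fails the play stops and the file stays on the master. Wrapping the tasks in a `block` with the delete under `always` guarantees cleanup, and `command` instead of `shell` keeps `{{app}}` and `{{tmpfile.path}}` from being interpreted by a shell. A `no_log: true` on the template task would keep secret values out of `--diff` output, and nothing stops the role from applying an empty file when neither `template` nor `file` is passed. `roles/openshift/secret-file/tasks/main.yml` has the same structure, and the `rollout` and `start-build` roles use `shell` the same way.

```yaml
# … unchanged: "Create temporary file" task …
- block:
    # … unchanged: "Copy template" and "Copy file" tasks …
    - name: Call `oc apply` on the copied file
      command: oc -n {{ app }} apply -f {{ tmpfile.path }}
      run_once: true
  always:
    - name: Delete temporary file
      file: path={{ tmpfile.path }} state=absent
      run_once: true
```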
diff --git a/roles/openshift/rollout/tasks/main.yml b/roles/openshift/rollout/tasks/main.yml
new file mode 100644
index 0000000000..01da41e25b
--- /dev/null
+++ b/roles/openshift/rollout/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: Run `oc rollout latest`
+ shell: oc -n {{app}} rollout latest {{name}}
+ run_once: true
diff --git a/roles/openshift/secret-file/tasks/main.yml b/roles/openshift/secret-file/tasks/main.yml
new file mode 100644
index 0000000000..697ce185ae
--- /dev/null
+++ b/roles/openshift/secret-file/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Create temporary file
+ tempfile: state=file
+ register: tmpfile
+ run_once: true
+
+- name: Copy template {{template}} to temporary file ({{tmpfile.path}})
+ template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}
+ when: template is defined
+ run_once: true
+
+- name: Copy file {{file}} to temporary file ({{tmpfile.path}})
+ copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
+ when: file is defined
+ run_once: true
+
+- name: Call `oc secrets new` on the copied file
+ shell: oc -n {{app}} secrets new {{secret_name}} {{key}}={{tmpfile.path}}
+ run_once: true
+
+- name: Delete temporary file
+ file: path={{tmpfile.path}} state=absent
+ run_once: true
diff --git a/roles/openshift/start-build/tasks/main.yml b/roles/openshift/start-build/tasks/main.yml
new file mode 100644
index 0000000000..7d4ed2db0a
--- /dev/null
+++ b/roles/openshift/start-build/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: Run `oc start-build`
+ shell: oc -n {{app}} start-build {{name}}
+ run_once: true
diff --git a/roles/rabbitmq/tasks/main.yml b/roles/rabbitmq/tasks/main.yml
index c01634c4e6..34d0ec789b 100644
--- a/roles/rabbitmq/tasks/main.yml
+++ b/roles/rabbitmq/tasks/main.yml
@@ -1,5 +1,5 @@
- name: install needed packages
- yum: pkg={{ item }} state=present
+ package: pkg={{ item }} state=present
with_items:
- rabbitmq-server
tags:
diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py
index 5d87f4efa5..20dc5d17d8 100644
--- a/roles/robosignatory/files/robosignatory.production.py
+++ b/roles/robosignatory/files/robosignatory.production.py
@@ -41,16 +41,10 @@ config = {
'tags': [
# Temporary tags
{
- "from": "f26-rebuild",
- "to": "f26-rebuild",
- "key": "fedora-26",
- "keyid": "64dab85d"
- },
- {
- "from": "f25-llvm39",
- "to": "f25-llvm39",
- "key": "fedora-25",
- "keyid": "fdb19c98"
+ "from": "f27-rebuild",
+ "to": "f27-rebuild",
+ "key": "fedora-27",
+ "keyid": "f5282ee4"
},
# Infra tags
diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2
index 8062d752bb..de27070a8a 100644
--- a/roles/varnish/templates/kojipkgs.vcl.j2
+++ b/roles/varnish/templates/kojipkgs.vcl.j2
@@ -62,5 +62,8 @@ sub vcl_recv {
if (req.url ~ "h264") {
return (pipe);
}
+ if (req.url ~ "^/mass-rebuild/") {
+ return (pipe);
+ }
return (hash);
}