From af2fac397720b7821dee043b082e8dedde163030 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Mon, 24 Jul 2017 22:42:13 +0200 Subject: [PATCH 01/53] Use the overriding templates from pagure-dist-git --- roles/distgit/pagure/templates/pagure.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg index b6c3ab98fd..92b3c2bc79 100644 --- a/roles/distgit/pagure/templates/pagure.cfg +++ b/roles/distgit/pagure/templates/pagure.cfg @@ -203,3 +203,5 @@ REQUIRED_GROUPS = { PDC_URL = 'https://pdc.stg.fedoraproject.org/rest_api/v1/' GITOLITE_BACKEND = 'distgit' + +THEME_TEMPLATE_FOLDER = '/usr/share/pagure_dist_git/template/' From 333a155ba9bc8a90ef3b08404ba847dda878f997 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Tue, 9 May 2017 09:30:08 +0200 Subject: [PATCH 02/53] post-receive-alternativearch - catch removals too Currently the patterns can catch ExcludeArch & co additions and changes in the spec file, but not a clean removal. --- roles/git/hooks/files/post-receive-alternativearch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/git/hooks/files/post-receive-alternativearch b/roles/git/hooks/files/post-receive-alternativearch index 4b23fb231f..16d8cef4dd 100755 --- a/roles/git/hooks/files/post-receive-alternativearch +++ b/roles/git/hooks/files/post-receive-alternativearch @@ -17,7 +17,8 @@ import sys from email.mime.text import MIMEText abspath = os.path.abspath(os.environ['GIT_DIR']) -PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch') +PATTERNS = ('+ExclusiveArch:', '+ExcludeArch:', '+%ifarch', '+%ifnarch', + '-ExclusiveArch:', '-ExcludeArch:', '-%ifarch', '-%ifnarch') FROM_EMAIL = 'githook-noreply@fedoraproject.org' TO_MAIL = 'arch-excludes@lists.fedoraproject.org' CGIT_URL = 'https://src.fedoraproject.org/cgit/%s/commit/?id=%s' From 5106fca4391febecd274f67128b24126af3b0f1c Mon Sep 17 00:00:00 2001 
From: Kushal Das Date: Tue, 25 Jul 2017 11:30:46 +0000 Subject: [PATCH 03/53] Updates dist to F26 darkserver stg --- .../host_vars/darkserver-backend01.stg.phx2.fedoraproject.org | 4 ++-- .../host_vars/darkserver-web01.stg.phx2.fedoraproject.org | 4 ++-- .../host_vars/darkserver-web02.stg.phx2.fedoraproject.org | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org index a8a96e9297..f81897ebd9 100644 --- a/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/darkserver-backend01.stg.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ eth0_ip: 10.5.126.124 diff --git a/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org index 84de6c1fbe..ff57668c7d 100644 --- a/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/darkserver-web01.stg.phx2.fedoraproject.org @@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ eth0_ip: 10.5.126.92 diff --git a/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org b/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org index 53e921bdc6..b3c6b6f9df 100644 --- a/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org +++ b/inventory/host_vars/darkserver-web02.stg.phx2.fedoraproject.org 
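Review bot: The new `ks_url` and `ks_repo` values in the darkserver-backend01 hunk still use plain `http://10.5.126.23/...`, so the kickstart file and the Fedora 26 install tree are fetched without transport integrity. The same applies to the darkserver-web01 and darkserver-web02 host_vars changed in this commit. If that host serves TLS, prefer `https://` in both values. Otherwise, add a comment above them stating what the install relies on for integrity, e.g. `# plain HTTP on the internal network; integrity relies on network isolation`. Whether the install tree is verified by other means is not visible in these hunks.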
@@ -3,8 +3,8 @@ nm: 255.255.255.0 gw: 10.5.126.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7 -ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ eth0_ip: 10.5.126.120 From 7180f1669ad7fe3a9e76ae24d7885dc675151e3a Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 25 Jul 2017 15:20:38 +0200 Subject: [PATCH 04/53] Move fedmsg-genacls-config.py to a template and configure it for the new world --- roles/distgit/files/fedmsg-genacls-config.py | 4 ---- roles/distgit/tasks/main.yml | 3 ++- roles/distgit/templates/fedmsg-genacls-config.py | 12 ++++++++++++ 3 files changed, 14 insertions(+), 5 deletions(-) delete mode 100644 roles/distgit/files/fedmsg-genacls-config.py create mode 100644 roles/distgit/templates/fedmsg-genacls-config.py diff --git a/roles/distgit/files/fedmsg-genacls-config.py b/roles/distgit/files/fedmsg-genacls-config.py deleted file mode 100644 index b657de1de8..0000000000 --- a/roles/distgit/files/fedmsg-genacls-config.py +++ /dev/null @@ -1,4 +0,0 @@ -config = { - 'genacls.consumer.enabled': True, - 'genacls.consumer.delay': 5, # 5 seconds -} diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index bad9e62ba0..e30672b353 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -243,7 +243,8 @@ - distgit - name: install the fedmsg configuration - copy: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py owner=root group=root mode=0644 + template: src=fedmsg-genacls-config.py dest=/etc/fedmsg.d/genacls.py + owner=root group=root mode=0644 tags: - config - distgit diff --git a/roles/distgit/templates/fedmsg-genacls-config.py b/roles/distgit/templates/fedmsg-genacls-config.py new file mode 100644 index 0000000000..c9bde6c5e4 --- /dev/null +++ b/roles/distgit/templates/fedmsg-genacls-config.py 
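Review bot: `mode=0644` is kept for `/etc/fedmsg.d/genacls.py` even though the file is now a template that renders `gitoliteprefix.consumer.password`, so the FAS password becomes readable by every local account on the host. Tighten the continuation line, e.g. `owner=root group=<consumer-group> mode=0640`, where the group is a placeholder for whichever one the fedmsg consumer runs under (not visible in this hunk). Adding `no_log: true` to the task would also keep the rendered secret out of diff output on verbose runs.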
@@ -0,0 +1,12 @@ +config = { + 'genacls.consumer.enabled': True, + 'genacls.consumer.delay': 5, # 5 seconds + + # New world + 'gitoliteprefix.consumer.enabled': True, + 'gitoliteprefix.consumer.delay': 5, # 5 seconds + 'gitoliteprefix.consumer.filename': '/var/tmp/gitolite-prefix.txt', + 'gitoliteprefix.consumer.fasurl': 'https://admin.fedoraproject.org/accounts', + 'gitoliteprefix.consumer.username': "fasreadonly", + 'gitoliteprefix.consumer.password': {{ fasReadOnlyPassword }}, +} From be8af9ae9002a5f6f33bc13893641318d708d25d Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 25 Jul 2017 15:28:43 +0200 Subject: [PATCH 05/53] Somehow string needs quotes... --- roles/distgit/templates/fedmsg-genacls-config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/templates/fedmsg-genacls-config.py b/roles/distgit/templates/fedmsg-genacls-config.py index c9bde6c5e4..6d0a644db9 100644 --- a/roles/distgit/templates/fedmsg-genacls-config.py +++ b/roles/distgit/templates/fedmsg-genacls-config.py @@ -8,5 +8,5 @@ config = { 'gitoliteprefix.consumer.filename': '/var/tmp/gitolite-prefix.txt', 'gitoliteprefix.consumer.fasurl': 'https://admin.fedoraproject.org/accounts', 'gitoliteprefix.consumer.username': "fasreadonly", - 'gitoliteprefix.consumer.password': {{ fasReadOnlyPassword }}, + 'gitoliteprefix.consumer.password': '{{ fasReadOnlyPassword }}', } From 1215fccee4310fcf641059ff5c4492cbcaab629b Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Tue, 25 Jul 2017 13:37:09 +0000 Subject: [PATCH 06/53] add skopeo to releng-compose.yml Signed-off-by: Adam Miller --- playbooks/groups/releng-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index abfef709b6..d5e358dca3 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml 
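Review bot: `gitoliteprefix.consumer.filename` is set to `/var/tmp/gitolite-prefix.txt`, a fixed name in a world-writable directory. If the consumer writes that file with elevated privileges (its code is not on this page), any local account can pre-create or symlink the path, and the content presumably feeds gitolite ACL generation. A directory owned by the service avoids that, e.g. `'/var/lib/<service-dir>/gitolite-prefix.txt'` (placeholder path). Failing that, add a comment above the key recording which user writes the file and why `/var/tmp` is acceptable.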
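Review bot: Wrapping `{{ fasReadOnlyPassword }}` in single quotes only yields valid Python while the secret contains no `'`, backslash or newline, because the value is pasted into source text without escaping. Rendering it as a quoted literal keeps the file parseable for any value, e.g. `'gitoliteprefix.consumer.password': {{ fasReadOnlyPassword | to_json }},` (JSON string syntax is also valid Python for ASCII values). The `config` dict opens above this hunk.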
@@ -74,5 +74,10 @@ - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" + - name: install skopeo for container management + package: + name: skopeo + state: latest + handlers: - include: "{{ handlers_path }}/restart_services.yml" From 93ee8721f5430234b9a3c0991cd7b260bf5f53c9 Mon Sep 17 00:00:00 2001 From: "Paul W. Frields" Date: Tue, 25 Jul 2017 13:46:46 +0000 Subject: [PATCH 07/53] fas_client: Adding sgallagh to flock-staff alias --- roles/fas_client/files/aliases.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index 4afae1d8ac..cffbf3421e 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -144,7 +144,7 @@ fudcon-paper: fudcon-cfp # flock flockpress: bex,fpl flockinfo: bex,fpl -flock-staff: bex,fpl,duffy +flock-staff: bex,fpl,duffy,sgallagh # gnome backups gnomebackup: backups@gnome.org From 8a117cd76c7c0111cf70e6fe3fd530d2904bc430 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Tue, 25 Jul 2017 15:47:12 +0200 Subject: [PATCH 08/53] Let fedmsg-genacls piles up on the blockerbug FAS account --- roles/distgit/templates/fedmsg-genacls-config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/distgit/templates/fedmsg-genacls-config.py b/roles/distgit/templates/fedmsg-genacls-config.py index 6d0a644db9..58d3acaede 100644 --- a/roles/distgit/templates/fedmsg-genacls-config.py +++ b/roles/distgit/templates/fedmsg-genacls-config.py 
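Review bot: `state: latest` on the skopeo task upgrades the package to whatever the enabled repos offer on every playbook run, so compose hosts can change tooling versions as a side effect of an unrelated run. `state: present` installs it once and leaves upgrades to the regular update process. The `tasks:` list this task belongs to starts above the hunk.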
@@ -7,6 +7,6 @@ config = { 'gitoliteprefix.consumer.delay': 5, # 5 seconds 'gitoliteprefix.consumer.filename': '/var/tmp/gitolite-prefix.txt', 'gitoliteprefix.consumer.fasurl': 'https://admin.fedoraproject.org/accounts', - 'gitoliteprefix.consumer.username': "fasreadonly", - 'gitoliteprefix.consumer.password': '{{ fasReadOnlyPassword }}', + 'gitoliteprefix.consumer.username': "{{ blockerbugs_fas_user }}", + 'gitoliteprefix.consumer.password': '{{ blockerbugs_fas_password }}', } From 8db42104c55c697696b9acb294050c4a39957b30 Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Tue, 25 Jul 2017 15:44:40 +0000 Subject: [PATCH 09/53] restrict skopeo install to non-ppc64 arches, pkg isn't available for ppc64 Signed-off-by: Adam Miller --- playbooks/groups/releng-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/releng-compose.yml b/playbooks/groups/releng-compose.yml index d5e358dca3..391751103d 100644 --- a/playbooks/groups/releng-compose.yml +++ b/playbooks/groups/releng-compose.yml @@ -78,6 +78,7 @@ package: name: skopeo state: latest + when: ansible_architecture != "ppc64" handlers: - include: "{{ handlers_path }}/restart_services.yml" From eb7a00202725d6eb0e01c420dfb1d7835f97a27c Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 17:52:06 +0000 Subject: [PATCH 10/53] First attempt at ansiblization of openshift/modernpaste 
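Review bot: The consumer now authenticates as `{{ blockerbugs_fas_user }}`, an account whose name suggests it belongs to another service, instead of the read-only account used before. Sharing one credential between services widens what a compromise of this host exposes and makes rotation and audit harder; the privileges of that account are not visible here. If a dedicated account is not possible, a comment above the line recording why it is reused would help the next reader, e.g. `# reuses the blockerbugs FAS account: <reason>`. The username line also uses double quotes where the rest of the dict uses single quotes.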
Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/modernpaste.yml | 18 +++++++ .../modernpaste/files/buildconfig.yml | 34 +++++++++++++ .../modernpaste/files/configmap.yml | 50 +++++++++++++++++++ .../modernpaste/files/deploymentconfig.yml | 50 +++++++++++++++++++ .../modernpaste/files/imagestream.yml | 6 +++ .../modernpaste/files/route.yml | 15 ++++++ .../modernpaste/files/service.yml | 14 ++++++ .../modernpaste/templates/secret.yml | 11 ++++ roles/openshift/object/tasks/main.yml | 18 +++++++ 9 files changed, 216 insertions(+) create mode 100644 playbooks/openshift-apps/modernpaste.yml create mode 100644 roles/openshift-apps/modernpaste/files/buildconfig.yml create mode 100644 roles/openshift-apps/modernpaste/files/configmap.yml create mode 100644 roles/openshift-apps/modernpaste/files/deploymentconfig.yml create mode 100644 roles/openshift-apps/modernpaste/files/imagestream.yml create mode 100644 roles/openshift-apps/modernpaste/files/route.yml create mode 100644 roles/openshift-apps/modernpaste/files/service.yml create mode 100644 roles/openshift-apps/modernpaste/templates/secret.yml create mode 100644 roles/openshift/object/tasks/main.yml diff --git a/playbooks/openshift-apps/modernpaste.yml b/playbooks/openshift-apps/modernpaste.yml new file mode 100644 index 0000000000..7ef4a5d9b0 --- /dev/null +++ b/playbooks/openshift-apps/modernpaste.yml 
@@ -0,0 +1,18 @@ +- name: make the app be real + hosts: os-masters-stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - { role: openshift/object, app: modernpaste, file: imagestream.yml } + - { role: openshift/object, app: modernpaste, template: secret.yml } + - { role: openshift/object, app: modernpaste, file: buildconfig.yml } + - { role: openshift/object, app: modernpaste, file: configmap.yml } + - { role: openshift/object, app: modernpaste, file: service.yml } + - { role: openshift/object, app: modernpaste, file: route.yml } + - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml } diff --git a/roles/openshift-apps/modernpaste/files/buildconfig.yml b/roles/openshift-apps/modernpaste/files/buildconfig.yml new file mode 100644 index 0000000000..198d81c8d2 --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/buildconfig.yml @@ -0,0 +1,34 @@ +- apiVersion: v1 + kind: BuildConfig + metadata: + name: "modernpaste-docker-build" + labels: + environment: "modernpaste" + spec: + runPolicy: Serial + source: + dockerfile: |- + FROM fedora:25 + LABEL \ + name="Modern Paste" \ + vendor="Fedora Infrastructure" \ + license="MIT" + RUN curl -o /etc/yum.repos.d/infra-stg.repo \ + https://infrastructure.fedoraproject.org/cgit/ansible.git/plain/files/common/fedora-infra-tags.repo + RUN yum -y install modern-paste + RUN yum -y install --setopt=tsflags=nodocs \ + python-gunicorn \ + python2-mock \ + python-psycopg2 + WORKDIR /usr/share/modern-paste + RUN sed -i '216,219d;228,229d' app/api/paste.py + RUN mv modern_paste.wsgi modern_paste_wsgi.py + USER 1001 + EXPOSE 8080 + ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- --chdir /usr/share/modern-paste modern_paste_wsgi:application + strategy: + type: Docker + output: + to: + kind: ImageStreamTag + name: inframodernpaste:latest 
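Review bot: In buildconfig.yml, `RUN sed -i '216,219d;228,229d' app/api/paste.py` deletes lines by number from a file installed by an unpinned `yum -y install modern-paste`. A package update that shifts the file will silently remove different code, and the build will still succeed. Pin the package version in the install line, or apply a context patch that fails when it no longer matches, and add a Dockerfile comment saying what the deleted lines do. The repo file fetched by `curl -o /etc/yum.repos.d/infra-stg.repo` and the `FROM fedora:25` tag are likewise whatever is served at build time, so two builds of the same BuildConfig can differ.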
diff --git a/roles/openshift-apps/modernpaste/files/configmap.yml b/roles/openshift-apps/modernpaste/files/configmap.yml new file mode 100644 index 0000000000..61612167c2 --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/configmap.yml 
@@ -0,0 +1,50 @@ +- apiVersion: v1 + kind: ConfigMap + metadata: + name: "modernpaste-configmap" + labels: + environment: "modernpaste" + data: + flask_config.py: |- + import config + import constants + import os + + SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') + SQLALCHEMY_TRACK_MODIFICATIONS = False + SECRET_KEY = config.FLASK_SECRET_KEY + config.py: |- + import constants + import os + + # Domain from which you will access this app + # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080' + DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org" + + # Use HTTPS by default? + # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs, + # and is not related to your web server configuration. + DEFAULT_HTTPS = True + + # The type of build environment + # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will. + # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively. + BUILD_ENVIRONMENT = constants.build_environment.PROD + + # Option to use encrypted IDs rather than integer IDs + # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY= + # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc. + USE_ENCRYPTED_IDS = True + + # Choose to allow paste attachments + # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and + # ATTACHMENTS_DIR configuration constants will be ignored. + ENABLE_PASTE_ATTACHMENTS = False + + # Allow only paste attachments below a certain size threshold, in MB + # Set this to 0 for an unlimited file size. + MAX_ATTACHMENT_SIZE = 5 + + # Location to store paste attachments + # Please use an absolute path and ensure that it is writable by www-data. 
+ ATTACHMENTS_DIR = '/var/www/modern-paste-attachments' diff --git a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml new file mode 100644 index 0000000000..312f265b1b --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml @@ -0,0 +1,50 @@ +- apiVersion: v1 + kind: DeploymentConfig + metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" + service: web + spec: + replicas: 1 + selector: + environment: "modernpaste" + service: web + template: + metadata: + labels: + environment: "modernpaste" + service: web + spec: + containers: + - name: web + image: 172.30.53.136:5000/modernpaste/inframodernpaste:latest + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/modern-paste + readOnly: true + - name: secret-volume + mountPath: /etc/secret + readOnly: true + env: + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: encryption-key + - name: SESSION_KEY + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: session-key + - name: DATABASE_URI + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: database-uri + #- name: DOMAIN + # value: ${DOMAIN} + readinessProbe: + timeoutSeconds: 1 diff --git a/roles/openshift-apps/modernpaste/files/imagestream.yml b/roles/openshift-apps/modernpaste/files/imagestream.yml new file mode 100644 index 0000000000..bff17900a7 --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/imagestream.yml @@ -0,0 +1,6 @@ +- apiVersion: v1 + kind: ImageStream + metadata: + labels: + environment: "modernpaste" + name: "inframodernpaste" diff --git a/roles/openshift-apps/modernpaste/files/route.yml b/roles/openshift-apps/modernpaste/files/route.yml new file mode 100644 index 0000000000..045d9a63e7 --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/route.yml 
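Review bot: `flask_config.py` reads `config.FLASK_SECRET_KEY`, but the `config.py` in this ConfigMap never defines it. `config.py` imports `os` yet reads none of the `ENCRYPTION_KEY` / `SESSION_KEY` variables the DeploymentConfig injects. As written, the secret values do not appear to reach the application, and `USE_ENCRYPTED_IDS = True` has no key set in the visible file. A line such as `FLASK_SECRET_KEY = os.environ['SESSION_KEY']` in `config.py` (assuming that is the intended mapping) would make the app fail at start-up when the secret is missing.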
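Review bot: In deploymentconfig.yml the container receives `modernpaste-secret` twice: as the `ENCRYPTION_KEY` / `SESSION_KEY` / `DATABASE_URI` environment variables, and again through the `secret-volume` mount at `/etc/secret`. The visible `flask_config.py` only reads `DATABASE_URI` from the environment, so one of the two paths is probably unused. Keeping only the path the application reads reduces the places the keys can leak from (environment dumps, child processes, files on the mount). The image is also referenced as `172.30.53.136:5000/modernpaste/inframodernpaste:latest`, a hard-coded registry address with a mutable tag.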
@@ -0,0 +1,15 @@ +- apiVersion: v1 + kind: Route + metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" + spec: + port: + targetPort: web + to: + kind: Service + name: "modernpaste-web" + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect diff --git a/roles/openshift-apps/modernpaste/files/service.yml b/roles/openshift-apps/modernpaste/files/service.yml new file mode 100644 index 0000000000..d1eaf9136a --- /dev/null +++ b/roles/openshift-apps/modernpaste/files/service.yml @@ -0,0 +1,14 @@ +- apiVersion: v1 + kind: Service + metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" + spec: + selector: + environment: "modernpaste" + service: web + ports: + - name: web + port: 8080 + targetPort: 8080 diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml new file mode 100644 index 0000000000..0153460875 --- /dev/null +++ b/roles/openshift-apps/modernpaste/templates/secret.yml @@ -0,0 +1,11 @@ +- apiVersion: v1 + kind: Secret + metadata: + name: "modernpaste-secret" + labels: + environment: "modernpaste" + stringData: + encryption-key: "{{modernpaste_stg_encryption_key}}" + session-key: "{{modernpaste_stg_session_key}}" + database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" +- diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml new file mode 100644 index 0000000000..5d9bbe6a58 --- /dev/null +++ b/roles/openshift/object/tasks/main.yml 
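Review bot: In secret.yml, `database-uri` interpolates `{{modernpaste_stg_db_user}}` and `{{modernpaste_stg_db_password}}` directly into a URL inside a double-quoted YAML scalar. A password containing `@`, `:`, `/`, `"` or `\` therefore yields a broken URI or invalid YAML. Percent-encode the credentials before inserting them, e.g. `{{ modernpaste_stg_db_password | urlencode }}`; Jinja2's filter leaves `/` unescaped, so that character still needs handling. The YAML-quoting concern also applies to `encryption-key` and `session-key`.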
@@ -0,0 +1,18 @@ +- name: Create temporary file + tempfile: state=file + register: tmpfile + run_once: true + +- name: Copy template to temporary file ({{tmpfile.path}}) + template: src={{ansible}}/roles/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}.yml + when: template is defined + run_once: true + +- name: Copy file to temporary file ({{tmpfile.path}}) + copy: src={{ansible}}/roles/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}.yml + when: file is defined + run_once: true + +- name: Call `oc apply` on the copied file + shell: oc -n {{app}} apply -f {{tmpfile.path}}.yml + run_once: true From c7f1962ad24cacd2ef55b6cca61ad3d84ac149ad Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 17:54:54 +0000 Subject: [PATCH 11/53] try roles_path Signed-off-by: Ricky Elrod --- roles/openshift/object/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml index 5d9bbe6a58..397ecfe56c 100644 --- a/roles/openshift/object/tasks/main.yml +++ b/roles/openshift/object/tasks/main.yml @@ -4,12 +4,12 @@ run_once: true - name: Copy template to temporary file ({{tmpfile.path}}) - template: src={{ansible}}/roles/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}.yml + template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}.yml when: template is defined run_once: true - name: Copy file to temporary file ({{tmpfile.path}}) - copy: src={{ansible}}/roles/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}.yml + copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}.yml when: file is defined run_once: true From 8b8549cf08e31dac0c6e6e8e21cf463b4031d8fa Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 17:59:31 +0000 Subject: [PATCH 12/53] If I could stop doing stupid things, that'd be greaaattt 
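Review bot: The rendered objects are written to `{{tmpfile.path}}.yml`, which is not the file `tempfile` created. It is a new, predictably named file with default permissions, and neither it nor the original temp file is removed, so the rendered `secret.yml` (keys and database password) stays on the master after the run. Let `tempfile` create the final name, write to it with an explicit `mode=0600`, and delete it once `oc apply` has run. `command` is enough for the last task since no shell features are used. In the sketch below cleanup is skipped when `oc apply` fails, so a `block`/`always` wrapper would be the more thorough form.

```yaml
- name: Create temporary file
  tempfile: state=file suffix=.yml
  # … unchanged: register / run_once …

- name: Copy template to temporary file ({{tmpfile.path}})
  template: src={{ansible}}/roles/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}} mode=0600
  # … unchanged: when / run_once; the copy task gets the same dest and mode …

- name: Call `oc apply` on the copied file
  command: oc -n {{app}} apply -f {{tmpfile.path}}
  run_once: true

- name: Remove the temporary file
  file: path={{tmpfile.path}} state=absent
  run_once: true
```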
Signed-off-by: Ricky Elrod --- .../modernpaste/files/buildconfig.yml | 68 ++++++------ .../modernpaste/files/configmap.yml | 100 +++++++++--------- .../modernpaste/files/deploymentconfig.yml | 100 +++++++++--------- .../modernpaste/files/imagestream.yml | 12 +-- .../modernpaste/files/route.yml | 28 ++--- .../modernpaste/files/service.yml | 28 ++--- .../modernpaste/templates/secret.yml | 20 ++-- 7 files changed, 178 insertions(+), 178 deletions(-) diff --git a/roles/openshift-apps/modernpaste/files/buildconfig.yml b/roles/openshift-apps/modernpaste/files/buildconfig.yml index 198d81c8d2..030a197ea6 100644 --- a/roles/openshift-apps/modernpaste/files/buildconfig.yml +++ b/roles/openshift-apps/modernpaste/files/buildconfig.yml 
@@ -1,34 +1,34 @@ -- apiVersion: v1 - kind: BuildConfig - metadata: - name: "modernpaste-docker-build" - labels: - environment: "modernpaste" - spec: - runPolicy: Serial - source: - dockerfile: |- - FROM fedora:25 - LABEL \ - name="Modern Paste" \ - vendor="Fedora Infrastructure" \ - license="MIT" - RUN curl -o /etc/yum.repos.d/infra-stg.repo \ - https://infrastructure.fedoraproject.org/cgit/ansible.git/plain/files/common/fedora-infra-tags.repo - RUN yum -y install modern-paste - RUN yum -y install --setopt=tsflags=nodocs \ - python-gunicorn \ - python2-mock \ - python-psycopg2 - WORKDIR /usr/share/modern-paste - RUN sed -i '216,219d;228,229d' app/api/paste.py - RUN mv modern_paste.wsgi modern_paste_wsgi.py - USER 1001 - EXPOSE 8080 - ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- --chdir /usr/share/modern-paste modern_paste_wsgi:application - strategy: - type: Docker - output: - to: - kind: ImageStreamTag - name: inframodernpaste:latest +apiVersion: v1 +kind: BuildConfig +metadata: + name: "modernpaste-docker-build" + labels: + environment: "modernpaste" +spec: + runPolicy: Serial + source: + dockerfile: |- + FROM fedora:25 + LABEL \ + name="Modern Paste" \ + vendor="Fedora Infrastructure" \ + license="MIT" + RUN curl -o /etc/yum.repos.d/infra-stg.repo \ + https://infrastructure.fedoraproject.org/cgit/ansible.git/plain/files/common/fedora-infra-tags.repo + RUN yum -y install modern-paste + RUN yum -y install --setopt=tsflags=nodocs \ + python-gunicorn \ + python2-mock \ + python-psycopg2 + WORKDIR /usr/share/modern-paste + RUN sed -i '216,219d;228,229d' app/api/paste.py + RUN mv modern_paste.wsgi modern_paste_wsgi.py + USER 1001 + EXPOSE 8080 + ENTRYPOINT gunicorn --bind 0.0.0.0:8080 --access-logfile=- --chdir /usr/share/modern-paste modern_paste_wsgi:application + strategy: + type: Docker + output: + to: + kind: ImageStreamTag + name: inframodernpaste:latest 
diff --git a/roles/openshift-apps/modernpaste/files/configmap.yml b/roles/openshift-apps/modernpaste/files/configmap.yml index 61612167c2..8b012520e5 100644 --- a/roles/openshift-apps/modernpaste/files/configmap.yml +++ b/roles/openshift-apps/modernpaste/files/configmap.yml 
@@ -1,50 +1,50 @@ -- apiVersion: v1 - kind: ConfigMap - metadata: - name: "modernpaste-configmap" - labels: - environment: "modernpaste" - data: - flask_config.py: |- - import config - import constants - import os - - SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') - SQLALCHEMY_TRACK_MODIFICATIONS = False - SECRET_KEY = config.FLASK_SECRET_KEY - config.py: |- - import constants - import os - - # Domain from which you will access this app - # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080' - DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org" - - # Use HTTPS by default? - # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs, - # and is not related to your web server configuration. - DEFAULT_HTTPS = True - - # The type of build environment - # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will. - # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively. - BUILD_ENVIRONMENT = constants.build_environment.PROD - - # Option to use encrypted IDs rather than integer IDs - # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY= - # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc. - USE_ENCRYPTED_IDS = True - - # Choose to allow paste attachments - # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and - # ATTACHMENTS_DIR configuration constants will be ignored. - ENABLE_PASTE_ATTACHMENTS = False - - # Allow only paste attachments below a certain size threshold, in MB - # Set this to 0 for an unlimited file size. - MAX_ATTACHMENT_SIZE = 5 - - # Location to store paste attachments - # Please use an absolute path and ensure that it is writable by www-data. 
- ATTACHMENTS_DIR = '/var/www/modern-paste-attachments' +apiVersion: v1 +kind: ConfigMap +metadata: + name: "modernpaste-configmap" + labels: + environment: "modernpaste" +data: + flask_config.py: |- + import config + import constants + import os + + SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') + SQLALCHEMY_TRACK_MODIFICATIONS = False + SECRET_KEY = config.FLASK_SECRET_KEY + config.py: |- + import constants + import os + + # Domain from which you will access this app + # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080' + DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org" + + # Use HTTPS by default? + # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs, + # and is not related to your web server configuration. + DEFAULT_HTTPS = True + + # The type of build environment + # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will. + # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively. + BUILD_ENVIRONMENT = constants.build_environment.PROD + + # Option to use encrypted IDs rather than integer IDs + # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY= + # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc. + USE_ENCRYPTED_IDS = True + + # Choose to allow paste attachments + # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and + # ATTACHMENTS_DIR configuration constants will be ignored. + ENABLE_PASTE_ATTACHMENTS = False + + # Allow only paste attachments below a certain size threshold, in MB + # Set this to 0 for an unlimited file size. + MAX_ATTACHMENT_SIZE = 5 + + # Location to store paste attachments + # Please use an absolute path and ensure that it is writable by www-data. 
+ ATTACHMENTS_DIR = '/var/www/modern-paste-attachments' diff --git a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml index 312f265b1b..4432072d99 100644 --- a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml +++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml 
@@ -1,50 +1,50 @@ -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: "modernpaste-web" - labels: - environment: "modernpaste" - service: web - spec: - replicas: 1 - selector: - environment: "modernpaste" - service: web - template: - metadata: - labels: - environment: "modernpaste" - service: web - spec: - containers: - - name: web - image: 172.30.53.136:5000/modernpaste/inframodernpaste:latest - ports: - - containerPort: 8080 - volumeMounts: - - name: config-volume - mountPath: /etc/modern-paste - readOnly: true - - name: secret-volume - mountPath: /etc/secret - readOnly: true - env: - - name: ENCRYPTION_KEY - valueFrom: - secretKeyRef: - name: "modernpaste-secret" - key: encryption-key - - name: SESSION_KEY - valueFrom: - secretKeyRef: - name: "modernpaste-secret" - key: session-key - - name: DATABASE_URI - valueFrom: - secretKeyRef: - name: "modernpaste-secret" - key: database-uri - #- name: DOMAIN - # value: ${DOMAIN} - readinessProbe: - timeoutSeconds: 1 +apiVersion: v1 +kind: DeploymentConfig +metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" + service: web +spec: + replicas: 1 + selector: + environment: "modernpaste" + service: web + template: + metadata: + labels: + environment: "modernpaste" + service: web + spec: + containers: + - name: web + image: 172.30.53.136:5000/modernpaste/inframodernpaste:latest + ports: + - containerPort: 8080 + volumeMounts: + - name: config-volume + mountPath: /etc/modern-paste + readOnly: true + - name: secret-volume + mountPath: /etc/secret + readOnly: true + env: + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: encryption-key + - name: SESSION_KEY + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: session-key + - name: DATABASE_URI + valueFrom: + secretKeyRef: + name: "modernpaste-secret" + key: database-uri + #- name: DOMAIN + # value: ${DOMAIN} + readinessProbe: + timeoutSeconds: 1 
diff --git a/roles/openshift-apps/modernpaste/files/imagestream.yml b/roles/openshift-apps/modernpaste/files/imagestream.yml index bff17900a7..eddd1d232c 100644 --- a/roles/openshift-apps/modernpaste/files/imagestream.yml +++ b/roles/openshift-apps/modernpaste/files/imagestream.yml @@ -1,6 +1,6 @@ -- apiVersion: v1 - kind: ImageStream - metadata: - labels: - environment: "modernpaste" - name: "inframodernpaste" +apiVersion: v1 +kind: ImageStream +metadata: + labels: + environment: "modernpaste" + name: "inframodernpaste" diff --git a/roles/openshift-apps/modernpaste/files/route.yml b/roles/openshift-apps/modernpaste/files/route.yml index 045d9a63e7..99207964e1 100644 --- a/roles/openshift-apps/modernpaste/files/route.yml +++ b/roles/openshift-apps/modernpaste/files/route.yml @@ -1,15 +1,15 @@ -- apiVersion: v1 - kind: Route - metadata: +apiVersion: v1 +kind: Route +metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" +spec: + port: + targetPort: web + to: + kind: Service name: "modernpaste-web" - labels: - environment: "modernpaste" - spec: - port: - targetPort: web - to: - kind: Service - name: "modernpaste-web" - tls: - termination: edge - insecureEdgeTerminationPolicy: Redirect + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect diff --git a/roles/openshift-apps/modernpaste/files/service.yml b/roles/openshift-apps/modernpaste/files/service.yml index d1eaf9136a..1f038915e7 100644 --- a/roles/openshift-apps/modernpaste/files/service.yml +++ b/roles/openshift-apps/modernpaste/files/service.yml 
@@ -1,14 +1,14 @@ -- apiVersion: v1 - kind: Service - metadata: - name: "modernpaste-web" - labels: - environment: "modernpaste" - spec: - selector: - environment: "modernpaste" - service: web - ports: - - name: web - port: 8080 - targetPort: 8080 +apiVersion: v1 +kind: Service +metadata: + name: "modernpaste-web" + labels: + environment: "modernpaste" +spec: + selector: + environment: "modernpaste" + service: web + ports: + - name: web + port: 8080 + targetPort: 8080 diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml index 0153460875..ce4baea9c1 100644 --- a/roles/openshift-apps/modernpaste/templates/secret.yml +++ b/roles/openshift-apps/modernpaste/templates/secret.yml @@ -1,11 +1,11 @@ -- apiVersion: v1 - kind: Secret - metadata: - name: "modernpaste-secret" - labels: - environment: "modernpaste" - stringData: - encryption-key: "{{modernpaste_stg_encryption_key}}" - session-key: "{{modernpaste_stg_session_key}}" - database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" +apiVersion: v1 +kind: Secret +metadata: + name: "modernpaste-secret" + labels: + environment: "modernpaste" +stringData: + encryption-key: "{{modernpaste_stg_encryption_key}}" + session-key: "{{modernpaste_stg_session_key}}" + database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" - From c74c138c63c7e64bc698f0e29ca1802a4f0130e2 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:02:16 +0000 Subject: [PATCH 13/53] nuke a dash Signed-off-by: Ricky Elrod --- roles/openshift-apps/modernpaste/templates/secret.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml index ce4baea9c1..230514c059 100644 --- a/roles/openshift-apps/modernpaste/templates/secret.yml 
+++ b/roles/openshift-apps/modernpaste/templates/secret.yml @@ -8,4 +8,3 @@ stringData: encryption-key: "{{modernpaste_stg_encryption_key}}" session-key: "{{modernpaste_stg_session_key}}" database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" -- From bf4bf2f133c3844773a3333853598bff96642fc4 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:09:24 +0000 Subject: [PATCH 14/53] somehow these lines got dropped Signed-off-by: Ricky Elrod --- .../modernpaste/files/deploymentconfig.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml index 4432072d99..5c08e2cebd 100644 --- a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml +++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml @@ -48,3 +48,25 @@ spec: # value: ${DOMAIN} readinessProbe: timeoutSeconds: 1 + initialDelaySeconds: 5 + httpGet: + path: / + port: 8080 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + httpGet: + path: / + port: 8080 + resources: + limits: + memory: 384Mi + volumes: + - name: config-volume + configMap: + name: "modernpaste-configmap" + - name: secret-volume + secret: + secretName: "modernpaste-secret" + triggers: + - type: ConfigChange From 5bec95f3fa158d073284fbc0965c17606f842432 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:09:39 +0000 Subject: [PATCH 15/53] include file/template name in status line Signed-off-by: Ricky Elrod --- roles/openshift/object/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml index 397ecfe56c..bda150f795 100644 --- a/roles/openshift/object/tasks/main.yml +++ b/roles/openshift/object/tasks/main.yml 
@@ -3,12 +3,12 @@ register: tmpfile run_once: true -- name: Copy template to temporary file ({{tmpfile.path}}) +- name: Copy template {{template}} to temporary file ({{tmpfile.path}}) template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}.yml when: template is defined run_once: true -- name: Copy file to temporary file ({{tmpfile.path}}) +- name: Copy file {{file}} to temporary file ({{tmpfile.path}}) copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}.yml when: file is defined run_once: true From 20ff0788b7743d966b46fb0cd23202bfdf5fbc77 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:24:49 +0000 Subject: [PATCH 16/53] try this Signed-off-by: Ricky Elrod --- .../modernpaste/files/deploymentconfig.yml | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml index 5c08e2cebd..ead888db1e 100644 --- a/roles/openshift-apps/modernpaste/files/deploymentconfig.yml +++ b/roles/openshift-apps/modernpaste/files/deploymentconfig.yml 
@@ -48,25 +48,25 @@ spec: # value: ${DOMAIN} readinessProbe: timeoutSeconds: 1 - initialDelaySeconds: 5 - httpGet: - path: / - port: 8080 - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - httpGet: - path: / - port: 8080 - resources: - limits: - memory: 384Mi - volumes: - - name: config-volume - configMap: - name: "modernpaste-configmap" - - name: secret-volume - secret: - secretName: "modernpaste-secret" - triggers: - - type: ConfigChange + initialDelaySeconds: 5 + httpGet: + path: / + port: 8080 + livenessProbe: + timeoutSeconds: 1 + initialDelaySeconds: 30 + httpGet: + path: / + port: 8080 + resources: + limits: + memory: 384Mi + volumes: + - name: config-volume + configMap: + name: "modernpaste-configmap" + - name: secret-volume + secret: + secretName: "modernpaste-secret" + triggers: + - type: ConfigChange From 2d22a26a3b01c73950160d7c9c933c6d8e0473e1 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:34:14 +0000 Subject: [PATCH 17/53] add a way to manually start an image build Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/modernpaste.yml | 1 + roles/openshift/start-build/tasks/main.yml | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 roles/openshift/start-build/tasks/main.yml diff --git a/playbooks/openshift-apps/modernpaste.yml b/playbooks/openshift-apps/modernpaste.yml index 7ef4a5d9b0..4cb70e68a9 100644 --- a/playbooks/openshift-apps/modernpaste.yml +++ b/playbooks/openshift-apps/modernpaste.yml @@ -12,6 +12,7 @@ - { role: openshift/object, app: modernpaste, file: imagestream.yml } - { role: openshift/object, app: modernpaste, template: secret.yml } - { role: openshift/object, app: modernpaste, file: buildconfig.yml } + - { role: openshift/start-build, app: modernpaste, name: modernpaste-docker-build } - { role: openshift/object, app: modernpaste, file: configmap.yml } - { role: openshift/object, app: modernpaste, file: service.yml } - { role: openshift/object, app: modernpaste, file: route.yml } 
diff --git a/roles/openshift/start-build/tasks/main.yml b/roles/openshift/start-build/tasks/main.yml new file mode 100644 index 0000000000..7d4ed2db0a --- /dev/null +++ b/roles/openshift/start-build/tasks/main.yml @@ -0,0 +1,3 @@ +- name: Run `oc start-build` + shell: oc -n {{app}} start-build {{name}} + run_once: true From 54f2f30c434afc47ce805c1193c6f354dc7675be Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:40:30 +0000 Subject: [PATCH 18/53] I don't know why lines keep getting dropped from my files, I am apparently bad at copypasting, or my editor is Signed-off-by: Ricky Elrod --- .../modernpaste/files/configmap.yml | 50 -------- .../modernpaste/templates/configmap.yml | 109 ++++++++++++++++++ .../modernpaste/templates/secret.yml | 4 +- 3 files changed, 111 insertions(+), 52 deletions(-) delete mode 100644 roles/openshift-apps/modernpaste/files/configmap.yml create mode 100644 roles/openshift-apps/modernpaste/templates/configmap.yml diff --git a/roles/openshift-apps/modernpaste/files/configmap.yml b/roles/openshift-apps/modernpaste/files/configmap.yml deleted file mode 100644 index 8b012520e5..0000000000 --- a/roles/openshift-apps/modernpaste/files/configmap.yml +++ /dev/null 
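Review bot: The new task in roles/openshift/start-build/tasks/main.yml runs `oc` through the `shell` module with `{{app}}` and `{{name}}` interpolated unquoted, so any shell metacharacter in a role parameter would be interpreted by the shell. Nothing in the command needs shell features, so `command: oc -n {{app}} start-build {{name}}` does the same job without a shell in between. The task also starts a new build each time the playbook is applied; if that is intended, a comment such as `# intentionally starts a new build on every playbook run` would make it clear. The `oc rollout latest` task added in PATCH 23/53 has the same shape and would take the same change.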
@@ -1,50 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "modernpaste-configmap" - labels: - environment: "modernpaste" -data: - flask_config.py: |- - import config - import constants - import os - - SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') - SQLALCHEMY_TRACK_MODIFICATIONS = False - SECRET_KEY = config.FLASK_SECRET_KEY - config.py: |- - import constants - import os - - # Domain from which you will access this app - # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080' - DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org" - - # Use HTTPS by default? - # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs, - # and is not related to your web server configuration. - DEFAULT_HTTPS = True - - # The type of build environment - # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will. - # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively. - BUILD_ENVIRONMENT = constants.build_environment.PROD - - # Option to use encrypted IDs rather than integer IDs - # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY= - # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc. - USE_ENCRYPTED_IDS = True - - # Choose to allow paste attachments - # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and - # ATTACHMENTS_DIR configuration constants will be ignored. - ENABLE_PASTE_ATTACHMENTS = False - - # Allow only paste attachments below a certain size threshold, in MB - # Set this to 0 for an unlimited file size. - MAX_ATTACHMENT_SIZE = 5 - - # Location to store paste attachments - # Please use an absolute path and ensure that it is writable by www-data. 
- ATTACHMENTS_DIR = '/var/www/modern-paste-attachments' diff --git a/roles/openshift-apps/modernpaste/templates/configmap.yml b/roles/openshift-apps/modernpaste/templates/configmap.yml new file mode 100644 index 0000000000..8ce182644e --- /dev/null +++ b/roles/openshift-apps/modernpaste/templates/configmap.yml 
@@ -0,0 +1,109 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "modernpaste-configmap" + labels: + environment: "modernpaste" +data: + flask_config.py: |- + import config + import constants + import os + + SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') + SQLALCHEMY_TRACK_MODIFICATIONS = False + SECRET_KEY = config.FLASK_SECRET_KEY + config.py: |- + import constants + import os + + # Domain from which you will access this app + # If running on a port other than 80, append it after a colon at the end of the domain, e.g. 'domain.com:8080' + DOMAIN = "modernpaste-web-modernpaste.app.os.stg.fedoraproject.org" + + # Use HTTPS by default? + # This is only used for deciding whether to use the http:// or https:// prefix when constructing full URLs, + # and is not related to your web server configuration. + DEFAULT_HTTPS = True + + # The type of build environment + # build_environment.DEV won't minify CSS and Closure-compile JavaScript; build_environment.PROD will. + # Dev and prod environments also use separate databases, modern_paste_dev and modern_paste, respectively. + BUILD_ENVIRONMENT = constants.build_environment.PROD + + # Option to use encrypted IDs rather than integer IDs + # Set this to True if you want paste IDs to be encrypted, e.g. displayed as h0GZ19np17iT~CtpuIH3NcnRi-rYnlYzizqToCmG3BY= + # If False, IDs will be displayed as regular, incrementing integers, e.g. 1, 2, 3, etc. + USE_ENCRYPTED_IDS = True + + # Choose to allow paste attachments + # This will allow for users to attach files and images to pastes. If disabled, the MAX_ATTACHMENT_SIZE and + # ATTACHMENTS_DIR configuration constants will be ignored. + ENABLE_PASTE_ATTACHMENTS = False + + # Allow only paste attachments below a certain size threshold, in MB + # Set this to 0 for an unlimited file size. + MAX_ATTACHMENT_SIZE = 5 + + # Location to store paste attachments + # Please use an absolute path and ensure that it is writable by www-data. 
+ ATTACHMENTS_DIR = '/var/www/modern-paste-attachments' + + # Choose to enable or disable user registration + # If False, the web interface will not allow access to the user registration page. Additionally, the API endpoint + # for creating new users will respond with an error. + # This is useful for private or internal installations that aren't intended for public use. + ENABLE_USER_REGISTRATION = False + + # Choose to require users to be logged in to post pastes + # If True, the web interface will allow access to the paste post interface only if the user is signed in. Additionally, + # the API endpoint for creating new pastes will respond with an error if not authenticated with an API key tied to an + # existing, active user. + # This is useful for private or internal installations that aren't intended for public use. + REQUIRE_LOGIN_TO_PASTE = False + + # AES key for generating encrypted IDs + # This is only relevant if USE_ENCRYPTED_IDS above is True. If not, this config parameter can be ignored. + # It is recommended, but not strictly required, for you to replace the string below with the output of os.urandom(32), + # so that the encrypted IDs generated for the app are specific to this installation. + #ID_ENCRYPTION_KEY = os.environ.get('ENCRYPTION_KEY') + ID_ENCRYPTION_KEY = '{{modernpaste_stg_encryption_key}}' + + # Flask session secret key + # IMPORTANT NOTE: Open up a Python terminal, and replace the below with the output of os.urandom(32) + # This secret key should be different for every installation of Modern Paste. + #FLASK_SECRET_KEY = os.environ.get('SECRET_KEY') + FLASK_SECRET_KEY = '{{modernpaste_stg_session_key}}' + + # Languages + # A list of all languages you want to support with the app. Add 'text' for plain text support. 
+ # Only use strings from the directory app/static/build/lib/codemirror/mode + LANGUAGES = [ + 'text', + 'clike', + 'cmake', + 'css', + 'd', + 'diff', + 'dockerfile', + 'erlang', + 'go', + 'haskell', + 'htmlmixed', + 'javascript', + 'jinja2', + 'lua', + 'markdown', + 'perl', + 'php', + 'python', + 'rpm', + 'rst', + 'ruby', + 'rust', + 'shell', + 'sql', + 'swift', + 'xml', + 'yaml', + ] diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml index 230514c059..2ff48320a0 100644 --- a/roles/openshift-apps/modernpaste/templates/secret.yml +++ b/roles/openshift-apps/modernpaste/templates/secret.yml @@ -5,6 +5,6 @@ metadata: labels: environment: "modernpaste" stringData: - encryption-key: "{{modernpaste_stg_encryption_key}}" - session-key: "{{modernpaste_stg_session_key}}" + #encryption-key: "{{modernpaste_stg_encryption_key}}" + #session-key: "{{modernpaste_stg_session_key}}" database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" From 4485ed0feb9c6b9fbb3863b185d6c94271150c36 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 18:43:56 +0000 Subject: [PATCH 19/53] template Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/modernpaste.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/modernpaste.yml b/playbooks/openshift-apps/modernpaste.yml index 4cb70e68a9..f748ddbef3 100644 --- a/playbooks/openshift-apps/modernpaste.yml +++ b/playbooks/openshift-apps/modernpaste.yml 
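Review bot: `ID_ENCRYPTION_KEY = '{{modernpaste_stg_encryption_key}}'` and `FLASK_SECRET_KEY = '{{modernpaste_stg_session_key}}'` in the new templates/configmap.yml render both keys into a ConfigMap, which is not handled as secret material: anyone who can read ConfigMaps in the namespace can read them. The deployment config shown earlier on this page already injects `ENCRYPTION_KEY` and `SESSION_KEY` from `modernpaste-secret`, so the values can stay in the Secret with `ID_ENCRYPTION_KEY = os.environ.get('ENCRYPTION_KEY')` and `FLASK_SECRET_KEY = os.environ.get('SESSION_KEY')`. The commented-out line reads `os.environ.get('SECRET_KEY')`, a name the deployment config does not set, which may be why the environment lookup appeared not to work. The secret.yml hunk in the same patch and the `SQLALCHEMY_DATABASE_URI` hunks in PATCH 21/53 and 22/53 move further in the same direction and deserve the same treatment.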
@@ -13,7 +13,7 @@ - { role: openshift/object, app: modernpaste, template: secret.yml } - { role: openshift/object, app: modernpaste, file: buildconfig.yml } - { role: openshift/start-build, app: modernpaste, name: modernpaste-docker-build } - - { role: openshift/object, app: modernpaste, file: configmap.yml } + - { role: openshift/object, app: modernpaste, template: configmap.yml } - { role: openshift/object, app: modernpaste, file: service.yml } - { role: openshift/object, app: modernpaste, file: route.yml } - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml } From af929e8fcd3543626b7f5529e2638fac6ec8a74a Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:11:35 +0000 Subject: [PATCH 20/53] Uncomment these for now Signed-off-by: Ricky Elrod --- roles/openshift-apps/modernpaste/templates/secret.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml index 2ff48320a0..230514c059 100644 --- a/roles/openshift-apps/modernpaste/templates/secret.yml +++ b/roles/openshift-apps/modernpaste/templates/secret.yml @@ -5,6 +5,6 @@ metadata: labels: environment: "modernpaste" stringData: - #encryption-key: "{{modernpaste_stg_encryption_key}}" - #session-key: "{{modernpaste_stg_session_key}}" + encryption-key: "{{modernpaste_stg_encryption_key}}" + session-key: "{{modernpaste_stg_session_key}}" database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" From 0a166c16c3353e97662782a6e23eee5f9af9dfee Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:22:18 +0000 Subject: [PATCH 21/53] stop using os secrets here Signed-off-by: Ricky Elrod --- roles/openshift-apps/modernpaste/templates/configmap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/openshift-apps/modernpaste/templates/configmap.yml b/roles/openshift-apps/modernpaste/templates/configmap.yml index 8ce182644e..25d4be4109 100644 --- a/roles/openshift-apps/modernpaste/templates/configmap.yml +++ b/roles/openshift-apps/modernpaste/templates/configmap.yml @@ -10,7 +10,7 @@ data: import constants import os - SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URI') + SQLALCHEMY_DATABASE_URI = "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" SQLALCHEMY_TRACK_MODIFICATIONS = False SECRET_KEY = config.FLASK_SECRET_KEY config.py: |- From f962b2ede04cf60da719bc7654a6f8a0fac3846f Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:41:28 +0000 Subject: [PATCH 22/53] use a more verbose db hostname Signed-off-by: Ricky Elrod --- roles/openshift-apps/modernpaste/templates/configmap.yml | 2 +- roles/openshift-apps/modernpaste/templates/secret.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openshift-apps/modernpaste/templates/configmap.yml b/roles/openshift-apps/modernpaste/templates/configmap.yml index 25d4be4109..1146bbd87a 100644 --- a/roles/openshift-apps/modernpaste/templates/configmap.yml +++ b/roles/openshift-apps/modernpaste/templates/configmap.yml @@ -10,7 +10,7 @@ data: import constants import os - SQLALCHEMY_DATABASE_URI = "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" + SQLALCHEMY_DATABASE_URI = "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste" SQLALCHEMY_TRACK_MODIFICATIONS = False SECRET_KEY = config.FLASK_SECRET_KEY config.py: |- diff --git a/roles/openshift-apps/modernpaste/templates/secret.yml b/roles/openshift-apps/modernpaste/templates/secret.yml index 230514c059..f8859142b2 100644 --- a/roles/openshift-apps/modernpaste/templates/secret.yml +++ b/roles/openshift-apps/modernpaste/templates/secret.yml 
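Review bot: The added `SQLALCHEMY_DATABASE_URI` line in flask_config.py (PATCH 21/53, and again with the longer hostname in PATCH 22/53) interpolates `{{modernpaste_stg_db_user}}` and `{{modernpaste_stg_db_password}}` raw into both a URI and a double-quoted Python literal. A password containing a character such as `@` or `"` would produce a URI that parses differently from what was intended, or a config file that fails to load. Passing the credentials through the `urlencode` filter, e.g. `{{ modernpaste_stg_db_password | urlencode }}`, avoids both cases.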
@@ -7,4 +7,4 @@ metadata: stringData: encryption-key: "{{modernpaste_stg_encryption_key}}" session-key: "{{modernpaste_stg_session_key}}" - database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01/modernpaste" + database-uri: "postgres://{{modernpaste_stg_db_user}}:{{modernpaste_stg_db_password}}@db01.stg.phx2.fedoraproject.org/modernpaste" From 9153bf1ae3f5177e72b79eae6467a2b2de33f643 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:45:41 +0000 Subject: [PATCH 23/53] add a way to `oc rollout latest` Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/modernpaste.yml | 1 + roles/openshift/rollout/tasks/main.yml | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 roles/openshift/rollout/tasks/main.yml diff --git a/playbooks/openshift-apps/modernpaste.yml b/playbooks/openshift-apps/modernpaste.yml index f748ddbef3..179c2bd4dc 100644 --- a/playbooks/openshift-apps/modernpaste.yml +++ b/playbooks/openshift-apps/modernpaste.yml @@ -17,3 +17,4 @@ - { role: openshift/object, app: modernpaste, file: service.yml } - { role: openshift/object, app: modernpaste, file: route.yml } - { role: openshift/object, app: modernpaste, file: deploymentconfig.yml } + - { role: openshift/rollout, app: modernpaste, name: modernpaste-web } diff --git a/roles/openshift/rollout/tasks/main.yml b/roles/openshift/rollout/tasks/main.yml new file mode 100644 index 0000000000..01da41e25b --- /dev/null +++ b/roles/openshift/rollout/tasks/main.yml @@ -0,0 +1,3 @@ +- name: Run `oc rollout latest` + shell: oc -n {{app}} rollout latest {{name}} + run_once: true From afab85e9f1494ec3cafb0dd8574c2316937e7517 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:53:49 +0000 Subject: [PATCH 24/53] make it delete the temp files Signed-off-by: Ricky Elrod --- roles/openshift/object/tasks/main.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml index bda150f795..99a0be59ab 100644 --- a/roles/openshift/object/tasks/main.yml +++ b/roles/openshift/object/tasks/main.yml @@ -1,18 +1,23 @@ - name: Create temporary file tempfile: state=file register: tmpfile + suffix: yml run_once: true - name: Copy template {{template}} to temporary file ({{tmpfile.path}}) - template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}.yml + template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}} when: template is defined run_once: true - name: Copy file {{file}} to temporary file ({{tmpfile.path}}) - copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}.yml + copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}} when: file is defined run_once: true - name: Call `oc apply` on the copied file - shell: oc -n {{app}} apply -f {{tmpfile.path}}.yml + shell: oc -n {{app}} apply -f {{tmpfile.path}} + run_once: true + +- name: Delete temporary file + file: path={{tmpfile.path}} state=absent run_once: true From fe6ab4dbc45b89b669fdd9efc719ad2f12d6f5e3 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Tue, 25 Jul 2017 19:54:33 +0000 Subject: [PATCH 25/53] Except that's not how ansible works Signed-off-by: Ricky Elrod --- roles/openshift/object/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml index 99a0be59ab..05abb526f9 100644 --- a/roles/openshift/object/tasks/main.yml +++ b/roles/openshift/object/tasks/main.yml @@ -1,7 +1,6 @@ - name: Create temporary file - tempfile: state=file + tempfile: state=file suffix=yml register: tmpfile - suffix: yml run_once: true - name: Copy template {{template}} to temporary file ({{tmpfile.path}}) From 11f06b960ffd5ded759a830309c00994f24c6e8b Mon Sep 17 00:00:00 2001 
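Review bot: The new `Delete temporary file` task in PATCH 24/53 only runs when every task before it succeeds, so a failed `oc apply` leaves the rendered object on disk, and for `template: secret.yml` that file holds the database password and both application keys. Wrapping the copy and apply tasks in a `block:` and moving the delete task under its `always:` section would remove the file on failure as well. The apply step could also use `command: oc -n {{app}} apply -f {{tmpfile.path}}` instead of `shell:`, since no shell features are used.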
From: Ricky Elrod Date: Tue, 25 Jul 2017 19:55:30 +0000 Subject: [PATCH 26/53] and add a dot Signed-off-by: Ricky Elrod --- roles/openshift/object/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml index 05abb526f9..afc3e1448a 100644 --- a/roles/openshift/object/tasks/main.yml +++ b/roles/openshift/object/tasks/main.yml @@ -1,5 +1,5 @@ - name: Create temporary file - tempfile: state=file suffix=yml + tempfile: state=file suffix=.yml register: tmpfile run_once: true From 96567f1db32ea18764287f42897f812371f2a5b7 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Tue, 25 Jul 2017 21:39:21 +0000 Subject: [PATCH 27/53] expose via http the shiny new location for mass rebuild failures Signed-off-by: Dennis Gilmore --- roles/koji_hub/templates/kojiweb.conf.j2 | 7 +++++++ roles/varnish/templates/kojipkgs.vcl.j2 | 3 +++ 2 files changed, 10 insertions(+) diff --git a/roles/koji_hub/templates/kojiweb.conf.j2 b/roles/koji_hub/templates/kojiweb.conf.j2 index 4e7eb3ceba..83cc8d8c0c 100644 --- a/roles/koji_hub/templates/kojiweb.conf.j2 +++ b/roles/koji_hub/templates/kojiweb.conf.j2 @@ -84,6 +84,13 @@ Alias /packages "/mnt/koji/packages/" Require all granted +Alias /mass-rebuild "/mnt/koji/mass-rebuild/" + + + Options Indexes FollowSymLinks + Require all granted + + # use redirects for compose and packages locations to be consistent with primary hub {% if inventory_hostname == 'arm-koji01.qa.fedoraproject.org' %} # Disable these for now since there's a cert issue and no virtual host definition to redirect to diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2 index 8062d752bb..de27070a8a 100644 --- a/roles/varnish/templates/kojipkgs.vcl.j2 +++ b/roles/varnish/templates/kojipkgs.vcl.j2 @@ -62,5 +62,8 @@ sub vcl_recv { if (req.url ~ "h264") { return (pipe); } + if (req.url ~ "^/mass-rebuild/") { + return (pipe); + } return (hash); } 
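Review bot: The block added after `Alias /mass-rebuild` in kojiweb.conf.j2 combines `Options Indexes FollowSymLinks` with `Require all granted`, so the directory is listable by anyone and a symlink placed under mass-rebuild would be followed to wherever it points. If the tree is written by build tooling and does not rely on symlinks, `Options Indexes SymLinksIfOwnerMatch` (or `Options Indexes` alone) narrows that. The enclosing directive lines are blank on this page, so the exact directory path cannot be checked here. PATCH 28/53 moves the same block into roles/kojipkgs/files/kojipkgs.conf unchanged, and the point carries over.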
From 71fdd658e430919e525beadead120bc49793773d Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Tue, 25 Jul 2017 21:53:15 +0000 Subject: [PATCH 28/53] make the changes for the right apache instance :D Signed-off-by: Dennis Gilmore --- roles/koji_hub/templates/kojiweb.conf.j2 | 7 ------- roles/kojipkgs/files/kojipkgs.conf | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/koji_hub/templates/kojiweb.conf.j2 b/roles/koji_hub/templates/kojiweb.conf.j2 index 83cc8d8c0c..4e7eb3ceba 100644 --- a/roles/koji_hub/templates/kojiweb.conf.j2 +++ b/roles/koji_hub/templates/kojiweb.conf.j2 @@ -84,13 +84,6 @@ Alias /packages "/mnt/koji/packages/" Require all granted -Alias /mass-rebuild "/mnt/koji/mass-rebuild/" - - - Options Indexes FollowSymLinks - Require all granted - - # use redirects for compose and packages locations to be consistent with primary hub {% if inventory_hostname == 'arm-koji01.qa.fedoraproject.org' %} # Disable these for now since there's a cert issue and no virtual host definition to redirect to diff --git a/roles/kojipkgs/files/kojipkgs.conf b/roles/kojipkgs/files/kojipkgs.conf index 73174bdcc2..588f6b1f70 100644 --- a/roles/kojipkgs/files/kojipkgs.conf +++ b/roles/kojipkgs/files/kojipkgs.conf @@ -89,6 +89,13 @@ Alias /compose /mnt/fedora_koji/koji/compose Require all granted +Alias /mass-rebuild "/mnt/fedora_koji/koji/mass-rebuild/" + + + Options Indexes FollowSymLinks + Require all granted + + Alias /images /mnt/fedora_koji/koji/images From e87463cca37cc3fa81aea6eae5fdad181674cf57 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 25 Jul 2017 16:43:55 -0700 Subject: [PATCH 29/53] Install git on openQA workers (RHBZ #1467086) This will avoid some unnecessary error messages in logs. --- roles/openqa/worker/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml index fb24374eb7..984f267017 100644 --- a/roles/openqa/worker/tasks/main.yml 
+++ b/roles/openqa/worker/tasks/main.yml @@ -24,6 +24,7 @@ with_items: - libselinux-python - edk2-ovmf + - git tags: - packages From eeef3f1aa8280cc125ac747442ea016dee9dc7cf Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Tue, 25 Jul 2017 17:00:10 -0700 Subject: [PATCH 30/53] openqa/worker: ed2k-ovmf doesn't exist on ppc --- roles/openqa/worker/tasks/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/openqa/worker/tasks/main.yml b/roles/openqa/worker/tasks/main.yml index 984f267017..5cb4f31af6 100644 --- a/roles/openqa/worker/tasks/main.yml +++ b/roles/openqa/worker/tasks/main.yml @@ -23,11 +23,16 @@ dnf: name={{ item }} state=present with_items: - libselinux-python - - edk2-ovmf - git tags: - packages +- name: Install UEFI firmware package (x86_64 only) + dnf: name=edk2-ovmf state=present + tags: + - packages + when: "ansible_architecture is defined and ansible_architecture == 'x86_64'" + - include: nfs-client.yml when: openqa_hostname is defined and openqa_hostname != "localhost" From 81d4731aed6bc60ce94fc2e68c56c015a2c9c0ee Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 26 Jul 2017 10:17:58 +0200 Subject: [PATCH 31/53] Place the overriding systemd service file where it should be --- roles/distgit/pagure/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/pagure/tasks/main.yml b/roles/distgit/pagure/tasks/main.yml index c9973a8773..b8c33a2f69 100644 --- a/roles/distgit/pagure/tasks/main.yml +++ b/roles/distgit/pagure/tasks/main.yml @@ -139,7 +139,7 @@ - name: Override the default pagure_worker.service file to change the user it is run under copy: src=pagure_worker.service - dest=/usr/lib/systemd/system/pagure_worker.service + dest=/etc/systemd/system/pagure_worker.service owner=root group=root mode=0755 notify: - reload systemd From 3865c0081380112a01f3b0bd6ba2fed1fc022758 Mon Sep 17 00:00:00 2001 
From: Pierre-Yves Chibon Date: Wed, 26 Jul 2017 10:47:13 +0200 Subject: [PATCH 32/53] Make /pagure work on src.stg --- roles/distgit/pagure/templates/0_pagure.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/pagure/templates/0_pagure.conf b/roles/distgit/pagure/templates/0_pagure.conf index 80bf4d7764..c2452d06eb 100644 --- a/roles/distgit/pagure/templates/0_pagure.conf +++ b/roles/distgit/pagure/templates/0_pagure.conf @@ -30,7 +30,7 @@ WSGIDaemonProcess pagureproc user=pagure group=packager maximum-requests=1000 di git-(upload|receive)-pack))$" \ /usr/libexec/git-core/git-http-backend/$1 - + WSGIProcessGroup pagureproc # Apache 2.4 From a7deae1ea2411a13f5e6f0828aad64e074a7633d Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Jul 2017 09:11:56 +0000 Subject: [PATCH 33/53] Updates darkserver backend with rabbitmq role --- playbooks/groups/darkserver-backend.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/darkserver-backend.yml b/playbooks/groups/darkserver-backend.yml index 7df789f355..a4609ab131 100644 --- a/playbooks/groups/darkserver-backend.yml +++ b/playbooks/groups/darkserver-backend.yml @@ -66,6 +66,7 @@ roles: - fedmsg/hub + - rabbitmq - darkserver/backend - role: collectd/fedmsg-service process: fedmsg-hub From d237c72f56e6cba5e98bf78e6728579942a7bf3c Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Jul 2017 09:43:03 +0000 Subject: [PATCH 34/53] Use package than yum to install --- roles/rabbitmq/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rabbitmq/tasks/main.yml b/roles/rabbitmq/tasks/main.yml index c01634c4e6..34d0ec789b 100644 --- a/roles/rabbitmq/tasks/main.yml +++ b/roles/rabbitmq/tasks/main.yml @@ -1,5 +1,5 @@ - name: install needed packages - yum: pkg={{ item }} state=present + package: pkg={{ item }} state=present with_items: - rabbitmq-server tags: From 181363104e0dda456bdfaa3578930dbf5f435aea Mon Sep 17 00:00:00 2001 
From: Kushal Das Date: Wed, 26 Jul 2017 09:43:42 +0000 Subject: [PATCH 35/53] Using dnf to install the packages --- roles/darkserver/backend/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/darkserver/backend/tasks/main.yml b/roles/darkserver/backend/tasks/main.yml index 1fc8460c7e..e775501551 100644 --- a/roles/darkserver/backend/tasks/main.yml +++ b/roles/darkserver/backend/tasks/main.yml @@ -3,7 +3,7 @@ # - name: setup darkserver - yum: name={{ item }} state=present + dnf: name={{ item }} state=present with_items: - darkserver-importer notify: From f306cbbc5e4e0874b2cf821a118bb724febc2692 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Jul 2017 09:46:16 +0000 Subject: [PATCH 36/53] Uses dnf to install libsemanage-python --- playbooks/groups/darkserver-backend.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/groups/darkserver-backend.yml b/playbooks/groups/darkserver-backend.yml index a4609ab131..6808b97dae 100644 --- a/playbooks/groups/darkserver-backend.yml +++ b/playbooks/groups/darkserver-backend.yml @@ -12,7 +12,7 @@ pre_tasks: - - yum: name=libsemanage-python state=present + - dnf: name=libsemanage-python state=present - name: "Set SElinux booleans" seboolean: name=httpd_can_network_connect_db state=yes persistent=yes From c85135de1c5c363aa82bcc557b28739cc3f805eb Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Jul 2017 10:26:43 +0000 Subject: [PATCH 37/53] Starts darkservice in the backend --- roles/darkserver/backend/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/darkserver/backend/tasks/main.yml b/roles/darkserver/backend/tasks/main.yml index e775501551..c79685e5fd 100644 --- a/roles/darkserver/backend/tasks/main.yml +++ b/roles/darkserver/backend/tasks/main.yml 
@@ -18,6 +18,9 @@ - name: email.json file copy: src=email.json dest=/etc/darkserver/email.json owner=root group=root mode=0644 +- name: darkserver service + service: name=darkserver state=started enabled=yes + - name: darkjobworker.conf template: src=darkjobworker.conf.j2 dest=/etc/darkserver/darkjobworker.conf owner=root group=root mode=640 notify: restart darkserver From 7d93f73993d48f4e61a734d14e87294308ba96b3 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Wed, 26 Jul 2017 15:04:11 +0000 Subject: [PATCH 38/53] Adds missing fedmsg/base role --- playbooks/groups/darkserver-backend.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/groups/darkserver-backend.yml b/playbooks/groups/darkserver-backend.yml index 6808b97dae..c90249c255 100644 --- a/playbooks/groups/darkserver-backend.yml +++ b/playbooks/groups/darkserver-backend.yml @@ -65,6 +65,7 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: + - fedmsg/base - fedmsg/hub - rabbitmq - darkserver/backend From 39b719cee1eb86a72884457cfd4e29f7452b114c Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Wed, 26 Jul 2017 17:35:52 +0200 Subject: [PATCH 39/53] Now that we are *done* with f25 it has been requested [1] that we update the daily bodhi push to update the release ref so that anyone choosing to stay on f25 for now will get updated content. [1] https://pagure.io/atomic-wg/issue/303 Signed-off-by: Dusty Mabe --- roles/bodhi2/backend/templates/atomic-config.py.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bodhi2/backend/templates/atomic-config.py.j2 b/roles/bodhi2/backend/templates/atomic-config.py.j2 index b998bdef3e..d75269cf21 100644 --- a/roles/bodhi2/backend/templates/atomic-config.py.j2 +++ b/roles/bodhi2/backend/templates/atomic-config.py.j2 
@@ -71,7 +71,7 @@ config = dict( 'tree': 'docker-host', 'treefile': { 'include': 'fedora-atomic-docker-host.json', - 'ref': 'fedora-atomic/25/x86_64/updates/docker-host', + 'ref': 'fedora-atomic/25/x86_64/docker-host', 'repos': ['fedora-25', 'fedora-25-updates', 'updates'], 'packages': [], }, From f7734cba707cefab7165333b29e4e09a722542e6 Mon Sep 17 00:00:00 2001 From: Nick Bebout Date: Wed, 26 Jul 2017 16:28:59 +0000 Subject: [PATCH 40/53] Update ham-radio-exams alias --- roles/fas_client/files/aliases.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fas_client/files/aliases.template b/roles/fas_client/files/aliases.template index cffbf3421e..477b78560e 100644 --- a/roles/fas_client/files/aliases.template +++ b/roles/fas_client/files/aliases.template @@ -162,7 +162,7 @@ infra-security: puiterwijk webmaster: websites@lists.fedoraproject.org logo: rlerch@redhat.com,duffy@redhat.com -ham-radio-exams: nb,jbwillia,robertjw,gholms +ham-radio-exams: nb,codeblock,gholms diversity: tatica # Misc Aliases From 592c8c02df306d229b9f6aaa49904f82132d40c9 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Wed, 26 Jul 2017 18:29:24 +0200 Subject: [PATCH 41/53] Enable autosigning for f27-rebuild Signed-off-by: Patrick Uiterwijk --- .../files/robosignatory.production.py | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/roles/robosignatory/files/robosignatory.production.py b/roles/robosignatory/files/robosignatory.production.py index 5d87f4efa5..20dc5d17d8 100644 --- a/roles/robosignatory/files/robosignatory.production.py +++ b/roles/robosignatory/files/robosignatory.production.py 
@@ -41,16 +41,10 @@ config = { 'tags': [ # Temporary tags { - "from": "f26-rebuild", - "to": "f26-rebuild", - "key": "fedora-26", - "keyid": "64dab85d" - }, - { - "from": "f25-llvm39", - "to": "f25-llvm39", - "key": "fedora-25", - "keyid": "fdb19c98" + "from": "f27-rebuild", + "to": "f27-rebuild", + "key": "fedora-27", + "keyid": "f5282ee4" }, # Infra tags From 62ce79611542b94a470bf346ad29399f35ac255e Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 26 Jul 2017 22:23:53 +0200 Subject: [PATCH 42/53] Set a real gitolite file --- roles/distgit/pagure/templates/pagure.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/pagure/templates/pagure.cfg b/roles/distgit/pagure/templates/pagure.cfg index 92b3c2bc79..70647221b0 100644 --- a/roles/distgit/pagure/templates/pagure.cfg +++ b/roles/distgit/pagure/templates/pagure.cfg @@ -100,7 +100,7 @@ TICKETS_FOLDER = None REMOTE_GIT_FOLDER = '/srv/git/remotes' ### Configuration file for gitolite -#GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf' +GITOLITE_CONFIG = '/srv/git/.gitolite/conf/gitolite.conf.pagure' ### Temp folder to be used to make the clones to work around bug in libgit2: ## refs: https://github.com/libgit2/libgit2/issues/2965 From 3aff7686a7adc5f18eda5af60b2ccbe9fcbec160 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 26 Jul 2017 22:27:08 +0200 Subject: [PATCH 43/53] Try commenting out the group in the systemd service file --- roles/distgit/pagure/files/pagure_worker.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/pagure/files/pagure_worker.service b/roles/distgit/pagure/files/pagure_worker.service index bf83a0966e..7b9473b9cf 100644 --- a/roles/distgit/pagure/files/pagure_worker.service +++ b/roles/distgit/pagure/files/pagure_worker.service 
@@ -8,7 +8,7 @@ ExecStart=/usr/bin/celery worker -A pagure.lib.tasks --loglevel=info --autoreloa Environment="PAGURE_CONFIG=/etc/pagure/pagure.cfg" Type=simple User=pagure -Group=pagure +#Group=pagure Restart=on-failure [Install] From 6b46610d750fc1e7b3fc8fd4037fafe770d58c80 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Wed, 26 Jul 2017 22:53:44 +0200 Subject: [PATCH 44/53] Enforce a new version of pygments --- roles/distgit/pagure/templates/pagure.wsgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/distgit/pagure/templates/pagure.wsgi b/roles/distgit/pagure/templates/pagure.wsgi index b04abac4d8..b072264090 100644 --- a/roles/distgit/pagure/templates/pagure.wsgi +++ b/roles/distgit/pagure/templates/pagure.wsgi @@ -4,7 +4,7 @@ # two possible version of python-sqlalchemy and python-jinja2 # These lines make sure the application uses the correct version. import __main__ -__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4'] +__main__.__requires__ = ['SQLAlchemy >= 0.8', 'jinja2 >= 2.4', 'Pygments>=2.1.0'] import pkg_resources import os From bd14419b63988ee0cb18c7ce2bc6eb50fb676b76 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Thu, 27 Jul 2017 14:18:31 +0000 Subject: [PATCH 45/53] It is env not environment --- roles/darkserver/backend/templates/darkjobworker.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/darkserver/backend/templates/darkjobworker.conf.j2 b/roles/darkserver/backend/templates/darkjobworker.conf.j2 index d6644ee141..2d645a26e2 100644 --- a/roles/darkserver/backend/templates/darkjobworker.conf.j2 +++ b/roles/darkserver/backend/templates/darkjobworker.conf.j2 @@ -1,5 +1,5 @@ [darkserver] -{% if environment == "staging" %} +{% if env == "staging" %} host=db01.stg.phx2.fedoraproject.org password={{ darkserver_stg_writer_password }} {% else %} From e53ba089e49b9e6162ddbce862f92037517a86ce Mon Sep 17 00:00:00 2001 
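Review bot: Commenting out `Group=pagure` changes the group the Celery worker runs as without stating which group is intended; with only `User=pagure` set, systemd falls back to that user's default group. If the worker needs the same group as the web side to reach the repositories (0_pagure.conf runs the WSGI daemon with `group=packager`), set it explicitly, e.g. `Group=packager`, so the unit does not depend on how the account happens to be defined. Otherwise delete the line and leave a one-line comment giving the reason, rather than a commented-out directive. The unit file continues outside the hunk.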
From: Jeremy Cline Date: Thu, 27 Jul 2017 14:28:26 +0000 Subject: [PATCH 46/53] Add tibbs as an admin on Anitya Signed-off-by: Jeremy Cline --- roles/anitya/frontend/templates/anitya.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/anitya/frontend/templates/anitya.cfg b/roles/anitya/frontend/templates/anitya.cfg index 2d58ec7abd..2c4dfd9e3d 100644 --- a/roles/anitya/frontend/templates/anitya.cfg +++ b/roles/anitya/frontend/templates/anitya.cfg @@ -18,6 +18,7 @@ ANITYA_WEB_ADMINS = [ 'http://ralph.id.fedoraproject.org/', 'http://pingou.id.fedoraproject.org/', 'http://jcline.id.fedoraproject.org/', + 'http://tibbs.id.fedoraproject.org/', ] # Email addresses to send tracebacks to when an HTTP 500 occurs From 0c164f885ead8d48b4c3c8e1074ff8efef141e0f Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Thu, 27 Jul 2017 15:00:24 +0000 Subject: [PATCH 47/53] Update notify handler for darkserver --- handlers/restart_services.yml | 4 ++++ roles/darkserver/backend/tasks/main.yml | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 5a32cb62a1..f5f3b4d209 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -173,3 +173,7 @@ - name: restart idmapd service: name=nfs-idmapd state=restarted + +- name: restart darkserver + service: name=darkserver state=restarted + diff --git a/roles/darkserver/backend/tasks/main.yml b/roles/darkserver/backend/tasks/main.yml index c79685e5fd..e775501551 100644 --- a/roles/darkserver/backend/tasks/main.yml +++ b/roles/darkserver/backend/tasks/main.yml @@ -18,9 +18,6 @@ - name: email.json file copy: src=email.json dest=/etc/darkserver/email.json owner=root group=root mode=0644 -- name: darkserver service - service: name=darkserver state=started enabled=yes - - name: darkjobworker.conf template: src=darkjobworker.conf.j2 dest=/etc/darkserver/darkjobworker.conf owner=root group=root mode=640 notify: restart darkserver 
From 2c0b780d28f5d01e2fe29c1ffff0aa5c2d71e0ca Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 27 Jul 2017 17:16:03 +0000 Subject: [PATCH 48/53] Add waiverdb scope in stg Signed-off-by: Ricky Elrod --- roles/ipsilon/tasks/main.yml | 1 + roles/ipsilon/templates/configuration.conf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml index 1c088e4bb8..82c656ad52 100644 --- a/roles/ipsilon/tasks/main.yml +++ b/roles/ipsilon/tasks/main.yml @@ -41,6 +41,7 @@ - account-scopes - mbs - beaker + - waiverdb notify: - reload apache tags: diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf index 3def4c896c..fe71210898 100644 --- a/roles/ipsilon/templates/configuration.conf +++ b/roles/ipsilon/templates/configuration.conf @@ -25,7 +25,7 @@ global enabled=persona,openid,saml2,openidc {% if env == "production" %} openidc enabled extensions=fedora-account,mbs,beaker {% else %} -openidc enabled extensions=fedora-account,mbs,beaker +openidc enabled extensions=fedora-account,mbs,beaker,waiverdb {% endif %} {% if env == 'staging' %} From b83f6a55104390e2b9ec861f94969cfbe08fb5dd Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 27 Jul 2017 17:31:04 +0000 Subject: [PATCH 49/53] try waiverdb openshift stuff, what could go wrong 
Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/waiverdb.yml | 20 +++++ .../waiverdb/files/configmap.yml | 12 +++ .../waiverdb/files/deploymentconfig.yml | 74 +++++++++++++++++++ .../waiverdb/files/imagestream.yml | 10 +++ roles/openshift-apps/waiverdb/files/route.yml | 16 ++++ .../openshift-apps/waiverdb/files/service.yml | 14 ++++ .../waiverdb/templates/client_secrets.json | 10 +++ .../waiverdb/templates/project.yml | 10 +++ .../waiverdb/templates/secret.yml | 9 +++ roles/openshift/secret-file/tasks/main.yml | 22 ++++++ 10 files changed, 197 insertions(+) create mode 100644 playbooks/openshift-apps/waiverdb.yml create mode 100644 roles/openshift-apps/waiverdb/files/configmap.yml create mode 100644 roles/openshift-apps/waiverdb/files/deploymentconfig.yml create mode 100644 roles/openshift-apps/waiverdb/files/imagestream.yml create mode 100644 roles/openshift-apps/waiverdb/files/route.yml create mode 100644 roles/openshift-apps/waiverdb/files/service.yml create mode 100644 roles/openshift-apps/waiverdb/templates/client_secrets.json create mode 100644 roles/openshift-apps/waiverdb/templates/project.yml create mode 100644 roles/openshift-apps/waiverdb/templates/secret.yml create mode 100644 roles/openshift/secret-file/tasks/main.yml diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml new file mode 100644 index 0000000000..faf551b697 --- /dev/null +++ b/playbooks/openshift-apps/waiverdb.yml 
@@ -0,0 +1,20 @@
+- name: make the app be real
+ hosts: os-masters-stg
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb }
+ - { role: openshift/object, app: waiverdb, template: secret.yml }
+ - { role: openshift/secret-file, app: waiverdb, key=client_secrets.json, template: client_secrets.json }
+ - { role: openshift/object, app: waiverdb, file: imagestream.yml }
+ - { role: openshift/object, app: waiverdb, template: configmap.yml }
+ - { role: openshift/object, app: waiverdb, file: service.yml }
+ - { role: openshift/object, app: waiverdb, file: route.yml }
+ - { role: openshift/object, app: waiverdb, file: deploymentconfig.yml }
+ - { role: openshift/rollout, app: waiverdb, name: waiverdb-stg-web }
diff --git a/roles/openshift-apps/waiverdb/files/configmap.yml b/roles/openshift-apps/waiverdb/files/configmap.yml
new file mode 100644
index 0000000000..0248cb7a59
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/configmap.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: waiverdb-stg-configmap
+ labels:
+ app: waiverdb
+data:
+ settings.py: |-
+ DATABASE_URI = 'postgresql+psycopg2://waiverdb@db01.stg.phx2.fedoraproject.org:5432/waiverdb'
+ AUTH_METHOD = 'OIDC'
+ OIDC_CLIENT_SECRETS = '/etc/secret/client_secrets.json'
+ PORT = 8080
diff --git a/roles/openshift-apps/waiverdb/files/deploymentconfig.yml b/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
new file mode 100644
index 0000000000..61003293b8
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/deploymentconfig.yml
@@ -0,0 +1,74 @@
+
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+ service: web
+spec:
+ replicas: 2
+ selector:
+ app: waiverdb
+ service: web
+ template:
+ metadata:
+ labels:
+ app: waiverdb
+ service: web
+ spec:
+ containers:
+ - name: web
+ image: waiverdb
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/waiverdb
+ readOnly: true
+ - name: secret-volume
+ mountPath: /etc/secret
+ readOnly: true
+ env:
+ - name: DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: waiverdb-stg-secret
+ key: database-password
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: waiverdb-stg-secret
+ key: flask-secret-key
+ readinessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 5
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ livenessProbe:
+ timeoutSeconds: 1
+ initialDelaySeconds: 30
+ httpGet:
+ path: /healthcheck
+ port: 8080
+ resources:
+ limits:
+ memory: 384Mi
+ volumes:
+ - name: config-volume
+ configMap:
+ name: waiverdb-stg-configmap
+ - name: secret-volume
+ secret:
+ secretName: waiverdb-stg-secret
+ triggers:
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - web
+ from:
+ kind: ImageStreamTag
+ name: waiverdb:latest
+ - type: ConfigChange
diff --git a/roles/openshift-apps/waiverdb/files/imagestream.yml b/roles/openshift-apps/waiverdb/files/imagestream.yml
new file mode 100644
index 0000000000..7523f9939d
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/imagestream.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ImageStream
+metadata:
+ name: waiverdb
+spec:
+ tags:
+ - name: latest
+ from:
+ kind: DockerImage
+ name: candidate-registry.fedoraproject.org/f25/waiverdb:latest
diff --git a/roles/openshift-apps/waiverdb/files/route.yml b/roles/openshift-apps/waiverdb/files/route.yml
new file mode 100644
index 0000000000..71517f6e3b
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/route.yml
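Review bot: The `secret-volume` entry under `volumes:` mounts every key of `waiverdb-stg-secret` at /etc/secret, so `database-password` and `flask-secret-key` become readable files in the container on top of the `DATABASE_PASSWORD` and `SECRET_KEY` environment variables that already carry them. The settings.py in this commit only reads `/etc/secret/client_secrets.json`, so the volume can project just that key: under `secret:` add `items:` with `- key: client_secrets.json` and `path: client_secrets.json`. That keeps each credential exposed through one channel only and narrows what a file-read bug in the application can reach.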
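Review bot: The `latest` tag follows `candidate-registry.fedoraproject.org/f25/waiverdb:latest`, a mutable tag on what the hostname suggests is a candidate registry, and the DeploymentConfig in this commit uses an ImageChange trigger with `automatic: true`. Whatever that tag resolves to when the stream is imported is therefore rolled out with no record of which image was deployed. Pinning the `DockerImage` name to an immutable reference, in the form `<registry>/f25/waiverdb@sha256:<digest>` (placeholder), makes the rollout reproducible and auditable; if tracking `latest` is intended for staging, a comment saying so would help.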
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Route
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+spec:
+ host: waiverdb.stg.fedoraproject.org
+ port:
+ targetPort: web
+ to:
+ kind: Service
+ name: waiverdb-stg-web
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
diff --git a/roles/openshift-apps/waiverdb/files/service.yml b/roles/openshift-apps/waiverdb/files/service.yml
new file mode 100644
index 0000000000..a0390f9810
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/files/service.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: waiverdb-stg-web
+ labels:
+ app: waiverdb
+spec:
+ selector:
+ app: waiverdb
+ service: web
+ ports:
+ - name: web
+ port: 8080
+ targetPort: 8080
diff --git a/roles/openshift-apps/waiverdb/templates/client_secrets.json b/roles/openshift-apps/waiverdb/templates/client_secrets.json
new file mode 100644
index 0000000000..6977844f22
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/client_secrets.json
@@ -0,0 +1,10 @@
+{"web": {
+ "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"],
+ "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token",
+ "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization",
+ "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c",
+ "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF",
+ "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo",
+ "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"
+ }
+}
diff --git a/roles/openshift-apps/waiverdb/templates/project.yml b/roles/openshift-apps/waiverdb/templates/project.yml
new file mode 100644
index 0000000000..aef2ccd932
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/project.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Project
+metadata:
+ annotations:
+ openshift.io/description: "{{description}}"
+ openshift.io/display-name: "{{app}}"
+ creationTimestamp: null
+ name: "{{app}}"
+spec: {}
+status: {}
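Review bot: `client_secret` is committed as a literal in templates/client_secrets.json, while the other credentials in this commit (templates/secret.yml) are filled from private variables. Even if this client only exists on the iddev identity provider, a value stored in the repository should be treated as disclosed to everyone who can read it; since the file is already a template, it can take the value from a private variable, `"client_secret": "{{ <private var for the OIDC client secret> }}"` (placeholder name), and the committed one should be rotated. The same literal is embedded again in templates/secret.yml by patch 52 of this series. Separately, `redirect_uris` names `waiverdb-waiverdb.app.os.stg.fedoraproject.org` while route.yml in this commit exposes `waiverdb.stg.fedoraproject.org`, so one of the two probably has to change for the OIDC redirect to match.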
diff --git a/roles/openshift-apps/waiverdb/templates/secret.yml b/roles/openshift-apps/waiverdb/templates/secret.yml
new file mode 100644
index 0000000000..1739f6ed46
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/secret.yml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "waiverdb-stg-secret"
+ labels:
+ app: "waiverdb"
+stringData:
+ flask-secret-key: "{{stg_waiverdb_secret_key}}"
+ database-password: "{{stg_waiverdb_db_password}}"
diff --git a/roles/openshift/secret-file/tasks/main.yml b/roles/openshift/secret-file/tasks/main.yml
new file mode 100644
index 0000000000..697ce185ae
--- /dev/null
+++ b/roles/openshift/secret-file/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Create temporary file
+ tempfile: state=file
+ register: tmpfile
+ run_once: true
+
+- name: Copy template {{template}} to temporary file ({{tmpfile.path}})
+ template: src={{roles_path}}/openshift-apps/{{app}}/templates/{{template}} dest={{tmpfile.path}}
+ when: template is defined
+ run_once: true
+
+- name: Copy file {{file}} to temporary file ({{tmpfile.path}})
+ copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
+ when: file is defined
+ run_once: true
+
+- name: Call `oc secrets new` on the copied file
+ shell: oc -n {{app}} secrets new {{secret_name}} {{key}}={{tmpfile.path}}
+ run_once: true
+
+- name: Delete temporary file
+ file: path={{tmpfile.path}} state=absent
+ run_once: true
From 24bcf733a9fc286011a2909fe624bdb510d390fe Mon Sep 17 00:00:00 2001
From: Ricky Elrod
Date: Thu, 27 Jul 2017 17:39:04 +0000
Subject: [PATCH 50/53] add secret_name
Signed-off-by: Ricky Elrod
---
playbooks/openshift-apps/waiverdb.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml
index faf551b697..52cefd50ae 100644
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
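Review bot: The rendered secret is written to a temporary file, and `Delete temporary file` only runs when every task before it succeeds, so a failing copy or a failing `oc secrets new` leaves the secret material on the master's disk. Moving the copy and `oc` tasks into a `block:` with the delete under `always:` removes the file on both paths. The `oc` call also goes through `shell:` with unquoted `{{app}}`, `{{secret_name}}` and `{{key}}`; `command:` runs the same invocation without handing those values to a shell.

```yaml
# … unchanged: "Create temporary file" task …
- block:
  # … unchanged: the two "Copy … to temporary file" tasks, indented under the block …
  - name: Call `oc secrets new` on the copied file
    command: oc -n {{app}} secrets new {{secret_name}} {{key}}={{tmpfile.path}}
    run_once: true
  always:
  - name: Delete temporary file
    file: path={{tmpfile.path}} state=absent
    run_once: true
```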
@@ -11,7 +11,12 @@ roles: - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb } - { role: openshift/object, app: waiverdb, template: secret.yml } - - { role: openshift/secret-file, app: waiverdb, key=client_secrets.json, template: client_secrets.json } + - { role: openshift/secret-file + , app: waiverdb + , secret_name=waiverdb-stg-secret + , key=client_secrets.json + , template: client_secrets.json + } - { role: openshift/object, app: waiverdb, file: imagestream.yml } - { role: openshift/object, app: waiverdb, template: configmap.yml } - { role: openshift/object, app: waiverdb, file: service.yml } From 006e6494ec97e6848638b8b0481e048a2786115b Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 27 Jul 2017 17:40:33 +0000 Subject: [PATCH 51/53] Once more, with feeling Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/waiverdb.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml index 52cefd50ae..e8092361b7 100644 --- a/playbooks/openshift-apps/waiverdb.yml +++ b/playbooks/openshift-apps/waiverdb.yml @@ -13,8 +13,8 @@ - { role: openshift/object, app: waiverdb, template: secret.yml } - { role: openshift/secret-file , app: waiverdb - , secret_name=waiverdb-stg-secret - , key=client_secrets.json + , secret_name: waiverdb-stg-secret + , key: client_secrets.json , template: client_secrets.json } - { role: openshift/object, app: waiverdb, file: imagestream.yml } From 95ab4f1e02c49c89c871079f386df214e5870a7b Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 27 Jul 2017 17:49:00 +0000 Subject: [PATCH 52/53] Just embed the file for now, until I figure openshift secrets out better Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/waiverdb.yml | 12 ++++++------ roles/openshift-apps/waiverdb/templates/secret.yml | 11 +++++++++++ 2 files changed, 17 insertions(+), 6 deletions(-) 
diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml index e8092361b7..375fe5d2b4 100644 --- a/playbooks/openshift-apps/waiverdb.yml +++ b/playbooks/openshift-apps/waiverdb.yml @@ -11,12 +11,12 @@ roles: - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb } - { role: openshift/object, app: waiverdb, template: secret.yml } - - { role: openshift/secret-file - , app: waiverdb - , secret_name: waiverdb-stg-secret - , key: client_secrets.json - , template: client_secrets.json - } + #- { role: openshift/secret-file + # , app: waiverdb + # , secret_name: waiverdb-stg-secret + # , key: client_secrets.json + # , template: client_secrets.json + # } - { role: openshift/object, app: waiverdb, file: imagestream.yml } - { role: openshift/object, app: waiverdb, template: configmap.yml } - { role: openshift/object, app: waiverdb, file: service.yml } diff --git a/roles/openshift-apps/waiverdb/templates/secret.yml b/roles/openshift-apps/waiverdb/templates/secret.yml index 1739f6ed46..da46756538 100644 --- a/roles/openshift-apps/waiverdb/templates/secret.yml +++ b/roles/openshift-apps/waiverdb/templates/secret.yml @@ -7,3 +7,14 @@ metadata: stringData: flask-secret-key: "{{stg_waiverdb_secret_key}}" database-password: "{{stg_waiverdb_db_password}}" + # This is the same non-secret config we have committed + # as conf/client_secrets.json for using in dev environments. + client_secrets.json: |- + {"web": { + "redirect_uris": ["https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/"], + "token_uri": "https://iddev.fedorainfracloud.org/openidc/Token", + "auth_uri": "https://iddev.fedorainfracloud.org/openidc/Authorization", + "client_id": "D-e69a1ac7-30fa-4d18-9001-7468c4f34c3c", + "client_secret": "qgz8Bzjg6nO7JWCXoB0o8L49KfI5atLF", + "userinfo_uri": "https://iddev.fedorainfracloud.org/openidc/UserInfo", + "token_introspection_uri": "https://iddev.fedorainfracloud.org/openidc/TokenInfo"}} 
From c223c76370ae1bc1946235bee41b1a3652fc9f33 Mon Sep 17 00:00:00 2001 From: Ricky Elrod Date: Thu, 27 Jul 2017 17:50:21 +0000 Subject: [PATCH 53/53] config map is a file not a template Signed-off-by: Ricky Elrod --- playbooks/openshift-apps/waiverdb.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml index 375fe5d2b4..b567ef7e95 100644 --- a/playbooks/openshift-apps/waiverdb.yml +++ b/playbooks/openshift-apps/waiverdb.yml @@ -18,7 +18,7 @@ # , template: client_secrets.json # } - { role: openshift/object, app: waiverdb, file: imagestream.yml } - - { role: openshift/object, app: waiverdb, template: configmap.yml } + - { role: openshift/object, app: waiverdb, file: configmap.yml } - { role: openshift/object, app: waiverdb, file: service.yml } - { role: openshift/object, app: waiverdb, file: route.yml } - { role: openshift/object, app: waiverdb, file: deploymentconfig.yml }