Split off some rabbitmq vhosts

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2022-07-05 09:29:29 +02:00 · 2022-07-05 09:29:29 +02:00 · 24c7194f1a
commit 24c7194f1a
parent 4249161ad0
5 changed files with 213 additions and 212 deletions
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -34,6 +34,8 @@
    sent_topics:
    - ^org\.fedoraproject\.{{ env_short }}\.ansible\..*
    - ^org\.fedoraproject\.{{ env_short }}\.git\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.infragit\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
  - role: rabbit/queue
    username: "mirror_pagure_ansible{{ env_suffix }}"
    queue_name: "mirror_pagure_ansible{{ env_suffix }}"
--- a/roles/rabbitmq_cluster/tasks/apps.yml
+++ b/roles/rabbitmq_cluster/tasks/apps.yml
@ -1,5 +1,6 @@
 #
-# This playbook creates users and queues for specific applications
+# This playbook creates users and queues for specific applications that are not
+# elsewhere in Ansible.
 #


@ -134,123 +135,8 @@
     username: resultsdb-centos{{ env_suffix }}
 # CENTOS RESULTSDB END

-# CENTOS ODCS BEGIN
- name: Configure the centos-odcs virtual host
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_vhost:
-    name: /centos-odcs
-    state: present
-  tags:
-  - centos-odcs
-
- name: Configure the HA policy for the centos-odcs queues
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_policy:
-    name: HA
-    apply_to: queues
-    pattern: .*
-    tags:
-      ha-mode: all
-      ha-sync-mode: automatic  # Auto sync queues to new cluster members
-      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
-    vhost: /centos-odcs
-  tags:
-  - centos-odcs
-
- name: Add a policy to limit queues to 1GB and remove after a month of no use
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_policy:
-    apply_to: queues
-    name: pubsub_sweeper
-    state: present
-    pattern: ".*"
-    tags:
-      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
-      expires: 111600000
-      # Queues can use at most 1GB of storage
-      max-length-bytes: 1073741824
-    vhost: /centos-odcs
-  tags:
-  - centos-odcs
-
- name: Create the centos-odcs-admin user for the centos-odcs vhost (prod)
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: centos-odcs-admin
-    password: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
-    vhost: /centos-odcs
-    configure_priv: .*
-    read_priv: .*
-    write_priv: .*
-  tags:
-  - centos-odcs
-
- name: Dump the admin password in a file for administrative operations
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  copy:
-    dest: /root/.centos-odcs-rabbitmqpass
-    content: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
-    mode: 0600
-    owner: root
-    group: root
-  tags:
-  - centos-odcs
-
- name: Grant the admin user access to the centos-odcs vhost
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: admin
-    vhost: /centos-odcs
-    configure_priv: .*
-    read_priv: .*
-    write_priv: .*
-    tags: administrator
-  tags:
-  - centos-odcs
-
- name: Create a user for centos-odcs access
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: "centos-odcs-private-queue{{ env_suffix }}"
-    vhost: /centos-odcs
-    configure_priv: .*
-    write_priv: .*
-    read_priv: .*
-    state: present
-  tags:
-  - centos-odcs
-
- name: Create the user in RabbitMQ
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: centos-odcs
-    vhost: /centos-odcs
-    read_priv: "^$"  # Publish only, no reading
-    write_priv: "amq\\.topic"
-    configure_priv: "^$"  # No configuration permissions
-    state: present
-  tags:
-  - centos-odcs
-
-# CENTOS ODCS END
-
 # CENTOS robosignatory BEGIN

- name: CentOS Stream robosignatory user
-  run_once: true
-  include_role:
-    name: rabbit/user
-  vars:
-    username: centos-stream-robosignatory
-
 - name: CentOS Stream robosignatory queue
  run_once: true
  include_role:
@ -268,102 +154,6 @@

 # CENTOS STREAM robosignatory END

-# MBS BEGIN
-#
- name: Configure the mbs-private-queue virtual host
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_vhost:
-    name: /mbs-private-queue
-    state: present
-  tags:
-  - mbs-private-queue
-
- name: Configure the HA policy for the mbs-private-queue queues
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_policy:
-    name: HA
-    apply_to: queues
-    pattern: .*
-    tags:
-      ha-mode: all
-      ha-sync-mode: automatic  # Auto sync queues to new cluster members
-      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
-    vhost: /mbs-private-queue
-  tags:
-  - mbs-private-queue
-
- name: Add a policy to limit queues to 1GB and remove after a month of no use
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_policy:
-    apply_to: queues
-    name: pubsub_sweeper
-    state: present
-    pattern: ".*"
-    tags:
-      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
-      expires: 111600000
-      # Queues can use at most 1GB of storage
-      max-length-bytes: 1073741824
-    vhost: /mbs-private-queue
-  tags:
-  - mbs-private-queue
-
- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod)
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: mbs-private-queue
-    password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
-    vhost: /mbs-private-queue
-    configure_priv: .*
-    read_priv: .*
-    write_priv: .*
-  tags:
-  - mbs-private-queue
-
- name: Dump the admin password in a file for administrative operations
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  copy:
-    dest: /root/.mbs-private-queue-rabbitmqpass
-    content: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
-    mode: 0600
-    owner: root
-    group: root
-  tags:
-  - mbs-private-queue
-
- name: Grant the admin user access to the mbs-private-queue vhost
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: admin
-    vhost: /mbs-private-queue
-    configure_priv: .*
-    read_priv: .*
-    write_priv: .*
-    tags: administrator
-  tags:
-  - mbs-private-queue
-
- name: Create a user for mbs-private-queue access
-  run_once: true
-  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
-  rabbitmq_user:
-    user: "mbs-private-queue{{ env_suffix }}"
-    vhost: /mbs-private-queue
-    configure_priv: .*
-    write_priv: .*
-    read_priv: .*
-    state: present
-  tags:
-  - mbs-private-queue
-
-# MBS END
-#
 # ELN BEGIN

 - name: eln queue
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@ -489,3 +489,15 @@
  tags:
  - rabbitmq_cluster
  - config
+
+# VirtualHost /centos-odcs
+- import_tasks: vhost-centos-odcs.yml
+  tags:
+  - rabbitmq_cluster
+  - config
+
+# VirtualHost /mbs-private-queue
+- import_tasks: vhost-mbs-private-queue.yml
+  tags:
+  - rabbitmq_cluster
+  - config
--- a/roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml
+++ b/roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml
@ -0,0 +1,105 @@
+- name: Configure the centos-odcs virtual host
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_vhost:
+    name: /centos-odcs
+    state: present
+  tags:
+  - centos-odcs
+
+- name: Configure the HA policy for the centos-odcs queues
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_policy:
+    name: HA
+    apply_to: queues
+    pattern: .*
+    tags:
+      ha-mode: all
+      ha-sync-mode: automatic  # Auto sync queues to new cluster members
+      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
+    vhost: /centos-odcs
+  tags:
+  - centos-odcs
+
+- name: Add a policy to limit queues to 1GB and remove after a month of no use
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_policy:
+    apply_to: queues
+    name: pubsub_sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
+      expires: 111600000
+      # Queues can use at most 1GB of storage
+      max-length-bytes: 1073741824
+    vhost: /centos-odcs
+  tags:
+  - centos-odcs
+
+- name: Create the centos-odcs-admin user for the centos-odcs vhost (prod)
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: centos-odcs-admin
+    password: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
+    vhost: /centos-odcs
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+  tags:
+  - centos-odcs
+
+- name: Dump the admin password in a file for administrative operations
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  copy:
+    dest: /root/.centos-odcs-rabbitmqpass
+    content: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
+    mode: 0600
+    owner: root
+    group: root
+  tags:
+  - centos-odcs
+
+- name: Grant the admin user access to the centos-odcs vhost
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: admin
+    vhost: /centos-odcs
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    tags: administrator
+  tags:
+  - centos-odcs
+
+- name: Create a user for centos-odcs access
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: "centos-odcs-private-queue{{ env_suffix }}"
+    vhost: /centos-odcs
+    configure_priv: .*
+    write_priv: .*
+    read_priv: .*
+    state: present
+  tags:
+  - centos-odcs
+
+- name: Create the user in RabbitMQ
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: centos-odcs
+    vhost: /centos-odcs
+    read_priv: "^$"  # Publish only, no reading
+    write_priv: "amq\\.topic"
+    configure_priv: "^$"  # No configuration permissions
+    state: present
+  tags:
+  - centos-odcs
+
--- a/roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml
+++ b/roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml
@ -0,0 +1,92 @@
+- name: Configure the mbs-private-queue virtual host
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_vhost:
+    name: /mbs-private-queue
+    state: present
+  tags:
+  - mbs-private-queue
+
+- name: Configure the HA policy for the mbs-private-queue queues
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_policy:
+    name: HA
+    apply_to: queues
+    pattern: .*
+    tags:
+      ha-mode: all
+      ha-sync-mode: automatic  # Auto sync queues to new cluster members
+      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
+    vhost: /mbs-private-queue
+  tags:
+  - mbs-private-queue
+
+- name: Add a policy to limit queues to 1GB and remove after a month of no use
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_policy:
+    apply_to: queues
+    name: pubsub_sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
+      expires: 111600000
+      # Queues can use at most 1GB of storage
+      max-length-bytes: 1073741824
+    vhost: /mbs-private-queue
+  tags:
+  - mbs-private-queue
+
+- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod)
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: mbs-private-queue
+    password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+  tags:
+  - mbs-private-queue
+
+- name: Dump the admin password in a file for administrative operations
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  copy:
+    dest: /root/.mbs-private-queue-rabbitmqpass
+    content: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
+    mode: 0600
+    owner: root
+    group: root
+  tags:
+  - mbs-private-queue
+
+- name: Grant the admin user access to the mbs-private-queue vhost
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: admin
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    tags: administrator
+  tags:
+  - mbs-private-queue
+
+- name: Create a user for mbs-private-queue access
+  run_once: true
+  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+  rabbitmq_user:
+    user: "mbs-private-queue{{ env_suffix }}"
+    vhost: /mbs-private-queue
+    configure_priv: .*
+    write_priv: .*
+    read_priv: .*
+    state: present
+  tags:
+  - mbs-private-queue
+