Deploy journal-to-fedora-messaging on IPA (staging for now)

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-03-28 12:35:51 +01:00 · 2025-03-28 12:35:51 +01:00 · 292c7f6c6e
commit 292c7f6c6e
parent 9c5d4f0768
5 changed files with 172 additions and 0 deletions
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@ -25,6 +25,11 @@
  - ipa/client
  - rsyncd
  - sudo
+  # Set up for fedora-messaging
+  - role: rabbit/user
+    user_name: "ipa{{ env_suffix }}"
+    user_sent_topics: ^org\.fedoraproject\.{{ env_short }}\.ipa\..*
+    when: inventory_hostname.startswith('ipa01')

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/roles/ipa/server/handlers/main.yml
+++ b/roles/ipa/server/handlers/main.yml
@ -1,3 +1,8 @@
 ---
 - name: Restart ipa
  ansible.builtin.command: ipactl restart
+
+- name: Restart journal-to-fedora-messaging
+  systemd:
+    name: journal-to-fedora-messaging
+    state: restarted
--- a/roles/ipa/server/tasks/journal2fedmsg.yml
+++ b/roles/ipa/server/tasks/journal2fedmsg.yml
@ -0,0 +1,80 @@
+- name: Install needed packages
+  ansible.builtin.package:
+    name: journal-to-fedora-messaging
+    state: present
+  tags:
+  - config
+  - ipa/server
+  - fedora-messaging
+
+- name: Create /etc/pki/fedora-messaging
+  ansible.builtin.file:
+    dest: /etc/pki/fedora-messaging
+    mode: "0775"
+    owner: root
+    group: root
+    state: directory
+  tags:
+  - config
+  - ipa/server
+  - fedora-messaging
+
+- name: Deploy the fedora-messaging CA
+  ansible.builtin.copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/ca.crt"
+    dest: /etc/pki/fedora-messaging/ca.crt
+    mode: "0644"
+    owner: root
+    group: root
+  tags:
+  - config
+  - ipa/server
+  - fedora-messaging
+
+- name: Deploy the fedora-messaging cert
+  ansible.builtin.copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/ipa{{env_suffix}}.crt"
+    dest: /etc/pki/fedora-messaging/ipa{{env_suffix}}.crt
+    mode: "0644"
+    owner: root
+    group: root
+  tags:
+  - config
+  - ipa/server
+  - fedora-messaging
+
+- name: Deploy the fedora-messaging key
+  ansible.builtin.copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/ipa{{env_suffix}}.key"
+    dest: /etc/pki/fedora-messaging/ipa{{env_suffix}}.key
+    mode: "0640"
+    owner: root
+    group: journal2fedmsg
+  tags:
+  - config
+  - ipa/server
+  - fedora-messaging
+
+- name: Install fedora-messaging config
+  ansible.builtin.template:
+    src: fedora-messaging.conf.j2
+    dest: /etc/fedora-messaging/config.toml
+    mode: "0644"
+    owner: root
+    group: journal2fedmsg
+  notify:
+  - Restart journal-to-fedora-messaging
+  tags:
+  - ipa/server
+  - config
+  - fedora-messaging
+
+- name: Enable journal-to-fedora-messaging
+  ansible.builtin.service:
+    name: journal-to-fedora-messaging
+    state: started
+    enabled: yes
+  tags:
+  - ipa/server
+  - config
+  - fedora-messaging
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@ -690,6 +690,14 @@
 - name: Include script.yml
  ansible.builtin.import_tasks: scripts.yml

+- name: Include journal-to-fedora-messaging setup
+  ansible.builtin.import_tasks: journal2fedmsg.yml
+  when: env == 'staging'
+  tags:
+  - ipa/server
+  - config
+  - toddlers
+

 # User groups

--- a/roles/ipa/server/templates/fedora-messaging.conf.j2
+++ b/roles/ipa/server/templates/fedora-messaging.conf.j2
@ -0,0 +1,74 @@
+## Fedora Messaging configuration for journal-to-fedora-messaging
+
+# Broker address
+amqp_url = "amqps://ipa{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+passive_declares = true
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+
+# Authentication is TLS-based
+[tls]
+ca_cert = "/etc/pki/fedora-messaging/ca.crt"
+keyfile = "/etc/pki/fedora-messaging/ipa{{ env_suffix }}.key"
+certfile = "/etc/pki/fedora-messaging/ipa{{ env_suffix }}.crt"
+
+[consumer_config]
+
+    journalctl_command = ["journalctl"]
+
+    [[consumer_config.logs]]
+    schema = "journal.ipa.group_add_member.v1"
+    [consumer_config.logs.filters]
+    IPA_API_COMMAND = "group_add_member"
+
+    [[consumer_config.logs]]
+    schema = "journal.ipa.group_remove_member.v1"
+    [consumer_config.logs.filters]
+    IPA_API_COMMAND = "group_remove_member"
+
+
+[client_properties]
+app = "journal-to-fedora-messaging"
+app_url = "https://github.com/fedora-infra/journal-to-fedora-messaging"
+
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+
+[log_config.formatters.simple]
+format = "[%(name)s %(levelname)s] %(message)s"
+
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+
+[log_config.loggers.pika]
+level = "WARNING"
+propagate = false
+handlers = ["console"]
+
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+
+[log_config.loggers.journal_to_fedora_messaging]
+{% if env == "staging" %}
+level = "DEBUG"
+{% else %}
+level = "INFO"
+{% endif %}
+propagate = false
+handlers = ["console"]
+
+[log_config.root]
+level = "WARNING"
+handlers = ["console"]