From 2ce9d8e8d37c48485918a1260b514ce9bd53dbbb Mon Sep 17 00:00:00 2001
From: Brendan Reilly
Date: Thu, 28 Jan 2021 13:17:12 -0500
Subject: [PATCH] MBS uses SSL auth for celery
---
 inventory/group_vars/mbs_backend | 2 +-
 inventory/group_vars/mbs_backend_stg | 2 +-
 roles/mbs/common/tasks/main.yml | 2 --
 roles/mbs/common/templates/config.py | 6 ++++++
 roles/rabbitmq_cluster/tasks/apps.yml | 21 +++++++++++++++++++++
 5 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/inventory/group_vars/mbs_backend b/inventory/group_vars/mbs_backend
index 6ce70aaea8..74e273fae0 100644
--- a/inventory/group_vars/mbs_backend
+++ b/inventory/group_vars/mbs_backend
@@ -41,6 +41,6 @@ csi_relationship: |
 NOTE - this system has a KRB service principal with elevated koji privileges.
-mbs_broker_url: "amqp://mbs{{ env_suffix }}:{{ mbs_backend_amqp_password}}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
+mbs_broker_url: "amqps://mbs{{ env_suffix }}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
 mbs_num_workers: 3
 mbs_systemd_wait_for_rabbitmq: true
diff --git a/inventory/group_vars/mbs_backend_stg b/inventory/group_vars/mbs_backend_stg
index c15a7c4084..97e3afa5ca 100644
--- a/inventory/group_vars/mbs_backend_stg
+++ b/inventory/group_vars/mbs_backend_stg
@@ -48,6 +48,6 @@ csi_relationship: |
 NOTE - this system has a KRB service principal with elevated koji privileges.
-mbs_broker_url: "amqp://mbs{{ env_suffix }}:{{ mbs_backend_amqp_password}}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
+mbs_broker_url: "amqps://mbs{{ env_suffix }}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
 mbs_num_workers: 3
 mbs_systemd_wait_for_rabbitmq: true
diff --git a/roles/mbs/common/tasks/main.yml b/roles/mbs/common/tasks/main.yml
index c7cd903072..bff6585297 100644
--- a/roles/mbs/common/tasks/main.yml
+++ b/roles/mbs/common/tasks/main.yml
@@ -143,12 +143,10 @@
 delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
 rabbitmq_user:
 user: "mbs{{ env_suffix }}"
- password: "{{ mbs_backend_amqp_password }}"
 vhost: /mbs
 configure_priv: .*
 read_priv: .*
 write_priv: .*
- update_password: always
 tags:
 - rabbitmq_cluster
 - config
diff --git a/roles/mbs/common/templates/config.py b/roles/mbs/common/templates/config.py
index d8d9c95518..3a1ebe2e65 100644
--- a/roles/mbs/common/templates/config.py
+++ b/roles/mbs/common/templates/config.py
@@ -20,6 +20,12 @@ class BaseConfiguration(object):
 PORT = 5000
 CELERY_BROKER_URL = '{{ mbs_broker_url }}'
+ CELERY_CONFIG = {
+ 'certfile': "/etc/module-build-service/mbs-private-queue{{env_suffix}}.crt",
+ 'keyfile': "/etc/module-build-service/mbs-private-queue{{env_suffix}}.key",
+ 'ca_certs': "/etc/module-build-service/ca.crt",
+ 'broker_login_method': "EXTERNAL",
+ }
 # Global network-related values, in seconds
 NET_TIMEOUT = 120
diff --git a/roles/rabbitmq_cluster/tasks/apps.yml b/roles/rabbitmq_cluster/tasks/apps.yml
index eace8af4c3..623fa9936a 100644
--- a/roles/rabbitmq_cluster/tasks/apps.yml
+++ b/roles/rabbitmq_cluster/tasks/apps.yml
@@ -254,3 +254,24 @@
 - centos-odcs
 # CENTOS ODCS END
+
+# MBS BEGIN
+- name: MBS User
+ run_once: true
+ include_role:
+ name: rabbit/user
+ vars:
+ username: mbs{{ env_suffix }}
+
+- name: MBS Queue
+ run_once: true
+ include_role:
+ name: rabbit/queue
+ vars:
+ username: mbs{{ env_suffix }}
+ queue_name: mbs{{ env_suffix }}
+ # TTL: 10 days (in miliseconds)
+ message_ttl: 864000000
+ routing_keys:
+ - "mbs.{{ env_short }}.gitlab.#"
+# MBS END
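Review bot: Removing `password` and `update_password: always` from the `rabbitmq_user` task in roles/mbs/common/tasks/main.yml stops Ansible from setting a password, but nothing in this hunk clears the one already stored on the broker for `mbs{{ env_suffix }}`. Where the user already exists, the old `mbs_backend_amqp_password` value presumably stays valid for password logins alongside the new certificate login, so the move to TLS client auth does not by itself retire the credential that used to sit in the broker URL. A one-off `rabbitmqctl clear_password` for that user (or recreating it), followed by removing `mbs_backend_amqp_password` from the private vars once nothing else reads it, would close that gap. The task begins above the hunk, so its name and any conditions are not visible here.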
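Review bot: `CELERY_CONFIG` in roles/mbs/common/templates/config.py names the client certificate, key and CA file but sets no `cert_reqs`, so whether the broker's certificate is actually verified against `ca.crt` is left to the default of the AMQP client library in use, which may be no verification. How MBS hands `CELERY_CONFIG` to Celery is not visible in this hunk; in Celery itself these TLS keys belong under `broker_use_ssl`, and the documented form includes `'cert_reqs': ssl.CERT_REQUIRED`. I would make verification explicit and check on staging that a connection is refused when the broker presents a certificate from a different CA. The diffstat shows no task installing `mbs-private-queue{{env_suffix}}.key`, so also confirm it is deployed elsewhere and readable only by the MBS service account.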
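Review bot: The routing key `mbs.{{ env_short }}.gitlab.#` on the new `MBS Queue` entry in roles/rabbitmq_cluster/tasks/apps.yml looks copied from another application's block; please confirm MBS really needs that topic, since a binding that matches nothing leaves the queue unused and one that matches too much delivers messages MBS should not see. With `broker_login_method` set to `EXTERNAL` in config.py, RabbitMQ derives the username from the client certificate, so the subject of the `mbs-private-queue{{env_suffix}}` certificate has to map to `mbs{{ env_suffix }}` exactly as `rabbit/user` creates it here. What `rabbit/user` grants is not visible in this diff, and roles/mbs/common/tasks/main.yml still manages the same user with `.*` permissions on `/mbs`, so a comment such as `# permissions on the /mbs vhost are set in roles/mbs/common/tasks/main.yml` above `MBS User` would help the next reader.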