MBS uses SSL auth for celery

2021-01-28 13:17:12 -05:00 · 2021-01-28 13:17:12 -05:00 · 2ce9d8e8d3
commit 2ce9d8e8d3
parent 8ed43bb25e
5 changed files with 29 additions and 4 deletions
--- a/inventory/group_vars/mbs_backend
+++ b/inventory/group_vars/mbs_backend
@ -41,6 +41,6 @@ csi_relationship: |

    NOTE - this system has a KRB service principal with elevated koji privileges.

-mbs_broker_url: "amqp://mbs{{ env_suffix }}:{{ mbs_backend_amqp_password}}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
+mbs_broker_url: "amqps://mbs{{ env_suffix }}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
 mbs_num_workers: 3
 mbs_systemd_wait_for_rabbitmq: true
--- a/inventory/group_vars/mbs_backend_stg
+++ b/inventory/group_vars/mbs_backend_stg
@ -48,6 +48,6 @@ csi_relationship: |

    NOTE - this system has a KRB service principal with elevated koji privileges.

-mbs_broker_url: "amqp://mbs{{ env_suffix }}:{{ mbs_backend_amqp_password}}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
+mbs_broker_url: "amqps://mbs{{ env_suffix }}@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fmbs"
 mbs_num_workers: 3
 mbs_systemd_wait_for_rabbitmq: true
--- a/roles/mbs/common/tasks/main.yml
+++ b/roles/mbs/common/tasks/main.yml
@ -143,12 +143,10 @@
    delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
    rabbitmq_user:
      user: "mbs{{ env_suffix }}"
-      password: "{{ mbs_backend_amqp_password }}"
      vhost: /mbs
      configure_priv: .*
      read_priv: .*
      write_priv: .*
-      update_password: always
    tags:
      - rabbitmq_cluster
      - config
--- a/roles/mbs/common/templates/config.py
+++ b/roles/mbs/common/templates/config.py
@ -20,6 +20,12 @@ class BaseConfiguration(object):
    PORT = 5000

    CELERY_BROKER_URL = '{{ mbs_broker_url }}'
+    CELERY_CONFIG = {
+        'certfile': "/etc/module-build-service/mbs-private-queue{{env_suffix}}.crt",
+        'keyfile': "/etc/module-build-service/mbs-private-queue{{env_suffix}}.key",
+        'ca_certs': "/etc/module-build-service/ca.crt",
+        'broker_login_method': "EXTERNAL",
+    }

    # Global network-related values, in seconds
    NET_TIMEOUT = 120
--- a/roles/rabbitmq_cluster/tasks/apps.yml
+++ b/roles/rabbitmq_cluster/tasks/apps.yml
@ -254,3 +254,24 @@
  - centos-odcs

 # CENTOS ODCS END
+
+# MBS BEGIN
+- name: MBS User
+  run_once: true
+  include_role:
+    name: rabbit/user
+  vars:
+     username: mbs{{ env_suffix }}
+
+- name: MBS Queue
+  run_once: true
+  include_role:
+    name: rabbit/queue
+  vars:
+    username: mbs{{ env_suffix }}
+    queue_name: mbs{{ env_suffix }}
+    # TTL: 10 days (in miliseconds)
+    message_ttl: 864000000
+    routing_keys:
+      - "mbs.{{ env_short }}.gitlab.#"
+# MBS END