From 2f0192ebe9347ed2713f21159c67983abedb488f Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 13 Apr 2016 16:40:37 +0000 Subject: [PATCH] fix osbs openshift internal certs, remove some prod/stg duplication with proper variable sub Signed-off-by: Adam Miller --- inventory/group_vars/osbs-stg | 9 ++--- playbooks/groups/osbs-master.yml | 60 ++++++-------------------------- 2 files changed, 13 insertions(+), 56 deletions(-) diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg index c6430b2724..f85721145f 100644 --- a/inventory/group_vars/osbs-stg +++ b/inventory/group_vars/osbs-stg @@ -9,11 +9,8 @@ tcp_ports: [ 80, 443, 8443] fas_client_groups: sysadmin-releng,fi-apprentice sudoers: "{{ private }}/files/sudo/00releng-sudoers" -osbs_api_cert: "osbs.stg.fedoraproject.org.crt" -osbs_api_key: "osbs.stg.fedoraproject.org.key" - -osbs_internal_ca: "files/osbs/osbs-stg.certs/osbs.stg.fedoraproject.org.crt" - - docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org" docker_registry: "registry.stg.fedoraproject.org" + +osbs_url: "osbs.stg.fedoraproject.org" +osbs_koji_username: "kojibuilder_stg" diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml index a6d93799ae..c38e097afa 100644 --- a/playbooks/groups/osbs-master.yml +++ b/playbooks/groups/osbs-master.yml 
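Review bot: The two keys this hunk adds, `osbs_url` and `osbs_koji_username`, are only defined for the osbs-stg group, yet the osbs-master.yml hunks at @@ -92 and @@ -295 drop the `when: env == "staging"` / `"production"` guards, so the single remaining role entry and policy task render `{{osbs_url}}` and `{{ osbs_koji_username }}` on the production hosts too (the play's `hosts: osbs:osbs-stg` is visible in the @@ -45 hunk). `inventory/group_vars/osbs` is not part of this diff; unless it already carries both keys, the production run stops on an undefined variable or installs the certificate under an empty name. Presumably `osbs_koji_username` already exists there, since the deleted production block referenced it, but `osbs_url` is new in this commit and looks to be missing for production. A comment above the two new keys, `# consumed by playbooks/groups/osbs-master.yml; the production osbs group must define the same keys`, would keep the pairing visible.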
@@ -45,13 +45,13 @@ - name: install cert for openshift public facing REST API SSL copy: - src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_cert}}" - dest: "/etc/origin/master/named_certificates/{{osbs_api_cert}}" + src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" + dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" - name: install key for openshift public facing REST API SSL copy: - src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_key}}" - dest: "/etc/origin/master/named_certificates/{{osbs_api_key}}" + src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" + dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" - name: setup osbs hosts: osbs:osbs-stg @@ -75,7 +75,7 @@ osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', osbs_readonly_users: [], osbs_readonly_groups: [], - osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ], + osbs_readwrite_users: [ "{{ osbs_koji_username }}" ], osbs_readwrite_groups: [], osbs_admin_users: [], osbs_admin_groups: [], 
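Review bot: The file copied to `/etc/origin/master/named_certificates/{{osbs_url}}.key` is a private key, and the visible `copy:` carries only `src` and `dest`; the task's remaining context lines are not shown, so if no `mode`/`owner` is set there, add `mode: 0600` (the buildroot CA copy at @@ -326 already restricts with `mode: 0400`). The same `osbs-internal.pem` is installed here as the public-facing API server certificate and at @@ -326 as the buildroot's trusted CA, which presumably means it is a self-signed leaf that doubles as its own trust anchor; if it is instead a CA certificate, the matching `osbs-internal.key` copied here would be a CA signing key living on the API server. A one-line comment on the cert task, `# osbs-internal.pem is self-signed; the same file is distributed to the buildroot as its CA`, would make that intent explicit. The enclosing play starts before this hunk.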
@@ -92,46 +92,11 @@ }, osbs_named_certificates: { enabled: true, - cert_file: "named_certificates/osbs.stg.fedoraproject.org.crt", - key_file: "named_certificates/osbs.stg.fedoraproject.org.key", - names: [ "osbs.stg.fedoraproject.org" ], + cert_file: "named_certificates/{{osbs_url}}.pem", + key_file: "named_certificates/{{osbs_url}}.key", + names: [ "{{osbs_url}}" ], }, - osbs_public_api_url: "osbs.stg.fedoraproject.org", - when: env == "staging" - } - - { - role: osbs-master, - osbs_master_export_port: true, - osbs_manage_firewalld: true, - osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt', - osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key', - osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt', - osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', - osbs_readonly_users: [], - osbs_readonly_groups: [], - osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ], - osbs_readwrite_groups: [], - osbs_admin_users: [], - osbs_admin_groups: [], - osbs_master_max_pods: 3, - osbs_update_packages: false, - osbs_image_gc_high_threshold: 90, - osbs_image_gc_low_threshold: 80, - osbs_identity_provider: "htpasswd_provider", - osbs_identity_htpasswd: { - name: htpasswd_provider, - challenge: true, - login: true, - provider_file: "/etc/origin/htpasswd" - }, - osbs_named_certificates: { - enabled: true, - cert_file: "named_certificates/osbs.fedoraproject.org.crt", - key_file: "named_certificates/osbs.fedoraproject.org.key", - names: [ "osbs.stg.fedoraproject.org" ], - }, - osbs_public_api_url: "osbs.fedoraproject.org", - when: env == "production" + osbs_public_api_url: "{{osbs_url}}", } - { 
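Review bot: The new `cert_file`, `key_file` and `names` values write the expression as `{{osbs_url}}` without inner spaces, while the same role entry uses `{{ osbs_koji_username }}` in the @@ -75 hunk; both spellings now sit a few lines apart in one mapping, so `cert_file: "named_certificates/{{ osbs_url }}.pem"` and the two lines below it would read consistently. Separately, the key name resolves to the same `osbs.stg.fedoraproject.org.key` that was installed before, but the certificate moves from `.crt` to `.pem`, so the previously deployed `osbs.stg.fedoraproject.org.crt` stays in named_certificates on existing masters; not wrong, but a `file: state=absent` task or a comment noting the stale file would help the next reader. The role list continues outside the hunk.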
@@ -295,13 +260,8 @@ args: creates: /etc/osbs_fedora_imagestream_created - - name: set policy for koji builder in openshift for osbs - shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}" - when: env == "staging" - - name: set policy for koji builder in openshift for osbs shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_username }}" - when: env == "production" - name: set policy for koji builder in openshift for atomic-reactor shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder" @@ -326,7 +286,7 @@ - name: Upload internal CA for buildroot copy: - src: "{{private}}/{{osbs_internal_ca}}" + src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" dest: "/etc/osbs/buildroot/ca.crt" mode: 0400 notify:
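Review bot: With its `when: env == "production"` removed, the `set policy for koji builder in openshift for osbs` task now runs on every host of the play, and it is a bare `shell:` with an interpolated inventory value and no `changed_when` or `creates`, so every run re-executes `oadm policy add-role-to-user` and reports changed; the imagestream task just above it uses `args: creates:` for exactly that. Since the command needs no shell features, `command:` would avoid shell parsing of `{{ osbs_koji_username }}`, and `changed_when: false` (or a creates marker like the task above) keeps the play idempotent. The play continues before and after this hunk.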