fedocal: Adjust the deployment in openshift

- Create the rabbitmq user
- Create the secret_clients.json in preparation for OIDC support
- Install the fedora-messaging certificates
- Install the fedora-messaging configuration file

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

playbooks/openshift-apps/fedocal.yml

@@ -9,21 +9,49 @@
     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   roles:
+  - role: rabbit/user
+    username: "fedocal{{ env_suffix }}"
+
   - role: openshift/project
     app: fedocal
     description: Fedora calendar apps
     appowners:
     - cverna
     - pingou
+
   - role: openshift/object
     app: fedocal
     template: imagestream.yml
     objectname: imagestream.yml
+
   - role: openshift/object
     app: fedocal
     template: buildconfig.yml
     objectname: buildconfig.yml
 
+  - role: openshift/secret-file
+    app: fedocal
+    secret_name: fedocal-fedora-messaging-key
+    key: fedocal.key
+    privatefile: "rabbitmq/{{env}}/pki/private/fedocal{{env_suffix}}.key"
+
+  - role: openshift/secret-file
+    app: fedocal
+    secret_name: fedocal-fedora-messaging-crt
+    key: fedocal.crt
+    privatefile: "rabbitmq/{{env}}/pki/issued/fedocal{{env_suffix}}.crt"
+
+  - role: openshift/secret-file
+    app: fedocal
+    secret_name: fedocal-fedora-messaging-ca
+    key: fedocal.ca
+    privatefile: "rabbitmq/{{env}}/pki/ca.crt"
+
+  - role: openshift/object
+    app: fedocal
+    template: secret.yml
+    objectname: secret.yml
+
   - role: openshift/object
     app: fedocal
     template: configmap.yml

roles/openshift-apps/fedocal/templates/client_secrets.json

@@ -0,0 +1,17 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ fedocal_oidc_client_id }}",
+{% if env == 'staging' %}
+        "client_secret": "{{ fedocal_oidc_client_secret_stg }}",
+{% else %}
+        "client_secret": "{{ fedocal_oidc_client_secret }}",
+{% endif %}
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://elections{{env_suffix}}.fedoraproject.org/oidc_callback"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}

roles/openshift-apps/fedocal/templates/configmap.yml

@@ -11,3 +11,6 @@ data:
     {{ load_file('alembic.ini') | indent }}
   fedocal.cfg: |-
     {{ load_file('fedocal.cfg') | indent }}
+  fedora-messaging.toml: |-
+    {{ load_file('fedora-messaging.toml') | indent }}
+

roles/openshift-apps/fedocal/templates/fedora-messaging.toml

@@ -0,0 +1,23 @@
+# A sample configuration for fedora-messaging. This file is in the TOML format.
+# For complete details on all configuration options, see the documentation.
+# https://fedora-messaging.readthedocs.io/en/stable/configuration.html
+
+# Broker address
+amqp_url = "amqps://fedocal{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/rabbitmq/ca/fedocal.ca"
+keyfile = "/etc/pki/rabbitmq/key/fedocal.key"
+certfile = "/etc/pki/rabbitmq/cert/fedocal.crt"
+
+[client_properties]
+app = "fedocal"
+

roles/openshift-apps/fedocal/templates/secret.yml

@@ -0,0 +1,11 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fedocal-secret
+  labels:
+    app: fedocal
+stringData:
+  client_secrets.json: |-
+    {{ load_file('client_secrets.json') | indent }}
+