From 34deed65c6033b306922a6cabc23a991a62d32e0 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Tue, 7 May 2019 11:10:20 +0200
Subject: [PATCH] fedocal: Adjust the deployment in openshift

- Create the rabbitmq user
- Create the secret_clients.json in preparation for OIDC support
- Install the fedora-messaging certificates
- Install the fedora-messaging configuration file

Signed-off-by: Pierre-Yves Chibon
---
 playbooks/openshift-apps/fedocal.yml | 28 +++++++++++++++++++
 .../fedocal/templates/client_secrets.json | 17 +++++++++++
 .../fedocal/templates/configmap.yml | 3 ++
 .../fedocal/templates/fedora-messaging.toml | 23 +++++++++++++++
 .../fedocal/templates/secret.yml | 11 ++++++++
 5 files changed, 82 insertions(+)
 create mode 100644 roles/openshift-apps/fedocal/templates/client_secrets.json
 create mode 100644 roles/openshift-apps/fedocal/templates/fedora-messaging.toml
 create mode 100644 roles/openshift-apps/fedocal/templates/secret.yml

diff --git a/playbooks/openshift-apps/fedocal.yml b/playbooks/openshift-apps/fedocal.yml
index 8135e11f17..918456452a 100644
--- a/playbooks/openshift-apps/fedocal.yml
+++ b/playbooks/openshift-apps/fedocal.yml
@@ -9,21 +9,49 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
+ - role: rabbit/user
+ username: "fedocal{{ env_suffix }}"
+
 - role: openshift/project
 app: fedocal
 description: Fedora calendar apps
 appowners:
 - cverna
 - pingou
+
 - role: openshift/object
 app: fedocal
 template: imagestream.yml
 objectname: imagestream.yml
+
 - role: openshift/object
 app: fedocal
 template: buildconfig.yml
 objectname: buildconfig.yml
+
+ - role: openshift/secret-file
+ app: fedocal
+ secret_name: fedocal-fedora-messaging-key
+ key: fedocal.key
+ privatefile: "rabbitmq/{{env}}/pki/private/fedocal{{env_suffix}}.key"
+
+ - role: openshift/secret-file
+ app: fedocal
+ secret_name: fedocal-fedora-messaging-crt
+ key: fedocal.crt
+ privatefile: "rabbitmq/{{env}}/pki/issued/fedocal{{env_suffix}}.crt"
+
+ - role: openshift/secret-file
+ app: fedocal
+ secret_name: fedocal-fedora-messaging-ca
+ key: fedocal.ca
+ privatefile: "rabbitmq/{{env}}/pki/ca.crt"
+
+ - role: openshift/object
+ app: fedocal
+ template: secret.yml
+ objectname: secret.yml
+
 - role: openshift/object
 app: fedocal
 template: configmap.yml
diff --git a/roles/openshift-apps/fedocal/templates/client_secrets.json b/roles/openshift-apps/fedocal/templates/client_secrets.json
new file mode 100644
index 0000000000..61c43231a7
--- /dev/null
+++ b/roles/openshift-apps/fedocal/templates/client_secrets.json
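Review bot: The three openshift/secret-file roles and the secret.yml object create the secrets, but nothing in this patch mounts them into the pod: the diffstat lists no deploymentconfig change, while fedora-messaging.toml expects the files at `/etc/pki/rabbitmq/ca/fedocal.ca`, `/etc/pki/rabbitmq/key/fedocal.key` and `/etc/pki/rabbitmq/cert/fedocal.crt`, so unless the existing deploymentconfig already mounts secrets of these names (not visible here) the TLS connection to the broker will fail at startup. The `privatefile` values also mix `{{env}}` and `{{env_suffix}}` with the `{{ env_suffix }}` spacing used two lines above in the rabbit/user role; `privatefile: "rabbitmq/{{ env }}/pki/private/fedocal{{ env_suffix }}.key"` keeps the file consistent. The play header and the remainder of the roles list lie outside the hunk.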
@@ -0,0 +1,17 @@
+{
+ "web": {
+ "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+ "client_id": "{{ fedocal_oidc_client_id }}",
+{% if env == 'staging' %}
+ "client_secret": "{{ fedocal_oidc_client_secret_stg }}",
+{% else %}
+ "client_secret": "{{ fedocal_oidc_client_secret }}",
+{% endif %}
+ "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+ "redirect_uris": [
+ "https://elections{{env_suffix}}.fedoraproject.org/oidc_callback"
+ ],
+ "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+ }
+}
diff --git a/roles/openshift-apps/fedocal/templates/configmap.yml b/roles/openshift-apps/fedocal/templates/configmap.yml
index 1ad766dcf5..f02d8cd75b 100644
--- a/roles/openshift-apps/fedocal/templates/configmap.yml
+++ b/roles/openshift-apps/fedocal/templates/configmap.yml
@@ -11,3 +11,6 @@ data:
 {{ load_file('alembic.ini') | indent }}
 fedocal.cfg: |-
 {{ load_file('fedocal.cfg') | indent }}
+ fedora-messaging.toml: |-
+ {{ load_file('fedora-messaging.toml') | indent }}
+
diff --git a/roles/openshift-apps/fedocal/templates/fedora-messaging.toml b/roles/openshift-apps/fedocal/templates/fedora-messaging.toml
new file mode 100644
index 0000000000..c662676f78
--- /dev/null
+++ b/roles/openshift-apps/fedocal/templates/fedora-messaging.toml
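Review bot: `redirect_uris` registers `https://elections{{env_suffix}}.fedoraproject.org/oidc_callback`, the elections application's callback, in a client_secrets.json that is otherwise all fedocal; the registered redirect URI is what the provider uses to decide where the authorization code is delivered, so with this value the fedocal login either fails the provider's redirect check or, if the provider accepts the URI, hands the code to the elections app instead of fedocal. It should name fedocal's own callback, e.g. `"https://<fedocal-host>{{env_suffix}}.fedoraproject.org/oidc_callback"` (placeholder: the fedocal hostname is not shown in this patch). The commit message calls this file secret_clients.json while the patch creates client_secrets.json; worth aligning the two.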
@@ -0,0 +1,23 @@
+# A sample configuration for fedora-messaging. This file is in the TOML format.
+# For complete details on all configuration options, see the documentation.
+# https://fedora-messaging.readthedocs.io/en/stable/configuration.html
+
+# Broker address
+amqp_url = "amqps://fedocal{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/rabbitmq/ca/fedocal.ca"
+keyfile = "/etc/pki/rabbitmq/key/fedocal.key"
+certfile = "/etc/pki/rabbitmq/cert/fedocal.crt"
+
+[client_properties]
+app = "fedocal"
+
diff --git a/roles/openshift-apps/fedocal/templates/secret.yml b/roles/openshift-apps/fedocal/templates/secret.yml
new file mode 100644
index 0000000000..593d70c631
--- /dev/null
+++ b/roles/openshift-apps/fedocal/templates/secret.yml
@@ -0,0 +1,11 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: fedocal-secret
+ labels:
+ app: fedocal
+stringData:
+ client_secrets.json: |-
+ {{ load_file('client_secrets.json') | indent }}
+
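Review bot: The header comment `# A sample configuration for fedora-messaging. This file is in the TOML format.` is stale for a file that is rendered by Ansible and deployed as the live configuration; replace it with `# fedora-messaging configuration for fedocal, rendered by Ansible from this template.` and keep the documentation link below it. The `amqp_url` carries an empty password (`fedocal{{ env_suffix }}:@`), which presumably is intentional because the broker authenticates the client certificate configured under `[tls]`; a one-line comment above it, `# No password: the broker authenticates the client certificate configured in [tls].`, stops a later reader from "fixing" it by adding one. The three `[tls]` paths must match the volume mounts in the deploymentconfig, which this patch does not touch.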
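Review bot: The Secret carries the rendered OIDC client secret in `stringData` but declares no `type:`; adding `type: Opaque` after `kind: Secret` states the intent explicitly instead of relying on the API default. The `load_file` macro on the first line appears to duplicate the one configmap.yml already relies on (its hunk calls `load_file` without defining it), so if the role's templates ever share a helper this would be the candidate; that is a style preference, not a defect.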