From 3c2c1d7e31b80e5a88b79c4706d4d272ba01d11b Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 7 Mar 2014 15:47:09 +0000 Subject: [PATCH] Move the fedmsg routing_policy into its own file just like we have in the puppet repo. --- roles/fedmsg_base/templates/policy.py.j2 | 227 +++++++++++++++++++++++ roles/fedmsg_base/templates/ssl.py.j2 | 201 -------------------- 2 files changed, 227 insertions(+), 201 deletions(-) create mode 100644 roles/fedmsg_base/templates/policy.py.j2 diff --git a/roles/fedmsg_base/templates/policy.py.j2 b/roles/fedmsg_base/templates/policy.py.j2 new file mode 100644 index 0000000000..04d4440198 --- /dev/null +++ b/roles/fedmsg_base/templates/policy.py.j2 @@ -0,0 +1,227 @@ +{% if env == 'staging' %} +suffix = "stg.phx2.fedoraproject.org" +app_hosts = [ + "app01.stg.phx2.fedoraproject.org", + "app02.stg.phx2.fedoraproject.org", +] +topic_prefix = "org.fedoraproject.stg." +{% else %} +suffix = "phx2.fedoraproject.org" +app_hosts = [ + "app01.phx2.fedoraproject.org", + "app02.phx2.fedoraproject.org", + "app03.phx2.fedoraproject.org", + "app04.phx2.fedoraproject.org", + "app05.fedoraproject.org", + "app07.phx2.fedoraproject.org", + "app08.fedoraproject.org", +] +topic_prefix = "org.fedoraproject.prod." +{% endif %} + +vpn_suffix = "vpn.fedoraproject.org" + +config = dict( + routing_policy={ + # The gist here is that only messages signed by the + # bodhi-app0{1,2,3,4,5,6,7,8} certificates may bear the + # "org.fedoraproject.prod.bodhi.update.request.stable" topic, or else + # they fail validation and are either dropped or marked as invalid + # (depending on the consumer's wishes). + # + # There is another option that we do not set. If `routing_nitpicky` is + # set to True, then a given message's topic *must* appear in this list + # in order for it to pass validation. For instance, we have + # routing_nitpicky set to False by default and no + # "org.fedoraproject.prod.logger.log" topics appear in this policy, + # therefore, any message bearing that topic and *any* certificate signed + # by our CA may pass validation. + # + topic_prefix + "bodhi.update.request.stable": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.update.request.testing": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.update.request.unpush": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.update.comment": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.buildroot_override.tag": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.buildroot_override.untag": [ + "bodhi-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "bodhi.mashtask.mashing": [ + "bodhi-releng04.%s" % suffix, + "bodhi-relepel01.%s" % suffix, + ], + topic_prefix + "bodhi.mashtask.complete": [ + "bodhi-releng04.%s" % suffix, + "bodhi-relepel01.%s" % suffix, + ], + + + # Compose (rel-eng) messages (use the bodhi certs) + topic_prefix + "compose.rawhide.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.rawhide.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.rawhide.mash.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.rawhide.mash.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.rawhide.rsync.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.rawhide.rsync.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.pungify.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.pungify.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.mash.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.mash.complete": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.rsync.start": [ + "bodhi-releng03.%s" % suffix, + ], + topic_prefix + "compose.branched.rsync.complete": [ + "bodhi-releng03.%s" % suffix, + ], + + + #FAS messages + topic_prefix + "fas.user.create": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.user.update": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.edit": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.update": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.create": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.role.update": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.member.remove": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.member.sponsor": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + topic_prefix + "fas.group.member.apply": [ + "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) + ], + + # Git/SCM messages + topic_prefix + "git.receive": [ + "scm-pkgs01.%s" % suffix, + ], + topic_prefix + "git.lookaside.new": [ + "lookaside-pkgs01.%s" % suffix, + ], + + # Tagger messages + topic_prefix + "fedoratagger.tag.update": [ + "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) + ], + topic_prefix + "fedoratagger.tag.create": [ + "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) + ], + topic_prefix + "fedoratagger.user.rank.update": [ + "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) + ], + + # Mediawiki messages + topic_prefix + "wiki.article.edit": [ + "mediawiki-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "wiki.upload.complete": [ + "mediawiki-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + + # Pkgdb messages + topic_prefix + "pkgdb.acl.update": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.acl.request.toggle": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.acl.user.remove": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.owner.update": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.package.new": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.package.update": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.package.retire": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + topic_prefix + "pkgdb.critpath.update": [ + "pkgdb-%s" % app_hosts[i-1] + for i in range(1, len(app_hosts) + 1) + ], + + # Planet/venus + topic_prefix + "planet.post.new": [ + "planet-people03.vpn.fedoraproject.org", + ], + + # Supybot/meetbot + topic_prefix + "meetbot.meeting.start": [ + "supybot-value03.%s" % suffix, + ], + + # Only @spot and @rbergeron can use this one + topic_prefix + "announce.announcement": [ + "announce-lockbox01.phx2.fedoraproject.org", + ], + }, +) + diff --git a/roles/fedmsg_base/templates/ssl.py.j2 b/roles/fedmsg_base/templates/ssl.py.j2 index deddca83d5..24054673cd 100644 --- a/roles/fedmsg_base/templates/ssl.py.j2 +++ b/roles/fedmsg_base/templates/ssl.py.j2 @@ -153,206 +153,5 @@ config = dict( ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"), ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"), ]), - routing_policy={ - # The gist here is that only messages signed by the - # bodhi-app0{1,2,3,4,5,6,7,8} certificates may bear the - # "org.fedoraproject.prod.bodhi.update.request.stable" topic, or else - # they fail validation and are either dropped or marked as invalid - # (depending on the consumer's wishes). - # - # There is another option that we do not set. If `routing_nitpicky` is - # set to True, then a given message's topic *must* appear in this list - # in order for it to pass validation. For instance, we have - # routing_nitpicky set to False by default and no - # "org.fedoraproject.prod.logger.log" topics appear in this policy, - # therefore, any message bearing that topic and *any* certificate signed - # by our CA may pass validation. - # - topic_prefix + "bodhi.update.request.stable": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.update.request.testing": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.update.request.unpush": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.update.comment": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.buildroot_override.tag": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.buildroot_override.untag": [ - "bodhi-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "bodhi.mashtask.mashing": [ - "bodhi-releng04.%s" % suffix, - "bodhi-relepel01.%s" % suffix, - ], - topic_prefix + "bodhi.mashtask.complete": [ - "bodhi-releng04.%s" % suffix, - "bodhi-relepel01.%s" % suffix, - ], - - - # Compose (rel-eng) messages (use the bodhi certs) - topic_prefix + "compose.rawhide.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.rawhide.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.rawhide.mash.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.rawhide.mash.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.rawhide.rsync.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.rawhide.rsync.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.pungify.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.pungify.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.mash.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.mash.complete": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.rsync.start": [ - "bodhi-releng03.%s" % suffix, - ], - topic_prefix + "compose.branched.rsync.complete": [ - "bodhi-releng03.%s" % suffix, - ], - - - #FAS messages - topic_prefix + "fas.user.create": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.user.update": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.edit": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.update": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.create": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.role.update": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.member.remove": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.member.sponsor": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - topic_prefix + "fas.group.member.apply": [ - "fas-fas0%i.%s" % (i, suffix) for i in range(1, 4) - ], - - # Git/SCM messages - topic_prefix + "git.receive": [ - "scm-pkgs01.%s" % suffix, - ], - topic_prefix + "git.lookaside.new": [ - "lookaside-pkgs01.%s" % suffix, - ], - - # Tagger messages - topic_prefix + "fedoratagger.tag.update": [ - "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) - ], - topic_prefix + "fedoratagger.tag.create": [ - "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) - ], - topic_prefix + "fedoratagger.user.rank.update": [ - "fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3) - ], - - # Mediawiki messages - topic_prefix + "wiki.article.edit": [ - "mediawiki-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "wiki.upload.complete": [ - "mediawiki-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - - # Pkgdb messages - topic_prefix + "pkgdb.acl.update": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.acl.request.toggle": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.acl.user.remove": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.owner.update": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.package.new": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.package.update": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.package.retire": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - topic_prefix + "pkgdb.critpath.update": [ - "pkgdb-%s" % app_hosts[i-1] - for i in range(1, len(app_hosts) + 1) - ], - - # Planet/venus - topic_prefix + "planet.post.new": [ - "planet-people03.vpn.fedoraproject.org", - ], - - # Supybot/meetbot - topic_prefix + "meetbot.meeting.start": [ - "supybot-value03.%s" % suffix, - ], - - # Only @spot and @rbergeron can use this one - topic_prefix + "announce.announcement": [ - "announce-lockbox01.phx2.fedoraproject.org", - ], - }, )