Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Move the fedmsg routing_policy into its own file just like we have in the puppet repo.

Browse source
This commit is contained in:
Ralph Bean 2014-03-07 15:47:09 +00:00
parent bd7ddf1184
commit 3c2c1d7e31
2 changed files with 227 additions and 201 deletions
Download patch file Download diff file Expand all files Collapse all files

227
roles/fedmsg_base/templates/policy.py.j2 Normal file
View file

@ -0,0 +1,227 @@
{% if env == 'staging' %}
suffix = "stg.phx2.fedoraproject.org"
app_hosts = [
"app01.stg.phx2.fedoraproject.org",
"app02.stg.phx2.fedoraproject.org",
]
topic_prefix = "org.fedoraproject.stg."
{% else %}
suffix = "phx2.fedoraproject.org"
app_hosts = [
"app01.phx2.fedoraproject.org",
"app02.phx2.fedoraproject.org",
"app03.phx2.fedoraproject.org",
"app04.phx2.fedoraproject.org",
"app05.fedoraproject.org",
"app07.phx2.fedoraproject.org",
"app08.fedoraproject.org",
]
topic_prefix = "org.fedoraproject.prod."
{% endif %}
vpn_suffix = "vpn.fedoraproject.org"
config = dict(
routing_policy={
# The gist here is that only messages signed by the
# bodhi-app0{1,2,3,4,5,6,7,8} certificates may bear the
# "org.fedoraproject.prod.bodhi.update.request.stable" topic, or else
# they fail validation and are either dropped or marked as invalid
# (depending on the consumer's wishes).
#
# There is another option that we do not set. If `routing_nitpicky` is
# set to True, then a given message's topic *must* appear in this list
# in order for it to pass validation. For instance, we have
# routing_nitpicky set to False by default and no
# "org.fedoraproject.prod.logger.log" topics appear in this policy,
# therefore, any message bearing that topic and *any* certificate signed
# by our CA may pass validation.
#
topic_prefix + "bodhi.update.request.stable": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.request.testing": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.request.unpush": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.comment": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.buildroot_override.tag": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.buildroot_override.untag": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.mashtask.mashing": [
"bodhi-releng04.%s" % suffix,
"bodhi-relepel01.%s" % suffix,
],
topic_prefix + "bodhi.mashtask.complete": [
"bodhi-releng04.%s" % suffix,
"bodhi-relepel01.%s" % suffix,
],
# Compose (rel-eng) messages (use the bodhi certs)
topic_prefix + "compose.rawhide.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.mash.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.mash.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.rsync.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.rsync.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.pungify.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.pungify.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.mash.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.mash.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.rsync.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.rsync.complete": [
"bodhi-releng03.%s" % suffix,
],
#FAS messages
topic_prefix + "fas.user.create": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.user.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.edit": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.create": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.role.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.remove": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.sponsor": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.apply": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
# Git/SCM messages
topic_prefix + "git.receive": [
"scm-pkgs01.%s" % suffix,
],
topic_prefix + "git.lookaside.new": [
"lookaside-pkgs01.%s" % suffix,
],
# Tagger messages
topic_prefix + "fedoratagger.tag.update": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
topic_prefix + "fedoratagger.tag.create": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
topic_prefix + "fedoratagger.user.rank.update": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
# Mediawiki messages
topic_prefix + "wiki.article.edit": [
"mediawiki-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "wiki.upload.complete": [
"mediawiki-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
# Pkgdb messages
topic_prefix + "pkgdb.acl.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.acl.request.toggle": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.acl.user.remove": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.owner.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.new": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.retire": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.critpath.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
# Planet/venus
topic_prefix + "planet.post.new": [
"planet-people03.vpn.fedoraproject.org",
],
# Supybot/meetbot
topic_prefix + "meetbot.meeting.start": [
"supybot-value03.%s" % suffix,
],
# Only @spot and @rbergeron can use this one
topic_prefix + "announce.announcement": [
"announce-lockbox01.phx2.fedoraproject.org",
],
},
)

201
roles/fedmsg_base/templates/ssl.py.j2
View file

@ -153,206 +153,5 @@ config = dict(
("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"), ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"),
("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"), ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"),
]), ]),
routing_policy={
# The gist here is that only messages signed by the
# bodhi-app0{1,2,3,4,5,6,7,8} certificates may bear the
# "org.fedoraproject.prod.bodhi.update.request.stable" topic, or else
# they fail validation and are either dropped or marked as invalid
# (depending on the consumer's wishes).
#
# There is another option that we do not set. If `routing_nitpicky` is
# set to True, then a given message's topic *must* appear in this list
# in order for it to pass validation. For instance, we have
# routing_nitpicky set to False by default and no
# "org.fedoraproject.prod.logger.log" topics appear in this policy,
# therefore, any message bearing that topic and *any* certificate signed
# by our CA may pass validation.
#
topic_prefix + "bodhi.update.request.stable": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.request.testing": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.request.unpush": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.update.comment": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.buildroot_override.tag": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.buildroot_override.untag": [
"bodhi-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "bodhi.mashtask.mashing": [
"bodhi-releng04.%s" % suffix,
"bodhi-relepel01.%s" % suffix,
],
topic_prefix + "bodhi.mashtask.complete": [
"bodhi-releng04.%s" % suffix,
"bodhi-relepel01.%s" % suffix,
],
# Compose (rel-eng) messages (use the bodhi certs)
topic_prefix + "compose.rawhide.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.mash.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.mash.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.rsync.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.rawhide.rsync.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.pungify.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.pungify.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.mash.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.mash.complete": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.rsync.start": [
"bodhi-releng03.%s" % suffix,
],
topic_prefix + "compose.branched.rsync.complete": [
"bodhi-releng03.%s" % suffix,
],
#FAS messages
topic_prefix + "fas.user.create": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.user.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.edit": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.create": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.role.update": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.remove": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.sponsor": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
topic_prefix + "fas.group.member.apply": [
"fas-fas0%i.%s" % (i, suffix) for i in range(1, 4)
],
# Git/SCM messages
topic_prefix + "git.receive": [
"scm-pkgs01.%s" % suffix,
],
topic_prefix + "git.lookaside.new": [
"lookaside-pkgs01.%s" % suffix,
],
# Tagger messages
topic_prefix + "fedoratagger.tag.update": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
topic_prefix + "fedoratagger.tag.create": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
topic_prefix + "fedoratagger.user.rank.update": [
"fedoratagger-packages0%i.%s" % (i, suffix) for i in range(1, 3)
],
# Mediawiki messages
topic_prefix + "wiki.article.edit": [
"mediawiki-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "wiki.upload.complete": [
"mediawiki-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
# Pkgdb messages
topic_prefix + "pkgdb.acl.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.acl.request.toggle": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.acl.user.remove": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.owner.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.new": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.package.retire": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
topic_prefix + "pkgdb.critpath.update": [
"pkgdb-%s" % app_hosts[i-1]
for i in range(1, len(app_hosts) + 1)
],
# Planet/venus
topic_prefix + "planet.post.new": [
"planet-people03.vpn.fedoraproject.org",
],
# Supybot/meetbot
topic_prefix + "meetbot.meeting.start": [
"supybot-value03.%s" % suffix,
],
# Only @spot and @rbergeron can use this one
topic_prefix + "announce.announcement": [
"announce-lockbox01.phx2.fedoraproject.org",
],
},
) )