First attempt at a webhook2fedmsg deployment

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/webhook2fedmsg.yml

@@ -0,0 +1,108 @@
+#
+# Webhook to Fedora Messaging
+#
+
+- name: setup the database
+  hosts: db01.iad2.fedoraproject.org:db01.stg.iad2.fedoraproject.org
+  gather_facts: no
+  become: yes
+  become_user: postgres
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+    - name: webhook2fedmsg DB user
+      postgresql_user:
+        name: webhook2fedmsg
+        password: "{{ (env == 'production')|ternary(webhook2fedmsg_prod_db_password, webhook2fedmsg_stg_db_password) }}"
+    - name: webhook2fedmsg database creation
+      postgresql_db:
+        name: webhook2fedmsg
+        owner: webhook2fedmsg
+        encoding: UTF-8
+
+- name: make the app be real
+  hosts: os_control[0]:os_control_stg[0]
+  user: root
+  gather_facts: False
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - "/srv/private/ansible/vars.yml"
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+  - role: rabbit/user
+    username: "webhook2fedmsg{{ env_suffix }}"
+    sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(github|discourse)\..*
+
+  - role: openshift/project
+    app: webhook2fedmsg
+    description: "Relay webhooks to Fedora Messaging"
+    appowners:
+    - ryanlerch
+    - abompard
+    - t0xic0der
+    - kevin
+    tags:
+      - apply-appowners
+  
+  - role: openshift/secret-file
+    app: webhook2fedmsg
+    secret_name: fedora-messaging-ca
+    key: cacert.pem
+    privatefile: "rabbitmq/{{env}}/pki/ca.crt"
+  - role: openshift/secret-file
+    app: webhook2fedmsg
+    secret_name: fedora-messaging-crt
+    key: webhook2fedmsg-cert.pem
+    privatefile: "rabbitmq/{{env}}/pki/issued/webhook2fedmsg{{env_suffix}}.crt"
+  - role: openshift/secret-file
+    app: webhook2fedmsg
+    secret_name: fedora-messaging-key
+    key: webhook2fedmsg-key.pem
+    privatefile: "rabbitmq/{{env}}/pki/private/webhook2fedmsg{{env_suffix}}.key"
+
+  - role: openshift/imagestream
+    app: webhook2fedmsg
+    imagename: webhook2fedmsg
+
+  - role: openshift/object
+    app: webhook2fedmsg
+    template: buildconfig.yml
+    objectname: buildconfig.yml
+  
+  - role: openshift/object
+    app: webhook2fedmsg
+    template: configmap.yml
+    objectname: configmap.yml
+
+  - role: openshift/object
+    app: webhook2fedmsg
+    file: service.yml
+    objectname: service.yml
+
+  - role: openshift/route
+    app: webhook2fedmsg
+    routename: web
+    host: "webhook2fedmsg{{ env_suffix }}.fedoraproject.org"
+    serviceport: web
+    servicename: web
+
+  - role: openshift/object
+    app: webhook2fedmsg
+    template: deploymentconfig.yml
+    objectname: deploymentconfig.yml
+
+  # - role: openshift/start-build
+  #   app: webhook2fedmsg
+  #   buildname: webhook2fedmsg
+  #   tags:
+  #   - never
+  #   - build
+
+  # - role: openshift/rollout
+  #   app: webhook2fedmsg
+  #   dcname: webhook2fedmsg

roles/openshift-apps/webhook2fedmsg/files/imagestream.yml

@@ -0,0 +1,10 @@
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: webhook2fedmsg
+spec:
+  lookupPolicy:
+    local: false
+status:
+  dockerImageRepository: ""

roles/openshift-apps/webhook2fedmsg/files/service.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  labels:
+    app: webhook2fedmsg
+spec:
+  ports:
+    - name: web
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: webhook2fedmsg
+    deploymentconfig: app

roles/openshift-apps/webhook2fedmsg/templates/buildconfig.yml

@@ -0,0 +1,30 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: webhook2fedmsg
+  labels:
+    app: webhook2fedmsg
+    build: webhook2fedmsg
+spec:
+  output:
+    to:
+      kind: ImageStreamTag
+      name: webhook2fedmsg:latest
+  source:
+    type: Git
+    git:
+      uri: https://github.com/fedora-infra/webhook-to-fedora-messaging.git
+      ref: "{{ env }}"
+  strategy:
+    type: Source
+    sourceStrategy:
+      from:
+        kind: ImageStreamTag
+        namespace: openshift
+        name: python:3.11-ubi9
+  triggers:
+  - type: ConfigChange
+  - type: ImageChange
+  - type: GitHub
+    github:
+      secret: "{{ (env == 'staging')|ternary(webhook2fedmsg_stg_webhook_secret, webhook2fedmsg_prod_webhook_secret) }}"

roles/openshift-apps/webhook2fedmsg/templates/config.toml

@@ -0,0 +1,38 @@
+[flaskapp]
+DEBUG = false
+TESTING = false
+SQLALCHEMY_DATABASE_URI = "postgresql://webhook2fedmsg:{{ (env == 'staging')|ternary(webhook2fedmsg_stg_db_password, webhook2fedmsg_prod_db_password) }}@db01{{ env_suffix }}.iad2.fedoraproject.org/webhook2fedmsg"
+SECRET_KEY = "{{ (env == 'staging')|ternary(webhook2fedmsg_stg_secret_key, webhook2fedmsg_prod_secret_key) }}"
+PERMANENT_SESSION_LIFETIME = 604800
+SESSION_COOKIE_HTTPONLY = true
+SESSION_COOKIE_SECURE = true
+PREFERRED_URL_SCHEME = "https"
+
+  [flaskapp.logsconf]
+  version = 1
+  disable_existing_loggers = false
+
+    [flaskapp.logsconf.handlers]
+
+      [flaskapp.logsconf.handlers.wsgi]
+      class = "logging.StreamHandler"
+      stream = "ext://flask.logging.wsgi_errors_stream"
+      level = "INFO"
+      formatter = "default"
+
+    [flaskapp.logsconf.formatters]
+
+      [flaskapp.logsconf.formatters.default]
+      format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+      datefmt = "[%Y-%m-%d %I:%M:%S %z]"
+
+    [flaskapp.logsconf.root]
+    handlers = ["wsgi"]
+    level = "INFO"
+
+    [flaskapp.logsconf.loggers]
+
+      [flaskapp.logsconf.loggers.werkzeug]
+      handlers = ["wsgi"]
+      level = "INFO"
+      propagate = false

roles/openshift-apps/webhook2fedmsg/templates/configmap.yml

@@ -0,0 +1,34 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: config
+    labels:
+      app: webhook2fedmsg
+  data:
+    config.toml: |-
+      {{ load_file('config.toml') | indent(6) }}
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: wsgi-script
+    labels:
+      app: webhook2fedmsg
+  data:
+    wsgi.py: |-
+      {{ load_file('wsgi.py') | indent(6) }}
+  __init__.py: ""
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: fedora-messaging-config
+    labels:
+      app: webhook2fedmsg
+  data:
+    config.toml: |-
+      {{ load_file('fedora-messaging.toml') | indent(6) }}

roles/openshift-apps/webhook2fedmsg/templates/deploymentconfig.yml

@@ -0,0 +1,98 @@
+---
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+  labels:
+    app: webhook2fedmsg
+    service: webhook2fedmsg
+  name: app
+spec:
+  replicas: 1
+  selector:
+    app: webhook2fedmsg
+    deploymentconfig: app
+  strategy:
+    resources: {}
+  template:
+    metadata:
+      labels:
+        app: webhook2fedmsg
+        deploymentconfig: app
+    spec:
+      containers:
+      - image: webhook2fedmsg:latest
+        name: app
+        env:
+        - name: APP_MODULE
+          value: "deploy.wsgi"
+        - name: W2FM_APPCONFIG
+          value: "/etc/webhook2fedmsg/config.toml"
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: "/etc/webhook2fedmsg"
+          readOnly: true
+        - name: script
+          mountPath: "/opt/app-root/src/deploy"
+          readOnly: true
+        - name: fedora-messaging-config
+          mountPath: "/etc/fedora-messaging"
+          readOnly: true
+        - name: fedora-messaging-ca
+          mountPath: /etc/pki/fedora-messaging/cacert.pem
+          subPath: cacert.pem
+          readOnly: true
+        - name: fedora-messaging-crt
+          mountPath: /etc/pki/fedora-messaging/webhook2fedmsg-cert.pem
+          subPath: webhook2fedmsg-cert.pem
+          readOnly: true
+        - name: fedora-messaging-key
+          mountPath: /etc/pki/fedora-messaging/webhook2fedmsg-key.pem
+          subPath: webhook2fedmsg-key.pem
+          readOnly: true
+        # readinessProbe:
+        #   timeoutSeconds: 10
+        #   initialDelaySeconds: 5
+        #   periodSeconds: 60
+        #   httpGet:
+        #     path: "/healthz/ready"
+        #     port: 8080
+        # livenessProbe:
+        #   timeoutSeconds: 10
+        #   initialDelaySeconds: 3
+        #   periodSeconds: 60
+        #   httpGet:
+        #     path: "/healthz/live"
+        #     port: 8080
+      volumes:
+      - name: webhook2fedmsg-config
+        configMap:
+          name: config
+      - name: wsgi-script
+        configMap:
+          name: wsgi-script
+      - name: fedora-messaging-config
+        configMap:
+          name: fedora-messaging-config
+      - name: fedora-messaging-ca
+        secret:
+          secretName: fedora-messaging-ca
+      - name: fedora-messaging-crt
+        secret:
+          secretName: fedora-messaging-crt
+      - name: fedora-messaging-key
+        secret:
+          secretName: fedora-messaging-key
+
+  triggers:
+  - type: ConfigChange
+  - type: ImageChange
+    imageChangeParams:
+      automatic: true
+      containerNames:
+      - app
+      from:
+        kind: ImageStreamTag
+        name: webhook2fedmsg:latest

roles/openshift-apps/webhook2fedmsg/templates/fedora-messaging.toml

@@ -0,0 +1,41 @@
+amqp_url = "amqps://webhook2fedmsg:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# Just check if the queue exist, don't try to create it (the server does not allow it).
+passive_declares = true
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
+keyfile = "/etc/pki/fedora-messaging/webhook2fedmsg-key.pem"
+certfile = "/etc/pki/fedora-messaging/webhook2fedmsg-cert.pem"
+
+[client_properties]
+app = "Webhook to Fedora Messaging"
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+[log_config.loggers.webhook_to_fedora_messaging]
+level = "INFO"
+propagate = false
+handlers = ["console"]
+[log_config.root]
+level = "WARNING"
+handlers = ["console"]

roles/openshift-apps/webhook2fedmsg/templates/wsgi.py

@@ -0,0 +1,4 @@
+from werkzeug.middleware.proxy_fix import ProxyFix
+from webhook_to_fedora_messaging.main import create_app
+application = create_app()
+application.wsgi_app = ProxyFix(application.wsgi_app, x_proto=1, x_host=1)