diff --git a/playbooks/openshift-apps/webhook2fedmsg.yml b/playbooks/openshift-apps/webhook2fedmsg.yml new file mode 100644 index 0000000000..a95c551be0 --- /dev/null +++ b/playbooks/openshift-apps/webhook2fedmsg.yml 
@@ -0,0 +1,108 @@ +# +# Webhook to Fedora Messaging +# + +- name: setup the database + hosts: db01.iad2.fedoraproject.org:db01.stg.iad2.fedoraproject.org + gather_facts: no + become: yes + become_user: postgres + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: webhook2fedmsg DB user + postgresql_user: + name: webhook2fedmsg + password: "{{ (env == 'production')|ternary(webhook2fedmsg_prod_db_password, webhook2fedmsg_stg_db_password) }}" + - name: webhook2fedmsg database creation + postgresql_db: + name: webhook2fedmsg + owner: webhook2fedmsg + encoding: UTF-8 + +- name: make the app be real + hosts: os_control[0]:os_control_stg[0] + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: rabbit/user + username: "webhook2fedmsg{{ env_suffix }}" + sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(github|discourse)\..* + + - role: openshift/project + app: webhook2fedmsg + description: "Relay webhooks to Fedora Messaging" + appowners: + - ryanlerch + - abompard + - t0xic0der + - kevin + tags: + - apply-appowners + + - role: openshift/secret-file + app: webhook2fedmsg + secret_name: fedora-messaging-ca + key: cacert.pem + privatefile: "rabbitmq/{{env}}/pki/ca.crt" + - role: openshift/secret-file + app: webhook2fedmsg + secret_name: fedora-messaging-crt + key: webhook2fedmsg-cert.pem + privatefile: "rabbitmq/{{env}}/pki/issued/webhook2fedmsg{{env_suffix}}.crt" + - role: openshift/secret-file + app: webhook2fedmsg + secret_name: fedora-messaging-key + key: webhook2fedmsg-key.pem + privatefile: "rabbitmq/{{env}}/pki/private/webhook2fedmsg{{env_suffix}}.key" + + - role: openshift/imagestream + app: webhook2fedmsg + imagename: webhook2fedmsg + + - role: openshift/object + app: webhook2fedmsg + 
template: buildconfig.yml + objectname: buildconfig.yml + + - role: openshift/object + app: webhook2fedmsg + template: configmap.yml + objectname: configmap.yml + + - role: openshift/object + app: webhook2fedmsg + file: service.yml + objectname: service.yml + + - role: openshift/route + app: webhook2fedmsg + routename: web + host: "webhook2fedmsg{{ env_suffix }}.fedoraproject.org" + serviceport: web + servicename: web + + - role: openshift/object + app: webhook2fedmsg + template: deploymentconfig.yml + objectname: deploymentconfig.yml + + # - role: openshift/start-build + # app: webhook2fedmsg + # buildname: webhook2fedmsg + # tags: + # - never + # - build + + # - role: openshift/rollout + # app: webhook2fedmsg + # dcname: webhook2fedmsg diff --git a/roles/openshift-apps/webhook2fedmsg/files/imagestream.yml b/roles/openshift-apps/webhook2fedmsg/files/imagestream.yml new file mode 100644 index 0000000000..f755f14b32 --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/files/imagestream.yml @@ -0,0 +1,10 @@ +--- +apiVersion: image.openshift.io/v1 +kind: ImageStream +metadata: + name: webhook2fedmsg +spec: + lookupPolicy: + local: false +status: + dockerImageRepository: "" diff --git a/roles/openshift-apps/webhook2fedmsg/files/service.yml b/roles/openshift-apps/webhook2fedmsg/files/service.yml new file mode 100644 index 0000000000..29c49d0201 --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/files/service.yml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: web + labels: + app: webhook2fedmsg +spec: + ports: + - name: web + port: 8080 + targetPort: 8080 + selector: + app: webhook2fedmsg + deploymentconfig: app diff --git a/roles/openshift-apps/webhook2fedmsg/templates/buildconfig.yml b/roles/openshift-apps/webhook2fedmsg/templates/buildconfig.yml new file mode 100644 index 0000000000..d8278e58c3 --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/buildconfig.yml 
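Review bot: The `webhook2fedmsg DB user` task picks the password with `(env == 'production')|ternary(prod, stg)`, while config.toml in this same commit picks it with `(env == 'staging')|ternary(stg, prod)`; for any `env` value other than those two the database user and the application end up with different passwords. Use the same test and fallback in both places, e.g. `password: "{{ (env == 'staging')|ternary(webhook2fedmsg_stg_db_password, webhook2fedmsg_prod_db_password) }}"`, so the playbook agrees with config.toml and buildconfig.yml. The play also references `{{ ansible_distribution }}` in `vars_files` with `gather_facts: no`, which presumably depends on cached facts being present on the controller — worth confirming before the first run against a fresh host.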
@@ -0,0 +1,30 @@ +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + name: webhook2fedmsg + labels: + app: webhook2fedmsg + build: webhook2fedmsg +spec: + output: + to: + kind: ImageStreamTag + name: webhook2fedmsg:latest + source: + type: Git + git: + uri: https://github.com/fedora-infra/webhook-to-fedora-messaging.git + ref: "{{ env }}" + strategy: + type: Source + sourceStrategy: + from: + kind: ImageStreamTag + namespace: openshift + name: python:3.11-ubi9 + triggers: + - type: ConfigChange + - type: ImageChange + - type: GitHub + github: + secret: "{{ (env == 'staging')|ternary(webhook2fedmsg_stg_webhook_secret, webhook2fedmsg_prod_webhook_secret) }}" diff --git a/roles/openshift-apps/webhook2fedmsg/templates/config.toml b/roles/openshift-apps/webhook2fedmsg/templates/config.toml new file mode 100644 index 0000000000..ff632d9985 --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/config.toml 
@@ -0,0 +1,38 @@ +[flaskapp] +DEBUG = false +TESTING = false +SQLALCHEMY_DATABASE_URI = "postgresql://webhook2fedmsg:{{ (env == 'staging')|ternary(webhook2fedmsg_stg_db_password, webhook2fedmsg_prod_db_password) }}@db01{{ env_suffix }}.iad2.fedoraproject.org/webhook2fedmsg" +SECRET_KEY = "{{ (env == 'staging')|ternary(webhook2fedmsg_stg_secret_key, webhook2fedmsg_prod_secret_key) }}" +PERMANENT_SESSION_LIFETIME = 604800 +SESSION_COOKIE_HTTPONLY = true +SESSION_COOKIE_SECURE = true +PREFERRED_URL_SCHEME = "https" + + [flaskapp.logsconf] + version = 1 + disable_existing_loggers = false + + [flaskapp.logsconf.handlers] + + [flaskapp.logsconf.handlers.wsgi] + class = "logging.StreamHandler" + stream = "ext://flask.logging.wsgi_errors_stream" + level = "INFO" + formatter = "default" + + [flaskapp.logsconf.formatters] + + [flaskapp.logsconf.formatters.default] + format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s" + datefmt = "[%Y-%m-%d %I:%M:%S %z]" + + [flaskapp.logsconf.root] + handlers = ["wsgi"] + level = "INFO" + + [flaskapp.logsconf.loggers] + + [flaskapp.logsconf.loggers.werkzeug] + handlers = ["wsgi"] + level = "INFO" + propagate = false diff --git a/roles/openshift-apps/webhook2fedmsg/templates/configmap.yml b/roles/openshift-apps/webhook2fedmsg/templates/configmap.yml new file mode 100644 index 0000000000..4ef8623b6a --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/configmap.yml 
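Review bot: `SQLALCHEMY_DATABASE_URI` interpolates the database password straight into the URL userinfo; a password containing `@`, `/`, `:` or `%` would change how the URL is parsed and make the connection fail or point at the wrong host. Passing the value through Jinja's `urlencode` filter avoids that, e.g. `SQLALCHEMY_DATABASE_URI = "postgresql://webhook2fedmsg:{{ (env == 'staging')|ternary(webhook2fedmsg_stg_db_password, webhook2fedmsg_prod_db_password) | urlencode }}@db01{{ env_suffix }}.iad2.fedoraproject.org/webhook2fedmsg"`. The session cookie is set `HTTPONLY` and `SECURE` but `SESSION_COOKIE_SAMESITE` is not set, so the cookie falls back to Flask's default; adding `SESSION_COOKIE_SAMESITE = "Lax"` would make the intended policy explicit.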
@@ -0,0 +1,34 @@ +{% macro load_file(filename) %}{% include filename %}{%- endmacro -%} +--- +apiVersion: v1 +kind: List +metadata: {} +items: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: config + labels: + app: webhook2fedmsg + data: + config.toml: |- + {{ load_file('config.toml') | indent(6) }} +- apiVersion: v1 + kind: ConfigMap + metadata: + name: wsgi-script + labels: + app: webhook2fedmsg + data: + wsgi.py: |- + {{ load_file('wsgi.py') | indent(6) }} + __init__.py: "" +- apiVersion: v1 + kind: ConfigMap + metadata: + name: fedora-messaging-config + labels: + app: webhook2fedmsg + data: + config.toml: |- + {{ load_file('fedora-messaging.toml') | indent(6) }} diff --git a/roles/openshift-apps/webhook2fedmsg/templates/deploymentconfig.yml b/roles/openshift-apps/webhook2fedmsg/templates/deploymentconfig.yml new file mode 100644 index 0000000000..2361cd500a --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/deploymentconfig.yml 
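Review bot: The `config` ConfigMap embeds the rendered config.toml, which carries the database password and Flask `SECRET_KEY`, so those values end up in an object that RBAC and audit tooling treat as non-sensitive, unlike the certificates this commit places in Secrets via `openshift/secret-file`. Rendering that item as a Secret keeps the same mount layout: change `kind: ConfigMap` to `kind: Secret` and `data:` to `stringData:` for the `config` item, and switch the matching volume in deploymentconfig.yml from `configMap: name: config` to `secret: secretName: config`. The `wsgi-script` and `fedora-messaging-config` items hold no secrets and can stay as ConfigMaps.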
@@ -0,0 +1,98 @@ +--- +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + labels: + app: webhook2fedmsg + service: webhook2fedmsg + name: app +spec: + replicas: 1 + selector: + app: webhook2fedmsg + deploymentconfig: app + strategy: + resources: {} + template: + metadata: + labels: + app: webhook2fedmsg + deploymentconfig: app + spec: + containers: + - image: webhook2fedmsg:latest + name: app + env: + - name: APP_MODULE + value: "deploy.wsgi" + - name: W2FM_APPCONFIG + value: "/etc/webhook2fedmsg/config.toml" + ports: + - containerPort: 8080 + protocol: TCP + volumeMounts: + - name: config + mountPath: "/etc/webhook2fedmsg" + readOnly: true + - name: script + mountPath: "/opt/app-root/src/deploy" + readOnly: true + - name: fedora-messaging-config + mountPath: "/etc/fedora-messaging" + readOnly: true + - name: fedora-messaging-ca + mountPath: /etc/pki/fedora-messaging/cacert.pem + subPath: cacert.pem + readOnly: true + - name: fedora-messaging-crt + mountPath: /etc/pki/fedora-messaging/webhook2fedmsg-cert.pem + subPath: webhook2fedmsg-cert.pem + readOnly: true + - name: fedora-messaging-key + mountPath: /etc/pki/fedora-messaging/webhook2fedmsg-key.pem + subPath: webhook2fedmsg-key.pem + readOnly: true + # readinessProbe: + # timeoutSeconds: 10 + # initialDelaySeconds: 5 + # periodSeconds: 60 + # httpGet: + # path: "/healthz/ready" + # port: 8080 + # livenessProbe: + # timeoutSeconds: 10 + # initialDelaySeconds: 3 + # periodSeconds: 60 + # httpGet: + # path: "/healthz/live" + # port: 8080 + volumes: + - name: webhook2fedmsg-config + configMap: + name: config + - name: wsgi-script + configMap: + name: wsgi-script + - name: fedora-messaging-config + configMap: + name: fedora-messaging-config + - name: fedora-messaging-ca + secret: + secretName: fedora-messaging-ca + - name: fedora-messaging-crt + secret: + secretName: fedora-messaging-crt + - name: fedora-messaging-key + secret: + secretName: fedora-messaging-key + + triggers: + - type: ConfigChange 
+ - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - app + from: + kind: ImageStreamTag + name: webhook2fedmsg:latest diff --git a/roles/openshift-apps/webhook2fedmsg/templates/fedora-messaging.toml b/roles/openshift-apps/webhook2fedmsg/templates/fedora-messaging.toml new file mode 100644 index 0000000000..220b6475ae --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/fedora-messaging.toml @@ -0,0 +1,41 @@ +amqp_url = "amqps://webhook2fedmsg:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub" + +# Just check if the queue exist, don't try to create it (the server does not allow it). +passive_declares = true + +# The topic_prefix configuration value will add a prefix to the topics of every sent message. +# This is used for migrating from fedmsg, and should not be used afterwards. +{% if env == "staging" %} +topic_prefix = "org.fedoraproject.stg" +{% else %} +topic_prefix = "org.fedoraproject.prod" +{% endif %} + +[tls] +ca_cert = "/etc/pki/fedora-messaging/cacert.pem" +keyfile = "/etc/pki/fedora-messaging/webhook2fedmsg-key.pem" +certfile = "/etc/pki/fedora-messaging/webhook2fedmsg-cert.pem" + +[client_properties] +app = "Webhook to Fedora Messaging" + +[log_config] +version = 1 +disable_existing_loggers = true +[log_config.formatters.simple] +format = "[%(levelname)s %(name)s] %(message)s" +[log_config.handlers.console] +class = "logging.StreamHandler" +formatter = "simple" +stream = "ext://sys.stdout" +[log_config.loggers.fedora_messaging] +level = "INFO" +propagate = false +handlers = ["console"] +[log_config.loggers.webhook_to_fedora_messaging] +level = "INFO" +propagate = false +handlers = ["console"] +[log_config.root] +level = "WARNING" +handlers = ["console"] diff --git a/roles/openshift-apps/webhook2fedmsg/templates/wsgi.py b/roles/openshift-apps/webhook2fedmsg/templates/wsgi.py new file mode 100644 index 0000000000..3bb63f0e74 --- /dev/null +++ b/roles/openshift-apps/webhook2fedmsg/templates/wsgi.py 
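Review bot: The container's `volumeMounts` reference volumes named `config` and `script`, but the pod's `volumes` list defines them as `webhook2fedmsg-config` and `wsgi-script`, so the DeploymentConfig will be rejected (or the pod will never schedule) because two mounts point at undefined volumes. Rename the two mounts to match, `- name: webhook2fedmsg-config` for `/etc/webhook2fedmsg` and `- name: wsgi-script` for `/opt/app-root/src/deploy`, or rename the volumes the other way round. The readiness and liveness probes are left commented out, so a deploy whose app fails to start would still be reported as rolled out; if the `/healthz/*` endpoints do not exist yet, a note saying so next to the commented block would save the next reader from wondering.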
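Review bot: `amqp_url` names the user `webhook2fedmsg`, while the `rabbit/user` role in the playbook creates `webhook2fedmsg{{ env_suffix }}` and the client certificate is issued for `webhook2fedmsg{{env_suffix}}`; for staging the username in the URL and the account the certificate identifies would differ. If the broker's certificate-based authentication requires the two to agree, staging will fail to publish — `amqp_url = "amqps://webhook2fedmsg{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"` would keep them aligned; confirm against the broker's configuration. The comment above `topic_prefix` says the prefix should not be used after the fedmsg migration, which no longer matches why it is set here; rewording it to state that the prefix selects the environment's topic namespace would be clearer.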
@@ -0,0 +1,4 @@ +from werkzeug.middleware.proxy_fix import ProxyFix +from webhook_to_fedora_messaging.main import create_app +application = create_app() +application.wsgi_app = ProxyFix(application.wsgi_app, x_proto=1, x_host=1)
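Review bot: `ProxyFix(..., x_proto=1, x_host=1)` makes the application trust one hop of `X-Forwarded-Proto` and `X-Forwarded-Host`, which is only safe because the pod is reachable solely through the OpenShift router; nothing in the file records that assumption. A one-line comment above the wrapper, `# Trust exactly one proxy hop (the OpenShift router) for the scheme and host headers.`, would tell a future maintainer why the hop count must not be raised if another proxy is added. A module docstring naming the deployment entry point (`deploy.wsgi`, as set by `APP_MODULE` in the DeploymentConfig) would also help.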