From 4d36f9ed505a33d268c9d22376f89a554df4dda6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Mon, 15 May 2023 15:06:01 +0200 Subject: [PATCH] Set the sent_topics for openqa MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- playbooks/groups/openqa.yml | 29 +++-------------------------- roles/rabbit/queue/tasks/main.yml | 6 ++++-- roles/rabbit/user/tasks/main.yml | 6 ++++++ 3 files changed, 13 insertions(+), 28 deletions(-) diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml index a1403fd000..7064f2b059 100644 --- a/playbooks/groups/openqa.yml +++ b/playbooks/groups/openqa.yml @@ -45,9 +45,7 @@ username: "openqa" queue_name: "openqa{{ openqa_env_suffix }}_scheduler" routing_keys: "{{ openqa_amqp_scheduler_routing_keys }}" - write_queues: - - "ci" - - "openqa" + sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(openqa|ci)\..* vars: # yes, even the staging scheduler listens to production, it # has to or else it wouldn't schedule any jobs @@ -58,9 +56,7 @@ username: "openqa{{ openqa_env_suffix }}" queue_name: "openqa{{ openqa_env_suffix }}_resultsdb_reporter" routing_keys: "{{ openqa_amqp_resultsdb_reporter_routing_keys }}" - write_queues: - - "ci" - - "openqa" + sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(openqa|ci)\..* vars: # for this role to work correctly we do need to look like a # staging server @@ -68,12 +64,8 @@ env_suffix: "{{ openqa_env_suffix }}" tags: ['rabbit'] - role: rabbit/queue - username: "openqa{{ openqa_env_suffix }}" queue_name: "openqa{{ openqa_env_suffix }}_wiki_reporter" routing_keys: "{{ openqa_amqp_wiki_reporter_routing_keys }}" - write_queues: - - "ci" - - "openqa" vars: # for this role to work correctly we do need to look like a # staging server 
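Review bot: In the scheduler entry (`username: "openqa"`, hunk `-45,9`) the new `sent_topics` pattern is scoped by `{{ env_short }}`, while the `vars:` comment directly below says the staging scheduler is deliberately pointed at production. It is worth confirming which value `env_short` takes on the staging host, because that decides whether this account may publish under the staging or the production topic prefix. The `vars:` block continues outside the hunk, so any override is not visible here. Separately, here and in hunks `-58,9` and `-119,9` the regex is an unquoted scalar holding backslashes and a Jinja expression. Single-quoting it, `sent_topics: '^org\.fedoraproject\.{{ env_short }}\.(openqa|ci)\..*'`, keeps the backslashes literal and matches how the neighbouring templated values are quoted.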
@@ -83,12 +75,7 @@ # relvalconsumer queue, we still use openqa auth for this as it's # easy that way - role: rabbit/queue - username: "openqa" queue_name: "openqa_relvalconsumer{{ relvalconsumer_env_suffix }}" - routing_keys: "{{ relvalconsumer_amqp_routing_keys }}" - write_queues: - - "ci" - - "openqa" vars: # yes, even the staging scheduler listens to production, it # has to or else it wouldn't schedule any jobs @@ -99,12 +86,8 @@ # relvalamiconsumer queue, we still use openqa auth for this as it's # easy that way - role: rabbit/queue - username: "openqa" queue_name: "openqa_relvalamiconsumer{{ relvalconsumer_env_suffix }}" routing_keys: "{{ relvalamiconsumer_amqp_routing_keys }}" - write_queues: - - "ci" - - "openqa" vars: # yes, even the staging updater listens to production, it # has to as we never publish fedimg.image.publish on stg @@ -119,9 +102,7 @@ username: "openqa{{ checkcompose_env_suffix }}" queue_name: "openqa{{ checkcompose_env_suffix }}_checkcomp" routing_keys: "{{ checkcompose_amqp_routing_keys }}" - write_queues: - - "ci" - - "openqa" + sent_topics: ^org\.fedoraproject\.{{ env_short }}\.(openqa|ci)\..* vars: # for this role to work correctly we do need to look like a # staging server @@ -133,12 +114,8 @@ # fedora_nightlies queue, we still use openqa auth for this as it's # easy that way - role: rabbit/queue - username: "openqa" queue_name: "openqa_fedora_nightlies" routing_keys: "{{ fedora_nightlies_amqp_routing_keys }}" - write_queues: - - "ci" - - "openqa" vars: env: "production" tags: ['rabbit'] diff --git a/roles/rabbit/queue/tasks/main.yml b/roles/rabbit/queue/tasks/main.yml index b20b63ec30..332c78109b 100644 --- a/roles/rabbit/queue/tasks/main.yml +++ b/roles/rabbit/queue/tasks/main.yml 
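Review bot: The `openqa_relvalconsumer` entry (hunk `-83,12`) loses its `routing_keys: "{{ relvalconsumer_amqp_routing_keys }}"` line along with `username` and `write_queues`, while every other `rabbit/queue` entry touched by this patch keeps its `routing_keys`. The commit subject only mentions `sent_topics`, so this looks unintended; if so, restore `routing_keys: "{{ relvalconsumer_amqp_routing_keys }}"`. Whether the role tolerates a missing `routing_keys` is not visible in this patch.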
@@ -15,8 +15,8 @@ # # Optional parameters: # -# - write_queues (list): A list of queue name prefixes to which the user will -# be allowed to publish. +# - sent_topics (str): A regular expression that must match the topic when a +# message is published by this user. # - thresholds (dict): A dictionary with two keys: "warning" and "critical". # The values are numbers. Generate an alert in Nagios if # the number of messages go above these values. @@ -26,6 +26,7 @@ that: - "queue_name.startswith(username)" fail_msg: "Your queue name must be prefixed with your username" + when: username is defined tags: - fedora-messaging - rabbitmq_cluster @@ -34,6 +35,7 @@ name: rabbit/user vars: publish_only: false + when: username is defined tags: - fedora-messaging - rabbitmq_cluster diff --git a/roles/rabbit/user/tasks/main.yml b/roles/rabbit/user/tasks/main.yml index 22a234862a..26ac38fccf 100644 --- a/roles/rabbit/user/tasks/main.yml +++ b/roles/rabbit/user/tasks/main.yml @@ -8,6 +8,11 @@ # # - username (str): the username to create in RabbitMQ, which should match the # CN of the certificate. +# +# Optional parameters: +# +# - sent_topics (str): A regular expression that must match the topic when a +# message is published by this user. # See https://www.rabbitmq.com/access-control.html#permissions for details on # the RabbitMQ permissions configuration. @@ -15,6 +20,7 @@ - name: Validate username {{ username }} assert: that: + - username is defined - username != "admin" - username != "guest" - username != "nagios-monitoring"
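Review bot: The new `sent_topics` description in the role header (hunk `-15,8`) does not say what a user may publish when the parameter is omitted, which is what a caller needs to judge how permissive the default is. I would add a continuation line such as `#   If omitted: <default publish permission, to be filled in from the rabbit/user permission task>.` here and in the matching comment added to `roles/rabbit/user/tasks/main.yml` (hunk `-8,6`). The task that consumes `sent_topics` is not part of this patch, so the default cannot be stated from the diff alone.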
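Review bot: With `when: username is defined` on the assert (hunk `-26,6`) and on the `rabbit/user` include (hunk `-34,6`), a caller that omits `username` silently skips the check tying `queue_name` to its owner, and no user is provisioned for the queue. If that is intended for queues that reuse an existing account, the header comment should say that `username` is now optional and what omitting it means, e.g. `# - username (str, optional): if unset, no user is created and the queue-name prefix check is skipped.` The parameter list and the rest of the role lie outside these hunks, so any later task that still references `username` should be checked for the undefined case.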