riscv-koji secondary hub
Here's a pull request to set up a secondary riscv-koji hub. There are still outstanding issues, but things should be good enough to merge and deploy the initial instance and iterate from there. Also, I plan to run a --check --diff to make sure there are no changes on primary hubs/etc. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
parent
27a5e384f8
commit
6675345f58
16 changed files with 179 additions and 24 deletions
|
@ -124,8 +124,8 @@
|
|||
- koji_hub
|
||||
- fedora-messaging
|
||||
|
||||
- name: Deploy koji/rabbitmq certificate
|
||||
ansible.builtin.copy: src={{ item.src }}
|
||||
- name: deploy koji/rabbitmq certificate (primary)
|
||||
copy: src={{ item.src }}
|
||||
dest=/etc/pki/rabbitmq/kojicert/{{ item.dest }}
|
||||
owner={{ item.owner }} group=root mode={{ item.mode }}
|
||||
with_items:
|
||||
|
@ -141,6 +141,30 @@
|
|||
dest: koji.ca
|
||||
owner: apache
|
||||
mode: "0644"
|
||||
when: inventory_hostname.startswith('koji')
|
||||
tags:
|
||||
- config
|
||||
- koji_hub
|
||||
- fedora-messaging
|
||||
|
||||
- name: deploy koji/rabbitmq certificate (secondary)
|
||||
copy: src={{ item.src }}
|
||||
dest=/etc/pki/rabbitmq/kojicert/{{ item.dest }}
|
||||
owner={{ item.owner }} group=root mode={{ item.mode }}
|
||||
with_items:
|
||||
- src: "{{private}}/files/rabbitmq/{{env}}/pki/issued/riscv-koji{{ env_suffix }}.crt"
|
||||
dest: koji.crt
|
||||
owner: apache
|
||||
mode: "0644"
|
||||
- src: "{{private}}/files/rabbitmq/{{env}}/pki/private/riscv-koji{{ env_suffix }}.key"
|
||||
dest: koji.key
|
||||
owner: apache
|
||||
mode: "600"
|
||||
- src: "{{private}}/files/rabbitmq/{{env}}/pki/ca.crt"
|
||||
dest: koji.ca
|
||||
owner: apache
|
||||
mode: "0644"
|
||||
when: inventory_hostname.startswith('riscv-koji')
|
||||
tags:
|
||||
- config
|
||||
- koji_hub
|
||||
|
@ -203,8 +227,8 @@
|
|||
# install keytabs
|
||||
#
|
||||
|
||||
- name: Install koji-hub keytab
|
||||
ansible.builtin.copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub-{{ fedmsg_koji_instance }} dest=/etc/koji-hub/koji-hub.keytab
|
||||
- name: install koji-hub keytab
|
||||
copy: src={{ private }}/files/keytabs/{{ env }}/koji-hub-{{ koji_instance }} dest=/etc/koji-hub/koji-hub.keytab
|
||||
owner=apache group=apache mode=0600
|
||||
notify:
|
||||
- reload httpd
|
||||
|
@ -325,13 +349,19 @@
|
|||
- koji_hub
|
||||
when: env == "staging" and ansible_hostname.startswith('koji')
|
||||
|
||||
- name: Make mnt/koji directory
|
||||
- name: make mnt/koji directory (primary)
|
||||
ansible.builtin.file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji owner=root group=root
|
||||
tags:
|
||||
- koji_hub
|
||||
when: ansible_hostname.startswith('koji')
|
||||
|
||||
- name: Check selinux default context for /mnt/fedora_koji in staging
|
||||
- name: make mnt/koji directory (secondary)
|
||||
file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji owner=root group=root
|
||||
tags:
|
||||
- koji_hub
|
||||
when: ansible_hostname.startswith('riscv-koji')
|
||||
|
||||
- name: check selinux default context for /mnt/fedora_koji in staging
|
||||
ansible.builtin.command: matchpathcon /mnt/fedora_koji
|
||||
register: mnt_fedora_koji_context
|
||||
when: env == "staging"
|
||||
|
@ -368,7 +398,7 @@
|
|||
- koji_hub
|
||||
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
|
||||
|
||||
- name: Make httpd override directory
|
||||
- name: make httpd override directory
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: /etc/systemd/system/httpd.service.d
|
||||
|
@ -421,6 +451,7 @@
|
|||
- koji-gc
|
||||
- koji-prune-signed-copies
|
||||
- koji-sidetag-cleanup
|
||||
when: ansible_hostname.startswith('koji01')
|
||||
tags:
|
||||
- files
|
||||
- koji_hub
|
||||
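Review bot: The secondary certificate task copies `riscv-koji{{ env_suffix }}.key` through a looped `copy`, and the description says the play will be run with `--check --diff`; for a changed text file the copy module's diff output can include the file contents, so the PEM private key may end up in terminal or CI logs. Adding `diff: false` (or `no_log: true`) to this task keeps secret material out of that output, and the same likely applies to the primary certificate task, whose item list is not shown, and to the keytab task. Separately, the key item uses `mode: "600"` while the other items use the four-digit form; `mode: "0600"` would keep the list consistent. The task file these hunks belong to starts and ends outside what is shown.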
|
|
|
@ -13,8 +13,13 @@ topic_prefix = "org.fedoraproject.prod"
|
|||
|
||||
[tls]
|
||||
ca_cert = "/etc/pki/rabbitmq/kojicert/koji.ca"
|
||||
{% if koji_instance == "secondary" %}
|
||||
keyfile = "/etc/pki/rabbitmq/kojicert/riscv-koji.key"
|
||||
certfile = "/etc/pki/rabbitmq/kojicert/riscv-koji.crt"
|
||||
{% else %}
|
||||
keyfile = "/etc/pki/rabbitmq/kojicert/koji.key"
|
||||
certfile = "/etc/pki/rabbitmq/kojicert/koji.crt"
|
||||
{% endif %}
|
||||
|
||||
[client_properties]
|
||||
app = "Koji"
|
||||
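Review bot: The secondary branch points `keyfile` and `certfile` at `/etc/pki/rabbitmq/kojicert/riscv-koji.key` and `riscv-koji.crt`, but the secondary certificate task shown earlier on this page writes its files to that directory as `koji.key` and `koji.crt`. Unless a task that is not shown creates the `riscv-koji.*` names, the messaging client on the secondary hub will not find its key pair. Since the task already selects the right source file per host, the conditional could be dropped so that both instances keep `keyfile = "/etc/pki/rabbitmq/kojicert/koji.key"` and `certfile = "/etc/pki/rabbitmq/kojicert/koji.crt"`.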
|
|
|
@ -8,15 +8,22 @@ DBHost = db-koji01
|
|||
LogLevel = koji._koji_plugin__koji-fedoramessaging:DEBUG
|
||||
LogFormat = %(asctime)s [%(levelname)s] m=%(method)s u=%(user_name)s p=%(process)s r=%(remoteaddr)s %(name)s: %(message)s
|
||||
DBPass = {{ kojiStgPassword }}
|
||||
{% else %}
|
||||
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
|
||||
{% elif koji_instance = "primary" %}
|
||||
DBHost = db-koji01
|
||||
DBPass = {{ kojiPassword }}
|
||||
{% endif %}
|
||||
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
|
||||
{% if env == "staging" %}
|
||||
ProxyPrincipals = modularity@STG.FEDORAPROJECT.ORG,HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.iad2.fedoraproject.org@STG.FEDORAPROJECT.ORG
|
||||
{% else %}
|
||||
DBHost = db-riscv-koji01
|
||||
DBPass = {{ riscvkojiPassword }}
|
||||
AuthPrincipal = host/riscv-koji{{env_suffix}}.fedoraproject.org
|
||||
{% endif %}
|
||||
{% if env == "staging" %}
|
||||
ProxyPrincipals = HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.iad2.fedoraproject.org@STG.FEDORAPROJECT.ORG
|
||||
{% elif koji_instance = "primary" %}
|
||||
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
|
||||
{% else %}
|
||||
ProxyPrincipals = HTTP/riscv-koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
|
||||
{% endif %}
|
||||
KojiDir = /mnt/koji
|
||||
MemoryWarnThreshold = 10000
|
||||
|
@ -31,8 +38,10 @@ SeparateSourceTags = f{{ FedoraRawhideNumber }}-build eln-build
|
|||
# Kerb auth
|
||||
{% if env == "staging" %}
|
||||
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
|
||||
{% else %}
|
||||
{% elif koji_instance = "primary" %}
|
||||
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
|
||||
{% else %}
|
||||
HostPrincipalFormat = compile-riscv/%s@FEDORAPROJECT.ORG
|
||||
{% endif %}
|
||||
AuthKeytab = /etc/koji-hub/koji-hub.keytab
|
||||
|
||||
|
@ -50,7 +59,13 @@ ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders
|
|||
|
||||
## Other options ##
|
||||
LoginCreatesUser = On
|
||||
KojiWebURL = http://koji.fedoraproject.org/koji
|
||||
{% if env == "staging" %}
|
||||
KojiWebURL = https://koji.stg.fedoraproject.org/koji
|
||||
{% elif koji_instance = "primary" %}
|
||||
KojiWebURL = https://koji.fedoraproject.org/koji
|
||||
{% else %}
|
||||
KojiWebURL = https://riscv-koji.fedoraproject.org/koji
|
||||
{% endif %}
|
||||
# The domain name that will be appended to Koji usernames
|
||||
# when creating email notifications
|
||||
EmailDomain = fedoraproject.org
|
||||
|
@ -93,6 +108,8 @@ MissingPolicyOk = False
|
|||
#Plugins = darkserver-plugin
|
||||
{% if env == "staging" %}
|
||||
Plugins = osbuild koji-fedoramessaging runroot_hub hub_containerbuild tag2distrepo sidetag_hub save_failed_tree flatpak kiwi
|
||||
{% elif koji_instance = "primary" %}
|
||||
Plugins = osbuild koji-fedoramessaging runroot_hub hub_containerbuild tag2distrepo sidetag_hub save_failed_tree flatpak kiwi
|
||||
{% else %}
|
||||
Plugins = osbuild koji-fedoramessaging runroot_hub hub_containerbuild tag2distrepo sidetag_hub save_failed_tree flatpak kiwi
|
||||
{% endif %}
|
||||
|
@ -138,10 +155,6 @@ channel =
|
|||
method build chainbuild !! req
|
||||
has_perm customchannel :: req
|
||||
}
|
||||
{% if env == 'staging' %}
|
||||
# kojid-cloud-scheduler tag setup for stg env only
|
||||
tag buildaws && fromtag buildaws && method build :: use buildaws
|
||||
{% endif %}
|
||||
|
||||
#we want pesign-test-app to always go to the secure-boot channel even for scratch builds
|
||||
source */pesign-test-app* && has_perm secure-boot :: use secure-boot
|
||||
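Review bot: The new branches are written `{% elif koji_instance = "primary" %}` with a single `=`, which Jinja2 does not accept as a comparison, so this template would be expected to fail with a syntax error at render time on every hub that uses it, primary included. As far as the rendered page shows, it appears five times in this file (the DBHost/AuthPrincipal, ProxyPrincipals, HostPrincipalFormat, KojiWebURL and Plugins blocks); each should read `{% elif koji_instance == "primary" %}`, as the other templates in this commit already do with `==`. Because `env == "staging"` is tested first, a secondary hub in staging would also receive the primary staging principals and database settings, which is worth confirming as intended. The three `Plugins` branches are identical as shown, so that conditional can be dropped until the lists diverge.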
|
|
|
@ -4,9 +4,15 @@
|
|||
[main]
|
||||
; For Kerberos authentication
|
||||
; the principal to connect with
|
||||
{% if koji_instance == "secondary" %}
|
||||
principal=koji-gc/riscv-koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}}
|
||||
; The location of the keytab for the principal above
|
||||
keytab=/etc/krb5.koji-gc_riscv-koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% else %}
|
||||
principal=koji-gc/koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}}
|
||||
; The location of the keytab for the principal above
|
||||
keytab=/etc/krb5.koji-gc_koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% endif %}
|
||||
krb_rdns = False
|
||||
smtp_host = bastion.iad2.fedoraproject.org
|
||||
|
||||
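Review bot: `{% if koji_instance == "secondary" %}` assumes `koji_instance` is defined for every host that renders this file; its definition is not part of what is shown, and Ansible fails a template on an undefined variable. If any existing hub or staging host lacks it, `{% if koji_instance | default('primary') == "secondary" %}` keeps those hosts on the current principal and keytab. The same applies to the kojira, httpd and fedora-messaging templates in this commit. The two branches differ only in the host prefix, so a single variable for `koji` versus `riscv-koji` would avoid the duplicated `principal=` and `keytab=` lines.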
|
|
|
@ -5,9 +5,15 @@
|
|||
|
||||
; For Kerberos authentication
|
||||
; the principal to connect with
|
||||
{% if koji_instance == "secondary" %}
|
||||
principal=kojira/riscv-koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}}
|
||||
; The location of the keytab for the principal above
|
||||
keytab=/etc/krb5.kojira_riscv-koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% else %}
|
||||
principal=kojira/koji{{env_suffix}}.fedoraproject.org@{{ipa_realm}}
|
||||
; The location of the keytab for the principal above
|
||||
keytab=/etc/krb5.kojira_koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% endif %}
|
||||
|
||||
; The URL for the koji hub server
|
||||
server={{ koji_server_url }}
|
||||
|
|
|
@ -35,7 +35,11 @@ WSGIDaemonProcess koji lang=C.UTF-8
|
|||
AuthType GSSAPI
|
||||
GssapiSSLonly Off
|
||||
AuthName "GSSAPI Single Sign On Login"
|
||||
{% if koji_instance == "secondary" %}
|
||||
GssapiCredStore keytab:/etc/krb5.HTTP_riscv-koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% else %}
|
||||
GssapiCredStore keytab:/etc/krb5.HTTP_koji{{env_suffix}}.fedoraproject.org.keytab
|
||||
{% endif %}
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
|
|
|
@ -6,9 +6,12 @@ SiteName = koji
|
|||
{% if env == 'staging' %}
|
||||
KojiHubURL = https://koji.stg.fedoraproject.org/kojihub
|
||||
KojiFilesURL = https://kojipkgs.stg.fedoraproject.org/
|
||||
{% else %}
|
||||
{% elif env == 'production' %}
|
||||
KojiHubURL = https://koji.fedoraproject.org/kojihub
|
||||
KojiFilesURL = https://kojipkgs.fedoraproject.org/
|
||||
{% else %}
|
||||
KojiHubURL = https://riscv-koji.fedoraproject.org/kojihub
|
||||
KojiFilesURL = https://riscv-kojipkgs.fedoraproject.org/
|
||||
{% endif %}
|
||||
|
||||
# SSL authentication options
|
||||
|
@ -21,8 +24,10 @@ LoginTimeout = 72
|
|||
# This must be changed and uncommented before deployment
|
||||
{% if env == 'staging' %}
|
||||
Secret = {{ kojiSecret }}
|
||||
{% else %}
|
||||
{% elif env == 'production' %}
|
||||
Secret = {{ kojiStgSecret }}
|
||||
{% else %}
|
||||
Secret = {{ riscvkojiSecret }}
|
||||
{% endif %}
|
||||
|
||||
LibPath = /usr/share/koji-web/lib
|
||||
|
@ -34,6 +39,9 @@ KojiHubCA = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|
|||
{% if env == 'staging' %}
|
||||
Tasks = buildContainer,createContainer,flatpakBuild,flatpakBuildArch,runroot,osbuildImage,createKiwiImage,kiwiBuild
|
||||
ParentTasks = buildContainer,flatpakBuild,osbuildImage,kiwiBuild
|
||||
{% elif env == 'production' %}
|
||||
Tasks = buildContainer,createContainer,flatpakBuild,flatpakBuildArch,runroot,osbuildImage,createKiwiImage,kiwiBuild
|
||||
ParentTasks = buildContainer,flatpakBuild,osbuildImage,kiwiBuild
|
||||
{% else %}
|
||||
Tasks = buildContainer,createContainer,flatpakBuild,flatpakBuildArch,runroot,osbuildImage,createKiwiImage,kiwiBuild
|
||||
ParentTasks = buildContainer,flatpakBuild,osbuildImage,kiwiBuild
|
||||
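Review bot: The secondary branch in this file is selected by `env` rather than `koji_instance`: the riscv values sit under `{% else %}` after `env == 'staging'` and `env == 'production'`. The other templates and the certificate paths in this commit suggest the secondary hub runs with a regular `env`, in which case it would render the primary `KojiHubURL`/`KojiFilesURL` and share the primary web `Secret`; the inventory is not shown, so please confirm. Keying on the instance, e.g. `{% elif koji_instance == "secondary" %}` ahead of the production branch, would match the rest of the change and keep the session secret distinct per hub. The staging branch also uses `kojiSecret` while the production branch uses `kojiStgSecret`, which reads as swapped. The closing `{% endif %}` of the `Tasks`/`ParentTasks` block lies outside the hunk.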
|
|