openqa/dispatcher: use private auth in infra

The keys and certs have been created for us to use private auth
so let's do it. This tries to keep things working for non-infra
deployments somehow.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

playbooks/groups/openqa.yml

@@ -42,6 +42,32 @@
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
+# fedora-messaging user/queue setup
+  roles:
+  - role: rabbit/user
+    username: "openqa{{ env_suffix }}"
+    when: env == "staging"
+  - role: rabbit/queue
+    username: "openqa{{ env_suffix }}"
+    queue_name: "openqa{{ env_suffix }}_scheduler"
+    routing_keys:
+        - "org.fedoraproject.prod.pungi.compose.status.change"
+        - "org.fedoraproject.prod.bodhi.update.request.testing"
+        - "org.fedoraproject.prod.bodhi.update.edit"
+    when: env == "staging"
+  - role: rabbit/queue
+    username: "openqa{{ env_suffix }}"
+    queue_name: "openqa{{ env_suffix }}_resultsdb_reporter"
+    routing_keys:
+        - "org.fedoraproject.{{ deployment_type }}.openqa.job.done"
+    when: env == "staging"
+  - role: rabbit/queue
+    username: "openqa{{ env_suffix }}"
+    queue_name: "openqa{{ env_suffix }}_wiki_reporter"
+    routing_keys:
+        - "org.fedoraproject.{{ deployment_type }}.openqa.job.done"
+    when: env == "staging"
+
 # relvalconsumer and autocloudreporter aren't particularly related
 # to openQA in any way, we just put those role on these boxes. There's
 # nowhere more obviously correct for rvc and acr should be on an

roles/openqa/dispatcher/tasks/main.yml

@@ -21,9 +21,7 @@
 ##      bool - if true, configure and deploy the fedora-messaging
 ##             consumers; if false, configure and deploy the fedmsg
 ##             consumers. Note you must also set openqa_scheduler_uuid
-##             (no deployment type), openqa_scheduler_stg_uuid
-##             (staging) or openqa_scheduler_prod_uuid (production) if
-##             this is set
+##             for non-Fedora-infra deployments, if this is set
 ##      default - false
 #
 # Optional vars
@@ -48,9 +46,9 @@
 ##               are maintaining the Fedora infrastructure deployment
 # - deployment_type
 ##      string - Fedora Infrastructure thing; for this role, the
-##               fedora_openqa config file will be set appropriately
-##               for infra deployments if this is set, so don't set
-##               it for private deployments
+##               fedora_openqa config file and fedora-messaging config
+##               will be set appropriately for infra deployments if
+##               this is set, so don't set it for private deployments
 #
 # NOTE: There are still currently a couple of assumptions that the
 # openQA server boxes will always act as their own dispatchers, but
@@ -193,21 +191,76 @@
   tags:
   - config
 
-- name: Install fedora-messaging staging CA cert (because it's not in the package)
-  copy: src=stg-cacert.pem dest=/etc/fedora-messaging/stg-cacert.pem owner=root group=root mode=0644
+- name: Install fedora-messaging anon staging CA cert (because it's not in the package)
+  copy: src=stg-cacert.pem dest=/etc/fedora-messaging/cacert.stg.pem owner=root group=root mode=0644
   when: "openqa_fedoramessaging|bool"
   tags:
   - config
 
-- name: Install fedora-messaging staging broker cert (because it's not in the package)
+- name: Install fedora-messaging anon staging broker cert (because it's not in the package)
   copy: src=fedora.stg-cert.pem dest=/etc/fedora-messaging/fedora.stg-cert.pem owner=root group=root mode=0644
-  when: "openqa_fedoramessaging|bool"
+  when: "openqa_fedoramessaging|bool and deployment_type is not defined"
   tags:
   - config
 
-- name: Install fedora-messaging staging broker key (because it's not in the package)
+- name: Install fedora-messaging anon staging broker key (because it's not in the package)
   copy: src=fedora.stg-key.pem dest=/etc/fedora-messaging/fedora.stg-key.pem owner=root group=root mode=0644
-  when: "openqa_fedoramessaging|bool"
+  when: "openqa_fedoramessaging|bool and deployment_type is not defined"
+  tags:
+  - config
+
+- name: Create /etc/pki/fedora-messaging
+  file:
+    dest: /etc/pki/fedora-messaging
+    mode: 0775
+    owner: root
+    group: root
+    state: directory
+  when: "openqa_fedoramessaging|bool and deployment_type is defined"
+  tags:
+  - config
+
+- name: Deploy the Fedora infra fedora-messaging cert
+  copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/issued/openqa{{env_suffix}}.crt"
+    dest: /etc/pki/fedora-messaging/openqa{{env_suffix}}-cert.pem
+    mode: 0644
+    owner: root
+    group: root
+  when: "openqa_fedoramessaging|bool and deployment_type is defined"
+  tags:
+  - config
+
+- name: Deploy the Fedora infra fedora-messaging key
+  copy:
+    src: "{{ private }}/files/rabbitmq/{{env}}/pki/private/openqa{{env_suffix}}.key"
+    dest: /etc/pki/fedora-messaging/openqa{{env_suffix}}-key.pem
+    mode: 0600
+    owner: root
+    group: root
+  when: "openqa_fedoramessaging|bool and deployment_type is defined"
+  tags:
+  - config
+
+- name: Deploy the Fedora infra fedora-messaging prod cert on stg (for scheduler)
+  copy:
+    src: "{{ private }}/files/rabbitmq/production/pki/issued/openqa.crt"
+    dest: /etc/pki/fedora-messaging/openqa-cert.pem
+    mode: 0644
+    owner: root
+    group: root
+  when: "openqa_fedoramessaging|bool and deployment_type is defined and deployment_type == 'stg'"
+  tags:
+  - config
+  
+- name: Deploy the Fedora infra fedora-messaging prod key on stg (for scheduler)
+  copy:
+    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
+    dest: /etc/pki/fedora-messaging/openqa-key.pem
+    mode: 0600
+    owner: root
+    group: root
+  when: "openqa_fedoramessaging|bool and deployment_type is defined and deployment_type == 'stg'"
   tags:
   - config
 

roles/openqa/dispatcher/templates/fedora_openqa_resultsdb_reporter.toml.j2

@@ -3,18 +3,18 @@
 # something unique before using this.
 #
 # This file is in the TOML format.
-{% if deployment_type is defined and deployment_type == 'stg' %}
-amqp_url = "amqps://fedora.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpublic_pubsub"
 {% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
 {% endif %}
 callback = "fedora_openqa.consumer:OpenQAResultsDBReporter"
 
 [tls]
-{% if deployment_type is defined and deployment_type == 'stg' %}
-ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
-keyfile = "/etc/fedora-messaging/fedora.stg-key.pem"
-certfile = "/etc/fedora-messaging/fedora.stg-cert.pem"
+{% if deployment_type is defined %}
+ca_cert = "/etc/fedora-messaging/cacert{{ env_suffix }}.pem"
+keyfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-cert.pem"
 {% else %}
 ca_cert = "/etc/fedora-messaging/cacert.pem"
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
@@ -30,6 +30,10 @@ durable = true
 auto_delete = false
 arguments = {}
 
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_resultsdb_reporter]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
@@ -38,11 +42,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_resultsdb_reporter_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_resultsdb_reporter_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_resultsdb_reporter_uuid }}]
 {% endif %}
 durable = false
@@ -51,16 +50,14 @@ exclusive = true
 arguments = {}
 
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_resultsdb_reporter_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_resultsdb_reporter_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_resultsdb_reporter"
 {% else %}
 queue = "{{ openqa_resultsdb_reporter_uuid }}"
 {% endif %}
 exchange = "amq.topic"
-{% if deployment_type is defined and deployment_type == 'stg' %}
-routing_keys = ["org.fedoraproject.stg.openqa.job.done"]
+{% if deployment_type is defined %}
+routing_keys = ["org.fedoraproject.{{ deployment_type }}.openqa.job.done"]
 {% else %}
 routing_keys = ["org.fedoraproject.prod.openqa.job.done"]
 {% endif %}

roles/openqa/dispatcher/templates/fedora_openqa_scheduler.toml.j2

@@ -7,16 +7,25 @@
 # we listen to the prod broker here even for staging as we need to use
 # prod messages to schedule jobs in openQA staging, composes and
 # updates just don't show up on the staging broker.
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+{% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+{% endif %}
 callback = "fedora_openqa.consumer:OpenQAScheduler"
 
 [tls]
 ca_cert = "/etc/fedora-messaging/cacert.pem"
+{% if deployment_type is defined %}
+keyfile = "/etc/pki/fedora-messaging/openqa-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa-cert.pem"
+{% else %}
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
 certfile = "/etc/fedora-messaging/fedora-cert.pem"
+{% endif %}
 
 [client_properties]
-app = "Fedora openQA"
+app = "Fedora openQA scheduler"
 
 [exchanges."amq.topic"]
 type = "topic"
@@ -24,6 +33,10 @@ durable = true
 auto_delete = false
 arguments = {}
 
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_scheduler]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
@@ -32,11 +45,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_scheduler_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_scheduler_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_scheduler_uuid }}]
 {% endif %}
 durable = false
@@ -45,10 +53,8 @@ exclusive = true
 arguments = {}
 
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_scheduler_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_scheduler_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_scheduler"
 {% else %}
 queue = "{{ openqa_scheduler_uuid }}"
 {% endif %}

roles/openqa/dispatcher/templates/fedora_openqa_wiki_reporter.toml.j2

@@ -3,18 +3,18 @@
 # something unique before using this.
 #
 # This file is in the TOML format.
-{% if deployment_type is defined and deployment_type == 'stg' %}
-amqp_url = "amqps://fedora.stg:@rabbitmq.stg.fedoraproject.org/%2Fpublic_pubsub"
+{% if deployment_type is defined %}
+amqp_url = "amqps://openqa{{ env_suffix }}:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpublic_pubsub"
 {% else %}
 amqp_url = "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
 {% endif %}
 callback = "fedora_openqa.consumer:OpenQAWikiReporter"
 
 [tls]
-{% if deployment_type is defined and deployment_type == 'stg' %}
-ca_cert = "/etc/fedora-messaging/stg-cacert.pem"
-keyfile = "/etc/fedora-messaging/fedora.stg-key.pem"
-certfile = "/etc/fedora-messaging/fedora.stg-cert.pem"
+{% if deployment_type is defined %}
+ca_cert = "/etc/fedora-messaging/cacert{{ env_suffix }}.pem"
+keyfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-key.pem"
+certfile = "/etc/pki/fedora-messaging/openqa{{ env_suffix }}-cert.pem"
 {% else %}
 ca_cert = "/etc/fedora-messaging/cacert.pem"
 keyfile = "/etc/fedora-messaging/fedora-key.pem"
@@ -30,6 +30,10 @@ durable = true
 auto_delete = false
 arguments = {}
 
+{% if deployment_type is defined %}
+# Private queue name.
+[queues.openqa{{ env_suffix }}_wiki_reporter]
+{% else %}
 # Queue names *must* be in the normal UUID format: run "uuidgen" and use the
 # output as your queue name. If your queue is not exclusive, anyone can connect
 # and consume from it, causing you to miss messages, so do not share your queue
@@ -38,11 +42,6 @@ arguments = {}
 #
 # If you require a stronger guarantee about delivery, please talk to Fedora's
 # Infrastructure team.
-{% if deployment_type is defined and deployment_type == 'prod' %}
-[queues.{{ openqa_wiki_reporter_prod_uuid }}]
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-[queues.{{ openqa_wiki_reporter_stg_uuid }}]
-{% else %}
 [queues.{{ openqa_wiki_reporter_uuid }}]
 {% endif %}
 durable = false
@@ -51,16 +50,14 @@ exclusive = true
 arguments = {}
 
 [[bindings]]
-{% if deployment_type is defined and deployment_type == 'prod' %}
-queue = "{{ openqa_wiki_reporter_prod_uuid }}"
-{% elif deployment_type is defined and deployment_type == 'stg' %}
-queue = "{{ openqa_wiki_reporter_stg_uuid }}"
+{% if deployment_type is defined %}
+queue = "openqa{{ env_suffix }}_wiki_reporter"
 {% else %}
 queue = "{{ openqa_wiki_reporter_uuid }}"
 {% endif %}
 exchange = "amq.topic"
-{% if deployment_type is defined and deployment_type == 'stg' %}
-routing_keys = ["org.fedoraproject.stg.openqa.job.done"]
+{% if deployment_type is defined %}
+routing_keys = ["org.fedoraproject.{{ deployment_type }}.openqa.job.done"]
 {% else %}
 routing_keys = ["org.fedoraproject.prod.openqa.job.done"]
 {% endif %}