From 8a3f9ed982eecfd236504c42f02e592cf4557a3a Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Wed, 14 Dec 2016 23:24:39 +0000
Subject: [PATCH] override osbs default input.json to ensure secure comms everywhere
Signed-off-by: Adam Miller
---
 playbooks/groups/buildvm.yml | 8 +++
 playbooks/groups/osbs-cluster.yml | 8 +++
 .../files/osbs-site-customize.json | 19 ------
 roles/osbs-client/tasks/main.yml | 4 +-
 .../templates/osbs-site-customize.json.j2 | 61 +++++++++++++++++++
 5 files changed, 79 insertions(+), 21 deletions(-)
 delete mode 100644 roles/osbs-client/files/osbs-site-customize.json
 create mode 100644 roles/osbs-client/templates/osbs-site-customize.json.j2
diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml
index c172b8885b..4e6463bff9 100644
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -81,6 +81,10 @@
 verbose: 0,
 build_json_dir: '/etc/osbs/input/',
 openshift_required_version: 1.1.0,
+ ipa_realm: "{{ipa_realm}}",
+ osbs_url: "{{osbs_url}}",
+ registry: "{{docker_registry}}",
+ parent_registry: "{{source_registry}}"
 },
 default: {
 username: "{{ osbs_koji_stg_username }}",
@@ -113,6 +117,10 @@
 verbose: 0,
 build_json_dir: '/etc/osbs/input/',
 openshift_required_version: 1.1.0,
+ ipa_realm: "{{ipa_realm}}",
+ osbs_url: "{{osbs_url}}",
+ registry: "{{docker_registry}}",
+ parent_registry: "{{source_registry}}"
 },
 default: {
 username: "{{ osbs_koji_prod_username }}",
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 494e990b1f..7168c87e86 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -523,6 +523,10 @@
 verbose: 0,
 build_json_dir: '/etc/osbs/input/',
 openshift_required_version: 1.1.0,
+ ipa_realm: "{{ipa_realm}}",
+ osbs_url: "{{osbs_url}}",
+ registry: "{{docker_registry}}",
+ parent_registry: "{{source_registry}}"
 },
 default: {
 username: "{{ osbs_koji_stg_username }}",
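Review bot: The added `osbs_url` key is consumed as a bare hostname rather than a URL, and nothing in these four blocks (both hunks in playbooks/groups/buildvm.yml and both in playbooks/groups/osbs-cluster.yml) says so. The template added by this patch builds `osbs/{{general.osbs_url}}@{{general.ipa_realm}}` and `FILE:/etc/krb5.osbs_{{general.osbs_url}}.keytab` from it, so a value carrying a scheme or path would produce a wrong Kerberos principal and keytab path. A comment above the added lines would make the contract explicit, for example `# osbs_url: bare FQDN, used in the koji principal and keytab filename`. The staging and production blocks reference identical variable names, so any difference between the two environments depends on inventory values that are not visible in this patch. The enclosing mappings start and end outside the hunks.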
@@ -555,6 +559,10 @@ verbose: 0, build_json_dir: '/etc/osbs/input/', openshift_required_version: 1.1.0, + ipa_realm: "{{ipa_realm}}", + osbs_url: "{{osbs_url}}", + registry: "{{docker_registry}}", + parent_registry: "{{source_registry}}" }, default: { username: "{{ osbs_koji_prod_username }}", diff --git a/roles/osbs-client/files/osbs-site-customize.json b/roles/osbs-client/files/osbs-site-customize.json deleted file mode 100644 index 8e4ef749a9..0000000000 --- a/roles/osbs-client/files/osbs-site-customize.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "disable_plugins": [ - { - "plugin_type": "postbuild_plugins", - "plugin_name": "pulp_push" - }, - { - "plugin_type": "postbuild_plugins", - "plugin_name": "pulp_sync" - }, - { - "plugin_type": "postbuild_plugins", - "plugin_name": "pulp_pull" - } - ], - - "enable_plugins": [ - ] -} diff --git a/roles/osbs-client/tasks/main.yml b/roles/osbs-client/tasks/main.yml index 120ec95156..326107b41d 100644 --- a/roles/osbs-client/tasks/main.yml +++ b/roles/osbs-client/tasks/main.yml @@ -13,8 +13,8 @@ state: directory - name: Upload OSBS Site Customizations plugin conf - copy: - src: "osbs-site-customize.json" + template: + src: "osbs-site-customize.json.j2" dest: "/etc/osbs/input/prod_customize.json" mode: 0400 diff --git a/roles/osbs-client/templates/osbs-site-customize.json.j2 b/roles/osbs-client/templates/osbs-site-customize.json.j2 new file mode 100644 index 0000000000..0692dbb219 --- /dev/null +++ b/roles/osbs-client/templates/osbs-site-customize.json.j2 
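Review bot: In roles/osbs-client/tasks/main.yml the switch from `copy` to `template` means `/etc/osbs/input/prod_customize.json` is now assembled from inventory values, and the task does not check that the rendered result is still valid JSON. A quote or backslash in any interpolated value would be written to disk as a broken file. Adding `validate: 'python -m json.tool %s'` to the task would make Ansible reject a malformed render before it replaces the existing file. The task may continue past the last line of the hunk.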
@@ -0,0 +1,61 @@
+{
+ "disable_plugins": [
+ {
+ "plugin_type": "postbuild_plugins",
+ "plugin_name": "pulp_push"
+ },
+ {
+ "plugin_type": "postbuild_plugins",
+ "plugin_name": "pulp_sync"
+ },
+ {
+ "plugin_type": "postbuild_plugins",
+ "plugin_name": "pulp_pull"
+ }
+ ],
+
+ "enable_plugins": [
+ {
+ "plugin_type": "postbuild_plugins",
+ "plugin_name": "tag_and_push",
+ "plugin_args": {
+ "registries": {
+ "{{general.registry}}": {
+ "insecure": false
+ }
+ }
+ }
+ },
+ {
+ "plugin_type": "prebuild_plugins",
+ "plugin_name": "pull_base_image",
+ "plugin_args": {
+ "parent_registry_insecure": false,
+ "parent_registry": "{{general.parent_registry}}"
+ }
+ },
+ {
+ "plugin_type": "exit_plugins",
+ "plugin_name": "koji_promote",
+ "plugin_args": {
+ "kojihub": "{{default.koji_hub}}",
+ "verify_ssl": true,
+ "target": "rawhide-docker-candidate",
+ "url": "{{default.openshift_url}}",
+ "blocksize": 10485760,
+ "koji_principal": "osbs/{{general.osbs_url}}@{{general.ipa_realm}}",
+ "koji_keytab": "FILE:/etc/krb5.osbs_{{general.osbs_url}}.keytab",
+ "use_auth": true
+ }
+ },
+ {
+ "plugin_type": "exit_plugins",
+ "plugin_name": "store_metadata_in_osv3",
+ "plugin_args": {
+ "url": "{{default.openshift_url}}",
+ "verify_ssl": false,
+ "use_auth": true
+ }
+ }
+ ]
+}
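Review bot: The `store_metadata_in_osv3` entry at the end of `enable_plugins` sets `"verify_ssl": false` together with `"use_auth": true`, so the authenticated connection to `{{default.openshift_url}}` would skip certificate validation and could not distinguish the real API endpoint from one presenting any certificate. This is the one setting in the template that runs against the commit's stated goal of secure comms everywhere; the `koji_promote` entry just above it carries the same `url` with `"verify_ssl": true`. I would change the line to `"verify_ssl": true` and, if the OpenShift certificate is issued by an internal CA, add that CA to the builder's trust store rather than turning verification off. Separately, the `{{ ... }}` values are placed inside JSON strings unescaped, so the render relies on inventory values never containing a quote or backslash.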