From 9176f0f1ba0623ad9db320f623deecbde9311428 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= <aurelien@bompard.org>
Date: Wed, 10 Oct 2018 13:41:35 +0000
Subject: [PATCH] messaging-bridges: generate fedmsg policy

---
 .../messaging-bridges/templates/configmap.yml          | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/roles/openshift-apps/messaging-bridges/templates/configmap.yml b/roles/openshift-apps/messaging-bridges/templates/configmap.yml
index bcd49b524f..1381796384 100644
--- a/roles/openshift-apps/messaging-bridges/templates/configmap.yml
+++ b/roles/openshift-apps/messaging-bridges/templates/configmap.yml
@@ -236,10 +236,16 @@ data:
         # A mapping of fully qualified topics to a list of cert names for which
         # a valid signature is to be considered authorized.  Messages on topics not
         # listed here are considered automatically authorized.
+        # ** policy dynamically generated from inventory vars
+        # See ansible/filter_plugins/fedmsg.py for this inversion filter.
         "routing_policy": {
-            "org.fedoraproject.prod.announce.announcement": [
-                "announce-lockbox.phx2.fedoraproject.org",
+            {% for topic, certs in groups | invert_fedmsg_policy(hostvars, env) %}
+            "{{topic}}": [
+            {% for cert in certs %}
+                "{{ cert }}",
+            {% endfor %}
             ],
+            {% endfor %}
         },
         # Set this to True if you want messages to be dropped that aren't
         # explicitly whitelisted in the routing_policy.