Robosig: create rabbitmq queue and set keytab permissions

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/manual/autosign.yml

@@ -25,15 +25,23 @@
   - fas_client
   - collectd/base
   - sudo
-  - fedmsg/base
-  - fedmsg/hub
   - role: nfs/client
     mnt_dir: '/mnt/fedora_koji'
     nfs_src_dir: 'fedora_koji'
     when: env != 'staging'
+  - role: rabbit/queue
+    username: "robosignatory{{ env_suffix }}"
+    queue_name: "robosignatory{{ env_suffix }}"
+    routing_keys:
+    - "org.fedoraproject.*.pungi.compose.ostree"
+    - "org.fedoraproject.*.coreos.build.request.artifacts-sign"
+    - "org.fedoraproject.*.coreos.build.request.ostree-sign"
+    - "org.fedoraproject.*.buildsys.tag"
+  - robosignatory
   - role: keytab/service
     service: autosign
-  - robosignatory
+    owner_user: robosignatory
+    owner_group: robosignatory
 
   pre_tasks:
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"

roles/robosignatory/templates/robosignatory.toml.j2

@@ -86,7 +86,7 @@ handlers = ["console"]
             [consumer_config.koji_instances.primary.options]
             # Only ssl and kerberos are supported at the moment
             authmethod = "kerberos"
-            principal = "autosign/autosign01{{ env_suffix }}.phx2.fedoraproject.org@{{ env_suffix|upper }}FEDORAPROJECT.ORG"
+            principal = "autosign/autosign01{{ env_suffix }}.phx2.fedoraproject.org@{% if env != 'production' %}STG.{% endif %}FEDORAPROJECT.ORG"
             keytab = "/etc/krb5.autosign_autosign01{{ env_suffix }}.phx2.fedoraproject.org.keytab"
             krb_rdns = false