Robosig: create rabbitmq queue and set keytab permissions

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2019-10-02 14:19:58 +02:00 · 2019-10-02 14:19:58 +02:00 · 968acd61f1
commit 968acd61f1
parent 01e7981d28
2 changed files with 12 additions and 4 deletions
--- a/playbooks/manual/autosign.yml
+++ b/playbooks/manual/autosign.yml
@ -25,15 +25,23 @@
  - fas_client
  - collectd/base
  - sudo
-  - fedmsg/base
-  - fedmsg/hub
  - role: nfs/client
    mnt_dir: '/mnt/fedora_koji'
    nfs_src_dir: 'fedora_koji'
    when: env != 'staging'
+  - role: rabbit/queue
+    username: "robosignatory{{ env_suffix }}"
+    queue_name: "robosignatory{{ env_suffix }}"
+    routing_keys:
+    - "org.fedoraproject.*.pungi.compose.ostree"
+    - "org.fedoraproject.*.coreos.build.request.artifacts-sign"
+    - "org.fedoraproject.*.coreos.build.request.ostree-sign"
+    - "org.fedoraproject.*.buildsys.tag"
+  - robosignatory
  - role: keytab/service
    service: autosign
-  - robosignatory
+    owner_user: robosignatory
+    owner_group: robosignatory

  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/roles/robosignatory/templates/robosignatory.toml.j2
+++ b/roles/robosignatory/templates/robosignatory.toml.j2
@ -86,7 +86,7 @@ handlers = ["console"]
            [consumer_config.koji_instances.primary.options]
            # Only ssl and kerberos are supported at the moment
            authmethod = "kerberos"
-            principal = "autosign/autosign01{{ env_suffix }}.phx2.fedoraproject.org@{{ env_suffix|upper }}FEDORAPROJECT.ORG"
+            principal = "autosign/autosign01{{ env_suffix }}.phx2.fedoraproject.org@{% if env != 'production' %}STG.{% endif %}FEDORAPROJECT.ORG"
            keytab = "/etc/krb5.autosign_autosign01{{ env_suffix }}.phx2.fedoraproject.org.keytab"
            krb_rdns = false