Factor out in vars the openshift user ids

This should make it easier to change them in the next datacenter move.

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
Aurélien Bompard 2025-07-03 18:09:38 +02:00
parent 88c228a362
commit a0d4c1f6df
No known key found for this signature in database
GPG key ID: 31584CFEB9BF64AD
10 changed files with 78 additions and 107 deletions


@ -86,6 +86,24 @@
mount_stg: false
nfs_mount_opts: 'rw,bg,nfsvers=4'
when: master_sundries_node|bool and env != "staging"
- role: nfs/client
mnt_dir: '/srv/solr-storage'
nfs_src_dir: 'solr-storage'
mount_stg: false
nfs_mount_opts: 'rw,bg,nfsvers=4'
when: master_sundries_node|bool and env != "staging"
- role: nfs/client
mnt_dir: '/srv/fedora-packages-static-storage'
nfs_src_dir: 'fedora-packages-static-storage'
mount_stg: false
nfs_mount_opts: 'rw,bg,nfsvers=4'
when: master_sundries_node|bool and env != "staging"
- role: nfs/client
mnt_dir: '/srv/fedora-packages-static-db-storage'
nfs_src_dir: 'fedora-packages-static-db-storage'
mount_stg: false
nfs_mount_opts: 'rw,bg,nfsvers=4'
when: master_sundries_node|bool and env != "staging"
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"


@ -1,4 +1,27 @@
---
- name: Fix mounted file permissions
hosts: sundries[0]
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml
tasks:
- name: Fix file permissions
ansible.builtin.file:
path: /srv/{{item}}
state: directory
owner: "{{ openshift_user_id }}"
group: "{{ openshift_user_id }}"
recurse: true
with_items:
- solr-storage
- fedora-packages-static-storage
- fedora-packages-static-db-storage
- name: Make fedora-packages-static
hosts: os_control[0]:os_control_stg[0]
user: root
@ -8,6 +31,7 @@
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml
roles:
- role: openshift/project
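Review bot: The new `Fix mounted file permissions` play runs `ansible.builtin.file` with `state: directory` and `recurse: true` against `sundries[0]` with no condition, while the NFS mounts this commit adds to the sundries playbook for the same three paths are gated on `master_sundries_node|bool and env != "staging"`. On a host where the share is not mounted, the task creates empty local `/srv/...` directories and chowns those, so the mismatch goes unnoticed; mirroring the mount condition with `when: env != "staging"`, or failing when the path is not a mountpoint, would surface it. A recursive chown over three NFS trees also runs on every playbook invocation, which is costly on large stores, so either document that this is intentional or only recurse when an ownership mismatch is detected. The `Make fedora-packages-static` play continues outside the hunk.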


@ -8,6 +8,7 @@
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
tasks:
- name: Maubot DB user
@ -20,6 +21,25 @@
owner: maubot
encoding: UTF-8
- name: Fix meeting logs permissions
hosts: value:value_stg
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
tasks:
- name: Fix meeting logs permissions
ansible.builtin.file:
path: /srv/web/meetbot
state: directory
owner: "{{ openshift_user_id }}"
group: "{{ openshift_user_id }}"
recurse: true
- name: Make the app be real
hosts: os_control_stg:os_control
user: root
@ -29,6 +49,7 @@
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
roles:
- role: rabbit/user
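Review bot: The new `Fix meeting logs permissions` play targets `value:value_stg` and recursively chowns `/srv/web/meetbot` to `openshift_user_id`, but the maubot vars file this commit adds sets that variable to one fixed value with no production/staging distinction, unlike the fedora-packages-static vars file, which selects by `env`. OpenShift normally allocates a different supplemental-groups range per cluster and project, so the staging host is likely chowned to the production id. Either make maubot's value env-aware or restrict the play, e.g. `when: env != "staging"`. The `Make the app be real` play continues outside the hunk.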


@ -69,4 +69,4 @@ spec:
secret:
secretName: fedora-messaging-crt
securityContext:
supplementalGroups: [1001050000]
supplementalGroups: [{{ openshift_user_id }}]
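Review bot: The constant replaced on the removed line, `1001050000`, matches none of the values this commit introduces for `openshift_user_id` (`1001200000`/`1000960000` in the fedora-packages-static vars file, `1000840000` in the two other vars files), so the rendered `supplementalGroups` changes here rather than being a pure refactor. If that is intended the commit message should say so; otherwise the vars value for this role is wrong. Which role this template belongs to is not visible on the page, so confirm the project's current range with `oc describe project/<PROJECT> | grep supplemental-groups` as the added comments suggest.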


@ -57,16 +57,15 @@ spec:
httpGet:
path: /
port: 8080
# oc describe project/fedora-packages-static | grep supplemental-groups
securityContext:
supplementalGroups: [1001200000]
supplementalGroups: [{{ openshift_user_id }}]
volumes:
- name: data-volume
persistentVolumeClaim:
claimName: fedora-packages-static-storage{{ '-stg' if env == 'staging' else '' }}
claimName: fedora-packages-static-storage{{ volume_suffix }}
- name: db-volume
persistentVolumeClaim:
claimName: fedora-packages-static-db-storage{{ '-stg' if env == 'staging' else '' }}
claimName: fedora-packages-static-db-storage{{ volume_suffix }}
triggers:
- type: ConfigChange
@ -128,14 +127,12 @@ spec:
httpGet:
path: /
port: 8983
# Add solr's default gid to nfs group
# oc describe project/fedora-packages-static | grep supplemental-groups
securityContext:
supplementalGroups: [8983,1001200000]
supplementalGroups: [{{ openshift_user_id }}]
volumes:
- name: data-volume
persistentVolumeClaim:
claimName: solr-storage{{ '-stg' if env == 'staging' else '' }}
claimName: solr-storage{{ volume_suffix }}
- name: config-volume
configMap:
name: fedora-packages-static-solr-configmap
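Review bot: The Solr container's `supplementalGroups` drops gid `8983` together with the comment `# Add solr's default gid to nfs group` that justified it, so the data on `solr-storage` must now be group-owned by `openshift_user_id` for the pod to write; presumably the new chown play in the fedora-packages-static playbook provides that, but nothing at this line records the dependency. A one-line comment such as `# solr-storage is chowned to openshift_user_id by the sundries play, so solr's own gid is no longer needed` would preserve the reasoning the old comment carried and make the change safe to revisit at the next move.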


@ -0,0 +1,3 @@
- volume_suffix: "{{ '-stg' if env == 'staging' else '' }}"
# oc describe project/fedora-packages-static | grep supplemental-groups
- openshift_user_id: "{{ (env == 'production')|ternary('1001200000', '1000960000') }}"
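Review bot: Both value lines in this new vars/main.yml begin with `- `, which makes the file a YAML sequence of one-key mappings rather than a mapping; Ansible requires role vars files and `vars_files` entries to be dictionaries and rejects a list, and the same shape appears in the maubot vars file (`- openshift_user_id: 1000840000`) and in the badges vars hunk, where the line is appended right after the `badges_award_cronjobs` items. Unless the dash is an artifact of the page rendering, the lines should read `volume_suffix: "{{ '-stg' if env == 'staging' else '' }}"` and `openshift_user_id: "{{ (env == 'production')|ternary('1001200000', '1000960000') }}"` as top-level keys. Starting the file with `---`, as the playbooks on this page do, would also help yamllint catch this kind of structural slip.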


@ -1,97 +0,0 @@
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: maubot
labels:
app: maubot
service: maubot
spec:
replicas: 1
selector:
app: maubot
service: maubot
template:
metadata:
labels:
app: maubot
service: maubot
spec:
containers:
- name: maubot
image: maubot:latest
ports:
- containerPort: 8080
volumeMounts:
- name: config
mountPath: /config
readOnly: true
- name: meetbot-logs
mountPath: /meetbot_logs
- name: ipa-config-volume
mountPath: /etc/ipa
readOnly: true
- name: keytab-volume
mountPath: /etc/keytabs
readOnly: true
- name: fedora-messaging-config-volume
mountPath: /etc/fedora-messaging/
readOnly: true
- name: fedora-messaging-ca-volume
mountPath: /etc/pki/rabbitmq/ca
readOnly: true
- name: fedora-messaging-key-volume
mountPath: /etc/pki/rabbitmq/key
readOnly: true
- name: fedora-messaging-crt-volume
mountPath: /etc/pki/rabbitmq/crt
readOnly: true
readinessProbe:
timeoutSeconds: 1
initialDelaySeconds: 5
httpGet:
path: /
port: 8080
livenessProbe:
timeoutSeconds: 1
initialDelaySeconds: 20
httpGet:
path: /
port: 8080
securityContext:
supplementalGroups: [2]
volumes:
- name: config
configMap:
name: config
- name: meetbot-logs
persistentVolumeClaim:
claimName: meetbot-logs
- name: ipa-config-volume
configMap:
name: ipa-client-config
- name: keytab-volume
secret:
secretName: maubot-keytab
- name: fedora-messaging-config-volume
configMap:
name: fedora-messaging-configmap
- name: fedora-messaging-ca-volume
secret:
secretName: maubot-fedora-messaging-ca
- name: fedora-messaging-key-volume
secret:
secretName: maubot-fedora-messaging-key
- name: fedora-messaging-crt-volume
secret:
secretName: maubot-fedora-messaging-crt
triggers:
- type: ConfigChange
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- maubot
from:
kind: ImageStreamTag
name: maubot:latest


@ -60,7 +60,7 @@ spec:
path: /
port: 8080
securityContext:
supplementalGroups: [2]
supplementalGroups: [{{ openshift_user_id }}]
volumes:
- name: config
configMap:


@ -0,0 +1,3 @@
# oc describe project/fedora-packages-static | grep supplemental-groups
- openshift_user_id: 1000840000
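Review bot: The comment `# oc describe project/fedora-packages-static | grep supplemental-groups` was carried over from the fedora-packages-static role, but this file belongs to the maubot role, so the recorded verification command points at the wrong project; the badges vars hunk carries the same copied comment. Change it to name this role's own project, e.g. `# oc describe project/maubot | grep supplemental-groups` if that is the project name, so that whoever updates the id at the next datacenter move checks the right range.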


@ -12,3 +12,5 @@ badges_award_cronjobs:
schedule: "40 2 * * 3"
- name: badges-dev
schedule: "40 2 * * 4"
# oc describe project/fedora-packages-static | grep supplemental-groups
- openshift_user_id: 1000840000
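Review bot: `openshift_user_id: 1000840000` here is identical to the value the maubot vars file in this commit defines, and the template hunk elsewhere in the commit that replaces `1001050000` with `{{ openshift_user_id }}` would, if it belongs to this role, change that project's supplemental group. OpenShift allocates a distinct range per project, so the same id for two projects usually indicates a copy-paste slip; re-run the `oc describe` check against this role's project before relying on the value. The line also needs a blank line separating it from the `badges_award_cronjobs` items so it reads as a new top-level key rather than a continuation of the list.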