Factor out in vars the openshift user ids

This should make it easier to change them in the next datacenter move. Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-07-03 18:09:38 +02:00 · 2025-07-03 18:09:38 +02:00 · a0d4c1f6df
commit a0d4c1f6df
parent 88c228a362
10 changed files with 78 additions and 107 deletions
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@ -86,6 +86,24 @@
    mount_stg: false
    nfs_mount_opts: 'rw,bg,nfsvers=4'
    when: master_sundries_node|bool and env != "staging"
  - role: nfs/client
    mnt_dir: '/srv/solr-storage'
    nfs_src_dir: 'solr-storage'
    mount_stg: false
    nfs_mount_opts: 'rw,bg,nfsvers=4'
    when: master_sundries_node|bool and env != "staging"
  - role: nfs/client
    mnt_dir: '/srv/fedora-packages-static-storage'
    nfs_src_dir: 'fedora-packages-static-storage'
    mount_stg: false
    nfs_mount_opts: 'rw,bg,nfsvers=4'
    when: master_sundries_node|bool and env != "staging"
  - role: nfs/client
    mnt_dir: '/srv/fedora-packages-static-db-storage'
    nfs_src_dir: 'fedora-packages-static-db-storage'
    mount_stg: false
    nfs_mount_opts: 'rw,bg,nfsvers=4'
    when: master_sundries_node|bool and env != "staging"
  pre_tasks:
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
--- a/playbooks/openshift-apps/fedora-packages-static.yml
+++ b/playbooks/openshift-apps/fedora-packages-static.yml
@ -1,4 +1,27 @@
 ---
 - name: Fix mounted file permissions
  hosts: sundries[0]
  user: root
  gather_facts: false
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
    - /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml
  tasks:
    - name: Fix file permissions
      ansible.builtin.file:
        path: /srv/{{item}}
        state: directory
        owner: "{{ openshift_user_id }}"
        group: "{{ openshift_user_id }}"
        recurse: true
      with_items:
        - solr-storage
        - fedora-packages-static-storage
        - fedora-packages-static-db-storage
 - name: Make fedora-packages-static
  hosts: os_control[0]:os_control_stg[0]
  user: root
@ -8,6 +31,7 @@
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
    - /srv/web/infra/ansible/roles/openshift-apps/fedora-packages-static/vars/main.yml
  roles:
  - role: openshift/project
--- a/playbooks/openshift-apps/maubot.yml
+++ b/playbooks/openshift-apps/maubot.yml
@ -8,6 +8,7 @@
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
    - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
  tasks:
    - name: Maubot DB user
@ -20,6 +21,25 @@
        owner: maubot
        encoding: UTF-8
 - name: Fix meeting logs permissions
  hosts: value:value_stg
  user: root
  gather_facts: false
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
    - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
  tasks:
    - name: Fix meeting logs permissions
      ansible.builtin.file:
        path: /srv/web/meetbot
        state: directory
        owner: "{{ openshift_user_id }}"
        group: "{{ openshift_user_id }}"
        recurse: true
 - name: Make the app be real
  hosts: os_control_stg:os_control
  user: root
@ -29,6 +49,7 @@
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
    - /srv/web/infra/ansible/roles/openshift-apps/maubot/vars/main.yml
  roles:
  - role: rabbit/user
--- a/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2
+++ b/roles/openshift-apps/badges/templates/cron-update-rules.yml.j2
@ -69,4 +69,4 @@ spec:
              secret:
                secretName: fedora-messaging-crt
          securityContext:
-            supplementalGroups: [1001050000]
+            supplementalGroups: [{{ openshift_user_id }}]
--- a/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2
+++ b/roles/openshift-apps/fedora-packages-static/templates/deploymentconfig.yml.j2
@ -57,16 +57,15 @@ spec:
          httpGet:
            path: /
            port: 8080
      # oc describe project/fedora-packages-static | grep supplemental-groups
      securityContext:
-        supplementalGroups: [1001200000]
+        supplementalGroups: [{{ openshift_user_id }}]
      volumes:
      - name: data-volume
        persistentVolumeClaim:
-          claimName: fedora-packages-static-storage{{ '-stg' if env == 'staging' else '' }}
+          claimName: fedora-packages-static-storage{{ volume_suffix }}
      - name: db-volume
        persistentVolumeClaim:
-          claimName: fedora-packages-static-db-storage{{ '-stg' if env == 'staging' else '' }}
+          claimName: fedora-packages-static-db-storage{{ volume_suffix }}
  triggers:
  - type: ConfigChange
@ -128,14 +127,12 @@ spec:
          httpGet:
            path: /
            port: 8983
      # Add solr's default gid to nfs group
      # oc describe project/fedora-packages-static | grep supplemental-groups
      securityContext:
-        supplementalGroups: [8983,1001200000]
+        supplementalGroups: [{{ openshift_user_id }}]
      volumes:
      - name: data-volume
        persistentVolumeClaim:
-          claimName: solr-storage{{ '-stg' if env == 'staging' else '' }}
+          claimName: solr-storage{{ volume_suffix }}
      - name: config-volume
        configMap:
          name: fedora-packages-static-solr-configmap
--- a/roles/openshift-apps/fedora-packages-static/vars/main.yml
+++ b/roles/openshift-apps/fedora-packages-static/vars/main.yml
@ -0,0 +1,3 @@
 - volume_suffix: "{{ '-stg' if env == 'staging' else '' }}"
 # oc describe project/fedora-packages-static | grep supplemental-groups
 - openshift_user_id: "{{ (env == 'production')|ternary('1001200000', '1000960000') }}"
--- a/roles/openshift-apps/maubot/files/deploymentconfig.yml
+++ b/roles/openshift-apps/maubot/files/deploymentconfig.yml
@ -1,97 +0,0 @@
 ---
 apiVersion: apps.openshift.io/v1
 kind: DeploymentConfig
 metadata:
  name: maubot
  labels:
    app: maubot
    service: maubot
 spec:
  replicas: 1
  selector:
    app: maubot
    service: maubot
  template:
    metadata:
      labels:
        app: maubot
        service: maubot
    spec:
      containers:
        - name: maubot
          image: maubot:latest
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
            - name: meetbot-logs
              mountPath: /meetbot_logs
            - name: ipa-config-volume
              mountPath: /etc/ipa
              readOnly: true
            - name: keytab-volume
              mountPath: /etc/keytabs
              readOnly: true
            - name: fedora-messaging-config-volume
              mountPath: /etc/fedora-messaging/
              readOnly: true
            - name: fedora-messaging-ca-volume
              mountPath: /etc/pki/rabbitmq/ca
              readOnly: true
            - name: fedora-messaging-key-volume
              mountPath: /etc/pki/rabbitmq/key
              readOnly: true
            - name: fedora-messaging-crt-volume
              mountPath: /etc/pki/rabbitmq/crt
              readOnly: true
          readinessProbe:
            timeoutSeconds: 1
            initialDelaySeconds: 5
            httpGet:
              path: /
              port: 8080
          livenessProbe:
            timeoutSeconds: 1
            initialDelaySeconds: 20
            httpGet:
              path: /
              port: 8080
      securityContext:
        supplementalGroups: [2]
      volumes:
        - name: config
          configMap:
            name: config
        - name: meetbot-logs
          persistentVolumeClaim:
            claimName: meetbot-logs
        - name: ipa-config-volume
          configMap:
            name: ipa-client-config
        - name: keytab-volume
          secret:
            secretName: maubot-keytab
        - name: fedora-messaging-config-volume
          configMap:
            name: fedora-messaging-configmap
        - name: fedora-messaging-ca-volume
          secret:
            secretName: maubot-fedora-messaging-ca
        - name: fedora-messaging-key-volume
          secret:
            secretName: maubot-fedora-messaging-key
        - name: fedora-messaging-crt-volume
          secret:
            secretName: maubot-fedora-messaging-crt
  triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
          - maubot
        from:
          kind: ImageStreamTag
          name: maubot:latest
--- a/roles/openshift-apps/maubot/templates/deployment.yml
+++ b/roles/openshift-apps/maubot/templates/deployment.yml
@ -60,7 +60,7 @@ spec:
              path: /
              port: 8080
      securityContext:
-        supplementalGroups: [2]
+        supplementalGroups: [{{ openshift_user_id }}]
      volumes:
        - name: config
          configMap:
--- a/roles/openshift-apps/maubot/vars/main.yml
+++ b/roles/openshift-apps/maubot/vars/main.yml
@ -0,0 +1,3 @@
 # oc describe project/fedora-packages-static | grep supplemental-groups
 - openshift_user_id: 1000840000
--- a/vars/apps/badges.yml
+++ b/vars/apps/badges.yml
@ -12,3 +12,5 @@ badges_award_cronjobs:
    schedule: "40 2 * * 3"
  - name: badges-dev
    schedule: "40 2 * * 4"
 # oc describe project/fedora-packages-static | grep supplemental-groups
 - openshift_user_id: 1000840000
		`@ -0,0 +1,3 @@`
							`# oc describe project/fedora-packages-static \| grep supplemental-groups`
							`- openshift_user_id: 1000840000`