Convert relvalconsumer to fedora-messaging

Following the basic scheme I set up for fedora_openqa, hope it's
all right...

Signed-off-by: Adam Williamson <awilliam@redhat.com>

inventory/group_vars/relvalconsumer

@@ -1,2 +1,3 @@
 # This var should never be set for more than one machine
 relvalconsumer_prod: true
+relvalconsumer_env_suffix:

inventory/group_vars/relvalconsumer_common

@@ -0,0 +1,19 @@
+# we need this for our fedora-messaging consumer as it is not allowed
+# to create queues on the infra AMQP broker, by broker config
+relvalconsumer_amqp_passive: true
+
+# fedora-messaging job scheduler settings: most of these are the same
+# for prod and stg as they both must listen for prod messages. Only
+# the queue names differs
+relvalconsumer_amqp_url: "amqps://openqa:@rabbitmq.fedoraproject.org/%2Fpubsub"
+relvalconsumer_amqp_cacert: /etc/fedora-messaging/cacert.pem
+relvalconsumer_amqp_key: /etc/pki/fedora-messaging/openqa-key.pem
+relvalconsumer_amqp_cert: /etc/pki/fedora-messaging/openqa-cert.pem
+relvalconsumer_amqp_queue: "relvalconsumer{{ relvalconsumer_env_suffix }}"
+relvalconsumer_amqp_routing_keys: ["org.fedoraproject.prod.pungi.compose.status.change",
+                                     "org.fedoraproject.prod.bodhi.update.request.testing",
+                                     "org.fedoraproject.prod.bodhi.update.edit"]
+
+# fedora-messaging email error reporting settings
+relvalconsumer_amqp_mailto: ["adamwill@fedoraproject.org", "lruzicka@fedoraproject.org"]
+relvalconsumer_amqp_smtp: bastion

inventory/group_vars/relvalconsumer_test

@@ -1,2 +1,2 @@
 relvalconsumer_prod: false
-
+relvalconsumer_env_suffix: .test

inventory/inventory

@@ -666,6 +666,10 @@ proxies_internal
 [proxies_stg]
 proxy01.stg.phx2.fedoraproject.org
 
+[relvalconsumer_common]
+openqa01.qa.fedoraproject.org
+openqa-stg01.qa.fedoraproject.org
+
 # This group should only ever contain *ONE* system
 [relvalconsumer]
 openqa01.qa.fedoraproject.org

playbooks/groups/openqa.yml

@@ -106,6 +106,19 @@
       env_suffix: "{{ openqa_env_suffix }}"
     tags: ['rabbit']
     when: deployment_type == "stg"
+    # relvalconsumer queue, we still use openqa auth for this as it's
+    # easy that way
+  - role: rabbit/queue
+    username: "openqa"
+    queue_name: "relvalconsumer{{ relvalconsumer_env_suffix }}_scheduler"
+    routing_keys:
+        - "org.fedoraproject.prod.pungi.compose.status.change"
+    vars:
+      # yes, even the staging scheduler listens to production, it
+      # has to or else it wouldn't schedule any jobs
+      env: "production"
+      env_suffix: ""
+    tags: ['rabbit']
   # nfs client setup
   - role: nfs/client
     mnt_dir: '/var/lib/openqa/testresults'

roles/relvalconsumer/defaults/main.yml

@@ -1 +1,9 @@
 relvalconsumer_prod: false
+relvalconsumer_amqp_passive: false
+relvalconsumer_amqp_url: "amqps://fedora:@rabbitmq.fedoraproject.org/%2Fpublic_pubsub"
+relvalconsumer_amqp_cacert: /etc/fedora-messaging/cacert.pem
+relvalconsumer_amqp_key: /etc/fedora-messaging/fedora-key.pem
+relvalconsumer_amqp_cert: /etc/fedora-messaging/fedora-cert.pem
+relvalconsumer_amqp_routing_keys: ["org.fedoraproject.prod.pungi.compose.status.change"]
+relvalconsumer_amqp_mailfrom: "root@{{ external_hostname }}"
+relvalconsumer_amqp_smtp: localhost

roles/relvalconsumer/tasks/main.yml

@@ -4,14 +4,66 @@
 #
 # Required vars
 # - wikitcms_token
-##      string - a token file to install for unattended reporting to
-#                a wiki using openidc auth
+##      string - a token file to install for unattended wiki editing
+#                using openidc auth
+# - relvalconsumer_amqp_queue
+##      string - Message queue name for the consumer. To use the
+##               fedora-messaging scheduler with public authentication
+##               on the Fedora production AMQP broker (which is what
+##               you'd typically want), you only need to set this.
+##               This should be a unique and private string; the
+##               official recommendation is to use a random UUID
+##               generated by uuidgen.
 #
 # Required vars with defaults
 # - relvalconsumer_prod
 ##       bool - whether this is the production instance. **SHOULD ONLY
 ##              EVER BE TRUE ON ONE SYSTEM IN THE WORLD**
 ##       default - False
+# - relvalconsumer_amqp_passive
+##        bool - If true, passive_declares will be set true in all the
+##               fedora-messaging consumer configuration files. This
+##               is needed for private authentication on the Fedora
+##               brokers.
+##       default - False
+# - relvalconsumer_amqp_url
+##      string - AMQP broker URL for fedora-messaging job scheduler.
+##               The role default for this is the Fedora production
+##               broker with the shared 'fedora' username.
+# - relvalconsumer_amqp_cacert
+##      string - CA certificate file to use for authenticating with
+##               AMQP broker for fedora-messaging job scheduler.
+##               The role default for this is the CA cert file for the
+##               Fedora production broker.
+# - relvalconsumer_amqp_cert
+##      string - Certificate file to use for authenticating with AMQP
+##               broker for fedora-messaging job scheduler. The role
+##               default for this is the certificate file for the
+##               public 'fedora' account on the Fedora production
+##               broker.
+# - relvalconsumer_amqp_key
+##      string - Private key file to use for authenticating with AMQP
+##               broker for fedora-messaging job scheduler. The role
+##               default for this is the key file for the public
+##               'fedora' account on the Fedora production broker.
+# - relvalconsumer_amqp_routing_keys
+##        list - List of routing key names for the fedora-messaging
+##               scheduler to subscribe to. The role default for this
+##               is the appropriate keys for the Fedora production
+##               broker.
+# - relvalconsumer_amqp_mailfrom
+##      string - From email address for error report emails. Defaults
+##               to "root@{{ external_hostname }}". Only relevant if
+##               relvalconsumer_amqp_mailto is set.
+# - relvalconsumer_amqp_smtp
+##      string - Hostname of SMTP server to use for sending error
+##               emails. Defaults to 'localhost'. Only relevant if
+##               relvalconsumer_amqp_mailto is set.
+#
+# Optional vars
+# - relvalconsumer_amqp_mailto
+##        list - List of email addresses to email errors to. If set,
+##               the email log handler will be configured.
 
 # note: kept around for when we need packages from u-t
 #- name: Install required packages (testing)
@@ -25,7 +77,7 @@
   package:
     # 'relval' itself is needed as we call it directly for size
     # checking
-    name: ['python3-fedfind', 'python3-wikitcms', 'python3-fedmsg',
+    name: ['python3-fedfind', 'python3-wikitcms', 'fedora-messaging',
            'python3-mwclient', 'python3-setuptools', 'relval']
     state: present
   tags:
@@ -37,12 +89,9 @@
   tags:
   - packages
 
-# next two duplicated with openqa/dispatcher, but I kinda don't want to
-# move them up somewhere shared, I like the roles to be somewhat usable
+# duplicated with openqa/dispatcher, but I kinda don't want to move
+# this up somewhere shared, I like the roles to be somewhat usable
 # outside of Fedora infra...
-- name: Create /etc/fedora (credentials files location)
-  file: path=/etc/fedora state=directory owner=root group=fedmsg mode=0750
-
 # We actually want to handle the case where wikitcms_token isn't defined
 # even though it makes this role essentially do nothing, as we don't
 # really want openqa-stg creating stuff in the staging wiki all the
@@ -50,20 +99,11 @@
 - name: Create /root/.openidc (token file location for manual runs as root)
   file: path=/root/.openidc state=directory owner=root group=root mode=0700
 
-- name: Create /usr/share/fedmsg/.openidc (token file location for fedmsg consumer runs)
-  file: path=/usr/share/fedmsg/.openidc state=directory owner=root group=fedmsg mode=0770
-
 #- name: Write wikitcms token file for root
 #  copy: src={{ wikitcms_token }} dest=/root/.openidc/oidc_wikitcms.json owner=root group=root mode=0600
 #  when: "wikitcms_token is defined"
 #  tags:
 #  - config
-#
-#- name: Write wikitcms token file for fedmsg
-#  copy: src={{ wikitcms_token }} dest=/usr/share/fedmsg/.openidc/oidc_wikitcms.json owner=root group=fedmsg mode=0660
-#  when: "wikitcms_token is defined"
-#  tags:
-#  - config
 
 - name: Check out relvalconsumer
   git:
@@ -77,12 +117,58 @@
     chdir: /root/relvalconsumer
   when: "gitrvc is changed"
   notify:
-  - restart fedmsg-hub
+  - restart relvalconsumer
 
-- name: Enable fedmsg consumer
-  template: src=relvalconsumer.py.j2 dest=/etc/fedmsg.d/relvalconsumer.py owner=root group=root mode=0644
-  when: "wikitcms_token is defined"
+- name: Create /etc/pki/fedora-messaging
+  file:
+    dest: /etc/pki/fedora-messaging
+    mode: 0775
+    owner: root
+    group: root
+    state: directory
+  when: "deployment_type is defined"
+  tags:
+  - config
+
+# We always use the openQA production cert and key here for now; we
+# don't really need a separate identity for relvalconsumer. We don't
+# use the staging identity as even staging relvalconsumer listens on
+# the prod bus.
+- name: Deploy the Fedora infra fedora-messaging cert (openQA production)
+  copy:
+    src: "{{ private }}/files/rabbitmq/production/pki/issued/openqa.crt"
+    dest: /etc/pki/fedora-messaging/openqa-cert.pem
+    mode: 0644
+    owner: root
+    group: root
+  when: "deployment_type is defined"
+  tags:
+  - config
+
+- name: Deploy the Fedora infra fedora-messaging key
+  copy:
+    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
+    dest: /etc/pki/fedora-messaging/openqa-key.pem
+    mode: 0600
+    owner: root
+    group: root
+  when: "deployment_type is defined"
+  tags:
+  - config
+
+- name: Configure fedora-messaging relvalconsumer
+  template: src=relvalconsumer.toml.j2 dest=/etc/fedora-messaging/relvalconsumer.toml owner=root group=root mode=0640
+  notify:
+  - restart relvalconsumer
+  tags:
+  - config
+
+- name: Wipe the old fedmsg consumer config file
+  file: path=/etc/fedmsg.d/relvalconsumer.py state=absent
   notify:
   - restart fedmsg-hub
   tags:
   - config
+
+- name: Enable and start fedora-messaging relvalconsumer
+  service: name=fm-consumer@relvalconsumer enabled=yes state=started

roles/relvalconsumer/templates/relvalconsumer.toml.j2

@@ -0,0 +1,113 @@
+# fedora-messaging consumer configuration file for relvalconsumer
+# (release validation event creator). See relvalconsumer main.yml
+# comments for details on the variables that must be set here.
+#
+# This file is in the TOML format.
+
+amqp_url = "{{ relvalconsumer_amqp_url }}"
+{% if relvalconsumer_amqp_passive|bool %}
+passive_declares = true
+{% endif %}
+callback = "relvalconsumer:RelvalConsumer"
+
+[tls]
+ca_cert = "{{ relvalconsumer_amqp_cacert }}"
+keyfile = "{{ relvalconsumer_amqp_key }}"
+certfile = "{{ relvalconsumer_amqp_cert }}"
+
+[client_properties]
+app = "Fedora release validation event creator (relvalconsumer)"
+app_url = "https://pagure.io/fedora-qa/relvalconsumer"
+app_contacts_email = ["adamwill@fedoraproject.org", "lruzicka@redhat.com", "qa-devel@lists.fedoraproject.org"]
+
+[exchanges."amq.topic"]
+type = "topic"
+durable = true
+auto_delete = false
+arguments = {}
+
+[queues."{{ relvalconsumer_amqp_queue }}"]
+durable = false
+auto_delete = true
+exclusive = true
+arguments = {}
+
+[[bindings]]
+queue = "{{ relvalconsumer_amqp_queue }}"
+exchange = "amq.topic"
+routing_keys = [{% for key in relvalconsumer_amqp_routing_keys %}"{{ key }}",{% endfor %}]
+# need this to receive messages from ZMQ->AMQP bridge
+[[bindings]]
+queue = "{{ relvalconsumer_amqp_queue }}"
+exchange = "zmq.topic"
+routing_keys = [{% for key in relvalconsumer_amqp_routing_keys %}"{{ key }}",{% endfor %}]
+
+[consumer_config]
+relval_prod = {{ relvalconsumer_prod }}
+
+[qos]
+prefetch_size = 0
+prefetch_count = 25
+
+[log_config]
+version = 1
+disable_existing_loggers = true
+
+[log_config.formatters.simple]
+format = "[%(levelname)s %(name)s] %(message)s"
+
+[log_config.handlers.console]
+class = "logging.StreamHandler"
+formatter = "simple"
+stream = "ext://sys.stdout"
+
+{% if relvalconsumer_amqp_mailto is defined %}
+[log_config.handlers.email]
+class = "logging.handlers.SMTPHandler"
+formatter = "simple"
+level = "ERROR"
+mailhost = "{{ relvalconsumer_amqp_smtp }}"
+fromaddr = "{{ relvalconsumer_amqp_mailfrom }}"
+toaddrs = [{% for key in relvalconsumer_amqp_mailto %}"{{ key }}",{% endfor %}]
+subject = "openQA scheduler error"
+{% endif %}
+
+[log_config.loggers.RelvalConsumer]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.fedora_messaging]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.twisted]
+level = "INFO"
+propagate = false
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}
+
+[log_config.loggers.pika]
+level = "WARNING"
+propagate = false
+handlers = ["console"]
+
+[log_config.root]
+level = "ERROR"
+{% if relvalconsumer_amqp_mailto is defined %}
+handlers = ["console", "email"]
+{% else %}
+handlers = ["console"]
+{% endif %}