diff --git a/playbooks/openshift-apps/noggin.yml b/playbooks/openshift-apps/noggin.yml index 6fc10c62d3..570df44cfa 100644 --- a/playbooks/openshift-apps/noggin.yml +++ b/playbooks/openshift-apps/noggin.yml @@ -10,16 +10,6 @@ vars: - pre_tasks: - - name: Get the IPA CA cert - slurp: - src: /etc/ipa/ca.crt - delegate_to: "{{ ipa_server }}" - register: ipa_ca_cert_var - - name: Register the IPA CA cert in a fact - set_fact: - ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}" - roles: # RabbitMQ is not redeployed in staging yet # - role: rabbit/user @@ -65,30 +55,40 @@ - role: openshift/imagestream app: noggin imagename: noggin + - role: openshift/object app: noggin template: buildconfig.yml objectname: buildconfig.yml + - role: openshift/object app: noggin template: configmap.yml objectname: configmap.yml + + - role: openshift/ipa-client + app: noggin + - role: openshift/object app: noggin file: service.yml objectname: service.yml + - role: openshift/object app: noggin template: route.yml objectname: route.yml + - role: openshift/object app: noggin template: secrets.yml objectname: secrets.yml + - role: openshift/object app: noggin template: secret-webhook.yml objectname: secret-webhook.yml + - role: openshift/object app: noggin template: deploymentconfig.yml diff --git a/roles/openshift-apps/noggin/templates/configmap.yml b/roles/openshift-apps/noggin/templates/configmap.yml index b8049c6a3a..1268d82e27 100644 --- a/roles/openshift-apps/noggin/templates/configmap.yml +++ b/roles/openshift-apps/noggin/templates/configmap.yml @@ -34,14 +34,3 @@ items: data: config.toml: |- {{ load_file('fedora-messaging.toml') | indent(6) }} -- apiVersion: v1 - kind: ConfigMap - metadata: - name: ipa-config - data: - ldap.conf: |- - {{ load_file('ipa-ldap.conf') | indent(6) }} - default.conf: |- - {{ load_file('ipa-default.conf') | indent(6) }} - ca.crt: |- - {{ ipa_ca_cert | indent(6) }} 
diff --git a/roles/openshift-apps/noggin/templates/deploymentconfig.yml b/roles/openshift-apps/noggin/templates/deploymentconfig.yml index 01f3195f4b..6ead224b41 100644 --- a/roles/openshift-apps/noggin/templates/deploymentconfig.yml +++ b/roles/openshift-apps/noggin/templates/deploymentconfig.yml @@ -107,7 +107,7 @@ spec: secretName: fedora-messaging-key - name: ipa-config-volume configMap: - name: ipa-config + name: ipa-client-config triggers: - imageChangeParams: automatic: true diff --git a/roles/openshift-apps/noggin/templates/fedora-messaging.toml b/roles/openshift-apps/noggin/templates/fedora-messaging.toml index 385114d6df..e1c9313743 100644 --- a/roles/openshift-apps/noggin/templates/fedora-messaging.toml +++ b/roles/openshift-apps/noggin/templates/fedora-messaging.toml @@ -1,7 +1,15 @@ amqp_url = "amqps://noggin:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub" + +# Just check if the queue exist, don't try to create it (the server does not allow it). passive_declares = true -publish_exchange = "amq.topic" -topic_prefix = "" + +# The topic_prefix configuration value will add a prefix to the topics of every sent message. +# This is used for migrating from fedmsg, and should not be used afterwards. +{% if env == "staging" %} +topic_prefix = "org.fedoraproject.stg" +{% else %} +topic_prefix = "org.fedoraproject.prod" +{% endif %} [tls] ca_cert = "/etc/pki/fedora-messaging/cacert.pem" diff --git a/roles/openshift-apps/noggin/templates/ipa-ldap.conf b/roles/openshift-apps/noggin/templates/ipa-ldap.conf deleted file mode 100644 index 7677d9d231..0000000000 --- a/roles/openshift-apps/noggin/templates/ipa-ldap.conf +++ /dev/null @@ -1,9 +0,0 @@ -SASL_NOCANON on -URI ldaps://{{ ipa_server }} -{% if env == "staging" %} -BASE dc=stg,dc=fedoraproject,dc=org -{% else %} -BASE dc=fedoraproject,dc=org -{% endif %} -TLS_CACERT /etc/ipa/ca.crt -SASL_MECH GSSAPI 
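Review bot: The new comment above `topic_prefix` says the setting is a fedmsg-migration shim that "should not be used afterwards", yet the hunk sets it unconditionally for both staging and production with nothing that tells a later maintainer when it becomes safe to remove. Tie the comment to a concrete condition, e.g. `# TODO: drop topic_prefix once no fedmsg consumers depend on the org.fedoraproject.* topics noggin publishes`. The hunk also deletes `publish_exchange = "amq.topic"` with no replacement, which presumably relies on fedora-messaging's built-in default being the same exchange; a one-line comment such as `# publish_exchange is left at the library default (amq.topic)` would keep the omission from being read as an accident.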
diff --git a/roles/openshift/ipa-client/tasks/main.yml b/roles/openshift/ipa-client/tasks/main.yml new file mode 100644 index 0000000000..ab7c1571fe --- /dev/null +++ b/roles/openshift/ipa-client/tasks/main.yml @@ -0,0 +1,19 @@ +- name: Get the IPA CA cert + slurp: + src: /etc/ipa/ca.crt + delegate_to: "{{ ipa_server }}" + register: ipa_ca_cert_var + +- name: Register the IPA CA cert in a fact + set_fact: + ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}" + +- name: Copy ipa config template to temporary file + template: + src: "{{roles_path}}/openshift/ipa-client/templates/configmap.yml" + dest: "/etc/openshift_apps/{{app}}/configmap-ipa-client.yml" + register: object_template + +- name: Call `oc apply` on the copied file + shell: oc -n {{app}} apply -f /etc/openshift_apps/{{app}}/configmap-ipa-client.yml + when: object_template.changed or object_template_fullpath.changed or object_file.changed diff --git a/roles/openshift/ipa-client/templates/configmap.yml b/roles/openshift/ipa-client/templates/configmap.yml new file mode 100644 index 0000000000..66094ff5c4 --- /dev/null +++ b/roles/openshift/ipa-client/templates/configmap.yml @@ -0,0 +1,13 @@ +{% macro load_file(filename) %}{% include filename %}{%- endmacro -%} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ipa-client-config +data: + ldap.conf: |- + {{ load_file('ldap.conf') | indent(6) }} + default.conf: |- + {{ load_file('default.conf') | indent(6) }} + ca.crt: |- + {{ ipa_ca_cert | indent(6) }} diff --git a/roles/openshift-apps/noggin/templates/ipa-default.conf b/roles/openshift/ipa-client/templates/default.conf similarity index 71% rename from roles/openshift-apps/noggin/templates/ipa-default.conf rename to roles/openshift/ipa-client/templates/default.conf index d1066f5160..9181d59067 100644 --- a/roles/openshift-apps/noggin/templates/ipa-default.conf +++ b/roles/openshift/ipa-client/templates/default.conf 
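Review bot: The `when:` on the final `oc apply` task tests `object_template_fullpath.changed` and `object_file.changed`, but neither name is registered anywhere in this role — only `object_template` is. Because Jinja's `or` short-circuits, the task works whenever the template changed, but on every run where it did not, Ansible has to evaluate the two undefined names and the task fails with an undefined-variable error, unless an `openshift/object` role that ran earlier in the same play happened to leave registers with those names behind, which makes this role's behaviour depend on what ran before it. The condition should simply be `when: object_template.changed`. The apply step also does not need `shell:`; `command: oc -n "{{ app }}" apply -f "/etc/openshift_apps/{{ app }}/configmap-ipa-client.yml"` avoids passing a templated value through a shell and is the form ansible-lint asks for. Finally, `src: "{{roles_path}}/openshift/ipa-client/templates/configmap.yml"` can be `src: configmap.yml`, since `template` already resolves bare names against the role's own `templates/` directory and that removes the dependence on an externally defined `roles_path`.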
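Review bot: The `ca.crt` key in this ConfigMap is a TLS trust anchor rather than ordinary configuration: the companion `ldap.conf` in this role points `TLS_CACERT /etc/ipa/ca.crt` at it, so anyone who can patch `ipa-client-config` in the project can substitute a CA and place themselves in the path of the app's LDAPS traffic. A ConfigMap is the right home for a public certificate, but that role should be stated in the template so the object is not treated as harmless, e.g. `# ca.crt is the public IPA CA, but it is the trust anchor for ldaps:// — treat write access to this ConfigMap as security-sensitive.` Whether the mount in the deployment config actually lands this file at `/etc/ipa/ca.crt` is not visible in this hunk and is worth confirming.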
@@ -1,5 +1,5 @@ [global] -basedn = dc=freeipa-dev,dc=fedoraproject,dc=org +basedn = {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org realm = {{ ipa_realm }} domain = {{ ipa_realm | lower }} server = {{ ipa_server }} diff --git a/roles/openshift/ipa-client/templates/ldap.conf b/roles/openshift/ipa-client/templates/ldap.conf new file mode 100644 index 0000000000..ecc6a3cc94 --- /dev/null +++ b/roles/openshift/ipa-client/templates/ldap.conf @@ -0,0 +1,5 @@ +SASL_NOCANON on +URI ldaps://{{ ipa_server }} +BASE {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org +TLS_CACERT /etc/ipa/ca.crt +SASL_MECH GSSAPI
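Review bot: The `basedn` expression `{% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org` now appears verbatim both here and in `ldap.conf` of the same role, so a new environment or a suffix change has to be edited in two places and the two files can silently disagree about which tree the client binds to. Derive it once — a role default such as `ipa_basedn: "{{ 'dc=stg,' if env == 'staging' else '' }}dc=fedoraproject,dc=org"` — and write `basedn = {{ ipa_basedn }}` here. Whether `[global]` has further keys after `server` is not visible in this hunk.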
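Review bot: `ldap.conf` pins `TLS_CACERT` but leaves `TLS_REQCERT` to the client library's compiled-in default; that setting is the one that decides whether an untrusted server certificate aborts the connection, so for a file whose purpose is to fix the LDAPS trust model it should be explicit: add `TLS_REQCERT demand` directly after the `TLS_CACERT` line. Keep in mind that OpenLDAP also honours `LDAPTLS_REQCERT` from the process environment, which takes precedence over this file, so the pod spec (outside this hunk) must not set it to `never` or `allow`. As in `default.conf`, the inline `{% if env == "staging" %}dc=stg,{% endif %}` on the `BASE` line duplicates the same conditional and would be better fed from a single `ipa_basedn` variable, e.g. `BASE {{ ipa_basedn }}`.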