Mutualize the ipa client config in openshift

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2020-08-20 11:07:49 +02:00 · 2020-08-20 11:07:49 +02:00 · b7e08d6d48
commit b7e08d6d48
parent a65d4589d0
9 changed files with 59 additions and 34 deletions
--- a/playbooks/openshift-apps/noggin.yml
+++ b/playbooks/openshift-apps/noggin.yml
@ -10,16 +10,6 @@

  vars:

-  pre_tasks:
-  - name: Get the IPA CA cert
-    slurp:
-      src: /etc/ipa/ca.crt
-    delegate_to: "{{ ipa_server }}"
-    register: ipa_ca_cert_var
-  - name: Register the IPA CA cert in a fact
-    set_fact:
-      ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}"
-
  roles:
  # RabbitMQ is not redeployed in staging yet
  # - role: rabbit/user
@ -65,30 +55,40 @@
  - role: openshift/imagestream
    app: noggin
    imagename: noggin
+
  - role: openshift/object
    app: noggin
    template: buildconfig.yml
    objectname: buildconfig.yml
+
  - role: openshift/object
    app: noggin
    template: configmap.yml
    objectname: configmap.yml
+
+  - role: openshift/ipa-client
+    app: noggin
+
  - role: openshift/object
    app: noggin
    file: service.yml
    objectname: service.yml
+
  - role: openshift/object
    app: noggin
    template: route.yml
    objectname: route.yml
+
  - role: openshift/object
    app: noggin
    template: secrets.yml
    objectname: secrets.yml
+
  - role: openshift/object
    app: noggin
    template: secret-webhook.yml
    objectname: secret-webhook.yml
+
  - role: openshift/object
    app: noggin
    template: deploymentconfig.yml
--- a/roles/openshift-apps/noggin/templates/configmap.yml
+++ b/roles/openshift-apps/noggin/templates/configmap.yml
@ -34,14 +34,3 @@ items:
  data:
    config.toml: |-
      {{ load_file('fedora-messaging.toml') | indent(6) }}
- apiVersion: v1
-  kind: ConfigMap
-  metadata:
-    name: ipa-config
-  data:
-    ldap.conf: |-
-      {{ load_file('ipa-ldap.conf') | indent(6) }}
-    default.conf: |-
-      {{ load_file('ipa-default.conf') | indent(6) }}
-    ca.crt: |-
-      {{ ipa_ca_cert | indent(6) }}
--- a/roles/openshift-apps/noggin/templates/deploymentconfig.yml
+++ b/roles/openshift-apps/noggin/templates/deploymentconfig.yml
@ -107,7 +107,7 @@ spec:
          secretName: fedora-messaging-key
      - name: ipa-config-volume
        configMap:
-          name: ipa-config
+          name: ipa-client-config
  triggers:
  - imageChangeParams:
      automatic: true
--- a/roles/openshift-apps/noggin/templates/fedora-messaging.toml
+++ b/roles/openshift-apps/noggin/templates/fedora-messaging.toml
@ -1,7 +1,15 @@
 amqp_url = "amqps://noggin:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
+
+# Just check if the queue exist, don't try to create it (the server does not allow it).
 passive_declares = true
-publish_exchange = "amq.topic"
-topic_prefix = ""
+
+# The topic_prefix configuration value will add a prefix to the topics of every sent message.
+# This is used for migrating from fedmsg, and should not be used afterwards.
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}

 [tls]
 ca_cert = "/etc/pki/fedora-messaging/cacert.pem"
--- a/roles/openshift-apps/noggin/templates/ipa-ldap.conf
+++ b/roles/openshift-apps/noggin/templates/ipa-ldap.conf
@ -1,9 +0,0 @@
-SASL_NOCANON	on
-URI ldaps://{{ ipa_server }}
-{% if env == "staging" %}
-BASE dc=stg,dc=fedoraproject,dc=org
-{% else %}
-BASE dc=fedoraproject,dc=org
-{% endif %}
-TLS_CACERT /etc/ipa/ca.crt
-SASL_MECH GSSAPI
--- a/roles/openshift/ipa-client/tasks/main.yml
+++ b/roles/openshift/ipa-client/tasks/main.yml
@ -0,0 +1,19 @@
+- name: Get the IPA CA cert
+  slurp:
+    src: /etc/ipa/ca.crt
+  delegate_to: "{{ ipa_server }}"
+  register: ipa_ca_cert_var
+
+- name: Register the IPA CA cert in a fact
+  set_fact:
+    ipa_ca_cert: "{{ ipa_ca_cert_var.content | b64decode }}"
+
+- name: Copy ipa config template to temporary file
+  template:
+    src: "{{roles_path}}/openshift/ipa-client/templates/configmap.yml"
+    dest: "/etc/openshift_apps/{{app}}/configmap-ipa-client.yml"
+  register: object_template
+
+- name: Call `oc apply` on the copied file
+  shell: oc -n {{app}} apply -f /etc/openshift_apps/{{app}}/configmap-ipa-client.yml
+  when: object_template.changed or object_template_fullpath.changed or object_file.changed
--- a/roles/openshift/ipa-client/templates/configmap.yml
+++ b/roles/openshift/ipa-client/templates/configmap.yml
@ -0,0 +1,13 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ipa-client-config
+data:
+  ldap.conf: |-
+    {{ load_file('ldap.conf') | indent(6) }}
+  default.conf: |-
+    {{ load_file('default.conf') | indent(6) }}
+  ca.crt: |-
+    {{ ipa_ca_cert | indent(6) }}
--- a/roles/openshift-apps/noggin/templates/ipa-default.conf
+++ b/roles/openshift-apps/noggin/templates/ipa-default.conf
@ -1,5 +1,5 @@
 [global]
-basedn = dc=freeipa-dev,dc=fedoraproject,dc=org
+basedn = {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
 realm = {{ ipa_realm }}
 domain = {{ ipa_realm | lower }}
 server = {{ ipa_server }}
--- a/roles/openshift/ipa-client/templates/ldap.conf
+++ b/roles/openshift/ipa-client/templates/ldap.conf
@ -0,0 +1,5 @@
+SASL_NOCANON	on
+URI ldaps://{{ ipa_server }}
+BASE {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+TLS_CACERT /etc/ipa/ca.crt
+SASL_MECH GSSAPI