FMN: setup the fmn vhost in rabbitmq

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2022-11-21 10:30:21 +01:00 · 2022-11-21 10:30:21 +01:00 · c8c4dfe72c
commit c8c4dfe72c
parent ac0f56446d
3 changed files with 148 additions and 9 deletions
--- a/playbooks/openshift-apps/fmn.yml
+++ b/playbooks/openshift-apps/fmn.yml
@ -19,6 +19,76 @@
        owner: fmn
        encoding: UTF-8

+- name: setup RabbitMQ
+  hosts: rabbitmq[0]:rabbitmq_stg[0]
+  user: root
+  gather_facts: False
+
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+    - role: rabbit/queue
+      username: "fmn{{ env_suffix }}"
+      queue_name: "fmn{{ env_suffix }}"
+      routing_keys:
+        - "#"
+      thresholds:
+        warning: 50
+        critical: 500
+      sent_topics: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
+      tags:
+        - config
+        - fedora-messaging
+        - rabbitmq_cluster
+
+    - role: rabbit/vhost
+      vhost: /fmn
+      tags:
+        - config
+        - fedora-messaging
+        - rabbitmq_cluster
+
+    - role: rabbit/queue
+      username: fmn
+      vhost: /fmn
+      queue_name: email
+      thresholds:
+        warning: 10
+        critical: 100
+      tags:
+        - config
+        - fedora-messaging
+        - rabbitmq_cluster
+
+    - role: rabbit/queue
+      username: fmn
+      vhost: /fmn
+      queue_name: irc
+      # message_ttl: 300000
+      thresholds:
+        warning: 10
+        critical: 100
+      tags:
+        - config
+        - fedora-messaging
+        - rabbitmq_cluster
+
+  tasks:
+    - name: Grant the fmn user access to the fmn vhost
+      rabbitmq_user:
+        user: "fmn{{ env_suffix }}"
+        vhost: /fmn
+        configure_priv: .*
+        read_priv: .*
+        write_priv: .*
+      tags:
+        - config
+        - fedora-messaging
+        - rabbitmq_cluster
+
 - name: make the app be real
  # Only staging for now
  # hosts: os_control_stg:os_control
@ -102,15 +172,6 @@
      objectname: secret-webhook.yml

    # Fedora Messaging
-    - role: rabbit/queue
-      username: "fmn{{ env_suffix }}"
-      queue_name: "fmn{{ env_suffix }}"
-      routing_keys:
-        - "#"
-      thresholds:
-        warning: 50
-        critical: 500
-      sent_topics: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
    - role: openshift/secret-file
      app: fmn
      secret_name: fedora-messaging-ca
--- a/roles/rabbit/vhost/defaults/main.yml
+++ b/roles/rabbit/vhost/defaults/main.yml
@ -0,0 +1 @@
+rabbitmq_server: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
--- a/roles/rabbit/vhost/tasks/main.yml
+++ b/roles/rabbit/vhost/tasks/main.yml
@ -0,0 +1,77 @@
+---
+# Ensure a virtual host exists in RabbitMQ with a cluster replication policy.
+# This is intended to be something most applications can use, but if you need
+# more flexibility, just use the rabbitmq_vhost module directly.
+#
+# Required parameters:
+#
+#   - vhost (str): the virtual host to create in RabbitMQ.
+
+- name: Validate parameters
+  assert:
+    that:
+      - vhost != "/pubsub"
+      - vhost != "/public_pubsub"
+    fail_msg: "This virtual host name is reserved"
+  tags:
+    - config
+    - fedora-messaging
+    - rabbitmq_cluster
+
+- name: Configure the virtual host
+  run_once: true
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_vhost:
+    name: "{{ vhost }}"
+    state: present
+  tags:
+    - config
+    - fedora-messaging
+    - rabbitmq_cluster
+
+- name: Configure the HA policy for the queues
+  run_once: true
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_policy:
+    name: HA
+    apply_to: queues
+    pattern: .*
+    tags:
+      ha-mode: all
+      ha-sync-mode: automatic # Auto sync queues to new cluster members
+      ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime
+    vhost: "{{ vhost }}"
+  tags:
+    - config
+    - fedora-messaging
+    - rabbitmq_cluster
+
+- name: Grant the admin user access to the vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_user:
+    user: admin
+    vhost: "{{ vhost }}"
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+    tags: administrator
+  tags:
+    - config
+    - fedora-messaging
+    - rabbitmq_cluster
+
+- name: Grant the nagios-monitoring user access to the vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_user:
+    user: nagios-monitoring
+    vhost: "{{ vhost }}"
+    configure_priv: "^$"
+    read_priv: "^$"
+    write_priv: "^$"
+    tags: monitoring
+  tags:
+    - config
+    - fedora-messaging
+    - rabbitmq_cluster
				`@ -0,0 +1 @@`
				`rabbitmq_server: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"`