From c8c4dfe72cab18724af6f54d92739ffdc2f382a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Mon, 21 Nov 2022 10:30:21 +0100
Subject: [PATCH] FMN: setup the fmn vhost in rabbitmq
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
 playbooks/openshift-apps/fmn.yml | 79 ++++++++++++++++++++++++----
 roles/rabbit/vhost/defaults/main.yml | 1 +
 roles/rabbit/vhost/tasks/main.yml | 77 +++++++++++++++++++++++++++
 3 files changed, 148 insertions(+), 9 deletions(-)
 create mode 100644 roles/rabbit/vhost/defaults/main.yml
 create mode 100644 roles/rabbit/vhost/tasks/main.yml
diff --git a/playbooks/openshift-apps/fmn.yml b/playbooks/openshift-apps/fmn.yml
index 8d875d9b22..6a2b098f17 100644
--- a/playbooks/openshift-apps/fmn.yml
+++ b/playbooks/openshift-apps/fmn.yml
@@ -19,6 +19,76 @@
 owner: fmn
 encoding: UTF-8
+- name: setup RabbitMQ
+ hosts: rabbitmq[0]:rabbitmq_stg[0]
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - role: rabbit/queue
+ username: "fmn{{ env_suffix }}"
+ queue_name: "fmn{{ env_suffix }}"
+ routing_keys:
+ - "#"
+ thresholds:
+ warning: 50
+ critical: 500
+ sent_topics: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+ - role: rabbit/vhost
+ vhost: /fmn
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+ - role: rabbit/queue
+ username: fmn
+ vhost: /fmn
+ queue_name: email
+ thresholds:
+ warning: 10
+ critical: 100
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+ - role: rabbit/queue
+ username: fmn
+ vhost: /fmn
+ queue_name: irc
+ # message_ttl: 300000
+ thresholds:
+ warning: 10
+ critical: 100
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+ tasks:
+ - name: Grant the fmn user access to the fmn vhost
+ rabbitmq_user:
+ user: "fmn{{ env_suffix }}"
+ vhost: /fmn
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
 - name: make the app be real
 # Only staging for now
 # hosts: os_control_stg:os_control
@@ -102,15 +172,6 @@
 objectname: secret-webhook.yml
 # Fedora Messaging
- - role: rabbit/queue
- username: "fmn{{ env_suffix }}"
- queue_name: "fmn{{ env_suffix }}"
- routing_keys:
- - "#"
- thresholds:
- warning: 50
- critical: 500
- sent_topics: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
 - role: openshift/secret-file
 app: fmn
 secret_name: fedora-messaging-ca
diff --git a/roles/rabbit/vhost/defaults/main.yml b/roles/rabbit/vhost/defaults/main.yml
new file mode 100644
index 0000000000..7f8d3fe590
--- /dev/null
+++ b/roles/rabbit/vhost/defaults/main.yml
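Review bot: In playbooks/openshift-apps/fmn.yml, the closing `Grant the fmn user access to the fmn vhost` task grants `fmn{{ env_suffix }}`, while the two `rabbit/queue` entries for `/fmn` pass `username: fmn`. Wherever `env_suffix` is non-empty these name different accounts, so the `email` and `irc` queues may be set up for a user that never receives the grant. The role is not visible here, so please confirm which name it expects and use the same expression in all three places. The grant is also `.*` for configure, read and write; if the application only uses the two pre-declared queues, a narrower pattern such as `configure_priv: "^$"` would limit what a compromised client could declare or delete in the vhost.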
@@ -0,0 +1 @@
+rabbitmq_server: "rabbitmq01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
diff --git a/roles/rabbit/vhost/tasks/main.yml b/roles/rabbit/vhost/tasks/main.yml
new file mode 100644
index 0000000000..3ca1390c97
--- /dev/null
+++ b/roles/rabbit/vhost/tasks/main.yml
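Review bot: roles/rabbit/vhost/defaults/main.yml has no comment saying what `rabbitmq_server` is for, or that it needs `env_suffix` and `datacenter` from the calling play; the header of the role's tasks file lists only `vhost` as a parameter. I would add `# Node the role's tasks are delegated to; requires env_suffix and datacenter from the play's vars.` above the line. Starting the file with `---`, as the tasks file in this commit does, would also keep the two consistent.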
@@ -0,0 +1,77 @@
+---
+# Ensure a virtual host exists in RabbitMQ with a cluster replication policy.
+# This is intended to be something most applications can use, but if you need
+# more flexibility, just use the rabbitmq_vhost module directly.
+#
+# Required parameters:
+#
+# - vhost (str): the virtual host to create in RabbitMQ.
+
+- name: Validate parameters
+ assert:
+ that:
+ - vhost != "/pubsub"
+ - vhost != "/public_pubsub"
+ fail_msg: "This virtual host name is reserved"
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+- name: Configure the virtual host
+ run_once: true
+ delegate_to: "{{ rabbitmq_server }}"
+ rabbitmq_vhost:
+ name: "{{ vhost }}"
+ state: present
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+- name: Configure the HA policy for the queues
+ run_once: true
+ delegate_to: "{{ rabbitmq_server }}"
+ rabbitmq_policy:
+ name: HA
+ apply_to: queues
+ pattern: .*
+ tags:
+ ha-mode: all
+ ha-sync-mode: automatic # Auto sync queues to new cluster members
+ ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime
+ vhost: "{{ vhost }}"
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+- name: Grant the admin user access to the vhost
+ run_once: true
+ delegate_to: "{{ rabbitmq_server }}"
+ rabbitmq_user:
+ user: admin
+ vhost: "{{ vhost }}"
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags: administrator
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
+
+- name: Grant the nagios-monitoring user access to the vhost
+ run_once: true
+ delegate_to: "{{ rabbitmq_server }}"
+ rabbitmq_user:
+ user: nagios-monitoring
+ vhost: "{{ vhost }}"
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ tags: monitoring
+ tags:
+ - config
+ - fedora-messaging
+ - rabbitmq_cluster
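Review bot: In roles/rabbit/vhost/tasks/main.yml, it is worth checking how the deployed `rabbitmq_user` module treats the top-level `vhost`/`*_priv` form used in the last two tasks for `admin` and `nagios-monitoring`. Some versions take it as the user's complete permission set and clear grants on vhosts not named, which for these two shared accounts could mean losing access to the existing vhosts whenever the role runs for a new one. If that applies here, the grant needs a form that lists every vhost the account should keep. Separately, the `Validate parameters` assert only rejects the two reserved names although the header marks `vhost` as required; adding `- vhost is defined` and `- vhost | length > 0` to `that:` would make a missing value fail there rather than in the delegated tasks.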