From e564d0c2daa2e015b7076c2d6253957ad9ec7fb4 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 4 Apr 2024 14:46:19 -0400 Subject: [PATCH] Add a role and playbook for the cloud-image-uploader This app is an AMQP client that uploads VM images to public clouds. It currently supports Azure images. Ref: https://pagure.io/fedora-infrastructure/issue/11860 --- .../openshift-apps/cloud-image-uploader.yml | 77 +++++++++++++ .../files/imagestream.yml | 11 ++ .../templates/buildconfig.yml | 31 ++++++ .../templates/config.toml | 101 ++++++++++++++++++ .../templates/configmap.yml | 15 +++ .../templates/deployment.yml | 79 ++++++++++++++ .../cloud-image-uploader/templates/secret.yml | 17 +++ 7 files changed, 331 insertions(+) create mode 100644 playbooks/openshift-apps/cloud-image-uploader.yml create mode 100644 roles/openshift-apps/cloud-image-uploader/files/imagestream.yml create mode 100644 roles/openshift-apps/cloud-image-uploader/templates/buildconfig.yml create mode 100644 roles/openshift-apps/cloud-image-uploader/templates/config.toml create mode 100644 roles/openshift-apps/cloud-image-uploader/templates/configmap.yml create mode 100644 roles/openshift-apps/cloud-image-uploader/templates/deployment.yml create mode 100644 roles/openshift-apps/cloud-image-uploader/templates/secret.yml diff --git a/playbooks/openshift-apps/cloud-image-uploader.yml b/playbooks/openshift-apps/cloud-image-uploader.yml new file mode 100644 index 0000000000..80965b3aff --- /dev/null +++ b/playbooks/openshift-apps/cloud-image-uploader.yml 
@@ -0,0 +1,77 @@ +- name: make the app be real + hosts: os_control_stg + user: root + gather_facts: False + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: rabbit/queue + username: "cloud-image-uploader" + queue_name: "cloud-image-uploader" + routing_keys: + - "org.fedoraproject.{{ env }}.buildsys.build.state.change" + thresholds: + warning: 10 + critical: 50 + + - role: openshift/project + app: cloud-image-uploader + description: AMQP consumer that uploads Cloud images to cloud providers + appowners: + - jcline + + - role: openshift/object + app: cloud-image-uploader + file: imagestream.yml + objectname: imagestream.yml + + - role: openshift/object + app: cloud-image-uploader + template: buildconfig.yml + objectname: buildconfig.yml + + - role: openshift/object + app: cloud-image-uploader + template: configmap.yml + objectname: configmap.yml + + - role: openshift/secret-file + app: cloud-image-uploader + secret_name: cloud-image-uploader-fedora-messaging-key + key: cloud-image-uploader.key + privatefile: "rabbitmq/{{env}}/pki/private/cloud-image-uploader{{env_suffix}}.key" + + - role: openshift/secret-file + app: cloud-image-uploader + secret_name: cloud-image-uploader-fedora-messaging-crt + key: cloud-image-uploader.crt + privatefile: "rabbitmq/{{env}}/pki/issued/cloud-image-uploader{{env_suffix}}.crt" + + - role: openshift/secret-file + app: cloud-image-uploader + secret_name: cloud-image-uploader-fedora-messaging-ca + key: cloud-image-uploader.ca + privatefile: "rabbitmq/{{env}}/pki/ca.crt" + + - role: openshift/object + app: cloud-image-uploader + template: secret.yml + objectname: secret.yml + + - role: openshift/start-build + app: cloud-image-uploader + buildname: cloud-image-uploader-build + objectname: cloud-image-uploader-build + + - role: openshift/object + app: cloud-image-uploader + file: deployment.yml + objectname: 
deployment.yml + + - role: openshift/rollout + app: cloud-image-uploader + dcname: cloud-image-uploader diff --git a/roles/openshift-apps/cloud-image-uploader/files/imagestream.yml b/roles/openshift-apps/cloud-image-uploader/files/imagestream.yml new file mode 100644 index 0000000000..4ed34108a1 --- /dev/null +++ b/roles/openshift-apps/cloud-image-uploader/files/imagestream.yml @@ -0,0 +1,11 @@ +--- +apiVersion: image.openshift.io/v1 +items: + - apiVersion: image.openshift.io/v1 + kind: ImageStream + metadata: + name: cloud-image-uploader + labels: + build: cloud-image-uploader +kind: List +metadata: {} diff --git a/roles/openshift-apps/cloud-image-uploader/templates/buildconfig.yml b/roles/openshift-apps/cloud-image-uploader/templates/buildconfig.yml new file mode 100644 index 0000000000..ea7efefa16 --- /dev/null +++ b/roles/openshift-apps/cloud-image-uploader/templates/buildconfig.yml @@ -0,0 +1,31 @@ +apiVersion: build.openshift.io/v1 +items: +- apiVersion: build.openshift.io/v1 + kind: BuildConfig + metadata: + labels: + build: cloud-image-uploader-build + name: cloud-image-uploader-build + spec: + runPolicy: Serial + source: + type: git + git: + uri: https://pagure.io/cloud-image-uploader.git +{% if env == 'staging' %} + ref: main +{% else %} + ref: prod +{% endif %} + strategy: + type: Docker + dockerStrategy: + dockerfilePath: Containerfile + triggers: + - type: ImageChange + output: + to: + kind: ImageStreamTag + name: cloud-image-uploader:latest +kind: List +metadata: {} diff --git a/roles/openshift-apps/cloud-image-uploader/templates/config.toml b/roles/openshift-apps/cloud-image-uploader/templates/config.toml new file mode 100644 index 0000000000..b9c72ccfa1 --- /dev/null +++ b/roles/openshift-apps/cloud-image-uploader/templates/config.toml 
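Review bot: The queue this playbook declares through `rabbit/queue` is named `cloud-image-uploader`, but `templates/config.toml` binds and declares `fedora-image-uploader`; with `passive_declares = true` in that file the consumer will not create the queue itself, and if the broker user's permissions are scoped to its own queue name (as the matching `username`/`queue_name` pair suggests) the mismatch is a permission failure rather than a stray queue. Either rename the queue in config.toml to `cloud-image-uploader` or change `queue_name` here so the two agree. Separately, `gather_facts: False` should be the canonical boolean `gather_facts: false`, and the three `privatefile` values use `{{env}}`/`{{env_suffix}}` without the spaces the rest of the play puts around Jinja variables. The final `openshift/rollout` role is given `dcname`, which reads as a DeploymentConfig name while `deployment.yml` creates an `apps/v1` Deployment — confirm that role also rolls out Deployments.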
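Review bot: The production build tracks the head of a moving branch (`ref: prod`) rather than a reviewed tag or commit, so whatever is pushed to that branch on pagure.io becomes the image that `openshift/start-build` builds and the Azure credentials are handed to on the next run. Pinning the non-staging `ref` to a tag or commit id, or at least recording in a comment who may push to `prod`, is the usual mitigation for that supply-chain exposure. For consistency with `files/imagestream.yml` the file should also start with `---`.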
@@ -0,0 +1,101 @@ +# This file is in the TOML format. +# For complete details on all configuration options, see the documentation +# https://fedora-messaging.readthedocs.io/en/latest/configuration.html. + +amqp_url = "amqps://cloud-image-uploader:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub" +callback = "fedora_cloud_image_uploader:Uploader" +passive_declares = true + +[tls] +ca_cert = "/etc/pki/rabbitmq/ca/fedora-messaging-cloud-image-uploader-ca.crt" +keyfile = "/etc/pki/rabbitmq/key/fedora-messaging-cloud-image-uploader.key" +certfile = "/etc/pki/rabbitmq/cert/fedora-messaging-cloud-image-uploader.crt" + +[client_properties] +app = "Fedora Cloud Image Uploader" +app_url = "https://pagure.io/cloud-image-uploader" +app_contacts_email = "cloud@lists.fedoraproject.org" + +[[bindings]] +queue = "fedora-image-uploader" +exchange = "amq.topic" +routing_keys = ["org.fedoraproject.{{ env }}.buildsys.build.state.change"] + +[queues.fedora-image-uploader] +durable = true +auto_delete = false +exclusive = false +arguments = {} + +[consumer_config.azure] +location = "eastus" +{% if env == "staging" %} +resource_group_name = "fedora-cloud" +storage_account_name = "fedoraimages" +{% else %} +resource_group_name = "fedora-cloud-staging" +storage_account_name = "fedoraimagesstaging" +{% endif %} +gallery_name = "Fedora" +gallery_description = "The Fedora compute gallery." +storage_container_name = "vhds" + +# A list of regions and replication settings for uploaded images. +# +# Images need to be replicated to the region to be usable. 
+{% if env == "staging" %} + +[[consumer_config.azure.target_regions]] +name = "eastus" +regional_replica_count = 3 +storage_account_type = "Standard_ZRS" + +{% else %} + +[[consumer_config.azure.target_regions]] +name = "eastus" +regional_replica_count = 1 +storage_account_type = "Standard_LRS" + +{% endif %} + + +[qos] +prefetch_size = 0 +prefetch_count = 25 + +[log_config] +version = 1 +disable_existing_loggers = true + +[log_config.formatters.simple] +format = "[%(asctime)s %(name)s %(levelname)s] %(message)s" + +[log_config.handlers.console] +class = "logging.StreamHandler" +formatter = "simple" +stream = "ext://sys.stdout" + +[log_config.loggers.fedora_messaging] +level = "INFO" +propagate = false +handlers = ["console"] + +[log_config.loggers.fedora_cloud_image_uploader] +level = "INFO" +propagate = false +handlers = ["console"] + +[log_config.loggers.twisted] +level = "INFO" +propagate = false +handlers = ["console"] + +[log_config.loggers.pika] +level = "WARNING" +propagate = false +handlers = ["console"] + +[log_config.root] +level = "ERROR" +handlers = ["console"] diff --git a/roles/openshift-apps/cloud-image-uploader/templates/configmap.yml b/roles/openshift-apps/cloud-image-uploader/templates/configmap.yml new file mode 100644 index 0000000000..06c236f7d7 --- /dev/null +++ b/roles/openshift-apps/cloud-image-uploader/templates/configmap.yml @@ -0,0 +1,15 @@ +{%- macro load_file(filename) %}{% include filename %}{%- endmacro -%} +--- +apiVersion: v1 +kind: List +metadata: {} +items: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: cloud-image-uploader-configmap + labels: + app: cloud-image-uploader + data: + config.toml: |- + {{ lookup('template', 'config.toml') | indent(6) }} diff --git a/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml new file mode 100644 index 0000000000..248cf9626d --- /dev/null 
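Review bot: The `{% if env == "staging" %}` branch under `[consumer_config.azure]` looks inverted: staging gets `resource_group_name = "fedora-cloud"` / `storage_account_name = "fedoraimages"` while the non-staging branch gets the `fedora-cloud-staging` resource group and `fedoraimagesstaging` account, which would have staging test uploads land in the production resource group and production uploads in the staging one. The same swap appears in the `target_regions` block, where staging gets `regional_replica_count = 3` / `Standard_ZRS` and production gets `1` / `Standard_LRS`; swapping the bodies of both conditionals (or inverting the condition) fixes both. The `[tls]` paths also name files `fedora-messaging-cloud-image-uploader*` under `/etc/pki/rabbitmq/{ca,key,cert}`, whereas the secrets created in the playbook use the keys `cloud-image-uploader.ca`/`.key`/`.crt`, which is presumably what the secret volumes mount as file names — confirm the file names in a running pod before relying on this config, and add a comment above `[tls]` recording where the files come from.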
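Review bot: The `load_file` macro defined on the first line is never used; the ConfigMap body is produced by `lookup('template', 'config.toml') | indent(6)`, so the macro line can be dropped. The `indent(6)` must match the six-space indent of the `{{ ... }}` line, which is what keeps the rendered `config.toml` inside the `|-` block scalar; a comment above `data:` such as `# indent(6) must match the indent of the lookup line below` would stop the next editor changing one without the other.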
+++ b/roles/openshift-apps/cloud-image-uploader/templates/deployment.yml @@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cloud-image-uploader + annotations: + image.openshift.io/triggers: >- + [ + { + "from": { + "kind":"ImageStreamTag", + "namespace":"cloud-image-uploader" + "name":"cloud-image-uploader:latest", + }, + "fieldPath":"spec.template.spec.containers[?(@.name==\"cloud-image-uploader\")].image", + "pause":"false" + } + ] +spec: + replicas: 1 + selector: + app: cloud-image-uploader + strategy: + type: Recreate + template: + metadata: + labels: + app: cloud-image-uploader + spec: + volumes: + - name: config-volume + configMap: + name: cloud-image-uploader-configmap + - name: fedora-messaging-ca-volume + secret: + secretName: cloud-image-uploader-fedora-messaging-ca + - name: fedora-messaging-key-volume + secret: + secretName: cloud-image-uploader-fedora-messaging-key + - name: fedora-messaging-cert-volume + secret: + secretName: cloud-image-uploader-fedora-messaging-crt + containers: + - name: cloud-image-uploader + image: cloud-image-uploader/cloud-image-uploader:latest + imagePullPolicy: Always + env: + - name: AZURE_SECRET + valueFrom: + secretKeyRef: + name: azure-credentials + key: secret + - name: AZURE_CLIENT_ID + valueFrom: + secretKeyRef: + name: azure-credentials + key: client_id + - name: AZURE_TENANT + valueFrom: + secretKeyRef: + name: azure-credentials + key: tenant_id + - name: AZURE_SUBSCRIPTION_ID + valueFrom: + secretKeyRef: + name: azure-credentials + key: subscription_id + volumeMounts: + - name: config-volume + mountPath: /etc/fedora-messaging + readOnly: true + - name: fedora-messaging-ca-volume + mountPath: /etc/pki/rabbitmq/ca + readOnly: true + - name: fedora-messaging-key-volume + mountPath: /etc/pki/rabbitmq/key + readOnly: true + - name: fedora-messaging-cert-volume + mountPath: /etc/pki/rabbitmq/cert + readOnly: true 
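Review bot: The JSON in the `image.openshift.io/triggers` annotation is malformed — there is no comma after `"namespace":"cloud-image-uploader"` and there is a trailing comma after `"name":"cloud-image-uploader:latest"` — so the trigger will not parse and the Deployment will never be updated when `cloud-image-uploader:latest` changes; the two lines should read `"namespace":"cloud-image-uploader",` and `"name":"cloud-image-uploader:latest"`. `spec.selector` for an `apps/v1` Deployment must use `matchLabels` (`selector:` / `  matchLabels:` / `    app: cloud-image-uploader`) rather than a bare `app:` key, which the API server rejects. The container declares no `resources` and no `securityContext`, so it inherits whatever the namespace defaults are; since this pod holds Azure credentials, a `runAsNonRoot: true` / `allowPrivilegeEscalation: false` security context and a memory limit would be the expected hardening. The credentials are injected as environment variables, which anyone able to exec into the pod can read, so the `appowners` list in the playbook is effectively the access list for them — worth a comment on the `env:` block.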
diff --git a/roles/openshift-apps/cloud-image-uploader/templates/secret.yml b/roles/openshift-apps/cloud-image-uploader/templates/secret.yml new file mode 100644 index 0000000000..80bf1d06ff --- /dev/null +++ b/roles/openshift-apps/cloud-image-uploader/templates/secret.yml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "azure-credentials" + labels: + app: "cloud-image-uploader" +data: +{% if env == 'staging' %} + secret: "{{stg_azure_secret}}" + client_id: "{{stg_azure_client_id}}" + tenant_id: "{{stg_azure_tenant_id}}" +{% else %} + secret: "{{prod_azure_secret}}" + client_id: "{{prod_azure_client_id}}" + tenant_id: "{{prod_azure_tenant_id}}" +{% endif %} + subscription_id: "{{azure_subscription_id}}"
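Review bot: The values under `data:` are written as `"{{stg_azure_secret}}"` and friends, but a Kubernetes Secret's `data` map must hold base64-encoded values; unless those vault variables are already stored base64-encoded, the API server will reject the object, or for a value that happens to be valid base64 it will silently store the decoded bytes. Use `stringData:` instead of `data:`, or pipe each value through `| b64encode` (`secret: "{{ stg_azure_secret | b64encode }}"`); `subscription_id` below the conditional needs the same treatment. Because this template is rendered by the generic `openshift/object` role, check that the role sets `no_log` or suppresses diff output for this object, otherwise the rendered credentials end up in the Ansible run log.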