Set up librariesio2fedsmg publishing cert

Signed-off-by: Jeremy Cline <jeremy@jcline.org>

playbooks/openshift-apps/librariesio2fedmsg.yml

@@ -14,6 +14,16 @@
     description: librariesio2fedmsg
     appowners:
     - jcline
+  - role: openshift/secret-file
+    app: librariesio2fedmsg
+    secret_name: librariesio2fedmsg-fedmsg-key
+    key: fedmsg-librariesio2fedmsg.key
+    privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.key
+  - role: openshift/secret-file
+    app: librariesio2fedmsg
+    secret_name: librariesio2fedmsg-fedmsg-crt
+    key: fedmsg-librariesio2fedmsg.crt
+    privatefile: fedmsg-certs/keys/librariesio2fedmsg-librariesio2fedmsg.app.os.fedoraproject.org.crt
   - { role: openshift/object, app: librariesio2fedmsg, file: imagestream.yml }
   - { role: openshift/object, app: librariesio2fedmsg, file: buildconfig.yml }
   - { role: openshift/start-build, app: librariesio2fedmsg, name: fedmsg-relay-docker-build }

roles/openshift-apps/librariesio2fedmsg/files/buildconfig.yml

@@ -54,7 +54,11 @@ items:
             dnf clean all
         RUN pip-3 install git+https://github.com/fedora-infra/sse2fedmsg.git
         RUN rm /etc/fedmsg.d/*py
+        RUN mkdir -p /etc/pki/fedmsg/
+        RUN ln -sf /etc/pki/fedmsg/key/fedmsg-librariesio2fedmsg.key /etc/pki/fedmsg/librariesio2fedmsg.key
+        RUN ln -sf /etc/pki/fedmsg/crt/fedmsg-librariesio2fedmsg.crt /etc/pki/fedmsg/librariesio2fedmsg.crt
         ENV USER=librariesio2fedmsg
+        RUN chmod 777 /var/run/fedmsg/
         ENTRYPOINT sse2fedmsg librariesio http://firehose.libraries.io/events
       type: Dockerfile
     strategy:

roles/openshift-apps/librariesio2fedmsg/files/deploymentconfig.yml

@@ -37,6 +37,12 @@ items:
           - name: fedmsg-config-volume
             mountPath: /etc/fedmsg.d/
             readOnly: true
+          - name: fedmsg-key-volume
+            mountPath: /etc/pki/fedmsg/key
+            readOnly: true
+          - name: fedmsg-crt-volume
+            mountPath: /etc/pki/fedmsg/crt
+            readOnly: true
         - name: fedmsg-relay
           image: librariesio2fedmsg/fedmsg-relay:latest
           livenessProbe:
@@ -68,6 +74,12 @@ items:
         - name: fedmsg-config-volume
           configMap:
             name: fedmsg-config
+        - name: fedmsg-key-volume
+          secret:
+            secretName: librariesio2fedmsg-fedmsg-key
+        - name: fedmsg-crt-volume
+          secret:
+            secretName: librariesio2fedmsg-fedmsg-crt
     triggers:
     - imageChangeParams:
         automatic: true

roles/openshift-apps/librariesio2fedmsg/templates/configmap.yml

@@ -9,30 +9,17 @@ items:
           # know our hostname.
           active=True,
           {% if env == 'staging' %}
-          environment="stg",
+          environment='stg',
+          relay_inbound=["tcp://busgateway01.stg.phx2.fedoraproject.org:9941"],
           {% else %}
-          environment="prod",
+          environment='prod',
+          relay_inbound=["tcp://busgateway01.phx2.fedoraproject.org:9941"],
           {% endif %}
-          high_water_mark=0,
-          io_threads=1,
-          post_init_sleep=0.5,
-          zmq_linger=1000,
-          zmq_tcp_keepalive=1,
-          zmq_tcp_keepalive_cnt=3,
-          zmq_tcp_keepalive_idle=60,
-          zmq_tcp_keepalive_intvl=5,
-          zmq_reconnect_ivl=100,
-          zmq_reconnect_ivl_max=1000,
-          endpoints={
-              "relay_outbound": [
-                  "tcp://*:9940",
-              ],
+          sign_messages=True,
+          cert_prefix="librariesio2fedmsg",
+          certnames={
+              "librariesio2fedmsg." + socket.gethostname(): "librariesio2fedmsg",
           },
-          relay_inbound=[
-              "tcp://127.0.0.1:4001",
-          ],
-          sign_messages=False,
-          validate_signatures=False,
       )
   kind: ConfigMap
   metadata: