ansible/roles/relvalconsumer/tasks/main.yml
Adam Williamson 504b8217d3 openqa etc.: use pip for local installs, not setuptools
On Fedora 39, we ran into an issue with setuptools that isn't
immediately resolvable:
https://github.com/pypa/setuptools/issues/3797#issuecomment-1783613895
using pip like this seems to avoid it.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2023-10-27 17:23:53 -07:00

233 lines
9.4 KiB
YAML

# This role creates Wikitcms release validation events. There should
# always be exactly one host in infra with this role set up and
# relvalconsumer_prod set to True, or else we'll stop getting events.
# It also updates the AMI pages for the events when relevant AMI
# images are published.
#
# Required vars
# - wikitcms_token
## string - a token file to install for unattended wiki editing
# using openidc auth
# - relvalconsumer_amqp_queue
## string - Message queue name for the consumer. To use the
## fedora-messaging scheduler with public authentication
## on the Fedora production AMQP broker (which is what
## you'd typically want), you only need to set this.
## This should be a unique and private string; the
## official recommendation is to use a random UUID
## generated by uuidgen.
# - relvalamiconsumer_amqp_queue
## string - Message queue name for the AMI consumer. To use the
## fedora-messaging scheduler with public authentication
## on the Fedora production AMQP broker (which is what
## you'd typically want), you only need to set this.
## This should be a unique and private string; the
## official recommendation is to use a random UUID
## generated by uuidgen.
#
# Required vars with defaults
# - relvalconsumer_prod
## bool - whether this is the production instance. **SHOULD ONLY
## EVER BE TRUE ON ONE SYSTEM IN THE WORLD**
## default - False
# - relvalconsumer_amqp_passive
## bool - If true, passive_declares will be set true in all the
## fedora-messaging consumer configuration files. This
## is needed for private authentication on the Fedora
## brokers.
## default - False
# - relvalconsumer_amqp_url
## string - AMQP broker URL for fedora-messaging event creator.
## The role default for this is the Fedora production
## broker with the shared 'fedora' username.
# - relvalconsumer_amqp_cacert
## string - CA certificate file to use for authenticating with
## AMQP broker for fedora-messaging event creator.
## The role default for this is the CA cert file for the
## Fedora production broker.
# - relvalconsumer_amqp_cert
## string - Certificate file to use for authenticating with AMQP
## broker for fedora-messaging event creator. The role
## default for this is the certificate file for the
## public 'fedora' account on the Fedora production
## broker.
# - relvalconsumer_amqp_key
## string - Private key file to use for authenticating with AMQP
## broker for fedora-messaging event creator. The role
## default for this is the key file for the public
## 'fedora' account on the Fedora production broker.
# - relvalconsumer_amqp_routing_keys
## list - List of routing key names for the fedora-messaging
## creator to subscribe to. The role default for this
## is the appropriate keys for the Fedora production
## broker.
# - relvalconsumer_amqp_mailfrom
## string - From email address for error report emails. Defaults
## to "root@{{ external_hostname }}". Only relevant if
## relvalconsumer_amqp_mailto is set.
# - relvalconsumer_amqp_smtp
## string - Hostname of SMTP server to use for sending error
## emails. Defaults to 'localhost'. Only relevant if
## relvalconsumer_amqp_mailto is set.
# - relvalconsumer_disabled
## bool - If true, don't enable the consumer service. This is
## mainly just for temporary use if something's broken.
## default - False
# - relvalamiconsumer_amqp_routing_keys
## list - List of routing key names for the event AMI page
## updater to subscribe to. The role default for this
## is the appropriate keys for the Fedora production
## broker.
# - relvalamiconsumer_disabled
## bool - If true, don't enable the consumer service. This is
## mainly just for temporary use if something's broken.
## default - False
#
# Optional vars
# - relvalconsumer_amqp_mailto
## list - List of email addresses to email errors to. If set,
## the email log handler will be configured.
# - relvalconsumer_bugzilla_api_key
## string - An API key for Bugzilla. If relvalconsumer_prod and
## this are both set, the consumer will be configured
## to report bugs to Bugzilla for oversize images. As
## with relvalconsumer_prod, only the 'official' prod
## instance should have this set.

# note: kept around for when we need packages from u-t
#- name: Install required packages (testing)
#  dnf:
#    name: ['python3-fedfind', 'python3-wikitcms']
#    state: present
#    enablerepo: "updates-testing"
#  tags:
#  - packages

- name: Install required packages
  package:
    # 'relval' itself is needed as we call it directly for size
    # checking
    name: ['python3-fedfind', 'python3-wikitcms', 'fedora-messaging',
           'python3-mwclient', 'python3-pip', 'python3-pip', 'relval']
    state: present
  tags:
  - packages

- name: Install required packages (wiki oidc auth)
  package: name=python3-openidc-client state=present enablerepo="updates"
  when: "wikitcms_token is defined"
  tags:
  - packages

# duplicated with openqa/dispatcher, but I kinda don't want to move
# this up somewhere shared, I like the roles to be somewhat usable
# outside of Fedora infra...
# We actually want to handle the case where wikitcms_token isn't defined
# even though it makes this role essentially do nothing, as we don't
# really want openqa-stg creating stuff in the staging wiki all the
# time. So in that case install the role but leave it disabled
- name: Create /root/.openidc (token file location for manual runs as root)
  file: path=/root/.openidc state=directory owner=root group=root mode=0700

#- name: Write wikitcms token file for root
#  copy: src={{ wikitcms_token }} dest=/root/.openidc/oidc_wikitcms.json owner=root group=root mode=0600
#  when: "wikitcms_token is defined"
#  tags:
#  - config

- name: Check out relvalconsumer
  git:
    repo: https://pagure.io/fedora-qa/relvalconsumer.git
    dest: /root/relvalconsumer
  register: gitrvc

- name: Check if relvalconsumer is installed for current Python
  command: "pip show relvalconsumer"
  register: instrvc
  changed_when: "1 != 1"
  failed_when: "1 != 1"
  check_mode: no

- name: Install relvalconsumer
  command: "python3 -m pip install /root/relvalconsumer"
  when: "gitrvc is changed or instrvc.rc != 0"
  notify:
  - restart relvalconsumer

- name: Create /etc/pki/fedora-messaging
  file:
    dest: /etc/pki/fedora-messaging
    mode: 0775
    owner: root
    group: root
    state: directory
  when: "deployment_type is defined"
  tags:
  - config

# as noted elsewhere, we are reusing the openqa user and creds for
# convenience while the roles are all run on the same system, and
# stg uses the prod account and credentials to listen on prod
- name: Deploy the Fedora infra fedora-messaging cert (openQA production)
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/issued/{{ openqa_amqp_prod_username }}.crt"
    dest: "/etc/pki/fedora-messaging/{{ openqa_amqp_prod_username }}-cert.pem"
    mode: 0644
    owner: root
    group: root
  when: "deployment_type is defined"
  tags:
  - config

# This is kinda icky, as there's no intrinsic reason the group geekotest
# should exist so far as this role is concerned. But as we run this role
# on the same box as openQA, in fact we need to keep the ownership in
# line. This needs making cleaner somehow.
- name: Deploy the Fedora infra fedora-messaging key (openQA production)
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/private/{{ openqa_amqp_prod_username }}.key"
    dest: "/etc/pki/fedora-messaging/{{ openqa_amqp_prod_username }}-key.pem"
    mode: 0640
    owner: root
    group: geekotest
  when: "deployment_type is defined"
  tags:
  - config

- name: Create python-bugzilla configuration directory
  file:
    dest: /root/.config/python-bugzilla
    mode: 0700
    owner: root
    group: root
    state: directory
  when: "relvalconsumer_bugzilla_api_key is defined"
  tags:
  - config

- name: Write python-bugzilla configuration file
  template: src=bugzillarc.j2 dest=/root/.config/python-bugzilla/bugzillarc owner=root group=root mode=0600
  when: "relvalconsumer_bugzilla_api_key is defined"
  tags:
  - config

- name: Configure fedora-messaging relvalconsumer
  template: src=relvalconsumer.toml.j2 dest=/etc/fedora-messaging/relvalconsumer.toml owner=root group=root mode=0640
  notify:
  - restart relvalconsumer
  tags:
  - config

- name: Configure fedora-messaging relvalamiconsumer
  template: src=relvalamiconsumer.toml.j2 dest=/etc/fedora-messaging/relvalamiconsumer.toml owner=root group=root mode=0640
  notify:
  - restart relvalamiconsumer
  tags:
  - config

- name: Enable and start fedora-messaging relvalconsumer
  service: name=fm-consumer@relvalconsumer enabled=yes state=started
  when: not relvalconsumer_disabled|bool

- name: Enable and start fedora-messaging relvalamiconsumer
  service: name=fm-consumer@relvalamiconsumer enabled=yes state=started
  when: not relvalamiconsumer_disabled|bool
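
An added audit script, not part of this role or of the Fedora infra repository: on a deployed host it checks that the credential files and directories created by the tasks above still carry the modes and owners the role sets. It assumes GNU `stat` (as on Fedora); the function names and the optional path prefix are hypothetical, and the `*-cert.pem` / `*-key.pem` globs stand in for the file names templated from `openqa_amqp_prod_username`.

```shell
#!/bin/sh
# Added example, not part of the role. Assumes GNU stat (stat -c).

# check_perm PATH MODE [OWNER:GROUP]
# returns 0 = matches, 1 = drift, 2 = path missing
check_perm() {
    path=$1; want_mode=$2; want_own=${3:-}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"; return 2
    fi
    got_mode=$(stat -c '%a' "$path")
    got_own=$(stat -c '%U:%G' "$path")
    if [ "$got_mode" != "$want_mode" ]; then
        echo "DRIFT   $path mode $got_mode, role sets $want_mode"; return 1
    fi
    if [ -n "$want_own" ] && [ "$got_own" != "$want_own" ]; then
        echo "DRIFT   $path owner $got_own, role sets $want_own"; return 1
    fi
    echo "OK      $path $got_mode $got_own"
}

# audit_relvalconsumer [ROOT]
# ROOT is an optional path prefix (hypothetical, for checking a mounted image
# or a test tree). Missing paths are not drift: several tasks are conditional.
# returns 0 = no drift, 1 = at least one path differs from the role
audit_relvalconsumer() {
    root=${1:-}; drift=0
    while read -r pattern mode owner; do
        # $root$pattern is unquoted so the *-cert.pem / *-key.pem globs expand
        for p in $root$pattern; do
            rc=0
            check_perm "$p" "$mode" "$owner" || rc=$?
            if [ "$rc" -eq 1 ]; then drift=1; fi
        done
    done <<'EOF'
/root/.openidc 700 root:root
/etc/pki/fedora-messaging 775 root:root
/etc/pki/fedora-messaging/*-cert.pem 644 root:root
/etc/pki/fedora-messaging/*-key.pem 640 root:geekotest
/root/.config/python-bugzilla 700 root:root
/root/.config/python-bugzilla/bugzillarc 600 root:root
/etc/fedora-messaging/relvalconsumer.toml 640 root:root
/etc/fedora-messaging/relvalamiconsumer.toml 640 root:root
EOF
    return "$drift"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_relvalconsumer "${2:-}"; fi
```

Run it as root on the host with `--run`; a non-zero exit status means at least one path no longer matches what the role deploys.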