infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions
ansible/playbooks/openshift-apps/fmn.yml
Aurélien Bompard d884a0f8ba
Use the combined RabbitMQ CA cert in the clients 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-04-11 15:15:45 +02:00

221 lines
6.3 KiB
YAML
Raw Blame History

#
# Fedora Messaging Notifications (FMN)
#
---
- name: Setup the database
hosts: db01.iad2.fedoraproject.org:db01.stg.iad2.fedoraproject.org
gather_facts: no
become: yes
become_user: postgres
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: FMN DB user
community.postgresql.postgresql_user:
name: fmn
password: "{{ (env == 'production') | ternary(fmn_prod_db_password, fmn_stg_db_password) }}"
- name: FMN database creation
community.postgresql.postgresql_db:
name: fmn
owner: fmn
encoding: UTF-8
- name: Setup RabbitMQ
hosts: rabbitmq[0]:rabbitmq_stg[0]
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: rabbit/queue
queue_username: "fmn{{ env_suffix }}"
queue_name: "fmn{{ env_suffix }}"
queue_routing_keys:
# The FMN queue is subscribed to everything
- "#"
queue_thresholds:
warning: 20000
critical: 25000
# FMN sends messages when a rule is changed, to invalidate its cache
user_sent_topics: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
tags:
- config
- fedora-messaging
- rabbitmq_cluster
# FMN also has an internal VHost for communication between the consumer
# (which listens to the Fedora Messaging bus on /pubsub) and the senders
# (which send messages to the various destinations such as email, IRC,
# Matrix).
- role: rabbit/vhost
vhost: /fmn
tags:
- config
- fedora-messaging
- rabbitmq_cluster
tasks:
- name: Grant the fmn user access to the fmn vhost
community.rabbitmq.rabbitmq_user:
user: "fmn{{ env_suffix }}"
vhost: /fmn
configure_priv: .*
read_priv: .*
write_priv: .*
# We have to repeat the topic permissions here until this is fixed:
# https://github.com/ansible-collections/community.rabbitmq/issues/156
topic_permissions:
- vhost: /pubsub
read_priv: .*
write_priv: ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
tags:
- config
- fedora-messaging
- rabbitmq_cluster
- name: Create the sending queues in the fmn vhost
community.rabbitmq.rabbitmq_queue:
name: "{{ item }}"
vhost: /fmn
auto_delete: no
durable: yes
# message_ttl: 300000
state: present
login_user: admin
login_password: "{{ (env == 'production') | ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
with_items:
- email
- irc
- matrix
tags:
- config
- fedora-messaging
- rabbitmq_cluster
- name: Make the app be real
hosts: os_control_stg:os_control
user: root
gather_facts: false
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
roles:
- role: openshift/project
project_app: fmn
project_description: "Fedora Messaging Notifications"
project_appowners:
- abompard
- ryanlerch
- nphilipp
tags:
- apply-appowners
- role: openshift/object
object_app: fmn
object_file: imagestream.yml
object_objectname: imagestream.yml
- role: openshift/object
object_app: fmn
object_template: buildconfig.yml.j2
object_objectname: buildconfig.yml
- role: openshift/object
object_app: fmn
object_template: configmap.yml.j2
object_objectname: configmap.yml
- role: openshift/object
object_app: fmn
object_file: service.yml
object_objectname: service.yml
# Routes
- role: openshift/route
route_app: fmn
route_name: frontend
route_host: "notifications{{ env_suffix }}.fedoraproject.org"
route_servicename: frontend
route_serviceport: web
route_annotations:
haproxy.router.openshift.io/timeout: 5m
- role: openshift/route
route_app: fmn
route_name: api
route_host: "fmn-api.apps.ocp{{ env_suffix }}.fedoraproject.org"
route_servicename: api
route_serviceport: web
route_annotations:
haproxy.router.openshift.io/timeout: 5m
# Sendria is an email sink for testing, to avoid sending actual emails.
- role: openshift/route
route_app: fmn
route_name: sendria
route_host: "fmn-email.apps.ocp{{ env_suffix }}.fedoraproject.org"
route_servicename: sendria
route_serviceport: web
route_annotations:
haproxy.router.openshift.io/timeout: 5m
when: env == "staging"
# Secrets
- role: openshift/object
object_app: fmn
object_template: secrets.yml.j2
object_objectname: secrets.yml
- role: openshift/object
object_app: fmn
object_template: secret-webhook.yml.j2
object_objectname: secret-webhook.yml
# Fedora Messaging
- role: openshift/secret-file
secret_file_app: fmn
secret_file_secret_name: fedora-messaging-ca
secret_file_key: cacert.pem
secret_file_privatefile: "rabbitmq/{{env}}/ca-combined.crt"
- role: openshift/secret-file
secret_file_app: fmn
secret_file_secret_name: fedora-messaging-crt
secret_file_key: fmn-cert.pem
secret_file_privatefile: "rabbitmq/{{env}}/pki/issued/fmn{{env_suffix}}.crt"
- role: openshift/secret-file
secret_file_app: fmn
secret_file_secret_name: fedora-messaging-key
secret_file_key: fmn-key.pem
secret_file_privatefile: "rabbitmq/{{env}}/pki/private/fmn{{env_suffix}}.key"
# Deployment config
- role: openshift/object
object_app: fmn
object_template: deploymentconfig.yml.j2
object_objectname: deploymentconfig.yml
# FASJSON access
- role: openshift/ipa-client
ipa_client_app: fmn
- role: openshift/keytab
keytab_app: fmn
keytab_key: service.keytab
keytab_secret_name: keytab
keytab_service: fmn
# Cron jobs
- role: openshift/object
object_app: fmn
object_template: cron.yml.j2
object_objectname: cron.yml
Reference in a new issue View git blame Copy permalink