the-new-hotness: Add kerberos config

Signed-off-by: Michal Konečný <mkonecny@redhat.com>
Michal Konečný 2019-05-28 18:04:14 +02:00
parent 4cf1624c76
commit 3d1e0f94a9
4 changed files with 205 additions and 172 deletions


@ -27,17 +27,8 @@
app: the-new-hotness app: the-new-hotness
key: koji-keytab key: koji-keytab
secret_name: the-new-hotness-keytab secret_name: the-new-hotness-keytab
service: the-new-hotness service: hotness
host: "stg.release-monitoring.org" host: "hotness{{env_suffix}}.fedoraproject.org"
when: env == "staging"
- role: openshift/keytab
app: the-new-hotness
key: koji-keytab
secret_name: the-new-hotness-keytab
service: the-new-hotness
host: "release-monitoring.org"
when: env == "production"
- role: openshift/secret-file - role: openshift/secret-file
app: the-new-hotness app: the-new-hotness


@ -58,6 +58,9 @@ items:
readOnly: true readOnly: true
- name: temp-volume - name: temp-volume
mountPath: /var/tmp mountPath: /var/tmp
- name: krb-config-volume
mountPath: /etc/krb5
readOnly: true
volumes: volumes:
- name: config-volume - name: config-volume
configMap: configMap:
@ -75,6 +78,9 @@ items:
- name: keytab-volume - name: keytab-volume
secret: secret:
secretName: the-new-hotness-keytab secretName: the-new-hotness-keytab
- name: krb-config-volume
configMap:
name: krb5-configmap
triggers: triggers:
- imageChangeParams: - imageChangeParams:
automatic: true automatic: true


@ -46,6 +46,9 @@ items:
pushd hotness_schema && \ pushd hotness_schema && \
pip-3 install . && \ pip-3 install . && \
rm -rf the-new-hotness rm -rf the-new-hotness
RUN rm -f /etc/krb5.conf && \
ln -sf /etc/krb5/krb5.conf /etc/krb5.conf && \
ln -sf /etc/keytabs/koji-keytab /etc/krb5.hotness_hotness{{ env_suffix }}.fedoraproject.org.keytab
EXPOSE 9940 EXPOSE 9940
type: Dockerfile type: Dockerfile
git: git:
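Review bot: The added `RUN` step bakes an environment-specific name into the image, because the link name `/etc/krb5.hotness_hotness{{ env_suffix }}.fedoraproject.org.keytab` is rendered at template time; the image is then only valid for the environment it was built in, and both symlinks dangle until the `krb-config-volume` and keytab volumes are mounted at run time. A less coupled option is to leave the image untouched and reference the mounted files directly, e.g. `KRB5_CONFIG=/etc/krb5/krb5.conf` as a container environment variable and `krb_keytab = "/etc/keytabs/koji-keytab"` in config.toml. If the symlinks stay, `rm -f /etc/krb5.conf` is redundant since `ln -sf` already replaces the existing file, and a comment such as `# targets exist only at runtime: /etc/krb5 (krb5-configmap), /etc/keytabs (keytab secret)` would document the dependency. The keytab volume's mountPath is not visible in the hunks shown, so `/etc/keytabs` is taken from this line only, and the Dockerfile block starts and ends outside the hunk.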

View file

@ -3,168 +3,201 @@ apiVersion: v1
kind: List kind: List
metadata: {} metadata: {}
items: items:
- apiVersion: v1 - apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata:
name: the-new-hotness-configmap
labels:
app: the-new-hotness
data:
config.toml: |-
# This file is in the TOML format.
# For complete details on all configuration options, see the documentation
# https://fedora-messaging.readthedocs.io/en/latest/configuration.html.
amqp_url = "amqps://the-new-hotness:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub"
publish_exchange = "amq.topic"
{% if env == "staging" %}
topic_prefix = "org.fedoraproject.stg"
{% else %}
topic_prefix = "org.fedoraproject.prod"
{% endif %}
passive_declares = true
callback = "hotness.consumers:BugzillaTicketFiler"
# Note the double brackets below.
# To add another binding, add another [[bindings]] section.
[[bindings]]
queue = "the-new-hotness{{ env_suffix }}"
exchange = "amq.topic"
routing_keys = [
"org.release-monitoring.*.anitya.project.version.update",
"org.release-monitoring.*.anitya.project.map.new",
"org.fedoraproject.*.buildsys.task.state.change",
]
[exchanges]
[tls]
ca_cert = "/etc/pki/rabbitmq/ca/fedora-messaging-the-new-hotness-ca.crt"
keyfile = "/etc/pki/rabbitmq/key/fedora-messaging-the-new-hotness.key"
certfile = "/etc/pki/rabbitmq/cert/fedora-messaging-the-new-hotness.crt"
[client_properties]
app = "the-new-hotness"
[queues."the-new-hotness{{env_suffix}}"]
durable = true
auto_delete = false
exclusive = false
arguments = {}
[qos]
prefetch_size = 0
prefetch_count = 25
[log_config]
version = 1
disable_existing_loggers = true
[log_config.formatters.simple]
format = "[%(name)s %(levelname)s] %(message)s"
[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"
[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console"]
[log_config.root]
level = "INFO"
handlers = ["console"]
# the-new-hotness consumer configuration
[consumer_config]
repo_url = "https://pagure.io/releng/fedora-scm-requests"
{% if env == "staging" %}
mdapi_url = "https://apps.stg.fedoraproject.org/mdapi"
pdc_url = "https://pdc.stg.fedoraproject.org"
dist_git_url = "https://src.stg.fedoraproject.org"
{% else %}
mdapi_url = "https://apps.fedoraproject.org/mdapi"
pdc_url = "https://pdc.fedoraproject.org"
dist_git_url = "https://src.fedoraproject.org"
{% endif %}
# The time in seconds the-new-hotness should wait for a socket to connect
# before giving up.
connect_timeout = 15
# The time in seconds the-new-hotness should wait for a read from a socket
# before giving up.
read_timeout = 15
# The number of times the-new-hotness should retry a network request that
# that failed for any reason (e.g. read timeout, DNS error, etc)
requests_retries = 3
# If true, publish fedmsg messages instead of fedora-messaging messages
legacy_messaging = false
[consumer_config.bugzilla]
enabled = true
{% if env == "staging" %}
user = "{{ upstream_release_bugzilla_user }}"
password = "{{ upstream_release_bugzilla_password }}"
api_key = ""
url = "https://partner-bugzilla.redhat.com"
explanation_url = "https://stg.fedoraproject.org/wiki/Upstream_release_monitoring"
{% else %}
user = ""
password = ""
api_key = "{{ upstream_release_bugzilla_api_token }}"
url = "https://bugzilla.redhat.com"
explanation_url = "https://fedoraproject.org/wiki/Upstream_release_monitoring"
{% endif %}
product = "Fedora"
version = "rawhide"
keywords = "FutureFeature,Triaged"
bug_status = "NEW"
short_desc_template = "%(name)s-%(latest_upstream)s is available"
description_template = """
Latest upstream release: %(latest_upstream)s
Current version/release in %(repo_name)s: %(repo_version)s-%(repo_release)s
URL: %(url)s
Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy\n
More information about the service that created this bug can be found at: %(explanation_url)s\n
Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.\n
Based on the information from anitya: https://release-monitoring.org/project/%(projectid)s/\n
"""
[consumer_config.koji]
{% if env == "staging" %}
server = "https://koji.stg.fedoraproject.org/kojihub"
weburl = "https://koji.stg.fedoraproject.org/koji"
{% else %}
server = "https://koji.fedoraproject.org/kojihub"
weburl = "https://koji.fedoraproject.org/koji"
{% endif %}
krb_principal = "hotness/hotness{{env_suffix}}.fedoraproject.org@{{ipa_realm}}"
krb_keytab = "/etc/krb5.hotness_hotness{{env_suffix}}.fedoraproject.org.keytab"
krb_ccache = ""
krb_proxyuser = ""
krb_sessionopts = {timeout = 3600, krb_rdns = false}
git_url = "https://src.fedoraproject.org/rpms/{package}.git"
user_email = [
"Fedora Release Monitoring",
"<release-monitoring@fedoraproject.org>",
]
opts = {scratch = true}
priority = 30
target_tag = "rawhide"
[consumer_config.anitya]
url = "https://release-monitoring.org"
username = "{{ fedoraDummyUser }}"
password = "{{ fedoraDummyUserPassword }}"
[consumer_config.cache]
backend = "dogpile.cache.dbm"
expiration_time = 300
arguments = {filename = "/var/tmp/the-new-hotness-cache.dbm"}
- apiVersion: v1
kind: ConfigMap
metadata: metadata:
name: the-new-hotness-configmap name: krb5-configmap
labels: labels:
app: the-new-hotness app: the-new-hotness
data: data:
config.toml: |- krb5.conf: |-
# This file is in the TOML format. [logging]
# For complete details on all configuration options, see the documentation default = FILE:/var/log/krb5libs.log
# https://fedora-messaging.readthedocs.io/en/latest/configuration.html. kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
amqp_url = "amqps://the-new-hotness:@rabbitmq{{ env_suffix }}.fedoraproject.org/%2Fpubsub" [libdefaults]
default_realm = {{ ipa_realm }}
publish_exchange = "amq.topic" rdns = false
{% if env == "staging" %} dns_canonicalize_hostname = false
topic_prefix = "org.fedoraproject.stg" dns_lookup_realm = false
{% else %} dns_lookup_kdc = false
topic_prefix = "org.fedoraproject.prod" ticket_lifetime = 24h
{% endif %} renew_lifetime = 7d
passive_declares = true forwardable = true
[realms]
callback = "hotness.consumers:BugzillaTicketFiler" {{ ipa_realm }} = {
kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy
# Note the double brackets below. }
# To add another binding, add another [[bindings]] section. [domain_realm]
[[bindings]] .fedoraproject.org = FEDORAPROJECT.ORG
queue = "the-new-hotness{{ env_suffix }}" fedoraproject.org = FEDORAPROJECT.ORG
exchange = "amq.topic" {% if env == "staging" %}
routing_keys = [ .stg.phx2.fedoraproject.org = STG.FEDORAPROJECT.ORG
"org.release-monitoring.*.anitya.project.version.update", {% endif %}
"org.release-monitoring.*.anitya.project.map.new", .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
"org.fedoraproject.*.buildsys.task.state.change", stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
]
[exchanges]
[tls]
ca_cert = "/etc/pki/rabbitmq/ca/fedora-messaging-the-new-hotness-ca.crt"
keyfile = "/etc/pki/rabbitmq/key/fedora-messaging-the-new-hotness.key"
certfile = "/etc/pki/rabbitmq/cert/fedora-messaging-the-new-hotness.crt"
[client_properties]
app = "the-new-hotness"
[queues."the-new-hotness{{env_suffix}}"]
durable = true
auto_delete = false
exclusive = false
arguments = {}
[qos]
prefetch_size = 0
prefetch_count = 25
[log_config]
version = 1
disable_existing_loggers = true
[log_config.formatters.simple]
format = "[%(name)s %(levelname)s] %(message)s"
[log_config.handlers.console]
class = "logging.StreamHandler"
formatter = "simple"
stream = "ext://sys.stdout"
[log_config.loggers.fedora_messaging]
level = "INFO"
propagate = false
handlers = ["console"]
[log_config.root]
level = "INFO"
handlers = ["console"]
# the-new-hotness consumer configuration
[consumer_config]
repo_url = "https://pagure.io/releng/fedora-scm-requests"
{% if env == "staging" %}
mdapi_url = "https://apps.stg.fedoraproject.org/mdapi"
pdc_url = "https://pdc.stg.fedoraproject.org"
dist_git_url = "https://src.stg.fedoraproject.org"
{% else %}
mdapi_url = "https://apps.fedoraproject.org/mdapi"
pdc_url = "https://pdc.fedoraproject.org"
dist_git_url = "https://src.fedoraproject.org"
{% endif %}
# The time in seconds the-new-hotness should wait for a socket to connect
# before giving up.
connect_timeout = 15
# The time in seconds the-new-hotness should wait for a read from a socket
# before giving up.
read_timeout = 15
# The number of times the-new-hotness should retry a network request that
# that failed for any reason (e.g. read timeout, DNS error, etc)
requests_retries = 3
# If true, publish fedmsg messages instead of fedora-messaging messages
legacy_messaging = false
[consumer_config.bugzilla]
enabled = true
{% if env == "staging" %}
user = "{{ upstream_release_bugzilla_user }}"
password = "{{ upstream_release_bugzilla_password }}"
api_key = ""
url = "https://partner-bugzilla.redhat.com"
explanation_url = "https://stg.fedoraproject.org/wiki/Upstream_release_monitoring"
{% else %}
user = ""
password = ""
api_key = "{{ upstream_release_bugzilla_api_token }}"
url = "https://bugzilla.redhat.com"
explanation_url = "https://fedoraproject.org/wiki/Upstream_release_monitoring"
{% endif %}
product = "Fedora"
version = "rawhide"
keywords = "FutureFeature,Triaged"
bug_status = "NEW"
short_desc_template = "%(name)s-%(latest_upstream)s is available"
description_template = """
Latest upstream release: %(latest_upstream)s
Current version/release in %(repo_name)s: %(repo_version)s-%(repo_release)s
URL: %(url)s
Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy\n
More information about the service that created this bug can be found at: %(explanation_url)s\n
Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.\n
Based on the information from anitya: https://release-monitoring.org/project/%(projectid)s/\n
"""
[consumer_config.koji]
{% if env == "staging" %}
server = "https://koji.stg.fedoraproject.org/kojihub"
weburl = "https://koji.stg.fedoraproject.org/koji"
{% else %}
server = "https://koji.fedoraproject.org/kojihub"
weburl = "https://koji.fedoraproject.org/koji"
{% endif %}
krb_principal = "hotness/hotness01{{env_suffix}}.phx2.fedoraproject.org@{{ipa_realm}}"
krb_keytab = "/etc/krb5.hotness_hotness01{{env_suffix}}.phx2.fedoraproject.org.keytab"
krb_ccache = ""
krb_proxyuser = ""
krb_sessionopts = {timeout = 3600, krb_rdns = false}
git_url = "https://src.fedoraproject.org/rpms/{package}.git"
user_email = [
"Fedora Release Monitoring",
"<release-monitoring@fedoraproject.org>",
]
opts = {scratch = true}
priority = 30
target_tag = "rawhide"
[consumer_config.anitya]
url = "https://release-monitoring.org"
username = "{{ fedoraDummyUser }}"
password = "{{ fedoraDummyUserPassword }}"
[consumer_config.cache]
backend = "dogpile.cache.dbm"
expiration_time = 300
arguments = {filename = "/var/tmp/the-new-hotness-cache.dbm"}
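Review bot: The rendered `config.toml` carries credentials (`password = "{{ upstream_release_bugzilla_password }}"`, `api_key = "{{ upstream_release_bugzilla_api_token }}"` and the anitya `password = "{{ fedoraDummyUserPassword }}"`) but is stored in a `ConfigMap`, which users holding only the project `view` role can read and which gets none of the handling reserved for Secrets. These lines appear to be carried over from the previous version of the file, but since the item is being rewritten here it could be emitted as `kind: Secret` with `stringData:` and mounted via `secret:` in the deployment, as is already done for `the-new-hotness-keytab`. In the new `krb5-configmap`, the `.stg.fedoraproject.org` and `stg.fedoraproject.org` lines of `[domain_realm]` come after `{% endif %}` and are therefore rendered in production too, where `[realms]` defines only `{{ ipa_realm }}`; if that is not intended, move `{% endif %}` below them. The `kdc =` and `admin_server =` entries under `[logging]` configure server daemons and can be dropped from a client-only krb5.conf.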