fas: drop yubiukey and totpcgi, nuke fas-stg test playbook.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2022-06-17 12:24:20 -07:00
parent fdaaa364cb
commit ad2fe29c04
9 changed files with 1 additions and 529 deletions


@ -1,162 +0,0 @@
- name: make the app be real
hosts: os_control_stg[0]
user: root
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
fas_db_host: "db-fas01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
gen_cert: false
wsgi_procs: 4
wsgi_threads: 1
pre_tasks:
- include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
roles:
- role: openshift/project
app: fas
description: FAS
appowners:
- puiterwijk
- pingou
- scoady
- mobrien
allow_fas_db: true
- role: openshift/imagestream
app: fas
imagename: fas
- role: openshift/imagestream
app: fas
imagename: totpcgi
- role: openshift/imagestream
app: fas
imagename: yubikey
- role: openshift/object
app: fas
template: buildconfig-fas.yml
objectname: buildconfig-fas.yml
- role: openshift/object
app: fas
template: buildconfig-yubikey.yml
objectname: buildconfig-yubikey.yml
- role: openshift/object
app: fas
template: buildconfig-totpcgi.yml
objectname: buildconfig-totpcgi.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml"
objectname: configmap-fas.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/yubikey/templates/configmap.yml"
objectname: configmap-yubikey.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/totpcgi/templates/configmap.yml"
objectname: configmap-totpcgi.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/totpcgi/templates/configmap.yml"
objectname: configmap-totpcgi-vpn.yml
when: env == "production"
- role: openshift/secret-file
app: fas
privatefile: "keytabs/{{env}}/fas_sync"
key: fas_sync_keytab
secret_name: fas-sync-keytab
- role: openshift/secret-file
app: fas
privatefile: "fas-gpg/pubring.gpg"
key: pubring.gpg
secret_name: fas-gpg-pubring
- role: openshift/object
app: fas
file: service-fas.yml
objectname: service-fas.yml
- role: openshift/object
app: fas
file: service-yubikey.yml
objectname: service-yubikey.yml
- role: openshift/object
app: fas
file: service-totpcgi.yml
objectname: service-totpcgi.yml
- role: openshift/object
app: fas
file: service-totpcgi-vpn.yml
objectname: service-totpcgi-vpn.yml
when: env == "production"
- role: openshift/route
app: fas
routename: fas
host: "admin-test.stg.fedoraproject.org"
path: "/accounts"
serviceport: dynamic
servicename: fas
annotations:
haproxy.router.openshift.io/timeout: 5m
- role: openshift/route
app: fas
routename: fas-static
host: "admin-test.stg.fedoraproject.org"
path: "/accounts/static"
serviceport: static
servicename: fas
- role: openshift/route
app: fas
routename: totpcgi-provision
host: "admin-test.stg.fedoraproject.org"
path: "/totpcgiprovision"
serviceport: provision
servicename: totpcgi
- role: openshift/route
app: fas
routename: totpcgi
host: "fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
serviceport: totp
servicename: totpcgi
termination_passthrough: true
- role: openshift/route
app: fas
routename: totpcgi-vpn
host: "fas-all.vpn.fedoraproject.org"
serviceport: totp
servicename: totpcgi-vpn
termination_passthrough: true
when: env == "production"
- role: openshift/object
app: fas
template: deploymentconfig-fas.yml
objectname: deploymentconfig-fas.yml
- role: openshift/object
app: fas
template: deploymentconfig-yubikey.yml
objectname: deploymentconfig-yubikey.yml
- role: openshift/object
app: fas
template: deploymentconfig-totpcgi.yml
objectname: deploymentconfig-totpcgi.yml
- role: openshift/object
app: fas
template: deploymentconfig-totpcgi.yml
objectname: deploymentconfig-totpcgi-vpn.yml
when: env == "production"
- role: openshift/secret-tls
app: fas
key: tls-cert-primary
secret_name: tls-cert-primary
private_cert: "2fa-certs/keys/fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org.crt"
private_key: "2fa-certs/keys/fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org.key"
- role: openshift/secret-tls
app: fas
key: tls-cert-vpn
secret_name: tls-cert-vpn
private_cert: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.crt"
private_key: "2fa-certs/keys/fas-all.vpn.fedoraproject.org.key"
when: env == "production"


@ -1,5 +1,5 @@
- name: make the app be real - name: make the app be real
hosts: os_masters[0]:os_masters_stg[0] hosts: os_masters[0]:os_control_stg[0]
user: root user: root
gather_facts: False gather_facts: False
@ -28,41 +28,14 @@
- role: openshift/imagestream - role: openshift/imagestream
app: fas app: fas
imagename: fas imagename: fas
- role: openshift/imagestream
app: fas
imagename: totpcgi
- role: openshift/imagestream
app: fas
imagename: yubikey
- role: openshift/object - role: openshift/object
app: fas app: fas
template: buildconfig-fas.yml template: buildconfig-fas.yml
objectname: buildconfig-fas.yml objectname: buildconfig-fas.yml
- role: openshift/object
app: fas
template: buildconfig-yubikey.yml
objectname: buildconfig-yubikey.yml
- role: openshift/object
app: fas
template: buildconfig-totpcgi.yml
objectname: buildconfig-totpcgi.yml
- role: openshift/object - role: openshift/object
app: fas app: fas
template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml" template_fullpath: "{{roles_path}}/fas_server/templates/configmap.yml"
objectname: configmap-fas.yml objectname: configmap-fas.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/yubikey/templates/configmap.yml"
objectname: configmap-yubikey.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/totpcgi/templates/configmap.yml"
objectname: configmap-totpcgi.yml
- role: openshift/object
app: fas
template_fullpath: "{{roles_path}}/totpcgi/templates/configmap.yml"
objectname: configmap-totpcgi-vpn.yml
when: env == "production"
- role: openshift/secret-file - role: openshift/secret-file
app: fas app: fas
privatefile: "keytabs/{{env}}/fas_sync" privatefile: "keytabs/{{env}}/fas_sync"
@ -77,19 +50,6 @@
app: fas app: fas
file: service-fas.yml file: service-fas.yml
objectname: service-fas.yml objectname: service-fas.yml
- role: openshift/object
app: fas
file: service-yubikey.yml
objectname: service-yubikey.yml
- role: openshift/object
app: fas
file: service-totpcgi.yml
objectname: service-totpcgi.yml
- role: openshift/object
app: fas
file: service-totpcgi-vpn.yml
objectname: service-totpcgi-vpn.yml
when: env == "production"
- role: openshift/route - role: openshift/route
app: fas app: fas
routename: fas routename: fas
@ -106,45 +66,10 @@
path: "/accounts/static" path: "/accounts/static"
serviceport: static serviceport: static
servicename: fas servicename: fas
- role: openshift/route
app: fas
routename: totpcgi-provision
host: "admin{{ env_suffix }}.fedoraproject.org"
path: "/totpcgiprovision"
serviceport: provision
servicename: totpcgi
- role: openshift/route
app: fas
routename: totpcgi
host: "fas-all{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
serviceport: totp
servicename: totpcgi
termination_passthrough: true
- role: openshift/route
app: fas
routename: totpcgi-vpn
host: "fas-all.vpn.fedoraproject.org"
serviceport: totp
servicename: totpcgi-vpn
termination_passthrough: true
when: env == "production"
- role: openshift/object - role: openshift/object
app: fas app: fas
template: deploymentconfig-fas.yml template: deploymentconfig-fas.yml
objectname: deploymentconfig-fas.yml objectname: deploymentconfig-fas.yml
- role: openshift/object
app: fas
template: deploymentconfig-yubikey.yml
objectname: deploymentconfig-yubikey.yml
- role: openshift/object
app: fas
template: deploymentconfig-totpcgi.yml
objectname: deploymentconfig-totpcgi.yml
- role: openshift/object
app: fas
template: deploymentconfig-totpcgi.yml
objectname: deploymentconfig-totpcgi-vpn.yml
when: env == "production"
- role: openshift/secret-tls - role: openshift/secret-tls
app: fas app: fas
key: tls-cert-primary key: tls-cert-primary
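Review bot: The `openshift/secret-tls` entry for `tls-cert-primary` survives as context at the end of the last hunk, yet the only consumer of that secret visible in this commit is the deleted totpcgi DeploymentConfig, which mounted it read-only at `/etc/pki/totp`. In the deleted staging playbook the same secret is fed from `2fa-certs/keys/…`, so if nothing else in the fas project reads it, this playbook keeps copying a 2FA TLS private key into the namespace with no user; drop that role entry, and the matching `tls-cert-vpn` one if it follows below the hunk (the roles list continues outside it). Separately, removing role entries presumably does not delete objects that were already applied, so the `totpcgi`, `totpcgi-provision` and `totpcgi-vpn` routes, their services and the rhel6-based deployments may stay live until removed explicitly. A comment near the roles list such as `# totpcgi/yubikey routes, services and deploymentconfigs must be deleted from the fas project by hand` would record that follow-up.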


@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: totpcgi-vpn
labels:
app: fas
service: totpcgi-vpn
namespace: fas
spec:
ports:
- name: totp
port: 8443
targetPort: 8443
selector:
deploymentconfig: totpcgi-vpn


@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: totpcgi
labels:
app: fas
service: totpcgi
namespace: fas
spec:
ports:
- name: provision
port: 8080
targetPort: 8080
- name: totp
port: 8443
targetPort: 8443
selector:
deploymentconfig: totpcgi


@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: yubikey
labels:
app: fas
service: yubikey
namespace: fas
spec:
ports:
- name: web
port: 8080
targetPort: 8080
selector:
deploymentconfig: yubikey


@ -1,42 +0,0 @@
apiVersion: v1
kind: BuildConfig
metadata:
labels:
build: totpcgi
name: totpcgi
spec:
runPolicy: Serial
source:
dockerfile: |-
FROM registry.access.redhat.com/rhel6
RUN curl -v -o /etc/yum.repos.d/rhel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel6.repo && \
curl -v -o /etc/yum.repos.d/epel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/epel6.repo && \
{% if env == "staging" %}
curl -v -o /etc/yum.repos.d/infra-tags-stg.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel-infra-tags-stg.repo && \
{% endif %}
curl -v -o /etc/yum.repos.d/infra-tags.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel-infra-tags.repo
RUN yum install -y \
mod_auth_pgsql \
totpcgi \
totpcgi-provisioning \
python-qrcode \
httpd \
mod_ssl \
python-fedora \
python-psycopg2
RUN curl https://infrastructure.fedoraproject.org/infra/ansible/roles/totpcgi/files/index.cgi -o /var/www/totpcgi/index.cgi
RUN curl https://infrastructure.fedoraproject.org/infra/ansible/roles/totpcgi/files/provisioning.cgi -o /var/www/totpcgi-provisioning/index.cgi
RUN chmod -R o+rx /var/www/totpcgi*
EXPOSE 8080
ENTRYPOINT bash /etc/totpcgi/start.sh
type: Dockerfile
strategy:
type: Docker
output:
to:
kind: ImageStreamTag
name: totpcgi:latest


@ -1,43 +0,0 @@
apiVersion: v1
kind: BuildConfig
metadata:
labels:
build: yubikey
name: yubikey
spec:
runPolicy: Serial
source:
dockerfile: |-
FROM registry.access.redhat.com/rhel6
RUN curl -o /etc/yum.repos.d/rhel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel6.repo && \
curl -o /etc/yum.repos.d/epel6.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/epel6.repo && \
{% if env == "staging" %}
curl -o /etc/yum.repos.d/infra-tags-stg.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel-infra-tags-stg.repo && \
{% endif %}
curl -o /etc/yum.repos.d/infra-tags.repo https://infrastructure.fedoraproject.org/infra/ansible/files/common/rhel-infra-tags.repo
RUN yum install -y \
httpd \
yubikey-ksm \
yubikey-val \
php-pgsql
# Set up config symlinks
RUN rm -f /usr/share/ykval/ykval-config.php && \
rm -f /usr/share/ykksm/ykksm-config.php && \
ln -sf /etc/ykksm/ykksm-config.php /usr/share/ykksm/ykksm-config.php && \
ln -sf /etc/ykval/ykval-config.php /usr/share/ykval/ykval-config.php && \
rm -f /usr/share/ykksm/ykksm-config.php && \
rm -f /usr/share/ykval/ykval-config.php && \
ln -sf /etc/yubikey/ykksm-config.php /usr/share/ykksm/ykksm-config.php && \
ln -sf /etc/yubikey/ykval-config.php /usr/share/ykval/ykval-config.php
EXPOSE 8080
ENTRYPOINT bash /etc/yubikey/start.sh
type: Dockerfile
strategy:
type: Docker
output:
to:
kind: ImageStreamTag
name: yubikey:latest


@ -1,85 +0,0 @@
apiVersion: v1
kind: DeploymentConfig
metadata:
labels:
app: fas
{% if objectname == "deploymentconfig-totpcgi-vpn.yml" %}
service: totpcgi-vpn
name: totpcgi-vpn
{% else %}
service: totpcgi
name: totpcgi
{% endif %}
spec:
replicas: 3
selector:
{% if objectname == "deploymentconfig-totpcgi-vpn.yml" %}
deploymentconfig: totpcgi-vpn
{% else %}
deploymentconfig: totpcgi
{% endif %}
strategy:
activeDeadlineSeconds: 21600
recreateParams:
timeoutSeconds: 600
resources: {}
rollingParams:
intervalSeconds: 1
maxSurge: 25%
maxUnavailable: 25%
timeoutSeconds: 600
updatePeriodSeconds: 1
type: Rolling
template:
metadata:
creationTimestamp: null
labels:
app: fas
{% if objectname == "deploymentconfig-totpcgi-vpn.yml" %}
deploymentconfig: totpcgi-vpn
{% else %}
deploymentconfig: totpcgi
{% endif %}
spec:
containers:
- name: totpcgi
image: totpcgi:latest
env:
- name: TZ
value: UTC
ports:
- containerPort: 8080
- containerPort: 8443
volumeMounts:
- name: config-volume
mountPath: /etc/totpcgi
readOnly: true
- name: httpdir-volume
mountPath: /httpdir
- name: secret-tls
mountPath: /etc/pki/totp
readOnly: true
volumes:
- name: config-volume
configMap:
name: totpcgi
- name: httpdir-volume
emptyDir: {}
- name: secret-tls
secret:
{% if objectname == "deploymentconfig-totpcgi-vpn.yml" %}
secretName: tls-cert-vpn
{% else %}
secretName: tls-cert-primary
{% endif %}
triggers:
- imageChangeParams:
automatic: true
containerNames:
- totpcgi
from:
kind: ImageStreamTag
name: totpcgi:latest
namespace: fas
type: ImageChange
- type: ConfigChange


@ -1,73 +0,0 @@
apiVersion: v1
kind: DeploymentConfig
metadata:
labels:
app: fas
service: yubikey
name: yubikey
spec:
replicas: 3
selector:
deploymentconfig: yubikey
strategy:
activeDeadlineSeconds: 21600
recreateParams:
timeoutSeconds: 600
resources: {}
rollingParams:
intervalSeconds: 1
maxSurge: 25%
maxUnavailable: 25%
timeoutSeconds: 600
updatePeriodSeconds: 1
type: Rolling
template:
metadata:
creationTimestamp: null
labels:
app: fas
deploymentconfig: yubikey
spec:
containers:
- name: yubikey
image: yubikey:latest
env:
- name: TZ
value: UTC
ports:
- containerPort: 8080
volumeMounts:
- name: config-volume
mountPath: /etc/yubikey
readOnly: true
- name: httpdir-volume
mountPath: /httpdir
readinessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /yk-ksm
port: 8080
livenessProbe:
timeoutSeconds: 5
initialDelaySeconds: 1
httpGet:
path: /yk-ksm
port: 8080
volumes:
- name: config-volume
configMap:
name: yubikey
- name: httpdir-volume
emptyDir: {}
triggers:
- imageChangeParams:
automatic: true
containerNames:
- yubikey
from:
kind: ImageStreamTag
name: yubikey:latest
namespace: fas
type: ImageChange
- type: ConfigChange