openqa roles: fix fedora-messaging key permissions

geekotest needs to be able to read the key files or else openQA cannot publish messages. Signed-off-by: Adam Williamson <awilliam@redhat.com>
2019-08-23 12:02:27 -07:00 · 2019-08-23 12:02:27 -07:00 · cc5a23960a
commit cc5a23960a
parent f55344abe3
4 changed files with 26 additions and 10 deletions
--- a/roles/autocloudreporter/tasks/main.yml
+++ b/roles/autocloudreporter/tasks/main.yml
@ -112,13 +112,17 @@
  tags:
  - config

+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key (openQA production)
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
    dest: /etc/pki/fedora-messaging/openqa-key.pem
-    mode: 0600
+    mode: 0640
    owner: root
-    group: root
+    group: geekotest
  when: "deployment_type is defined"
  tags:
  - config
--- a/roles/check-compose/tasks/main.yml
+++ b/roles/check-compose/tasks/main.yml
@ -140,6 +140,8 @@
  tags:
  - config

+# We always use the openQA cert and key here for now; we don't really
+# need a separate identity for check-compose.
 - name: Deploy the Fedora infra fedora-messaging cert
  copy:
    src: "{{ private }}/files/rabbitmq/{{checkcompose_env}}/pki/issued/openqa{{checkcompose_env_suffix}}.crt"
@ -147,16 +149,22 @@
    mode: 0644
    owner: root
    group: root
+  when: "deployment_type is defined"
  tags:
  - config

+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key
  copy:
    src: "{{ private }}/files/rabbitmq/{{checkcompose_env}}/pki/private/openqa{{checkcompose_env_suffix}}.key"
    dest: /etc/pki/fedora-messaging/openqa{{checkcompose_env_suffix}}-key.pem
-    mode: 0600
+    mode: 0640
    owner: root
-    group: root
+    group: geekotest
+  when: "deployment_type is defined"
  tags:
  - config

--- a/roles/openqa/dispatcher/tasks/main.yml
+++ b/roles/openqa/dispatcher/tasks/main.yml
@ -293,9 +293,9 @@
  copy:
    src: "{{ private }}/files/rabbitmq/{{openqa_env}}/pki/private/openqa{{openqa_env_suffix}}.key"
    dest: /etc/pki/fedora-messaging/openqa{{openqa_env_suffix}}-key.pem
-    mode: 0600
+    mode: 0640
    owner: root
-    group: root
+    group: geekotest
  when: "deployment_type is defined"
  tags:
  - config
@ -315,9 +315,9 @@
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
    dest: /etc/pki/fedora-messaging/openqa-key.pem
-    mode: 0600
+    mode: 0640
    owner: root
-    group: root
+    group: geekotest
  when: "deployment_type is defined and deployment_type == 'stg'"
  tags:
  - config
--- a/roles/relvalconsumer/tasks/main.yml
+++ b/roles/relvalconsumer/tasks/main.yml
@ -145,13 +145,17 @@
  tags:
  - config

+# This is kinda icky, as there's no intrinsic reason the group geekotest
+# should exist so far as this role is concerned. But as we run this role
+# on the same box as openQA, in fact we need to keep the ownership in
+# line. This needs making cleaner somehow.
 - name: Deploy the Fedora infra fedora-messaging key
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
    dest: /etc/pki/fedora-messaging/openqa-key.pem
-    mode: 0600
+    mode: 0640
    owner: root
-    group: root
+    group: geekotest
  when: "deployment_type is defined"
  tags:
  - config