only osbs-client on buildvm (just schedules with osbs) and koji-hub (status checking), ssl_verify everywhere, enable in prod

Signed-off-by: Adam Miller <admiller@redhat.com>
2026-05-11 10:32:27 +08:00 · 2016-07-12 21:19:42 +00:00
parent 29fa82db8c
commit 010732969e
4 changed files with 62 additions and 38 deletions
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -24,37 +24,6 @@
  - hosts
  - { role: fas_client, when: not inventory_hostname.startswith('bkernel') }
  - { role: sudo, when: not inventory_hostname.startswith('bkernel') }
-  - {
-      role: osbs-client,
-        when: env == 'staging',
-        general: {
-          verbose: 0,
-          build_json_dir: '/usr/share/osbs/',
-          openshift_required_version: 1.1.0,
-        },
-        default: {
-          username: "{{ osbs_koji_stg_username }}",
-          password: "{{ osbs_koji_stg_password }}",
-          koji_certs_secret: "koji",
-          openshift_url: 'https://{{ osbs_fqdn }}/',
-          registry_uri: 'https://{{ docker_registry }}/v2',
-          source_registry_uri: 'https://{{ docker_registry }}/v2',
-          build_host: '{{ osbs_fqdn }}',
-          koji_root: 'http://{{ koji_root }}',
-          koji_hub: 'http://{{ koji_hub }}',
-          sources_command: 'fedpkg sources',
-          build_type: 'prod',
-          authoritative_registry: 'registry.example.com',
-          vendor: 'Fedora Project',
-          verify_ssl: false,
-          use_auth: true,
-          builder_use_auth: true,
-          distribution_scope: 'private',
-          registry_api_versions: 'v2',
-          builder_openshift_url: 'https://172.17.0.1:8443/'
-        }
-    }
-

  tasks:
  - include: "{{ tasks }}/2fa_client.yml"
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@@ -50,7 +50,37 @@
          build_type: 'prod',
          authoritative_registry: 'registry.example.com',
          vendor: 'Fedora Project',
-          verify_ssl: false,
+          verify_ssl: true,
+          use_auth: true,
+          builder_use_auth: true,
+          distribution_scope: 'private',
+          registry_api_versions: 'v2',
+          builder_openshift_url: 'https://172.17.0.1:8443/'
+        }
+    }
+  - {
+      role: osbs-client,
+        when: env == 'production',
+        general: {
+          verbose: 0,
+          build_json_dir: '/usr/share/osbs/',
+          openshift_required_version: 1.1.0,
+        },
+        default: {
+          username: "{{ osbs_koji_prod_username }}",
+          password: "{{ osbs_koji_prod_password }}",
+          koji_certs_secret: "koji",
+          openshift_url: 'https://{{ osbs_fqdn }}/',
+          registry_uri: 'https://{{ docker_registry }}/v2',
+          source_registry_uri: 'https://{{ docker_registry }}/v2',
+          build_host: '{{ osbs_fqdn }}',
+          koji_root: 'http://{{ koji_root }}',
+          koji_hub: 'http://{{ koji_hub }}',
+          sources_command: 'fedpkg sources',
+          build_type: 'prod',
+          authoritative_registry: 'registry.example.com',
+          vendor: 'Fedora Project',
+          verify_ssl: true,
          use_auth: true,
          builder_use_auth: true,
          distribution_scope: 'private',
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -62,7 +62,36 @@
          builder_openshift_url: 'https://172.17.0.1:8443/'
        }
    }
-
+  - {
+      role: osbs-client,
+        when: env == 'staging',
+        general: {
+          verbose: 0,
+          build_json_dir: '/usr/share/osbs/',
+          openshift_required_version: 1.1.0,
+        },
+        default: {
+          username: "{{ osbs_koji_prod_username }}",
+          password: "{{ osbs_koji_prod_password }}",
+          koji_certs_secret: "koji",
+          openshift_url: 'https://{{ osbs_fqdn }}/',
+          registry_uri: 'https://{{ docker_registry }}/v2',
+          source_registry_uri: 'https://{{ docker_registry }}/v2',
+          build_host: '{{ osbs_fqdn }}',
+          koji_root: 'http://{{ koji_root }}',
+          koji_hub: 'http://{{ koji_hub }}',
+          sources_command: 'fedpkg sources',
+          build_type: 'prod',
+          authoritative_registry: 'registry.example.com',
+          vendor: 'Fedora Project',
+          verify_ssl: false,
+          use_auth: true,
+          builder_use_auth: true,
+          distribution_scope: 'private',
+          registry_api_versions: 'v2',
+          builder_openshift_url: 'https://172.17.0.1:8443/'
+        }
+    }
  - { role: nfs/server, when: env == "staging" }
  - { role: keepalived, when: env == "production" and inventory_hostname.startswith('koji') }
  - role: nfs/client
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -77,15 +77,11 @@ serverca = /etc/kojid/cacert.pem

 {% if 'runroot' in group_names %}
 ; Config for it lives in /etc/kojid/runroot.conf
-{% if env == 'staging' %}
 plugins = runroot builder_containerbuild
-{% else %}
-plugins = runroot
-{% endif %}

 {% else %}

-{% if env == 'staging' and not inventory_hostname.startswith('arm') %}
+{% if not inventory_hostname.startswith('arm') %}
 plugins = builder_containerbuild
 {% else %}
 plugins =