From 24c7194f1aca5d089114349017cb9980336b4797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Tue, 5 Jul 2022 09:29:29 +0200 Subject: [PATCH] Split off some rabbitmq vhosts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard
---
playbooks/groups/batcave.yml | 2 + roles/rabbitmq_cluster/tasks/apps.yml | 214 +----------------- roles/rabbitmq_cluster/tasks/main.yml | 12 + .../tasks/vhost-centos-odcs.yml | 105 +++++++++ .../tasks/vhost-mbs-private-queue.yml | 92 ++++++++ 5 files changed, 213 insertions(+), 212 deletions(-) create mode 100644 roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml create mode 100644 roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml
diff --git a/playbooks/groups/batcave.yml b/playbooks/groups/batcave.yml
index d94eae5147..6706b9f4a5 100644
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@@ -34,6 +34,8 @@ sent_topics: - ^org\.fedoraproject\.{{ env_short }}\.ansible\..* - ^org\.fedoraproject\.{{ env_short }}\.git\..*
+ - ^org\.fedoraproject\.{{ env_short }}\.infragit\..*
+ - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..* - role: rabbit/queue username: "mirror_pagure_ansible{{ env_suffix }}" queue_name: "mirror_pagure_ansible{{ env_suffix }}"
diff --git a/roles/rabbitmq_cluster/tasks/apps.yml b/roles/rabbitmq_cluster/tasks/apps.yml
index cd5f8a30df..0a0689c85c 100644
--- a/roles/rabbitmq_cluster/tasks/apps.yml
+++ b/roles/rabbitmq_cluster/tasks/apps.yml
@@ -1,5 +1,6 @@ #
-# This playbook creates users and queues for specific applications
+# This playbook creates users and queues for specific applications that are not
+# elsewhere in Ansible. #
@@ -134,123 +135,8 @@ username: resultsdb-centos{{ env_suffix }} # CENTOS RESULTSDB END -# CENTOS ODCS BEGIN -- name: Configure the centos-odcs virtual host - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_vhost: - name: /centos-odcs - state: present - tags: - - centos-odcs - -- name: Configure the HA policy for the centos-odcs queues - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_policy: - name: HA - apply_to: queues - pattern: .* - tags: - ha-mode: all - ha-sync-mode: automatic # Auto sync queues to new cluster members - ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime - vhost: /centos-odcs - tags: - - centos-odcs - -- name: Add a policy to limit queues to 1GB and remove after a month of no use - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_policy: - apply_to: queues - name: pubsub_sweeper - state: present - pattern: ".*" - tags: - # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month) - expires: 111600000 - # Queues can use at most 1GB of storage - max-length-bytes: 1073741824 - vhost: /centos-odcs - tags: - - centos-odcs - -- name: Create the centos-odcs-admin user for the centos-odcs vhost (prod) - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: centos-odcs-admin - password: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}" - vhost: /centos-odcs - configure_priv: .* - read_priv: .* - write_priv: .* - tags: - - centos-odcs - -- name: Dump the admin password in a file for administrative operations - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - copy: - dest: /root/.centos-odcs-rabbitmqpass - content: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, 
rabbitmq_centos_odcs_admin_password_staging) }}" - mode: 0600 - owner: root - group: root - tags: - - centos-odcs - -- name: Grant the admin user access to the centos-odcs vhost - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: admin - vhost: /centos-odcs - configure_priv: .* - read_priv: .* - write_priv: .* - tags: administrator - tags: - - centos-odcs - -- name: Create a user for centos-odcs access - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: "centos-odcs-private-queue{{ env_suffix }}" - vhost: /centos-odcs - configure_priv: .* - write_priv: .* - read_priv: .* - state: present - tags: - - centos-odcs - -- name: Create the user in RabbitMQ - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: centos-odcs - vhost: /centos-odcs - read_priv: "^$" # Publish only, no reading - write_priv: "amq\\.topic" - configure_priv: "^$" # No configuration permissions - state: present - tags: - - centos-odcs - -# CENTOS ODCS END - # CENTOS robosignatory BEGIN -- name: CentOS Stream robosignatory user - run_once: true - include_role: - name: rabbit/user - vars: - username: centos-stream-robosignatory - - name: CentOS Stream robosignatory queue run_once: true include_role: 
@@ -268,102 +154,6 @@ # CENTOS STREAM robosignatory END -# MBS BEGIN -# -- name: Configure the mbs-private-queue virtual host - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_vhost: - name: /mbs-private-queue - state: present - tags: - - mbs-private-queue - -- name: Configure the HA policy for the mbs-private-queue queues - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_policy: - name: HA - apply_to: queues - pattern: .* - tags: - ha-mode: all - ha-sync-mode: automatic # Auto sync queues to new cluster members - ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime - vhost: /mbs-private-queue - tags: - - mbs-private-queue - -- name: Add a policy to limit queues to 1GB and remove after a month of no use - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_policy: - apply_to: queues - name: pubsub_sweeper - state: present - pattern: ".*" - tags: - # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month) - expires: 111600000 - # Queues can use at most 1GB of storage - max-length-bytes: 1073741824 - vhost: /mbs-private-queue - tags: - - mbs-private-queue - -- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod) - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: mbs-private-queue - password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}" - vhost: /mbs-private-queue - configure_priv: .* - read_priv: .* - write_priv: .* - tags: - - mbs-private-queue - -- name: Dump the admin password in a file for administrative operations - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - copy: - dest: /root/.mbs-private-queue-rabbitmqpass - content: "{{ (env == 
'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}" - mode: 0600 - owner: root - group: root - tags: - - mbs-private-queue - -- name: Grant the admin user access to the mbs-private-queue vhost - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: admin - vhost: /mbs-private-queue - configure_priv: .* - read_priv: .* - write_priv: .* - tags: administrator - tags: - - mbs-private-queue - -- name: Create a user for mbs-private-queue access - run_once: true - delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" - rabbitmq_user: - user: "mbs-private-queue{{ env_suffix }}" - vhost: /mbs-private-queue - configure_priv: .* - write_priv: .* - read_priv: .* - state: present - tags: - - mbs-private-queue - -# MBS END -# # ELN BEGIN - name: eln queue
diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index d653d28a47..8ac12d02cd 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -489,3 +489,15 @@ tags: - rabbitmq_cluster - config
+
+# VirtualHost /centos-odcs
+- import_tasks: vhost-centos-odcs.yml
+ tags:
+ - rabbitmq_cluster
+ - config
+
+# VirtualHost /mbs-private-queue
+- import_tasks: vhost-mbs-private-queue.yml
+ tags:
+ - rabbitmq_cluster
+ - config
diff --git a/roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml b/roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml
new file mode 100644
index 0000000000..0d6143df96
--- /dev/null
+++ b/roles/rabbitmq_cluster/tasks/vhost-centos-odcs.yml
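Review bot: The two `import_tasks` entries bring back the centos-odcs and mbs-private-queue blocks that this patch removes from apps.yml, but the `CentOS Stream robosignatory user` task (`include_role: rabbit/user` with `username: centos-stream-robosignatory`) that the same apps.yml hunk deletes is not re-added here or in either new task file. Unless that RabbitMQ user is created by another play, the `CentOS Stream robosignatory queue` task left in apps.yml now refers to a user this role no longer manages. Either restore the include_role in apps.yml next to the queue task, or move it into a `vhost-*.yml` file and add a third `- import_tasks:` entry in this hunk. The task whose `tags:` form the leading context starts outside the hunk.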
@@ -0,0 +1,105 @@
+- name: Configure the centos-odcs virtual host
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_vhost:
+ name: /centos-odcs
+ state: present
+ tags:
+ - centos-odcs
+
+- name: Configure the HA policy for the centos-odcs queues
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_policy:
+ name: HA
+ apply_to: queues
+ pattern: .*
+ tags:
+ ha-mode: all
+ ha-sync-mode: automatic # Auto sync queues to new cluster members
+ ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime
+ vhost: /centos-odcs
+ tags:
+ - centos-odcs
+
+- name: Add a policy to limit queues to 1GB and remove after a month of no use
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_policy:
+ apply_to: queues
+ name: pubsub_sweeper
+ state: present
+ pattern: ".*"
+ tags:
+ # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
+ expires: 111600000
+ # Queues can use at most 1GB of storage
+ max-length-bytes: 1073741824
+ vhost: /centos-odcs
+ tags:
+ - centos-odcs
+
+- name: Create the centos-odcs-admin user for the centos-odcs vhost (prod)
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: centos-odcs-admin
+ password: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
+ vhost: /centos-odcs
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags:
+ - centos-odcs
+
+- name: Dump the admin password in a file for administrative operations
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ copy:
+ dest: /root/.centos-odcs-rabbitmqpass
+ content: "{{ (env == 'production')|ternary(rabbitmq_centos_odcs_admin_password_production, rabbitmq_centos_odcs_admin_password_staging) }}"
+ mode: 0600
+ owner: root
+ group: root
+ tags:
+ -
centos-odcs
+
+- name: Grant the admin user access to the centos-odcs vhost
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: admin
+ vhost: /centos-odcs
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags: administrator
+ tags:
+ - centos-odcs
+
+- name: Create a user for centos-odcs access
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: "centos-odcs-private-queue{{ env_suffix }}"
+ vhost: /centos-odcs
+ configure_priv: .*
+ write_priv: .*
+ read_priv: .*
+ state: present
+ tags:
+ - centos-odcs
+
+- name: Create the user in RabbitMQ
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: centos-odcs
+ vhost: /centos-odcs
+ read_priv: "^$" # Publish only, no reading
+ write_priv: "amq\\.topic"
+ configure_priv: "^$" # No configuration permissions
+ state: present
+ tags:
+ - centos-odcs
+
diff --git a/roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml b/roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml
new file mode 100644
index 0000000000..bc4ce70c2a
--- /dev/null
+++ b/roles/rabbitmq_cluster/tasks/vhost-mbs-private-queue.yml
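Review bot: In the new vhost-centos-odcs.yml (and identically in vhost-mbs-private-queue.yml) the `HA` and `pubsub_sweeper` policy tasks both use `apply_to: queues` with a `.*` pattern on the same vhost and leave the module's `priority` at its default, and RabbitMQ applies at most one policy to a given queue, so either the mirroring settings or the 1GB/expiry limits never take effect, and which one wins at equal priority is not defined. Merging the two `tags:` maps into a single policy task makes both sets of settings apply; a `state: absent` task for the now-unused `pubsub_sweeper` policy clears it on clusters where it was already created, otherwise the conflict persists there. Since the file is new, a `---` document start and a one-line header such as `# Vhost, policies, users and permissions for /centos-odcs (imported from main.yml)` would also help the next reader, matching the header comment apps.yml carries.

```yaml
- name: Configure the HA and size/expiry policy for the centos-odcs queues
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
  rabbitmq_policy:
    name: HA
    apply_to: queues
    state: present
    pattern: ".*"
    tags:
      ha-mode: all
      ha-sync-mode: automatic  # Auto sync queues to new cluster members
      ha-sync-batch-size: 10000  # Larger is faster, but must finish in 1 net_ticktime
      # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
      expires: 111600000
      # Queues can use at most 1GB of storage
      max-length-bytes: 1073741824
    vhost: /centos-odcs
  tags:
    - centos-odcs

- name: Remove the superseded pubsub_sweeper policy (its settings live in the HA policy now)
  run_once: true
  delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
  rabbitmq_policy:
    name: pubsub_sweeper
    pattern: ".*"
    state: absent
    vhost: /centos-odcs
  tags:
    - centos-odcs
# … unchanged: vhost creation, user and permission tasks …
```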
@@ -0,0 +1,92 @@
+- name: Configure the mbs-private-queue virtual host
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_vhost:
+ name: /mbs-private-queue
+ state: present
+ tags:
+ - mbs-private-queue
+
+- name: Configure the HA policy for the mbs-private-queue queues
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_policy:
+ name: HA
+ apply_to: queues
+ pattern: .*
+ tags:
+ ha-mode: all
+ ha-sync-mode: automatic # Auto sync queues to new cluster members
+ ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime
+ vhost: /mbs-private-queue
+ tags:
+ - mbs-private-queue
+
+- name: Add a policy to limit queues to 1GB and remove after a month of no use
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_policy:
+ apply_to: queues
+ name: pubsub_sweeper
+ state: present
+ pattern: ".*"
+ tags:
+ # Unused queues are killed after 1000 * 60 * 60 * 31 milliseconds (~a month)
+ expires: 111600000
+ # Queues can use at most 1GB of storage
+ max-length-bytes: 1073741824
+ vhost: /mbs-private-queue
+ tags:
+ - mbs-private-queue
+
+- name: Create the mbs-private-queue user for the mbs-private-queue vhost (prod)
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: mbs-private-queue
+ password: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production, rabbitmq_mbs_private_queue_admin_password_staging) }}"
+ vhost: /mbs-private-queue
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags:
+ - mbs-private-queue
+
+- name: Dump the admin password in a file for administrative operations
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ copy:
+ dest: /root/.mbs-private-queue-rabbitmqpass
+ content: "{{ (env == 'production')|ternary(rabbitmq_mbs_private_queue_admin_password_production,
rabbitmq_mbs_private_queue_admin_password_staging) }}"
+ mode: 0600
+ owner: root
+ group: root
+ tags:
+ - mbs-private-queue
+
+- name: Grant the admin user access to the mbs-private-queue vhost
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: admin
+ vhost: /mbs-private-queue
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags: administrator
+ tags:
+ - mbs-private-queue
+
+- name: Create a user for mbs-private-queue access
+ run_once: true
+ delegate_to: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
+ rabbitmq_user:
+ user: "mbs-private-queue{{ env_suffix }}"
+ vhost: /mbs-private-queue
+ configure_priv: .*
+ write_priv: .*
+ read_priv: .*
+ state: present
+ tags:
+ - mbs-private-queue
+
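Review bot: The `Dump the admin password in a file for administrative operations` task writes the vhost admin credential through `copy`/`content:` but carries no `no_log: true`, so a run with `--diff` or a verbose callback can print the rendered password in the before/after output for `/root/.mbs-private-queue-rabbitmqpass`; the corresponding task in vhost-centos-odcs.yml has the same gap. Adding `no_log: true` beside `run_once: true` keeps the secret out of logs and CI output while the root-owned 0600 file stays the only place it lands. As a style point, quoting the mode as `mode: "0600"` avoids relying on the YAML parser's octal-integer reading and is unambiguous to every loader. The `mbs-private-queue{{ env_suffix }}` user is created without a `password:`; if it is meant to authenticate by client certificate, a short comment on that task saying so would spare the next reader the question.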