anubis: switch this to just allowing CloudFront

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

playbooks/openshift-apps/fedora-coreos-pipeline.yml

@@ -14,6 +14,7 @@
     project_description: Fedora CoreOS Pipeline
     appowners:
     - aaradhak
+    - acervera
     - afrosi
     - azukku
     - bipinbn

roles/anubis-el/files/botPolicy.yaml

@@ -12,6 +12,9 @@ bots:
     weight:
       adjust: 20
     path_regex: ^/fork/
+  - name: cloudfront
+    user_agent_regex: "Amazon CloudFront"
+    action: ALLOW
   # allow Pagure attachment files (referenced from Fedora Forge)
   - name: pagure attachment files
     path_regex: ^/.+?/issue/raw/files/

roles/anubis/templates/policies.yaml.j2

@@ -36,6 +36,9 @@ bots:
   - name: productmd
     user_agent_regex: productmd
     action: ALLOW
+  - name: zchunk
+    path_regex: '.*zck'
+    action: ALLOW
   - name: atlassian
     user_agent_regex: Atlassian-Jira-Automation/*
     action: ALLOW

roles/logdetective/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
-- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
+- name: Import common cloud setup tasks
+  ansible.builtin.import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
 
 - name: Install basic packages
   ansible.builtin.dnf:
@@ -19,10 +20,11 @@
   ansible.builtin.get_url:
     url: https://developer.download.nvidia.com/compute/cuda/repos/fedora41/x86_64/cuda-fedora41.repo
     dest: /etc/yum.repos.d/
+    mode: "0644"
   tags:
     - cuda_installation
 
-- name: install cuda
+- name: Install cuda
   ansible.builtin.package:
     name: cuda-toolkit-12
   register: cuda_installation
@@ -31,12 +33,12 @@
 
 - name: Restart the system
   ansible.builtin.reboot:
-  when: cuda_installation.changed
+  when: cuda_installation.changed # noqa: no-handler
   tags:
     - cuda_installation
 
 - name: Ensure state of secondary drive
-  ignore_errors: true
+  ignore_errors: true # noqa: ignore-errors
   when:
     - drive_device is defined
   block:
@@ -44,6 +46,7 @@
       ansible.builtin.file:
         path: /mnt/srv
         state: directory
+        mode: "0755"
 
     - name: Mount the drive on boot
       ansible.posix.mount:
@@ -74,6 +77,7 @@
         block: |
           export HUGGINGFACE_HUB_CACHE=/mnt/srv/.cache/huggingface
           export PIP_CACHE_DIR=/mnt/srv/.cache/pip
+        mode: "0644"
 
     - name: Set up CUDA binary paths
       ansible.builtin.lineinfile:
@@ -85,6 +89,7 @@
         path: /etc/profile.d/models.sh
         line: export MODELS_PATH=/mnt/srv/models/
         create: true
+        mode: "0644"
 
     # TODO Configure Podman to store data on our secondary drive in
     # /mnt/srv/containers_storage/
@@ -108,13 +113,16 @@
 
 
 - name: Stop and disable nftables service
-  systemd:
+  ansible.builtin.systemd:
     name: nftables
     state: stopped
     enabled: false
 
 - name: Start firewalld so that we can allow ports more easily
-  systemd: state=started name=firewalld enabled=yes
+  ansible.builtin.systemd:
+    name: firewalld
+    state: started
+    enabled: true
 
 - name: Allow accessing 443 from the outside
   ansible.posix.firewalld:
@@ -122,6 +130,12 @@
     permanent: true
     state: enabled
 
+- name: Allow accessing 8090 from the outside for Packit Interface
+  ansible.posix.firewalld:
+    port: 8090/tcp
+    permanent: true
+    state: enabled
+
 - name: Allow HTTP and HTTPS in firewall
   ansible.posix.firewalld:
     service: "{{ item }}"

roles/openshift-apps/bugzilla2fedmsg/templates/buildconfig.yml.j2

@@ -17,7 +17,7 @@ spec:
       from:
         kind: ImageStreamTag
         namespace: openshift
-        name: python:3.9-ubi8
+        name: python:3.11-ubi9
   triggers:
   - type: ImageChange
   - type: ConfigChange

roles/openshift-apps/bugzilla2fedmsg/templates/fedora-messaging.toml

@@ -20,19 +20,37 @@ certfile = "/etc/pki/fedora-messaging/bugzilla2fedmsg-cert.pem"
 [consumer_config]
     fasjson_url = "https://fasjson{{ env_suffix }}.fedoraproject.org"
 
+    {% if env == "staging" %}
+    [consumer_config.kafka]
+    # Kafka servers
+    # https://kafka-python.readthedocs.io/en/master/apidoc/KafkaConsumer.html
+    {% if env == "staging" %}
+    servers = [
+        "b-1.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+        "b-2.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+        "b-6.itpreprod.sui7dp.c7.kafka.us-east-1.amazonaws.com:9096",
+    ]
+    username = "{{ redhat_kafka_staging_username }}"
+    password = "{{ redhat_kafka_staging_password }}"
+    topics = ["qa.ants.engineering.bugzilla.bug", "stage.ants.engineering.bugzilla.bug"]
+    {% else %}
+    servers = [
+        "b-3.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+        "b-2.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+        "b-1.itprod.bvduhl.c8.kafka.us-east-1.amazonaws.com:9096",
+    ]
+    username = "{{ redhat_kafka_prod_username }}"
+    password = "{{ redhat_kafka_prod_password }}"
+    topics = ["ants.engineering.bugzilla.bug"]
+    {% endif %}
+    {% else %}
     [consumer_config.stomp]
     # Broker URI
     # http://nikipore.github.io/stompest/protocol.html#stompest.protocol.failover.StompFailoverUri
     # Example: failover:(tcp://remote1:61615,tcp://localhost:61616)?randomize=false,startupMaxReconnectAttempts=3,initialReconnectDelay=7,maxReconnectDelay=8,maxReconnectAttempts=0
-{% if env == 'staging' %}
-    uri = "ssl://umb.stage.api.redhat.com:61612"
-    user = "{{ redhat_dmz_dev_broker_username }}"
-    pass = "{{ redhat_dmz_dev_broker_password }}"
-{% else %}
     uri = "ssl://umb.api.redhat.com:61612"
     user = "{{ redhat_dmz_prod_broker_username }}"
     pass = "{{ redhat_dmz_prod_broker_password }}"
-{% endif %}
     ssl_crt = "/etc/pki/stomp/msg-client-fedora-prod.crt"
     ssl_key = "/etc/pki/stomp/msg-client-fedora-prod.key"
 
@@ -44,6 +62,7 @@ certfile = "/etc/pki/fedora-messaging/bugzilla2fedmsg-cert.pem"
 
     # How many messages to prefetch
     prefetch_size = 100
+    {% endif %}
 
     [consumer_config.bugzilla]
     # Products to relay messages for - messages for bugs files against