Add RLP rabbitmq playbook and vars

role-rocky-rabbitmq.yml

@@ -0,0 +1,97 @@
+---
+# Stands up a RabbitMQ Cluster
+- name: Configure RabbitMQ
+  hosts: rabbitmq_rlp
+  become: true
+  vars_files:
+    # vars/vaults/encpass.yml
+    - vars/common.yml
+    - vars/rabbitmq/rlp/rabbitmq.yml
+    - vars/rabbitmq/rlp/rabbitmq_vhost.yml
+    - vars/rabbitmq/rlp/rabbitmq_users.yml
+
+  # This is to try to avoid the handler issue in pre/post tasks
+  handlers:
+    - import_tasks: handlers/main.yml
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      ansible.builtin.assert:
+        that:
+          - "not no_ansible.stat.exists"
+        success_msg: "We are able to run on this node"
+        fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+    - name: Verify if we are Rocky Linux 9 or higher
+      ansible.builtin.assert:
+        that:
+          - ansible_distribution_major_version|int >= 9
+          - ansible_distribution | lower == "rocky"
+        success_msg: "We are on a supported system"
+        fail_msg: "Only Rocky Linux versions 9 or higher are supported."
+
+    # We have separate passwords per rabbitmq env
+    - name: Import rabbitmq passwords
+      ansible.builtin.include_vars:
+        file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
+
+    # The extras repos has epel-release provided
+    - name: Enable the EPEL repository
+      ansible.builtin.dnf:
+        name: epel-release
+        state: present
+      notify:
+        - enable_crb
+      tags:
+        - packages
+
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
+
+    - name: Install centos rabbitmq
+      yum:
+        name: centos-release-rabbitmq-39
+        state: present
+      tags:
+        - packages
+
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+      when: rabbitmq_private
+
+  tasks:
+    - name: Run rabbitmq installation
+      ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml"
+      tags:
+        - rabbitmq_cluster
+
+    - name: Run rabbitmq vhosts
+      ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml"
+      tags:
+        - vhosts
+
+    - name: Run rabbitmq users
+      ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml"
+      tags:
+        - users
+
+    - name: Run rabbitmq topics
+      ansible.builtin.import_tasks: "tasks/rabbitmq/topics.yml"
+      tags:
+        - topics
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      ansible.builtin.file:
+        path: /var/log/ansible.run
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root
+...

vars/rabbitmq/rlp/rabbitmq.yml

@@ -0,0 +1,69 @@
+---
+# rabbitmq settings
+rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# These should be in a vault, with a different value. Generated by:
+# dd if=/dev/urandom bs=30 count=1 | base64
+# rabbitmq_cookie: ...
+
+# Admin passwords - these should be in a vault
+rabbitmq_admin: "rockyadmin"
+# rabbitmq_admin_password: ...
+
+# rabbitmq cluster list and information should be defined in hostvars to ensure
+# that the configuration is idempotent.
+# rabbitmq_cluster_name:
+# rabbitmq_env:
+
+# Federation / Public Queues
+rabbitmq_enable_public: false
+# pubsub_federation_pass:
+
+# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
+# This should be changed depending on how inventory is managed. For example, if
+# it's not possible to have "staging inventory" as opposed to a "production"
+# inventory, you would likely have a different name than just "rabbitmq". It is
+# also possible there will be more than one cluster, so these must be taken
+# into account when setting this variable.
+rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
+rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
+rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
+rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
+
+# Messaging queues are generally private
+rabbitmq_private: true
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: rabbitmq
+    key_location: "{{ rabbitmq_tls_key }}"
+    cert_location: "{{ rabbitmq_tls_cert }}"
+    postcmd: "/bin/systemctl restart rabbitmq-server"
+    cnames:
+      - "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
+
+# Rabbitmq settings
+rabbitmq_file_limit: '500000'
+rabbitmq_ports:
+  - 1883/tcp
+  - 4369/tcp
+  - 5671/tcp
+  - 5672/tcp
+  - 8883/tcp
+  - 15672/tcp
+  - 25672/tcp
+  - 35672-35682/tcp
+
+# Rabbitmq plugins
+rabbitmq_plugins:
+  - rabbitmq_amqp1_0
+  - rabbitmq_auth_backend_ldap
+  - rabbitmq_auth_mechanism_ssl
+  - rabbitmq_management
+  - rabbitmq_mqtt
+  - rabbitmq_federation
+  - rabbitmq_federation_management
+  - rabbitmq_peer_discovery_common
+...

vars/rabbitmq/rlp/rabbitmq_topics.yml

@@ -0,0 +1,13 @@
+---
+rabbitmq_topics:
+  - name: "zmq.topic"
+    exchange_type: "topic"
+    vhosts:
+      - vhost: "public_pubsub"
+        destination: "amq.topic"
+        destination_type: "exchange"
+        routing_key: "#"
+        binding: true
+      - vhost: "pubsub"
+        binding: false
+...

vars/rabbitmq/rlp/rabbitmq_users.yml

@@ -0,0 +1,95 @@
+---
+rabbitmq_users:
+  - user: guest
+    state: absent
+  - user: rockyadmin
+    state: present
+    tags: "administrator"
+    permissions:
+      - vhost: /
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: pubsub
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: public_pubsub
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: distrobuild
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: odcs
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: '/pubsub'
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+      - vhost: '/public_pubsub'
+        configure_priv: ".*"
+        read_priv: ".*"
+        write_priv: ".*"
+  - user: distrobuild
+    state: present
+    configure_priv: ".*"
+    read_priv: ".*"
+    write_priv: ".*"
+    vhost: distrobuild
+  - user: rockymonitor
+    state: present
+    permissions:
+      - vhost: /
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: public_pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: '/pubsub'
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+      - vhost: '/public_pubsub'
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "^$"
+    tags: "monitoring"
+  - user: rockypubsub
+    state: present
+    permissions:
+      - vhost: public_pubsub
+        configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+        write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+        read_priv: ".*"
+  - user: pubsub_federation
+    state: present
+    permissions:
+      - vhost: pubsub
+        configure_priv: "^federation.*"
+        write_priv: "^federation.*"
+        read_priv: ".*"
+  - user: rockykoji
+    state: present
+    permissions:
+      - vhost: pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "amq\\.topic"
+  - user: rockyautomation
+    state: present
+    permissions:
+      - vhost: pubsub
+        configure_priv: "^$"
+        read_priv: "^$"
+        write_priv: "amq\\.topic"
+...

vars/rabbitmq/rlp/rabbitmq_vhost.yml

@@ -0,0 +1,100 @@
+#    parameter:
+#      - name: "pubsub-to-public_pubsub"
+#        component: "federation-upstream"
+#        value: '{"uri": "amqps://pubsub_federation:{{ pubsub_federation_pass }}@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub", "ack-mode": "on-confirm"}'
+#        state: present
+---
+rabbitmq_vhosts:
+  - vhost: '/pubsub'
+    state: present
+    policy:
+      - name: HA
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          ha-mode: 'all'
+          ha-sync-mode: 'automatic'
+          ha-sync-batch-size: 10000
+      - name: pubsub_sweeper
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          expires: 111600000
+          max-length-bytes: 1073741824
+  - vhost: '/public_pubsub'
+    state: present
+    policy:
+      - name: sweeper
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          expires: 3600000
+          max-length-bytes: 52428800
+  - vhost: distrobuild
+    state: present
+    policy:
+      - name: HA
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          ha-mode: 'all'
+          ha-sync-mode: 'automatic'
+          ha-sync-batch-size: 10000
+  - vhost: odcs
+    state: present
+    policy:
+      - name: HA
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          ha-mode: 'all'
+          ha-sync-mode: 'automatic'
+          ha-sync-batch-size: 10000
+      - name: pubsub_sweeper
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          expires: 111600000
+          max-length-bytes: 1073741824
+  # Legacy entries
+  - vhost: pubsub
+    state: present
+    policy:
+      - name: HA
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          ha-mode: 'all'
+          ha-sync-mode: 'automatic'
+          ha-sync-batch-size: 10000
+      - name: pubsub_sweeper
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          expires: 111600000
+          max-length-bytes: 1073741824
+  - vhost: public_pubsub
+    state: present
+    policy:
+      - name: sweeper
+        apply_to: queues
+        state: present
+        pattern: ".*"
+        tags:
+          expires: 3600000
+          max-length-bytes: 52428800
+      - name: pubsub-to-public_pubsub
+        apply_to: exchanges
+        state: present
+        pattern: "^(amq|zmq)\\.topic$"
+        tags:
+          federation-upstream: "pubsub-to-public_pubsub"
+...