From bc747aa564537027a340d29903a0eecd1a1a1bb0 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Mon, 1 Apr 2024 22:46:41 -0700
Subject: [PATCH] Add RLP rabbitmq playbook and vars

---
role-rocky-rabbitmq.yml | 97 +++++++++++++++++++++++++
vars/rabbitmq/rlp/rabbitmq.yml | 69 ++++++++++++++++++
vars/rabbitmq/rlp/rabbitmq_topics.yml | 13 ++++
vars/rabbitmq/rlp/rabbitmq_users.yml | 95 ++++++++++++++++++++++++
vars/rabbitmq/rlp/rabbitmq_vhost.yml | 100 ++++++++++++++++++++++++++
5 files changed, 374 insertions(+)
create mode 100644 role-rocky-rabbitmq.yml
create mode 100644 vars/rabbitmq/rlp/rabbitmq.yml
create mode 100644 vars/rabbitmq/rlp/rabbitmq_topics.yml
create mode 100644 vars/rabbitmq/rlp/rabbitmq_users.yml
create mode 100644 vars/rabbitmq/rlp/rabbitmq_vhost.yml

diff --git a/role-rocky-rabbitmq.yml b/role-rocky-rabbitmq.yml
new file mode 100644
index 0000000..0d1d8c7
--- /dev/null
+++ b/role-rocky-rabbitmq.yml
@@ -0,0 +1,97 @@
+---
+# Stands up a RabbitMQ Cluster
+- name: Configure RabbitMQ
+ hosts: rabbitmq_rlp
+ become: true
+ vars_files:
+ # vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/rabbitmq/rlp/rabbitmq.yml
+ - vars/rabbitmq/rlp/rabbitmq_vhost.yml
+ - vars/rabbitmq/rlp/rabbitmq_users.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ ansible.builtin.assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Verify if we are Rocky Linux 9 or higher
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_major_version|int >= 9
+ - ansible_distribution | lower == "rocky"
+ success_msg: "We are on a supported system"
+ fail_msg: "Only Rocky Linux versions 9 or higher are supported."
+
+ # We have separate passwords per rabbitmq env
+ - name: Import rabbitmq passwords
+ ansible.builtin.include_vars:
+ file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
+
+ # The extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ ansible.builtin.dnf:
+ name: epel-release
+ state: present
+ notify:
+ - enable_crb
+ tags:
+ - packages
+
+ - name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+ - name: Install centos rabbitmq
+ yum:
+ name: centos-release-rabbitmq-39
+ state: present
+ tags:
+ - packages
+
+ roles:
+ - role: rockylinux.ipagetcert
+ state: present
+ when: rabbitmq_private
+
+ tasks:
+ - name: Run rabbitmq installation
+ ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml"
+ tags:
+ - rabbitmq_cluster
+
+ - name: Run rabbitmq vhosts
+ ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml"
+ tags:
+ - vhosts
+
+ - name: Run rabbitmq users
+ ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml"
+ tags:
+ - users
+
+ - name: Run rabbitmq topics
+ ansible.builtin.import_tasks: "tasks/rabbitmq/topics.yml"
+ tags:
+ - topics
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ ansible.builtin.file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/vars/rabbitmq/rlp/rabbitmq.yml b/vars/rabbitmq/rlp/rabbitmq.yml
new file mode 100644
index 0000000..597fd20
--- /dev/null
+++ b/vars/rabbitmq/rlp/rabbitmq.yml
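Review bot: The play's `vars_files` loads rabbitmq.yml, rabbitmq_vhost.yml and rabbitmq_users.yml but not the new vars/rabbitmq/rlp/rabbitmq_topics.yml, so `rabbitmq_topics` is undefined when the `Run rabbitmq topics` task imports tasks/rabbitmq/topics.yml, unless that task file loads it itself (not visible here). Add `- vars/rabbitmq/rlp/rabbitmq_topics.yml` to the list. The `Import rabbitmq passwords` task templates `rabbitmq_env` into a vault path that the comments in rabbitmq.yml say must come from hostvars; an `ansible.builtin.assert` with `- rabbitmq_env is defined` next to the distribution check would fail earlier and with a clearer message than a missing-file error. Stylistically, `stat:` and `yum:` are the only short module names in a play that otherwise uses `ansible.builtin.*`; `ansible.builtin.stat` and `ansible.builtin.dnf` would match the EPEL task.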
@@ -0,0 +1,69 @@
+---
+# rabbitmq settings
+rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
+rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# These should be in a vault, with a different value. Generated by:
+# dd if=/dev/urandom bs=30 count=1 | base64
+# rabbitmq_cookie: ...
+
+# Admin passwords - these should be in a vault
+rabbitmq_admin: "rockyadmin"
+# rabbitmq_admin_password: ...
+
+# rabbitmq cluster list and information should be defined in hostvars to ensure
+# that the configuration is idempotent.
+# rabbitmq_cluster_name:
+# rabbitmq_env:
+
+# Federation / Public Queues
+rabbitmq_enable_public: false
+# pubsub_federation_pass:
+
+# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
+# This should be changed depending on how inventory is managed. For example, if
+# it's not possible to have "staging inventory" as opposed to a "production"
+# inventory, you would likely have a different name than just "rabbitmq". It is
+# also possible there will be more than one cluster, so these must be taken
+# into account when setting this variable.
+rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
+rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
+rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
+rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
+rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
+
+# Messaging queues are generally private
+rabbitmq_private: true
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: rabbitmq
+ key_location: "{{ rabbitmq_tls_key }}"
+ cert_location: "{{ rabbitmq_tls_cert }}"
+ postcmd: "/bin/systemctl restart rabbitmq-server"
+ cnames:
+ - "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
+
+# Rabbitmq settings
+rabbitmq_file_limit: '500000'
+rabbitmq_ports:
+ - 1883/tcp
+ - 4369/tcp
+ - 5671/tcp
+ - 5672/tcp
+ - 8883/tcp
+ - 15672/tcp
+ - 25672/tcp
+ - 35672-35682/tcp
+
+# Rabbitmq plugins
+rabbitmq_plugins:
+ - rabbitmq_amqp1_0
+ - rabbitmq_auth_backend_ldap
+ - rabbitmq_auth_mechanism_ssl
+ - rabbitmq_management
+ - rabbitmq_mqtt
+ - rabbitmq_federation
+ - rabbitmq_federation_management
+ - rabbitmq_peer_discovery_common
+...
diff --git a/vars/rabbitmq/rlp/rabbitmq_topics.yml b/vars/rabbitmq/rlp/rabbitmq_topics.yml
new file mode 100644
index 0000000..b4dc753
--- /dev/null
+++ b/vars/rabbitmq/rlp/rabbitmq_topics.yml
@@ -0,0 +1,13 @@
+---
+rabbitmq_topics:
+ - name: "zmq.topic"
+ exchange_type: "topic"
+ vhosts:
+ - vhost: "public_pubsub"
+ destination: "amq.topic"
+ destination_type: "exchange"
+ routing_key: "#"
+ binding: true
+ - vhost: "pubsub"
+ binding: false
+...
diff --git a/vars/rabbitmq/rlp/rabbitmq_users.yml b/vars/rabbitmq/rlp/rabbitmq_users.yml
new file mode 100644
index 0000000..5ff19f7
--- /dev/null
+++ b/vars/rabbitmq/rlp/rabbitmq_users.yml
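Review bot: `rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"` refers to inventory group `rabbitmq`, while the playbook added in this commit targets `hosts: rabbitmq_rlp`; unless `rabbitmq` is a parent group in the inventory, the lookup fails on an undefined key or, if the group exists with other members, seeds the cluster list (and the `rabbitmq_cluster_list[0]` federation URI in the vhost vars) with hosts outside this environment. The comment block directly above says the value must be adapted per inventory, so `rabbitmq_cluster_list: "{{ groups['rabbitmq_rlp'] }}"` looks like the intended value for the RLP vars file. Separately, `rabbitmq_tls_ca_cert` points at the system bundle `/etc/pki/tls/certs/ca-bundle.crt` while `rabbitmq_auth_mechanism_ssl` is enabled in `rabbitmq_plugins`; if tasks/rabbitmq/rabbitmq.yml (not shown) passes this path as the broker's client-verification CA, the broker trusts client certificates from every CA in that bundle rather than only the IPA CA that issues the server certificate. A comment stating which CA file is expected to verify peers, or a dedicated IPA CA path, would make that intent checkable.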
@@ -0,0 +1,95 @@
+---
+rabbitmq_users:
+ - user: guest
+ state: absent
+ - user: rockyadmin
+ state: present
+ tags: "administrator"
+ permissions:
+ - vhost: /
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: pubsub
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: public_pubsub
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: distrobuild
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: odcs
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: '/pubsub'
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - vhost: '/public_pubsub'
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ - user: distrobuild
+ state: present
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ vhost: distrobuild
+ - user: rockymonitor
+ state: present
+ permissions:
+ - vhost: /
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: public_pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: '/pubsub'
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: '/public_pubsub'
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ tags: "monitoring"
+ - user: rockypubsub
+ state: present
+ permissions:
+ - vhost: public_pubsub
+ configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+ write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+ read_priv: ".*"
+ - user: pubsub_federation
+ state: present
+ permissions:
+ - vhost: pubsub
+ configure_priv: "^federation.*"
+ write_priv: "^federation.*"
+ read_priv: ".*"
+ - user: rockykoji
+ state: present
+ permissions:
+ - vhost: pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "amq\\.topic"
+ - user: rockyautomation
+ state: present
+ permissions:
+ - vhost: pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "amq\\.topic"
+...
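Review bot: The `distrobuild` user entry places `configure_priv`, `read_priv`, `write_priv` and `vhost` directly on the user instead of under a `permissions:` list as every other user in this file does; depending on how tasks/rabbitmq/users.yml iterates (not visible here), the flat keys are either silently ignored, leaving the user with no permissions on the `distrobuild` vhost, or break the loop. Restructure it as `permissions:` followed by `- vhost: distrobuild` with the three `_priv` keys beneath, matching `rockypubsub`. The admin user is spelled as the literal `rockyadmin` while rabbitmq.yml in this same commit defines `rabbitmq_admin: "rockyadmin"`; `- user: "{{ rabbitmq_admin }}"` keeps the two from drifting apart. Also, `tags: "monitoring"` on `rockymonitor` comes after `permissions:` whereas `rockyadmin` puts `tags` before it; one order throughout makes the file easier to audit.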
diff --git a/vars/rabbitmq/rlp/rabbitmq_vhost.yml b/vars/rabbitmq/rlp/rabbitmq_vhost.yml
new file mode 100644
index 0000000..27d476d
--- /dev/null
+++ b/vars/rabbitmq/rlp/rabbitmq_vhost.yml
@@ -0,0 +1,100 @@
+# parameter:
+# - name: "pubsub-to-public_pubsub"
+# component: "federation-upstream"
+# value: '{"uri": "amqps://pubsub_federation:{{ pubsub_federation_pass }}@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub", "ack-mode": "on-confirm"}'
+# state: present
+---
+rabbitmq_vhosts:
+ - vhost: '/pubsub'
+ state: present
+ policy:
+ - name: HA
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ ha-mode: 'all'
+ ha-sync-mode: 'automatic'
+ ha-sync-batch-size: 10000
+ - name: pubsub_sweeper
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 111600000
+ max-length-bytes: 1073741824
+ - vhost: '/public_pubsub'
+ state: present
+ policy:
+ - name: sweeper
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 3600000
+ max-length-bytes: 52428800
+ - vhost: distrobuild
+ state: present
+ policy:
+ - name: HA
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ ha-mode: 'all'
+ ha-sync-mode: 'automatic'
+ ha-sync-batch-size: 10000
+ - vhost: odcs
+ state: present
+ policy:
+ - name: HA
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ ha-mode: 'all'
+ ha-sync-mode: 'automatic'
+ ha-sync-batch-size: 10000
+ - name: pubsub_sweeper
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 111600000
+ max-length-bytes: 1073741824
+ # Legacy entries
+ - vhost: pubsub
+ state: present
+ policy:
+ - name: HA
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ ha-mode: 'all'
+ ha-sync-mode: 'automatic'
+ ha-sync-batch-size: 10000
+ - name: pubsub_sweeper
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 111600000
+ max-length-bytes: 1073741824
+ - vhost: public_pubsub
+ state: present
+ policy:
+ - name: sweeper
+ apply_to: queues
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 3600000
+ max-length-bytes: 52428800
+ - name: pubsub-to-public_pubsub
+ apply_to: exchanges
+ state: present
+ pattern: "^(amq|zmq)\\.topic$"
+ tags:
+ federation-upstream: 
"pubsub-to-public_pubsub" +...