Add RLP rabbitmq playbook and vars

2024-04-01 22:46:41 -07:00 · 2024-04-01 22:46:41 -07:00 · bc747aa564
commit bc747aa564
parent 2cd17e13c4
5 changed files with 374 additions and 0 deletions
--- a/role-rocky-rabbitmq.yml
+++ b/role-rocky-rabbitmq.yml
@ -0,0 +1,97 @@
 ---
 # Stands up a RabbitMQ Cluster
 - name: Configure RabbitMQ
  hosts: rabbitmq_rlp
  become: true
  vars_files:
    # vars/vaults/encpass.yml
    - vars/common.yml
    - vars/rabbitmq/rlp/rabbitmq.yml
    - vars/rabbitmq/rlp/rabbitmq_vhost.yml
    - vars/rabbitmq/rlp/rabbitmq_users.yml
  # This is to try to avoid the handler issue in pre/post tasks
  handlers:
    - import_tasks: handlers/main.yml
  pre_tasks:
    - name: Check if ansible cannot be run here
      stat:
        path: /etc/no-ansible
      register: no_ansible
    - name: Verify if we can run ansible
      ansible.builtin.assert:
        that:
          - "not no_ansible.stat.exists"
        success_msg: "We are able to run on this node"
        fail_msg: "/etc/no-ansible exists - skipping run on this node"
    - name: Verify if we are Rocky Linux 9 or higher
      ansible.builtin.assert:
        that:
          - ansible_distribution_major_version|int >= 9
          - ansible_distribution | lower == "rocky"
        success_msg: "We are on a supported system"
        fail_msg: "Only Rocky Linux versions 9 or higher are supported."
    # We have separate passwords per rabbitmq env
    - name: Import rabbitmq passwords
      ansible.builtin.include_vars:
        file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
    # The extras repos has epel-release provided
    - name: Enable the EPEL repository
      ansible.builtin.dnf:
        name: epel-release
        state: present
      notify:
        - enable_crb
      tags:
        - packages
    - name: Flush handlers
      ansible.builtin.meta: flush_handlers
    - name: Install centos rabbitmq
      yum:
        name: centos-release-rabbitmq-39
        state: present
      tags:
        - packages
  roles:
    - role: rockylinux.ipagetcert
      state: present
      when: rabbitmq_private
  tasks:
    - name: Run rabbitmq installation
      ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml"
      tags:
        - rabbitmq_cluster
    - name: Run rabbitmq vhosts
      ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml"
      tags:
        - vhosts
    - name: Run rabbitmq users
      ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml"
      tags:
        - users
    - name: Run rabbitmq topics
      ansible.builtin.import_tasks: "tasks/rabbitmq/topics.yml"
      tags:
        - topics
  post_tasks:
    - name: Touching run file that ansible has ran here
      ansible.builtin.file:
        path: /var/log/ansible.run
        state: touch
        mode: '0644'
        owner: root
        group: root
 ...
--- a/vars/rabbitmq/rlp/rabbitmq.yml
+++ b/vars/rabbitmq/rlp/rabbitmq.yml
@ -0,0 +1,69 @@
 ---
 # rabbitmq settings
 rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
 rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
 rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
 # These should be in a vault, with a different value. Generated by:
 # dd if=/dev/urandom bs=30 count=1 | base64
 # rabbitmq_cookie: ...
 # Admin passwords - these should be in a vault
 rabbitmq_admin: "rockyadmin"
 # rabbitmq_admin_password: ...
 # rabbitmq cluster list and information should be defined in hostvars to ensure
 # that the configuration is idempotent.
 # rabbitmq_cluster_name:
 # rabbitmq_env:
 # Federation / Public Queues
 rabbitmq_enable_public: false
 # pubsub_federation_pass:
 # THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
 # This should be changed depending on how inventory is managed. For example, if
 # it's not possible to have "staging inventory" as opposed to a "production"
 # inventory, you would likely have a different name than just "rabbitmq". It is
 # also possible there will be more than one cluster, so these must be taken
 # into account when setting this variable.
 rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
 rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
 rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
 rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
 rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
 # Messaging queues are generally private
 rabbitmq_private: true
 ipa_getcert_requested_hostnames:
  - name: "{{ ansible_fqdn }}"
    owner: rabbitmq
    key_location: "{{ rabbitmq_tls_key }}"
    cert_location: "{{ rabbitmq_tls_cert }}"
    postcmd: "/bin/systemctl restart rabbitmq-server"
    cnames:
      - "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
 # Rabbitmq settings
 rabbitmq_file_limit: '500000'
 rabbitmq_ports:
  - 1883/tcp
  - 4369/tcp
  - 5671/tcp
  - 5672/tcp
  - 8883/tcp
  - 15672/tcp
  - 25672/tcp
  - 35672-35682/tcp
 # Rabbitmq plugins
 rabbitmq_plugins:
  - rabbitmq_amqp1_0
  - rabbitmq_auth_backend_ldap
  - rabbitmq_auth_mechanism_ssl
  - rabbitmq_management
  - rabbitmq_mqtt
  - rabbitmq_federation
  - rabbitmq_federation_management
  - rabbitmq_peer_discovery_common
 ...
--- a/vars/rabbitmq/rlp/rabbitmq_topics.yml
+++ b/vars/rabbitmq/rlp/rabbitmq_topics.yml
@ -0,0 +1,13 @@
 ---
 rabbitmq_topics:
  - name: "zmq.topic"
    exchange_type: "topic"
    vhosts:
      - vhost: "public_pubsub"
        destination: "amq.topic"
        destination_type: "exchange"
        routing_key: "#"
        binding: true
      - vhost: "pubsub"
        binding: false
 ...
--- a/vars/rabbitmq/rlp/rabbitmq_users.yml
+++ b/vars/rabbitmq/rlp/rabbitmq_users.yml
@ -0,0 +1,95 @@
 ---
 rabbitmq_users:
  - user: guest
    state: absent
  - user: rockyadmin
    state: present
    tags: "administrator"
    permissions:
      - vhost: /
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: pubsub
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: public_pubsub
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: distrobuild
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: odcs
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: '/pubsub'
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
      - vhost: '/public_pubsub'
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
  - user: distrobuild
    state: present
    configure_priv: ".*"
    read_priv: ".*"
    write_priv: ".*"
    vhost: distrobuild
  - user: rockymonitor
    state: present
    permissions:
      - vhost: /
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "^$"
      - vhost: pubsub
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "^$"
      - vhost: public_pubsub
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "^$"
      - vhost: '/pubsub'
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "^$"
      - vhost: '/public_pubsub'
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "^$"
    tags: "monitoring"
  - user: rockypubsub
    state: present
    permissions:
      - vhost: public_pubsub
        configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
        write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
        read_priv: ".*"
  - user: pubsub_federation
    state: present
    permissions:
      - vhost: pubsub
        configure_priv: "^federation.*"
        write_priv: "^federation.*"
        read_priv: ".*"
  - user: rockykoji
    state: present
    permissions:
      - vhost: pubsub
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "amq\\.topic"
  - user: rockyautomation
    state: present
    permissions:
      - vhost: pubsub
        configure_priv: "^$"
        read_priv: "^$"
        write_priv: "amq\\.topic"
 ...
--- a/vars/rabbitmq/rlp/rabbitmq_vhost.yml
+++ b/vars/rabbitmq/rlp/rabbitmq_vhost.yml
@ -0,0 +1,100 @@
 #    parameter:
 #      - name: "pubsub-to-public_pubsub"
 #        component: "federation-upstream"
 #        value: '{"uri": "amqps://pubsub_federation:{{ pubsub_federation_pass }}@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub", "ack-mode": "on-confirm"}'
 #        state: present
 ---
 rabbitmq_vhosts:
  - vhost: '/pubsub'
    state: present
    policy:
      - name: HA
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          ha-mode: 'all'
          ha-sync-mode: 'automatic'
          ha-sync-batch-size: 10000
      - name: pubsub_sweeper
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          expires: 111600000
          max-length-bytes: 1073741824
  - vhost: '/public_pubsub'
    state: present
    policy:
      - name: sweeper
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          expires: 3600000
          max-length-bytes: 52428800
  - vhost: distrobuild
    state: present
    policy:
      - name: HA
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          ha-mode: 'all'
          ha-sync-mode: 'automatic'
          ha-sync-batch-size: 10000
  - vhost: odcs
    state: present
    policy:
      - name: HA
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          ha-mode: 'all'
          ha-sync-mode: 'automatic'
          ha-sync-batch-size: 10000
      - name: pubsub_sweeper
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          expires: 111600000
          max-length-bytes: 1073741824
  # Legacy entries
  - vhost: pubsub
    state: present
    policy:
      - name: HA
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          ha-mode: 'all'
          ha-sync-mode: 'automatic'
          ha-sync-batch-size: 10000
      - name: pubsub_sweeper
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          expires: 111600000
          max-length-bytes: 1073741824
  - vhost: public_pubsub
    state: present
    policy:
      - name: sweeper
        apply_to: queues
        state: present
        pattern: ".*"
        tags:
          expires: 3600000
          max-length-bytes: 52428800
      - name: pubsub-to-public_pubsub
        apply_to: exchanges
        state: present
        pattern: "^(amq|zmq)\\.topic$"
        tags:
          federation-upstream: "pubsub-to-public_pubsub"
 ...