Add RLP rabbitmq playbook and vars
This commit is contained in:
parent
2cd17e13c4
commit
bc747aa564
97
role-rocky-rabbitmq.yml
Normal file
97
role-rocky-rabbitmq.yml
Normal file
@ -0,0 +1,97 @@
|
||||
---
|
||||
# Stands up a RabbitMQ Cluster
|
||||
- name: Configure RabbitMQ
|
||||
hosts: rabbitmq_rlp
|
||||
become: true
|
||||
vars_files:
|
||||
# vars/vaults/encpass.yml
|
||||
- vars/common.yml
|
||||
- vars/rabbitmq/rlp/rabbitmq.yml
|
||||
- vars/rabbitmq/rlp/rabbitmq_vhost.yml
|
||||
- vars/rabbitmq/rlp/rabbitmq_users.yml
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
- name: Verify if we are Rocky Linux 9 or higher
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- ansible_distribution_major_version|int >= 9
|
||||
- ansible_distribution | lower == "rocky"
|
||||
success_msg: "We are on a supported system"
|
||||
fail_msg: "Only Rocky Linux versions 9 or higher are supported."
|
||||
|
||||
# We have separate passwords per rabbitmq env
|
||||
- name: Import rabbitmq passwords
|
||||
ansible.builtin.include_vars:
|
||||
file: "vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml"
|
||||
|
||||
# The extras repos has epel-release provided
|
||||
- name: Enable the EPEL repository
|
||||
ansible.builtin.dnf:
|
||||
name: epel-release
|
||||
state: present
|
||||
notify:
|
||||
- enable_crb
|
||||
tags:
|
||||
- packages
|
||||
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Install centos rabbitmq
|
||||
yum:
|
||||
name: centos-release-rabbitmq-39
|
||||
state: present
|
||||
tags:
|
||||
- packages
|
||||
|
||||
roles:
|
||||
- role: rockylinux.ipagetcert
|
||||
state: present
|
||||
when: rabbitmq_private
|
||||
|
||||
tasks:
|
||||
- name: Run rabbitmq installation
|
||||
ansible.builtin.import_tasks: "tasks/rabbitmq/rabbitmq.yml"
|
||||
tags:
|
||||
- rabbitmq_cluster
|
||||
|
||||
- name: Run rabbitmq vhosts
|
||||
ansible.builtin.import_tasks: "tasks/rabbitmq/vhost.yml"
|
||||
tags:
|
||||
- vhosts
|
||||
|
||||
- name: Run rabbitmq users
|
||||
ansible.builtin.import_tasks: "tasks/rabbitmq/users.yml"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: Run rabbitmq topics
|
||||
ansible.builtin.import_tasks: "tasks/rabbitmq/topics.yml"
|
||||
tags:
|
||||
- topics
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
...
|
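Review bot: The `Import rabbitmq passwords` task loads `vars/vaults/rabbitmq_{{ rabbitmq_env }}.yml` with `ansible.builtin.include_vars` but has no `no_log`, and include_vars reports the loaded variables in its task result, so a run at higher verbosity prints the vault contents into the console and CI log; add `no_log: true` to that task. `rabbitmq_env` is only consumed in that template and is nowhere defined in the vars files of this commit, so a host missing it fails with a Jinja undefined error rather than a clear message — an `ansible.builtin.assert` with `that: - rabbitmq_env is defined` next to the existing distribution check would make the precondition explicit. Module naming is mixed: `stat` and `yum` are short names while the rest of the play uses `ansible.builtin.*`; `ansible.builtin.stat` and `ansible.builtin.dnf` (already used for epel-release) keep the file consistent.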
69
vars/rabbitmq/rlp/rabbitmq.yml
Normal file
69
vars/rabbitmq/rlp/rabbitmq.yml
Normal file
@ -0,0 +1,69 @@
|
||||
---
|
||||
# rabbitmq settings
|
||||
rabbitmq_tls_ca_cert: "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
rabbitmq_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
|
||||
rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
# These should be in a vault, with a different value. Generated by:
|
||||
# dd if=/dev/urandom bs=30 count=1 | base64
|
||||
# rabbitmq_cookie: ...
|
||||
|
||||
# Admin passwords - these should be in a vault
|
||||
rabbitmq_admin: "rockyadmin"
|
||||
# rabbitmq_admin_password: ...
|
||||
|
||||
# rabbitmq cluster list and information should be defined in hostvars to ensure
|
||||
# that the configuration is idempotent.
|
||||
# rabbitmq_cluster_name:
|
||||
# rabbitmq_env:
|
||||
|
||||
# Federation / Public Queues
|
||||
rabbitmq_enable_public: false
|
||||
# pubsub_federation_pass:
|
||||
|
||||
# THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC.
|
||||
# This should be changed depending on how inventory is managed. For example, if
|
||||
# it's not possible to have "staging inventory" as opposed to a "production"
|
||||
# inventory, you would likely have a different name than just "rabbitmq". It is
|
||||
# also possible there will be more than one cluster, so these must be taken
|
||||
# into account when setting this variable.
|
||||
rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"
|
||||
rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"
|
||||
rabbitmq_ldap_bind_dn: "uid=rabbitmq_binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org"
|
||||
rabbitmq_ldap_bind_pw: "{{ rabbitmq_binder_password }}"
|
||||
rabbitmq_ldap_basedn: "{{ rocky_ldap_account_basedn }}"
|
||||
|
||||
# Messaging queues are generally private
|
||||
rabbitmq_private: true
|
||||
ipa_getcert_requested_hostnames:
|
||||
- name: "{{ ansible_fqdn }}"
|
||||
owner: rabbitmq
|
||||
key_location: "{{ rabbitmq_tls_key }}"
|
||||
cert_location: "{{ rabbitmq_tls_cert }}"
|
||||
postcmd: "/bin/systemctl restart rabbitmq-server"
|
||||
cnames:
|
||||
- "rabbitmq-{{ rabbitmq_env }}.rockylinux.org"
|
||||
|
||||
# Rabbitmq settings
|
||||
rabbitmq_file_limit: '500000'
|
||||
rabbitmq_ports:
|
||||
- 1883/tcp
|
||||
- 4369/tcp
|
||||
- 5671/tcp
|
||||
- 5672/tcp
|
||||
- 8883/tcp
|
||||
- 15672/tcp
|
||||
- 25672/tcp
|
||||
- 35672-35682/tcp
|
||||
|
||||
# Rabbitmq plugins
|
||||
rabbitmq_plugins:
|
||||
- rabbitmq_amqp1_0
|
||||
- rabbitmq_auth_backend_ldap
|
||||
- rabbitmq_auth_mechanism_ssl
|
||||
- rabbitmq_management
|
||||
- rabbitmq_mqtt
|
||||
- rabbitmq_federation
|
||||
- rabbitmq_federation_management
|
||||
- rabbitmq_peer_discovery_common
|
||||
...
|
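Review bot: `rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}"` keys off an inventory group named `rabbitmq`, while the playbook added in this commit targets `hosts: rabbitmq_rlp`; if `rabbitmq` is a parent group or another environment's group, the RLP cluster would be assembled from hosts outside this play, which is exactly the hazard the comment above it warns about. Unless the inventory guarantees the two groups are identical, `groups['rabbitmq_rlp']` (or a group name derived from `rabbitmq_env`) is the safer value. Separately, `rabbitmq_tls_ca_cert` points at the system `ca-bundle.crt` while `rabbitmq_auth_mechanism_ssl` is enabled in `rabbitmq_plugins`; if the tasks (not in this commit) hand that path to the broker as the CA used for peer verification, a client certificate chaining to any public CA would be accepted for certificate-based login, whereas the IPA CA alone is presumably the intended trust anchor. Worth confirming against tasks/rabbitmq/rabbitmq.yml before this goes live.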
13
vars/rabbitmq/rlp/rabbitmq_topics.yml
Normal file
13
vars/rabbitmq/rlp/rabbitmq_topics.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
rabbitmq_topics:
|
||||
- name: "zmq.topic"
|
||||
exchange_type: "topic"
|
||||
vhosts:
|
||||
- vhost: "public_pubsub"
|
||||
destination: "amq.topic"
|
||||
destination_type: "exchange"
|
||||
routing_key: "#"
|
||||
binding: true
|
||||
- vhost: "pubsub"
|
||||
binding: false
|
||||
...
|
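Review bot: `rabbitmq_topics` is defined here, but the playbook's `vars_files` in this commit lists only `vars/common.yml`, `rabbitmq.yml`, `rabbitmq_vhost.yml` and `rabbitmq_users.yml`, so `tasks/rabbitmq/topics.yml` would run without this variable unless that task file or hostvars load it. If it is meant to come from this file, add `- vars/rabbitmq/rlp/rabbitmq_topics.yml` to the playbook's `vars_files`. The `pubsub` entry has `binding: false` and no destination keys, so it presumably only declares the exchange; a one-line comment stating that intent would save the next reader from checking the task file.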
95
vars/rabbitmq/rlp/rabbitmq_users.yml
Normal file
95
vars/rabbitmq/rlp/rabbitmq_users.yml
Normal file
@ -0,0 +1,95 @@
|
||||
---
|
||||
rabbitmq_users:
|
||||
- user: guest
|
||||
state: absent
|
||||
- user: rockyadmin
|
||||
state: present
|
||||
tags: "administrator"
|
||||
permissions:
|
||||
- vhost: /
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: pubsub
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: public_pubsub
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: distrobuild
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: odcs
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: '/pubsub'
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- vhost: '/public_pubsub'
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
- user: distrobuild
|
||||
state: present
|
||||
configure_priv: ".*"
|
||||
read_priv: ".*"
|
||||
write_priv: ".*"
|
||||
vhost: distrobuild
|
||||
- user: rockymonitor
|
||||
state: present
|
||||
permissions:
|
||||
- vhost: /
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "^$"
|
||||
- vhost: pubsub
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "^$"
|
||||
- vhost: public_pubsub
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "^$"
|
||||
- vhost: '/pubsub'
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "^$"
|
||||
- vhost: '/public_pubsub'
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "^$"
|
||||
tags: "monitoring"
|
||||
- user: rockypubsub
|
||||
state: present
|
||||
permissions:
|
||||
- vhost: public_pubsub
|
||||
configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
|
||||
write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
|
||||
read_priv: ".*"
|
||||
- user: pubsub_federation
|
||||
state: present
|
||||
permissions:
|
||||
- vhost: pubsub
|
||||
configure_priv: "^federation.*"
|
||||
write_priv: "^federation.*"
|
||||
read_priv: ".*"
|
||||
- user: rockykoji
|
||||
state: present
|
||||
permissions:
|
||||
- vhost: pubsub
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "amq\\.topic"
|
||||
- user: rockyautomation
|
||||
state: present
|
||||
permissions:
|
||||
- vhost: pubsub
|
||||
configure_priv: "^$"
|
||||
read_priv: "^$"
|
||||
write_priv: "amq\\.topic"
|
||||
...
|
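Review bot: The `distrobuild` user carries `configure_priv`, `read_priv`, `write_priv` and `vhost` directly on the user entry, whereas every other user places them in a `permissions:` list of per-vhost items; if the user tasks iterate `item.permissions`, these keys are silently ignored and distrobuild is created with no vhost permissions (or whatever the module defaults to). Restructure the entry to match the others, as below. The `'/pubsub'`/`'/public_pubsub'` and `pubsub`/`public_pubsub` grants both appear for rockyadmin and rockymonitor, mirroring the vhost file's legacy entries; a `# legacy vhosts` comment on the second pair would mark the duplication as deliberate.
```yaml
  - user: distrobuild
    state: present
    permissions:
      - vhost: distrobuild
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
```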
100
vars/rabbitmq/rlp/rabbitmq_vhost.yml
Normal file
100
vars/rabbitmq/rlp/rabbitmq_vhost.yml
Normal file
@ -0,0 +1,100 @@
|
||||
# parameter:
|
||||
# - name: "pubsub-to-public_pubsub"
|
||||
# component: "federation-upstream"
|
||||
# value: '{"uri": "amqps://pubsub_federation:{{ pubsub_federation_pass }}@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub", "ack-mode": "on-confirm"}'
|
||||
# state: present
|
||||
---
|
||||
rabbitmq_vhosts:
|
||||
- vhost: '/pubsub'
|
||||
state: present
|
||||
policy:
|
||||
- name: HA
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
ha-mode: 'all'
|
||||
ha-sync-mode: 'automatic'
|
||||
ha-sync-batch-size: 10000
|
||||
- name: pubsub_sweeper
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
expires: 111600000
|
||||
max-length-bytes: 1073741824
|
||||
- vhost: '/public_pubsub'
|
||||
state: present
|
||||
policy:
|
||||
- name: sweeper
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
expires: 3600000
|
||||
max-length-bytes: 52428800
|
||||
- vhost: distrobuild
|
||||
state: present
|
||||
policy:
|
||||
- name: HA
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
ha-mode: 'all'
|
||||
ha-sync-mode: 'automatic'
|
||||
ha-sync-batch-size: 10000
|
||||
- vhost: odcs
|
||||
state: present
|
||||
policy:
|
||||
- name: HA
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
ha-mode: 'all'
|
||||
ha-sync-mode: 'automatic'
|
||||
ha-sync-batch-size: 10000
|
||||
- name: pubsub_sweeper
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
expires: 111600000
|
||||
max-length-bytes: 1073741824
|
||||
# Legacy entries
|
||||
- vhost: pubsub
|
||||
state: present
|
||||
policy:
|
||||
- name: HA
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
ha-mode: 'all'
|
||||
ha-sync-mode: 'automatic'
|
||||
ha-sync-batch-size: 10000
|
||||
- name: pubsub_sweeper
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
expires: 111600000
|
||||
max-length-bytes: 1073741824
|
||||
- vhost: public_pubsub
|
||||
state: present
|
||||
policy:
|
||||
- name: sweeper
|
||||
apply_to: queues
|
||||
state: present
|
||||
pattern: ".*"
|
||||
tags:
|
||||
expires: 3600000
|
||||
max-length-bytes: 52428800
|
||||
- name: pubsub-to-public_pubsub
|
||||
apply_to: exchanges
|
||||
state: present
|
||||
pattern: "^(amq|zmq)\\.topic$"
|
||||
tags:
|
||||
federation-upstream: "pubsub-to-public_pubsub"
|
||||
...
|
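Review bot: The `pubsub-to-public_pubsub` policy on `public_pubsub` sets `federation-upstream: "pubsub-to-public_pubsub"`, but the only definition of that upstream is the commented-out `parameter:` block above the document start, so nothing in this commit creates the upstream the policy points at; either re-enable the parameter (with `pubsub_federation_pass` sourced from the vault) or add a comment saying where it is defined. The `ha-mode`/`ha-sync-mode` policies rely on classic queue mirroring, which is deprecated in the 3.x series this playbook installs (`centos-release-rabbitmq-39`) and removed in 4.0; a `# classic mirroring: migrate to quorum queues before 4.x` comment on the first HA policy would record the upgrade dependency. This file also places its comment block before `---`, unlike the sibling vars files where `---` is the first line; moving the marker to the top keeps the set consistent.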