separating keytabs

nazunalika 2020-12-31 14:44:36 -07:00
parent bb064e1393
commit 7503757ba4
9 changed files with 46 additions and 25 deletions


@ -34,6 +34,7 @@ koji_theme_file: rocky.tar.gz
koji_web_url: https://koji.rockylinux.org/koji koji_web_url: https://koji.rockylinux.org/koji
koji_hub_url: https://koji.rockylinux.org/kojihub koji_hub_url: https://koji.rockylinux.org/kojihub
koji_files_url: https://koji.rockylinux.org/kojifiles koji_files_url: https://koji.rockylinux.org/kojifiles
koji_web_keytab: /etc/keytabs/koji-web.keytab
# This should be changed before deployment # This should be changed before deployment
koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
@ -44,16 +45,20 @@ koji_web_tls_key: /etc/pki/tls/private/koji.rockylinux.org.key
# Kojira # Kojira
koji_kojira: true koji_kojira: true
koji_kojira_user: kojira koji_kojira_user: kojira
koji_kojira_user_kerb: koji/kojira koji_kojira_user_kerb: kojira/koji.rockylinux.org
koji_kojira_principal: koji/kojira@ROCKYLINUX.ORG koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
koji_kojira_keytab: /etc/koji.keytab koji_kojira_keytab: /etc/keytabs/kojira.keytab
# MBS # MBS
koji_mbs: true koji_mbs: true
koji_mbs_user: mbs koji_mbs_user: mbs
koji_mbs_user_kerb: mbs/mbs.rockylinux.org koji_mbs_user_kerb: mbs/mbs.rockylinux.org
koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
koji_mbs_keytab: /etc/mbs.keytab koji_mbs_keytab: /etc/keytabs/mbs.keytab
# GC
koji_gc_keytab: /etc/keytabs/koji-gc.keytab
koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
# Storage # Storage
koji_nfs: true koji_nfs: true
@ -68,9 +73,9 @@ koji_admin_localuser: true
koji_admin_localuser_name: koji koji_admin_localuser_name: koji
# Hub Settings # Hub Settings
koji_hub_principal: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG" koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
koji_hub_keytab: /etc/koji.keytab koji_hub_keytab: /etc/keytabs/host.keytab
koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
# This should be sufficient even for LE # This should be sufficient even for LE
koji_hub_ca: "{{ koji_web_cacert }}" koji_hub_ca: "{{ koji_web_cacert }}"
@ -84,6 +89,7 @@ koji_fas_url: https://accounts.rockylinux.org
koji_hub_plugins: false koji_hub_plugins: false
koji_hub_plugins_list: [] koji_hub_plugins_list: []
# Not implemented
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
koji_hub_plugin_mqtt_topic: koji koji_hub_plugin_mqtt_topic: koji
koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}" koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
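Review bot: `koji_hub_proxy_principals` is now `"HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"`, which only names the web frontend's principal correctly if koji-web runs on the same host as the hub; if the two are ever split, this should reference the web host rather than the hub's `inventory_hostname`. Any principal listed there can assert any Koji user to the hub, so the keytab behind it (`koji_web_keytab: /etc/keytabs/koji-web.keytab`) is effectively an impersonation credential and should be owned by the httpd user with mode 0600 — nothing in this diff sets ownership or mode for the new `/etc/keytabs` paths, so presumably a task elsewhere does. A comment above the variable, `# Principals allowed to proxy authentication for other users (koji-web); the matching keytab must be tightly restricted`, would make that dependency visible.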


@ -0,0 +1,3 @@
# Adapted from Fedora Infra
0 8 * * * apache find /mnt/koji/work -xdev -depth -mindepth 2 -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
0 9 * * * apache find /mnt/koji/scratch -xdev -depth -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
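Review bot: Both jobs end with `>& /dev/null`, which is bash syntax; cron runs entries with `/bin/sh` unless `SHELL=` is set, and on a strictly POSIX sh that redirection is a syntax error, so the cleanup would silently never run. Writing `> /dev/null 2>&1` is portable, and dropping the stderr redirect altogether would let failures (for example an unmounted `/mnt/koji`) reach cron mail — this file also sets no `MAILTO`, unlike the koji-gc cron file in the same commit, so errors currently have nowhere to go.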

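--- /dev/null
+++ b/files/etc/cron.d/koji-gc
@@ -0,0 +1,6 @@
+# Run garbage collector nightly
+SCRIPT=/usr/sbin/koji-gc
+MAILTO=infrastructure@rockylinux.org
+0 8 * * * apache /usr/local/bin/lock-wrapper koji-gc-delete $SCRIPT --action=delete --lock-file /var/tmp/koji-gc.lock
+0 9 * * * apache /usr/local/bin/lock-wrapper koji-gc-trash $SCRIPT --action=trash --lock-file /var/tmp/koji-gc.lock
+0 10 * * * apache /usr/local/bin/lock-wrapper koji-gc-prune $SCRIPT --action=prune --lock-file /var/tmp/koji-gc.lock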
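Review bot: All three jobs take their lock at `/var/tmp/koji-gc.lock`, a world-writable sticky directory, so a stale or foreign file of that name would stop garbage collection without any error surfacing, and the lock's creation has to contend with other local users; `/run/lock/koji-gc.lock` or a directory owned by `apache` is the usual place for a lock that a single service owns. The jobs also run as `apache`, the same account that serves kojihub/kojiweb through httpd, which means the GC keytab must be readable by the web process and the new per-service keytab files do not give a privilege boundary between them — a dedicated system user for koji-gc would, provided its hub-side user is granted only the permissions the GC needs. `/usr/local/bin/lock-wrapper` is not part of this commit; presumably the role installs it elsewhere.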


@ -0,0 +1,3 @@
[sidetag]
# automatically remove sidetag on untagging last package
remove_empty = on


@ -45,7 +45,6 @@ Alias /kojifiles "{{ koji_mount }}/"
<Location /kojihub/ssllogin> <Location /kojihub/ssllogin>
AuthType GSSAPI AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login" AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/koji.keytab GssapiCredStore keytab:{{ koji_hub_keytab }}
Require valid-user Require valid-user
</Location> </Location>
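Review bot: `GssapiCredStore keytab:{{ koji_hub_keytab }}` has httpd read `/etc/keytabs/host.keytab` for the hub, and the kojiweb `<Location /koji/login>` block in this commit does the same with `{{ koji_web_keytab }}`; both files therefore need to be readable by the httpd worker user, and if hub and web are served by one httpd instance the two keytabs are readable by the same process, so the separation this commit introduces is by file name rather than by privilege. Worth a comment next to the directive, `# keytab must be owned by the httpd user, mode 0600`, plus a check that whatever task creates `/etc/keytabs` sets ownership and mode explicitly rather than relying on defaults. The same note applies to the kojiweb vhost hunk.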


@ -36,7 +36,7 @@ WSGIProcessGroup koji
<Location /koji/login> <Location /koji/login>
AuthType GSSAPI AuthType GSSAPI
AuthName "Koji Web UI" AuthName "Koji Web UI"
GssapiCredStore keytab:/etc/koji.keytab GssapiCredStore keytab:{{ koji_web_keytab }}
Require valid-user Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html ErrorDocument 401 /koji-static/errors/unauthorized.html
</Location> </Location>
@ -69,4 +69,3 @@ Alias /repos {{ koji_mount }}/repos
Require all granted Require all granted
</IfVersion> </IfVersion>
</Directory> </Directory>


@ -2,20 +2,27 @@
#earlier = higher precedence! #earlier = higher precedence!
[main] [main]
key_aliases = ; Kerberos Auth
30C9ECF8 fedora-test principal = {{ koji_gc_principal }}
4F2A6FD2 fedora-gold keytab = {{ koji_gc_keytab }}
897DA07A redhat-beta krb_rdns = False
1AC70CE6 fedora-extras #key_aliases =
# 30C9ECF8 fedora-test
# 4F2A6FD2 fedora-gold
# 897DA07A redhat-beta
# 1AC70CE6 fedora-extras
unprotected_keys = #unprotected_keys =
fedora-test # fedora-test
fedora-extras # fedora-extras
redhat-beta # redhat-beta
server = {{ koji_hub_url }} server = {{ koji_hub_url }}
weburl = {{ koji_web_url }} weburl = {{ koji_web_url }}
# We don't know what we're doing with SSL CA's yet
#serverca =
# The domain name that will be appended to Koji usernames # The domain name that will be appended to Koji usernames
# when creating email notifications # when creating email notifications
#email_domain = fedoraproject.org #email_domain = fedoraproject.org
@ -30,8 +37,6 @@ policy =
#note that tags with master lock engaged are already protected #note that tags with master lock engaged are already protected
tag *-updates :: keep tag *-updates :: keep
age < 1 day :: skip age < 1 day :: skip
sig fedora-gold :: skip
sig fedora-test && age < 12 weeks :: keep
#stuff to chuck semi-rapidly #stuff to chuck semi-rapidly
tag *-testing *-candidate :: { # nested rules tag *-testing *-candidate :: { # nested rules
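Review bot: With `key_aliases` and `unprotected_keys` commented out in the first hunk and the `sig fedora-gold :: skip` / `sig fedora-test && age < 12 weeks :: keep` rules removed in the second, nothing in the policy protects signed builds any more, so once koji-gc runs under the new `koji_gc_principal` a build older than a day that is not under a `*-updates` tag presumably falls through to the trash rules regardless of its signature. If Rocky's signing keys are not settled yet, a placeholder `key_aliases` entry and a matching `sig <rocky-key-alias> :: skip` line, or a temporary catch-all `:: skip`, would be a safer starting point than dropping the protection. `#serverca =` is left unset with the note that CA handling is undecided; the client will then verify `{{ koji_hub_url }}` against the system CA bundle, which works for the Let's Encrypt setup the vars file assumes but fails outright for a private CA, and `krb_rdns = False` is the right choice here. The policy block continues outside the hunk.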


@ -24,7 +24,7 @@ KojiWebURL = {{ koji_web_url }}
# The domain name that will be appended to Koji usernames # The domain name that will be appended to Koji usernames
# when creating email notifications # when creating email notifications
#EmailDomain = example.com #EmailDomain = rockylinux.org
# whether to send the task owner and package owner email or not on success. this still goes to watchers # whether to send the task owner and package owner email or not on success. this still goes to watchers
NotifyOnSuccess = True NotifyOnSuccess = True
## Disables all notifications ## Disables all notifications
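Review bot: The only change in this hunk is inside a comment — `#EmailDomain = example.com` becomes `#EmailDomain = rockylinux.org` — so the setting still has no effect and notification addresses keep Koji's default behaviour. If the intent is to route mail to `@rockylinux.org`, the line should read `EmailDomain = rockylinux.org`; if not, the edit is documentation only and a note saying so would avoid the next reader assuming it is active.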


@ -1,7 +1,7 @@
with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id) with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id)
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_principal }}'); insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_principal }}');
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1); insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user_kerb }}', 0, 0) returning id) with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0) returning id)
insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_kojira_principal }}'); insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_kojira_principal }}');
INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 10, 1); INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 10, 1);
with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user_kerb }}', 0, 0) returning id) with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user_kerb }}', 0, 0) returning id)
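Review bot: The kojira row now inserts `{{ koji_kojira_user }}` as the Koji user name while the mbs row on the last line still inserts `{{ koji_mbs_user_kerb }}` (`mbs/mbs.rockylinux.org`), so the two service accounts are named by different conventions; `{{ koji_mbs_user }}` would match the kojira change. This commit also introduces `koji_gc_principal` and a cron job that authenticates with it, but no `users` / `user_krb_principals` row for it appears in this hunk, so unless it is created elsewhere the GC will obtain a Kerberos ticket and then be rejected by the hub as an unknown principal — and it will still need the hub permissions koji-gc requires. The hardcoded `user_id` values in the `user_perms` inserts depend on insertion order, which is pre-existing but grows more fragile as service users are added.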