separating keytabs

2024-11-24 13:51:26 +00:00 · 2020-12-31 14:44:36 -07:00 · 2020-12-31 14:44:36 -07:00 · 7503757ba4
commit 7503757ba4
parent bb064e1393
9 changed files with 46 additions and 25 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -34,6 +34,7 @@ koji_theme_file: rocky.tar.gz
 koji_web_url: https://koji.rockylinux.org/koji
 koji_hub_url: https://koji.rockylinux.org/kojihub
 koji_files_url: https://koji.rockylinux.org/kojifiles
 koji_web_keytab: /etc/keytabs/koji-web.keytab
 # This should be changed before deployment
 koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
@ -44,16 +45,20 @@ koji_web_tls_key: /etc/pki/tls/private/koji.rockylinux.org.key
 # Kojira
 koji_kojira: true
 koji_kojira_user: kojira
-koji_kojira_user_kerb: koji/kojira
+koji_kojira_user_kerb: kojira/koji.rockylinux.org
-koji_kojira_principal: koji/kojira@ROCKYLINUX.ORG
+koji_kojira_principal: kojira/koji.rockylinux.org@ROCKYLINUX.ORG
-koji_kojira_keytab: /etc/koji.keytab
+koji_kojira_keytab: /etc/keytabs/kojira.keytab
 # MBS
 koji_mbs: true
 koji_mbs_user: mbs
 koji_mbs_user_kerb: mbs/mbs.rockylinux.org
 koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
-koji_mbs_keytab: /etc/mbs.keytab
+koji_mbs_keytab: /etc/keytabs/mbs.keytab
 # GC
 koji_gc_keytab: /etc/keytabs/koji-gc.keytab
 koji_gc_principal: koji-gc/koji.rockylinux.org@ROCKYLINUX.ORG
 # Storage
 koji_nfs: true
@ -68,9 +73,9 @@ koji_admin_localuser: true
 koji_admin_localuser_name: koji
 # Hub Settings
-koji_hub_principal: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
+koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
-koji_hub_proxy_principals: koji/kojiweb@ROCKYLINUX.ORG
+koji_hub_proxy_principals: "HTTP/{{ inventory_hostname  }}@ROCKYLINUX.ORG"
-koji_hub_keytab: /etc/koji.keytab
+koji_hub_keytab: /etc/keytabs/host.keytab
 koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
 # This should be sufficient even for LE
 koji_hub_ca: "{{ koji_web_cacert }}"
@ -84,6 +89,7 @@ koji_fas_url: https://accounts.rockylinux.org
 koji_hub_plugins: false
 koji_hub_plugins_list: []
 # Not implemented
 koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
 koji_hub_plugin_mqtt_topic: koji
 koji_hub_plugin_mqtt_ca: "{{ koji_hub_ca }}"
--- a/files/etc/cron.d/koji-directory-cleanup
+++ b/files/etc/cron.d/koji-directory-cleanup
@ -0,0 +1,3 @@
 # Adapted from Fedora Infra
 0 8 * * * apache find /mnt/koji/work    -xdev -depth -mindepth 2 -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
 0 9 * * * apache find /mnt/koji/scratch -xdev -depth             -mtime +14 \( -type f -o -type l \) -delete -o -type d -empty -delete >& /dev/null
--- a/files/etc/cron.d/koji-gc
+++ b/files/etc/cron.d/koji-gc
@ -0,0 +1,6 @@
 # Run garbage collector nightly
 SCRIPT=/usr/sbin/koji-gc
 MAILTO=infrastructure@rockylinux.org
 0 8 * * *  apache /usr/local/bin/lock-wrapper koji-gc-delete $SCRIPT --action=delete --lock-file /var/tmp/koji-gc.lock
 0 9 * * *  apache /usr/local/bin/lock-wrapper koji-gc-trash $SCRIPT --action=trash --lock-file /var/tmp/koji-gc.lock
 0 10 * * * apache /usr/local/bin/lock-wrapper koji-gc-prune $SCRIPT --action=prune --lock-file /var/tmp/koji-gc.lock
--- a/files/etc/koji-hub/plugins/sidetag.conf
+++ b/files/etc/koji-hub/plugins/sidetag.conf
@ -0,0 +1,3 @@
 [sidetag]
 # automatically remove sidetag on untagging last package
 remove_empty = on
--- a/templates/etc/httpd/conf.d/kojihub.conf.j2
+++ b/templates/etc/httpd/conf.d/kojihub.conf.j2
@ -45,7 +45,6 @@ Alias /kojifiles "{{ koji_mount }}/"
 <Location /kojihub/ssllogin>
        AuthType GSSAPI
        AuthName "GSSAPI Single Sign On Login"
-        GssapiCredStore keytab:/etc/koji.keytab
+        GssapiCredStore keytab:{{ koji_hub_keytab }}
        Require valid-user
 </Location>
--- a/templates/etc/httpd/conf.d/kojiweb.conf.j2
+++ b/templates/etc/httpd/conf.d/kojiweb.conf.j2
@ -5,7 +5,7 @@ Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
 RewriteEngine on
 RewriteCond %{HTTPS} off
 RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
-RewriteRule  ^/$    /koji [R,L] 
+RewriteRule  ^/$    /koji [R,L]
 Header always set X-Frame-Options "SAMEORIGIN"
 Header always set X-Xss-Protection "1; mode=block"
@ -36,7 +36,7 @@ WSGIProcessGroup koji
 <Location /koji/login>
    AuthType GSSAPI
    AuthName "Koji Web UI"
-    GssapiCredStore keytab:/etc/koji.keytab
+    GssapiCredStore keytab:{{ koji_web_keytab }}
    Require valid-user
    ErrorDocument 401 /koji-static/errors/unauthorized.html
 </Location>
@ -69,4 +69,3 @@ Alias /repos {{ koji_mount }}/repos
        Require all granted
    </IfVersion>
 </Directory>
--- a/templates/etc/koji-gc/koji-gc.conf.j2
+++ b/templates/etc/koji-gc/koji-gc.conf.j2
@ -2,20 +2,27 @@
 #earlier = higher precedence!
 [main]
-key_aliases =
+; Kerberos Auth
-    30C9ECF8    fedora-test
+principal   = {{ koji_gc_principal }}
-    4F2A6FD2    fedora-gold
+keytab      = {{ koji_gc_keytab }}
-    897DA07A    redhat-beta
+krb_rdns    = False
-    1AC70CE6    fedora-extras
+#key_aliases =
 #    30C9ECF8    fedora-test
 #    4F2A6FD2    fedora-gold
 #    897DA07A    redhat-beta
 #    1AC70CE6    fedora-extras
-unprotected_keys =
+#unprotected_keys =
-    fedora-test
+#    fedora-test
-    fedora-extras
+#    fedora-extras
-    redhat-beta
+#    redhat-beta
 server = {{ koji_hub_url }}
 weburl = {{ koji_web_url }}
 # We don't know what we're doing with SSL CA's yet
 #serverca =
 # The domain name that will be appended to Koji usernames
 # when creating email notifications
 #email_domain = fedoraproject.org
@ -30,8 +37,6 @@ policy =
    #note that tags with master lock engaged are already protected
    tag *-updates :: keep
    age < 1 day :: skip
    sig fedora-gold :: skip
    sig fedora-test && age < 12 weeks :: keep
    #stuff to chuck semi-rapidly
    tag *-testing *-candidate :: {  # nested rules
--- a/templates/etc/koji-hub/hub.conf.j2
+++ b/templates/etc/koji-hub/hub.conf.j2
@ -24,7 +24,7 @@ KojiWebURL = {{ koji_web_url }}
 # The domain name that will be appended to Koji usernames
 # when creating email notifications
-#EmailDomain = example.com
+#EmailDomain = rockylinux.org
 # whether to send the task owner and package owner email or not on success.  this still goes to watchers
 NotifyOnSuccess = True
 ## Disables all notifications
--- a/templates/koji-pgsql.sql.j2
+++ b/templates/koji-pgsql.sql.j2
@ -1,7 +1,7 @@
 with user_id as (insert into users (name, status, usertype) values ('{{ koji_admin_user }}', 0, 0) returning id)
 insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_admin_principal }}');
 insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
-with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user_kerb }}', 0, 0) returning id)
+with user_id as (insert into users (name, status, usertype) values ('{{ koji_kojira_user }}', 0, 0) returning id)
 insert into user_krb_principals (user_id, krb_principal) values ((select id from user_id),'{{ koji_kojira_principal }}');
 INSERT INTO user_perms (user_id, perm_id, creator_id) VALUES (2, 10, 1);
 with user_id as (insert into users (name, status, usertype) values ('{{ koji_mbs_user_kerb }}', 0, 0) returning id)