From 596a19aca951090be5f2ce609b1b755e2fca8c93 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Tue, 29 Dec 2020 17:07:26 -0700
Subject: [PATCH] RabbitMQ Almost Finished
---
 defaults/main.yml | 7 ++++++
 tasks/federation.yml | 58 ++++++++++++++++++++++++++++++++++++++++++
 tasks/main.yml | 10 ++++++--
 tasks/topics.yml | 38 ++++++++++++++++++++++++++++
 tasks/users.yml | 60 ++++++++++++++++++++++++++++++++++++++++++++
 tasks/vhosts.yml | 59 +++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 230 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f2a665a..030ba07 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -27,3 +27,10 @@ rabbitmq_plugins:
 - rabbitmq_mqtt
 - rabbitmq_federation
 - rabbitmq_federation_management
+
+# If you want monitoring, set these in your playbooks
+#rabbitmq_monitoring_username: mq-monitoring
+#rabbitmq_monitoring_password: NotASafePassword
+
+# Enable the public pubsub or not
+rabbitmq_enable_public: false
diff --git a/tasks/federation.yml b/tasks/federation.yml
index ed97d53..a417cd9 100644
--- a/tasks/federation.yml
+++ b/tasks/federation.yml
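Review bot: The two monitoring variables are left commented out here, but the monitoring-user task added in tasks/users.yml in this same commit tests them with a bare `when:` list (`- rabbitmq_monitoring_username`, `- rabbitmq_monitoring_password`); a bare conditional on an undefined variable fails the task with an undefined-variable error rather than skipping it, so every host that does not set these vars will fail at that task. Defining them here as empty strings, `rabbitmq_monitoring_username: ""` and `rabbitmq_monitoring_password: ""`, makes the truthiness test skip cleanly while still letting playbooks override them; the alternative is `is defined` guards in users.yml. Either way, keep the commented sample password out of the defaults file so it cannot be uncommented into use by accident.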
@@ -1 +1,59 @@
 ---
+# Create necessary federation pieces
+# This public user can write UUID objects and read anything else
+- name: Create a public access user
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_user:
+ user: "rockypublic"
+ permissions:
+ - vhost:
+ configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+ write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
+ read_priv: ".*"
+ state: present
+ tags:
+ - rabbitmq_cluster
+
+# You will need to address the certificates yourself. Right now we are trying
+# to figure out how to deal with SNI using FreeIPA.
+# /etc/rabbitmq/pubsub_federation.pem
+# /etc/rabbitmq/pubsub_federation.key
+
+- name: Create a federation user
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_user:
+ user: pubsub_federation
+ permissions:
+ - vhost: /pubsub
+ configure_priv: "^federation.*"
+ write_priv: "^federation.*"
+ read_priv: ".*"
+ state: present
+ tags:
+ - rabbitmq_cluster
+
+- name: Configure Federation Upstream from pubsub to public
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_parameter:
+ component: "federation-upstream"
+ name: "pubsub-to-public_pubsub"
+ value: '{"uri": "amqps://pubsub_federation:@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub?cacertfile=%2Fetc%2Fipa%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&server_name_indication=disabled&auth_mechanism=external", "ack-mode": "on-confirm"}'
+ state: present
+ vhost: /public_pubsub
+ when: rabbitmq_enable_public
+
+- name: Configure a policy to federate the topic exchange to public
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_policy:
+ apply_to: exchanges
+ name: pubsub-to-public_pubsub
+ state: present
+ pattern: "^(amq|zmq)\\.topic$"
+ tags:
+ federation-upstream: "pubsub-to-public_pubsub"
+ vhost: /public_pubsub
+ when: rabbitmq_enable_public
diff --git a/tasks/main.yml b/tasks/main.yml
index 043c9a3..a4e9792 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -36,12 +36,18 @@ names: "{{ rabbitmq_plugins | join(',') }}"
 state: enabled
-- name: Users Tasks
- include_tasks: users.yml
+- name: Ensure RabbitMQ is running
+ service:
+ name: rabbitmq-server
+ state: started
+ enabled: true
 - name: Vhost tasks
 include_tasks: vhosts.yml
+- name: Users Tasks
+ include_tasks: users.yml
+
 - name: Topic Tasks
 include_tasks: topics.yml
diff --git a/tasks/topics.yml b/tasks/topics.yml
index ed97d53..b98483e 100644
--- a/tasks/topics.yml
+++ b/tasks/topics.yml
@@ -1 +1,39 @@
 ---
+# Create our topics
+- name: Create the zmq.topic exchange in the pubsub vhost
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_exchange:
+ name: "zmq.topic"
+ exchange_type: "topic"
+ vhost: "/pubsub"
+ login_user: admin
+ login_password: "{{ rabbitmq_admin_password }}"
+ tags:
+ - rabbitmq_cluster
+
+- name: Create the zmq.topic exchange in the public pubsub vhost
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_exchange:
+ name: "zmq.topic"
+ exchange_type: "topic"
+ vhost: "/public_pubsub"
+ login_user: admin
+ login_password: "{{ rabbitmq_admin_password }}"
+ tags:
+ - rabbitmq_cluster
+
+- name: Forward all zmq.topic and amq.topic in public_pubsub
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_binding:
+ destination_type: exchange
+ name: zmq.topic
+ dest: amq.topic
+ routing_key: "#"
+ vhost: "/public_pubsub"
+ login_user: admin
+ login_password: "{{ rabbitmq_admin_password }}"
+ tags:
+ - rabbitmq_cluster
diff --git a/tasks/users.yml b/tasks/users.yml
index ed97d53..88f3227 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
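Review bot: In the "Create a public access user" task the permission entry's `vhost:` key has no value, which YAML reads as null, so the `rockypublic` grant is not pinned to the public vhost; depending on how the module treats a null vhost it either errors or falls back to its default `/`, and with `read_priv: ".*"` that would hand the public account read access to the internal vhost. Change the entry to `- vhost: /public_pubsub`. The same task sets no `password:` for `rockypublic`, so whatever credential the module gives a passwordless user is what the public listener will accept; if this account is meant to log in, state the intended credential (or an explicit external-auth decision, as the federation user's URI does with `auth_mechanism=external`) rather than relying on the module default.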
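Review bot: The new "Ensure RabbitMQ is running" task carries no `tags:`, while every task inside the included vhosts, users and topics files is tagged `rabbitmq_cluster`; a run limited with `--tags rabbitmq_cluster` would skip the service start and then attempt vhost and user creation against a broker that may not be up. Add `tags:` / `- rabbitmq_cluster` to the service task so it runs whenever the tasks that depend on it do. The plugin task whose `names:`/`state: enabled` lines open the hunk may have the same gap, but its tags are outside the hunk.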
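Review bot: All three tasks authenticate to the management API with `login_user: admin`, but the administrator account this commit creates in tasks/users.yml is `rockyadmin`; unless an `admin` user is created somewhere not visible here, the exchange and binding tasks will fail authentication even though they pass the right `{{ rabbitmq_admin_password }}`. Use `login_user: rockyadmin`, or better a single `rabbitmq_admin_username` variable consumed by both files, so the credential name lives in one place.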
@@ -1 +1,61 @@
 ---
+# No guest users
+- name: Remove guest user
+ community.rabbitmq.rabbitmq_user:
+ user: guest
+ state: absent
+ tags:
+ - rabbitmq_cluster
+
+# Add the admin user
+- name: Create the admin user for our vhosts
+ community.rabbitmq.rabbitmq_user:
+ user: rockyadmin
+ password: "{{ rabbitmq_admin_password }}"
+ vhost: "{{ item }}"
+ configure_priv: .*
+ read_priv: .*
+ write_priv: .*
+ tags: administrator
+ when: inventory_hostname.startswith('rabbitmq01')
+ with_items:
+ - /
+ - /pubsub
+ - /public_pubsub
+ tags:
+ - rabbitmq_cluster
+
+- name: Drop the admin password in a file for admin operations
+ copy:
+ dest: /root/.rabbitmqpass
+ content: "{{ rabbitmq_admin_password }}"
+ mode: '0600'
+ owner: root
+ group: root
+ tags:
+ - rabbitmq_cluster
+
+# Create a monitoring user as long as the vars are set
+- name: Create monitoring user
+ community.rabbitmq.rabbitmq_user:
+ user: "{{ rabbitmq_monitoring_username }}"
+ password: "{{ rabbitmq_monitoring_password }}"
+ update_password: always
+ permissions:
+ - vhost: /
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: /pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ - vhost: /public_pubsub
+ configure_priv: "^$"
+ read_priv: "^$"
+ write_priv: "^$"
+ tags: monitoring
+ when:
+ - inventory_hostname.startswith('rabbitmq01')
+ - rabbitmq_monitoring_username
+ - rabbitmq_monitoring_password
diff --git a/tasks/vhosts.yml b/tasks/vhosts.yml
index ed97d53..cf3f5bd 100644
--- a/tasks/vhosts.yml
+++ b/tasks/vhosts.yml
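Review bot: The admin-user task loops `with_items` over three vhosts using the single-vhost `vhost`/`configure_priv`/`read_priv`/`write_priv` parameters, while the monitoring task in the same file uses the `permissions:` list; if the module reconciles the user's whole permission set on each call (it clears permissions on vhosts not listed when `permissions` is given — check whether the single-vhost form behaves the same), each iteration undoes the previous one and `rockyadmin` is left with rights only on `/public_pubsub`. Expressing the three grants as one `permissions:` list removes the question and matches the monitoring task. The task is also gated on `inventory_hostname.startswith('rabbitmq01')` while every other cluster-wide task in this commit uses `run_once` with `delegate_to: "{{ rabbitmq_cluster_list[0] }}"`; the same pattern here drops the hard-coded hostname prefix. Consider `update_password: always` as well, since without it a rotated `rabbitmq_admin_password` never reaches an existing account.
```yaml
- name: Create the admin user for our vhosts
  run_once: true
  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
  community.rabbitmq.rabbitmq_user:
    user: rockyadmin
    password: "{{ rabbitmq_admin_password }}"
    update_password: always
    permissions:
      - vhost: /
        configure_priv: .*
        read_priv: .*
        write_priv: .*
      - vhost: /pubsub
        configure_priv: .*
        read_priv: .*
        write_priv: .*
      - vhost: /public_pubsub
        configure_priv: .*
        read_priv: .*
        write_priv: .*
    tags: administrator
  tags:
    - rabbitmq_cluster
# … unchanged: guest removal, password file, monitoring user …
```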
@@ -1 +1,60 @@
 ---
+# Create vhosts
+- name: Configure pubsub virtual host
+ community.rabbitmq.rabbitmq_vhost:
+ name: /pubsub
+ state: present
+ tags:
+ - rabbitmq_cluster
+
+- name: Configure publicly accessible vhost
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_vhost:
+ name: /public_pubsub
+ state: present
+ tags:
+ - rabbitmq_cluster
+
+- name: Configure the HA policy for pubsub
+ community.rabbitmq.rabbitmq_policy:
+ name: HA
+ apply_to: queues
+ pattern: ".*"
+ tags:
+ ha-mode: all
+ ha-sync-mode: automatic
+ ha-sync-batch-size: 10000
+ vhost: /pubsub
+ tags:
+ - rabbitmq_cluster
+
+- name: Add a policy to limit queues to 1GB and sweep after a month
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_policy:
+ apply_to: queues
+ name: pubsub_sweeper
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 111600000
+ max-length-bytes: 1073741824
+ vhost: /pubsub
+ tags:
+ - rabbitmq_cluster
+
+- name: Add a policy to keep the public vhost swept
+ run_once: true
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_policy:
+ apply_to: queues
+ name: sweeper
+ state: present
+ pattern: ".*"
+ tags:
+ expires: 3600000
+ max-length-bytes: 52428800
+ vhost: /public_pubsub
+ tags:
+ - rabbitmq_cluster
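Review bot: The `pubsub_sweeper` policy's `expires: 111600000` is a millisecond value, which is 31 hours, while the task name promises a sweep "after a month"; if a month is intended the value should be `expires: 2678400000` (31 days), otherwise the task name should say 31 hours so the next reader is not misled about how long unused queues survive. Separately, "Configure pubsub virtual host" and "Configure the HA policy for pubsub" run on every host, whereas the other three tasks in this file use `run_once` with `delegate_to: "{{ rabbitmq_cluster_list[0] }}"`; both modules are idempotent so this is harmless, but adding the same two lines to those tasks keeps the file consistent and avoids repeated cluster-wide writes.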