RabbitMQ Ready for Testing

tasks/commonapps.yml

@@ -0,0 +1,108 @@
+---
+# Common App Queues
+# GitLab + Others like CI
+- name: Rocky Automation User
+  run_once: true
+  include_tasks: runners/mkuser.yml
+  vars:
+    username: rockyautomation
+  tags:
+    - ci
+
+- name: Rocky Automation Queue
+  run_once: true
+  include_tasks: runners/mkqueue.yml
+  vars:
+    username: rockyautomation
+    queue_name: rockyautomation-ci
+    # 10 Days
+    message_ttl: 864000000
+    routing_keys:
+      - "org.rockylinux.{{ rabbitmq_env }}.gitlab.#"
+      # Testing only
+      - "org.rockylinux.ci.#"
+  tags:
+    - ci
+
+- name: OSCI
+  run_once: true
+  include_tasks: runners/mkqueue.yml
+  vars:
+    username: "osci-pipeline-{{ rabbitmq_env }}"
+    queue_name: "{{ item }}-{{ rabbitmq_env }}"
+    message_ttl: 432000000
+    routing_keys:
+      - "org.rockylinux.ci.#"
+  loop:
+    - osci-pipeline-queue-0
+    - osci-pipeline-queue-1
+    - osci-pipeline-queue-2
+    - osci-pipeline-queue-3
+    - osci-pipeline-queue-4
+    - osci-pipeline-queue-5
+  tags:
+    - osci
+# End GitLab and CI
+
+# Koji User
+- name: Rocky Koji User
+  run_once: true
+  include_tasks: runners/mkuser.yml
+  vars:
+    username: rockykoji
+# End Koji
+
+# Potential ODCS
+- name: Create the rocky-odcs vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_vhost:
+    name: /rocky-odcs
+    state: present
+  tags:
+    - odcs
+
+- name: Configure the odcs HA Policy
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_policy:
+    name: HA
+    apply_to: queues
+    pattern: ".*"
+    tags:
+      ha-mode: all
+      ha-sync-mode: automatic
+      ha-sync-batch-size: 10000
+    vhost: /rocky-odcs
+  tags:
+    - odcs
+
+- name: Add a policy to keep the odcs vhost swept
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_policy:
+    name: pubsub_sweeper
+    apply_to: queues
+    state: present
+    pattern: ".*"
+    tags:
+      expires: 111600000
+      max-length-bytes: 1073741824
+    vhost: /rocky-odcs
+  tags:
+    - odcs
+
+# To consider: Separate ODCS Admin Account?
+- name: Grant the rockyadmin user access to the rocky-odcs vhost
+  run_once: true
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_user:
+    user: rockyadmin
+    vhost: /rocky-odcs
+    configure_priv: ".*"
+    read_priv: ".*"
+    write_priv: ".*"
+    tags: administrator
+  tags:
+    - odcs
+# ODCS End

tasks/federation.yml

@@ -1,5 +1,13 @@
 ---
 # Create necessary federation pieces
+
+# You will need to address the certificates yourself. Right now we are trying
+# to figure out how to deal with SNI using FreeIPA. So instead we're using a
+# service account in IPA instead using a password. This isn't ideal and we're
+# looking into finding a way to address this in an easier manner.
+# /etc/rabbitmq/pubsub_federation.pem
+# /etc/rabbitmq/pubsub_federation.key
+
 # This public user can write UUID objects and read anything else
 - name: Create a public access user
   run_once: true
@@ -7,7 +15,7 @@
   community.rabbitmq.rabbitmq_user:
     user: rockypubsub
     permissions:
-      - vhost:
+      - vhost: /public_pubsub
         configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
         write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$"
         read_priv: ".*"
@@ -15,11 +23,6 @@
   tags:
     - rabbitmq_cluster
 
-# You will need to address the certificates yourself. Right now we are trying
-# to figure out how to deal with SNI using FreeIPA.
-# /etc/rabbitmq/pubsub_federation.pem
-# /etc/rabbitmq/pubsub_federation.key
-
 - name: Create a federation user
   run_once: true
   delegate_to: "{{ rabbitmq_cluster_list[0] }}"

tasks/main.yml

@@ -79,3 +79,6 @@
 
 - name: Federation Tasks
   include_tasks: federation.yml
+
+- name: Common Apps
+  include_tasks: commonapps.yml

tasks/runners/mkqueue.yml

@@ -0,0 +1,41 @@
+---
+# Creates a user account and queue in RabbitMQ
+# This is used as a template for repeated tasks in the role
+- name: "Creating User Account"
+  community.rabbitmq.rabbitmq_user:
+    user: "{{ username }}"
+    vhost: "{{ vhost|default('/pubsub') }}"
+    read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username  }}.*)$"
+    write_priv: "^(amq\\.topic)|({{ username  }}.*){% for queue in write_queues|default([]) %}|({{ queue  }}.*){% endfor %}$"
+    configure_priv: "^$"
+    state: present
+  tags:
+    - rabbitmq
+
+- name: "Create {{ queue_name }}"
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_queue:
+    name: "{{ queue_name }}"
+    vhost: "{{ vhost|default('/pubsub') }}"
+    auto_delete: false
+    durable: true
+    message_ttl: "{{ message_ttl|default('null') }}"
+    state: present
+    login_user: rockyadmin
+    login_password: "{{ rabbitmq_admin_password }}"
+  tags:
+    - rabbitmq
+
+- name: "Bind {{ queue_name }} to amq.topic exchange"
+  delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+  community.rabbitmq.rabbitmq_binding:
+    name: "amq.topic"
+    destination: "{{ queue_name }}"
+    destination_type: queue
+    routing_key: "{{ item }}"
+    vhost: "{{ vhost|default('/pubsub') }}"
+    state: present
+    login_user: rockyadmin
+    login_password: "{{ rabbitmq_admin_password }}"
+  tags:
+    - rabbitmq

tasks/runners/mkuser.yml

@@ -0,0 +1,13 @@
+---
+# Creates a user account in RabbitMQ
+# This is used as a template for repeated tasks in the role
+- name: "Creating User Account {{ username }}"
+  community.rabbitmq.rabbitmq_user:
+    user: "{{ username }}"
+    vhost: "{{ vhost|default('/pubsub') }}"
+    read_priv: "^$"
+    write_priv: "amq\\.topic"
+    configure_priv: "^$"
+    state: present
+  tags:
+    - rabbitmq

tasks/topics.yml

@@ -7,7 +7,7 @@
     name: "zmq.topic"
     exchange_type: "topic"
     vhost: "/pubsub"
-    login_user: admin
+    login_user: rockyadmin
     login_password: "{{ rabbitmq_admin_password }}"
   tags:
     - rabbitmq_cluster
@@ -19,7 +19,7 @@
     name: "zmq.topic"
     exchange_type: "topic"
     vhost: "/public_pubsub"
-    login_user: admin
+    login_user: rockyadmin
     login_password: "{{ rabbitmq_admin_password }}"
   tags:
     - rabbitmq_cluster
@@ -33,7 +33,7 @@
     dest: amq.topic
     routing_key: "#"
     vhost: "/public_pubsub"
-    login_user: admin
+    login_user: rockyadmin
     login_password: "{{ rabbitmq_admin_password }}"
   tags:
     - rabbitmq_cluster