From 4dcb6d1e54db2b4746e0d6b70f07262cbf32e32f Mon Sep 17 00:00:00 2001 From: nazunalika Date: Tue, 9 Feb 2021 12:12:22 -0700 Subject: [PATCH] staging --- .../playbooks/role-rocky-kojid-staging.yml | 90 +++++++++++++ ansible/playbooks/role-rocky-kojid.yml | 4 +- .../playbooks/role-rocky-kojihub-staging.yml | 123 ++++++++++++++++++ ansible/playbooks/role-rocky-kojihub.yml | 4 +- ansible/playbooks/tasks/mantis.yml | 1 + .../vars/{ => production}/koji-common.yml | 0 .../playbooks/vars/{ => production}/kojid.yml | 0 .../vars/{ => production}/kojihub.yml | 0 .../playbooks/vars/staging/koji-common.yml | 13 ++ ansible/playbooks/vars/staging/kojid.yml | 15 +++ ansible/playbooks/vars/staging/kojihub.yml | 119 +++++++++++++++++ 11 files changed, 365 insertions(+), 4 deletions(-) create mode 100644 ansible/playbooks/role-rocky-kojid-staging.yml create mode 100644 ansible/playbooks/role-rocky-kojihub-staging.yml rename ansible/playbooks/vars/{ => production}/koji-common.yml (100%) rename ansible/playbooks/vars/{ => production}/kojid.yml (100%) rename ansible/playbooks/vars/{ => production}/kojihub.yml (100%) create mode 100644 ansible/playbooks/vars/staging/koji-common.yml create mode 100644 ansible/playbooks/vars/staging/kojid.yml create mode 100644 ansible/playbooks/vars/staging/kojihub.yml diff --git a/ansible/playbooks/role-rocky-kojid-staging.yml b/ansible/playbooks/role-rocky-kojid-staging.yml new file mode 100644 index 0000000..a6a29f9 --- /dev/null +++ b/ansible/playbooks/role-rocky-kojid-staging.yml 
@@ -0,0 +1,90 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/staging/kojid.yml
+ - vars/staging/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - kojid
+ stat:
+ path: /etc/kojid.keytab
+ register: kojid_keytab_check
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "kojid_keytab_check.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+ + # EPEL and PowerTools are required for ipsilon to function + # I also couldn't find an ansible built-in to do this + - name: Enable the PowerTools repository + ini_file: + dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo + section: powertools + option: enabled + value: 1 + owner: root + group: root + mode: '0644' + + # The CentOS extras repos has epel-release provided + - name: Enable the EPEL repository + yum: + name: epel-release + state: present + tags: + - packages + + - name: Install rocky-tools copr + yum_repository: + name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool + description: Copr repo for rockylinux-tools owned by nalika + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg + enabled: true + + # Right now, we are not sure how or where we'll get our certificates. So we + # are presenting a choice by setting a variable, koji_internal_ca. There is a + # change that we will have to do internal certs for mqtt anyway. + # TODO: We need an MQTT role and pre_tasks for the keytabs for this role + roles: + - role: rockylinux.kojid + state: present + + post_tasks: + - name: "Setup shared filesystem mount" + import_tasks: tasks/koji_efs.yml + + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root diff --git a/ansible/playbooks/role-rocky-kojid.yml b/ansible/playbooks/role-rocky-kojid.yml index d69ea2f..e365219 100644 --- a/ansible/playbooks/role-rocky-kojid.yml +++ b/ansible/playbooks/role-rocky-kojid.yml @@ -6,8 +6,8 @@ vars_files: - vars/vaults/encpass.yml - vars/common.yml - - vars/kojid.yml - - vars/koji-common.yml + - vars/production/kojid.yml + - vars/production/koji-common.yml # This is to try to avoid the handler issue in pre/post tasks handlers: 
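Review bot: The play at the top of this hunk runs with `hosts: kojihub` yet applies `rockylinux.kojid` and looks for `/etc/kojid.keytab`, so the builder role would be pushed onto the hub group; presumably this was copied from the hub play and should target the kojid/builder inventory group (the production kojid play's `hosts` line is not visible here, so confirm against it). The header comment `# Stands up an ipsilon instance for simple SSO` and `# EPEL and PowerTools are required for ipsilon to function` are copy-paste leftovers and should describe this play, e.g. `# Stands up a staging koji builder (kojid)`. The keytab is expected at `/etc/kojid.keytab` while the hub play keeps its keytabs under `/etc/keytabs/`; aligning the location lets one ownership/mode rule cover both. `state: present` under `roles:` is not a role keyword and is simply handed to the role as a variable, so it can be dropped.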
diff --git a/ansible/playbooks/role-rocky-kojihub-staging.yml b/ansible/playbooks/role-rocky-kojihub-staging.yml new file mode 100644 index 0000000..0ac3884 --- /dev/null +++ b/ansible/playbooks/role-rocky-kojihub-staging.yml 
@@ -0,0 +1,123 @@
+---
+# Stands up an ipsilon instance for simple SSO
+- name: Configure koji hub and web server
+ hosts: kojihub
+ become: true
+ vars_files:
+ - vars/vaults/encpass.yml
+ - vars/common.yml
+ - vars/staging/kojihub.yml
+ - vars/staging/koji-common.yml
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ - name: Check for keytabs - web
+ stat:
+ path: /etc/keytabs/koji-web.keytab
+ register: koji_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - kojira
+ stat:
+ path: /etc/keytabs/kojira.keytab
+ register: kojira_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - gc
+ stat:
+ path: /etc/keytabs/koji-gc.keytab
+ register: gc_keytab
+ changed_when: "1 != 1"
+
+ - name: Check for keytabs - host
+ stat:
+ path: /etc/keytabs/host.keytab
+ register: host_keytab
+ changed_when: "1 != 1"
+
+ - name: Verify keytab
+ assert:
+ that:
+ - "koji_keytab.stat.exists"
+ - "kojira_keytab.stat.exists"
+ - "gc_keytab.stat.exists"
+ - "host_keytab.stat.exists"
+ success_msg: "It is likely we have all keytabs"
+ fail_msg: "There are no keytabs. Please build the keytabs."
+
+ # EPEL and PowerTools are required for ipsilon to function
+ # I also couldn't find an ansible built-in to do this
+ - name: Enable the PowerTools repository
+ ini_file:
+ dest: /etc/yum.repos.d/CentOS-Linux-PowerTools.repo
+ section: powertools
+ option: enabled
+ value: 1
+ owner: root
+ group: root
+ mode: '0644'
+
+ # The CentOS extras repos has epel-release provided
+ - name: Enable the EPEL repository
+ yum:
+ name: epel-release
+ state: present
+ tags:
+ - packages
+
+ - name: Install rocky-tools copr
+ yum_repository:
+ name: copr:copr.fedorainfracloud.org:nalika:rockylinux-tool
+ description: Copr repo for rockylinux-tools owned by nalika
+ file: copr_repos
+ baseurl: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/epel-8-$basearch/
+ gpgcheck: true
+ gpgkey: https://download.copr.fedorainfracloud.org/results/nalika/rockylinux-tools/pubkey.gpg
+ enabled: true
+
+ # Right now, we are not sure how or where we'll get our certificates. So we
+ # are presenting a choice by setting a variable, koji_internal_ca. There is a
+ # change that we will have to do internal certs for mqtt anyway.
+ # TODO: We need an MQTT role and pre_tasks for the keytabs for this role
+ roles:
+ - role: geerlingguy.certbot
+ state: present
+ when: not koji_internal_ca
+
+ - role: rockylinux.ipagetcert
+ state: present
+ when: koji_internal_ca
+
+ - role: geerlingguy.postgresql
+ state: present
+ when: koji_postgresql_vm
+
+ - role: rockylinux.kojihub
+ state: present
+
+ post_tasks:
+ - name: "Setup shared filesystem mount"
+ import_tasks: tasks/koji_efs.yml
+
+ - name: Touching run file that ansible has ran here
+ file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
diff --git a/ansible/playbooks/role-rocky-kojihub.yml b/ansible/playbooks/role-rocky-kojihub.yml
index dd3d8a3..d28afe6 100644
--- a/ansible/playbooks/role-rocky-kojihub.yml
+++ b/ansible/playbooks/role-rocky-kojihub.yml
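Review bot: This staging playbook is the hub playbook repeated in full with only the two `vars_files` entries at the top changed to `vars/staging/`, so the two copies will drift apart as pre_tasks and roles evolve; the stale `# Stands up an ipsilon instance for simple SSO` and `# EPEL and PowerTools are required for ipsilon to function` comments already show copy-paste carried over. A single play that selects the environment, `- "vars/{{ koji_env | default('production') }}/kojihub.yml"` and `- "vars/{{ koji_env | default('production') }}/koji-common.yml"`, run with `-e koji_env=staging`, removes the duplication without changing the production default. If the separate file is kept, at least fix the two header comments to say this configures the staging koji hub and web server. `state: present` under each `roles:` entry is not a role keyword and is passed through as a role variable, so it can be removed.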
@@ -6,8 +6,8 @@ vars_files: - vars/vaults/encpass.yml - vars/common.yml - - vars/kojihub.yml - - vars/koji-common.yml + - vars/production/kojihub.yml + - vars/production/koji-common.yml # This is to try to avoid the handler issue in pre/post tasks handlers: diff --git a/ansible/playbooks/tasks/mantis.yml b/ansible/playbooks/tasks/mantis.yml index 845e17d..4aaa4cf 100644 --- a/ansible/playbooks/tasks/mantis.yml +++ b/ansible/playbooks/tasks/mantis.yml @@ -29,6 +29,7 @@ dest: "/var/www" owner: apache group: apache + mode: '0644' remote_src: true - name: Configure mantis diff --git a/ansible/playbooks/vars/koji-common.yml b/ansible/playbooks/vars/production/koji-common.yml similarity index 100% rename from ansible/playbooks/vars/koji-common.yml rename to ansible/playbooks/vars/production/koji-common.yml diff --git a/ansible/playbooks/vars/kojid.yml b/ansible/playbooks/vars/production/kojid.yml similarity index 100% rename from ansible/playbooks/vars/kojid.yml rename to ansible/playbooks/vars/production/kojid.yml diff --git a/ansible/playbooks/vars/kojihub.yml b/ansible/playbooks/vars/production/kojihub.yml similarity index 100% rename from ansible/playbooks/vars/kojihub.yml rename to ansible/playbooks/vars/production/kojihub.yml diff --git a/ansible/playbooks/vars/staging/koji-common.yml b/ansible/playbooks/vars/staging/koji-common.yml new file mode 100644 index 0000000..a08c2df --- /dev/null +++ b/ansible/playbooks/vars/staging/koji-common.yml @@ -0,0 +1,13 @@ +--- +# Koji common +koji_efs_mount_path: /mnt/koji +koji_efs_fsid: whatever.amazonaws.com +koji_efs_fs_ip_map: + us-east-2a: 10.x.x.x + us-east-2b: 10.x.x.x + us-east-2c: 10.x.x.x +koji_efs_fs_type: efs +koji_efs_fs_opts: + - _netdev + - tls + - iam diff --git a/ansible/playbooks/vars/staging/kojid.yml b/ansible/playbooks/vars/staging/kojid.yml new file mode 100644 index 0000000..bb524f8 --- /dev/null +++ b/ansible/playbooks/vars/staging/kojid.yml 
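Review bot: The added `mode: '0644'` in tasks/mantis.yml is applied by a task whose module name is outside the hunk; if it is `unarchive` (the `remote_src: true` and directory `dest: "/var/www"` suggest so), Ansible applies `mode` to every extracted entry including directories, and 0644 on a directory leaves it non-traversable for apache. Confirm the module; for unarchive a symbolic mode such as `mode: 'u=rwX,go=rX'` keeps execute bits on directories while still stripping them from files, or leave `mode` off and normalise permissions in a following `file` task with `state: directory` and `recurse: true`. The enclosing task starts before the hunk.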
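Review bot: In vars/staging/koji-common.yml, `koji_efs_fsid: whatever.amazonaws.com` and the three `10.x.x.x` entries in `koji_efs_fs_ip_map` are placeholders, so the mount imported by the staging post_tasks from `tasks/koji_efs.yml` will presumably be attempted against an unresolvable filesystem id and target on the first run rather than skipped. Either gate the mount on a real value, e.g. `koji_efs_fsid: ''` plus a `when: koji_efs_fsid | length > 0` on the mount task, or mark the file unmistakably: `# TODO(staging): replace fsid and mount-target IPs with the real staging EFS values before running`. The `tls` and `iam` mount options are the right choice for EFS and should be kept when the real values go in.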
@@ -0,0 +1,15 @@
+---
+# vars for kojid
+
+kojid_vendor: Rocky
+kojid_packager: infrastructure@rockylinux.org
+kojid_distribution: Rocky
+# These three should probably be specified by special vars
+# kojid_web_url: https://kojistg.rockylinux.org/koji
+# kojid_hub_url: https://kojistg.rockylinux.org/kojihub
+# kojid_files_url: https://kojistg.rockylinux.org/kojifiles
+
+kojid_ca_bundle: /etc/pki/tls/certs/ca-bundle.crt
+kojid_keytab: /etc/kojid.keytab
+kojid_smtp_host: smtp.rockylinux.org
+kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"
diff --git a/ansible/playbooks/vars/staging/kojihub.yml b/ansible/playbooks/vars/staging/kojihub.yml new file mode 100644
index 0000000..7d6cf0b
--- /dev/null
+++ b/ansible/playbooks/vars/staging/kojihub.yml
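Review bot: `kojid_allowed_scm: "git.centos.org:/* git.rockylinux.org:/*"` supplies only the host and path fields of koji's `allowed_scms` entries, so the optional `use_common` and `source_cmd` fields take their defaults and kojid will additionally check out a `common` module from each host and run `make sources` from the checkout. That matches a Fedora-style dist-git layout but is not obviously how git.centos.org is laid out; as far as I recall Fedora's own kojid.conf disables it with the `host:/*:false` form, so confirm what is intended and pin it explicitly, e.g. `kojid_allowed_scm: "git.centos.org:/*:false git.rockylinux.org:/*:false"`, so behaviour does not depend on defaults. The commented-out `kojid_web_url`/`kojid_hub_url`/`kojid_files_url` lines mean the builder URLs must come from somewhere else; if the role has no defaults for them the play fails at template time, so the comment should say where they are set.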
@@ -0,0 +1,119 @@
+---
+# koji hub settings
+# This should be the front-facing URL of koji
+#koji_url_name: kojistg.rockylinux.org
+
+# Use an internal CA (IPA)
+koji_internal_ca: true
+
+# Use postgresql on this machine rather than managed service
+koji_postgresql_vm: true
+
+# Database settings
+koji_db_name: koji
+koji_db_user: koji
+# This will need to change when koji_postgresql_vm is false
+koji_db_host: "{{ ansible_fqdn }}"
+
+koji_web_url: "https://{{ koji_url_name }}/koji"
+koji_hub_url: "https://{{ koji_url_name }}/kojihub"
+koji_files_url: "https://{{ koji_url_name }}/kojifiles"
+
+# The IPA internal CA is combined with the others
+# Change before deployment or store in vault
+koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu
+koji_web_cacert: /etc/pki/tls/certs/ca-bundle.crt
+koji_web_tls_cert: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+koji_web_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+
+# Kojira
+koji_kojira: true
+koji_kojira_user: kojira
+koji_kojira_user_kerb: kojira/kojistg.rockylinux.org
+koji_kojira_principal: kojira/kojistg.rockylinux.org@ROCKYLINUX.ORG
+koji_kojira_keytab: /etc/keytabs/kojira.keytab
+
+# MBS
+koji_mbs: true
+koji_mbs_user: mbs
+koji_mbs_user_kerb: mbs/mbs.rockylinux.org
+koji_mbs_principal: mbs/mbs.rockylinux.org@ROCKYLINUX.ORG
+koji_mbs_keytab: /etc/keytabs/mbs.keytab
+
+# GC
+koji_gc_keytab: /etc/keytabs/koji-gc.keytab
+koji_gc_principal: koji-gc/kojistg.rockylinux.org@ROCKYLINUX.ORG
+
+# Sigul
+koji_sigul: true
+koji_sigul_user: sigul
+koji_sigul_user_kerb: sigul/sigul.rockylinux.org
+koji_sigul_principal: sigul/sigul.rockylinux.org@ROCKYLINUX.ORG
+
+# NFS? We need a place.
+koji_nfs: false
+koji_mount: /mnt/koji
+koji_nfs_path: nfs.rockylinux.org:/export/koji
+
+# Koji Admin Settings
+koji_admin_client: true
+koji_admin_user: rockykoji
+koji_admin_principal: rockykoji@ROCKYLINUX.ORG
+koji_admin_localuser: true
+koji_admin_localuser_name: koji
+
+# Hub Settings
+koji_hub_principal: "host/kojihub@ROCKYLINUX.ORG"
+koji_hub_proxy_principals: "HTTP/{{ inventory_hostname }}@ROCKYLINUX.ORG"
+koji_hub_keytab: /etc/keytabs/host.keytab
+koji_hub_principal_format: compile/%s@ROCKYLINUX.ORG
+# This should be sufficient even for LE
+koji_hub_ca: "{{ koji_web_cacert }}"
+
+# Koji FAS Syncing
+# This isn't implemented yet in the role
+koji_fas_sync: false
+koji_fas_url: https://accounts.rockylinux.org
+
+# IPA Certs if Required
+ipa_getcert_requested_hostnames:
+ - name: "{{ ansible_fqdn }}"
+ owner: apache
+ key_location: "{{ koji_web_tls_key }}"
+ cert_location: "{{ koji_web_tls_cert }}"
+ postcmd: "/bin/systemctl reload httpd"
+
+# postgresql vars
+postgresql_restarted_state: "restarted"
+postgresql_python_library: python3-psycopg2
+postgresql_user: postgres
+postgresql_group: postgres
+postgresql_hba_entries:
+ - type: local
+ database: koji
+ user: koji
+ auth_method: trust
+ - type: local
+ database: all
+ user: postgres
+ auth_method: peer
+ - type: host
+ database: koji
+ user: koji
+ address: '10.100.1.0/24'
+ auth_method: md5
+
+postgresql_databases:
+ - name: "{{ koji_db_name }}"
+ owner: "{{ koji_db_user }}"
+
+postgresql_users:
+ - name: "{{ koji_db_user }}"
+ password: "{{ koji_db_pass }}"
+ role_attr_flags: "NOCREATEDB,NOSUPERUSER,NOCREATEROLE"
+ db: "{{ koji_db_name }}"
+ state: present
+
+postgresql_global_config_options:
+ - option: listen_addresses
+ value: '*'
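Review bot: `koji_hub_secret: cK5XCuzMSXJfgA7yFvXkGwFu` is a real-looking shared secret committed in cleartext, and the comment above it already says it should be changed or vaulted; treat the value as burned, rotate it, and reference the vault the same way the database password does, `koji_hub_secret: "{{ koji_hub_secret_vault }}"` with the value kept in `vars/vaults/encpass.yml`. The first `postgresql_hba_entries` item gives the local `koji` role `auth_method: trust`, so any local process can open the hub database without credentials even though `postgresql_users` assigns `koji_db_pass`; `md5` (or `scram-sha-256` where the installed postgres supports it) matches the host entry and costs nothing since the hub is configured with the password anyway. `listen_addresses: '*'` is only bounded by the `10.100.1.0/24` hba entry, which is acceptable for the VM-hosted case but should be revisited when `koji_postgresql_vm` is false. `koji_url_name` is commented out while `koji_web_url`, `koji_hub_url` and `koji_files_url` template it, so unless it is defined in `vars/common.yml` or inventory the play fails on an undefined variable at the first use; either uncomment it or note where it comes from.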