From 99e163b220a113000fb9cb0db385f770012bfe3f Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Wed, 30 Dec 2020 02:22:58 -0700
Subject: [PATCH] slurry of changes and fixes
---
ansible/playbooks/adhoc-rabbitmqqueue.yml | 84 +++++++++++++++++++
ansible/playbooks/adhoc-rabbitmquser.yml | 1 +
ansible/playbooks/role-gitlab-ee.yml | 1 +
ansible/playbooks/role-rocky-rabbitmq.yml | 1 +
.../templates/etc/gitlab/rocky_gitlab.rb | 2 +-
ansible/playbooks/vars/common.yml | 8 ++
ansible/playbooks/vars/encpass.yml | 3 +
ansible/playbooks/vars/gitlab.yml | 11 +--
ansible/playbooks/vars/groups.yml | 15 ++++
ansible/playbooks/vars/rabbitmq.yml | 5 ++
ansible/playbooks/vars/svcusers.yml | 21 +++++
11 files changed, 146 insertions(+), 6 deletions(-)
create mode 100644 ansible/playbooks/adhoc-rabbitmqqueue.yml
create mode 100644 ansible/playbooks/vars/common.yml
diff --git a/ansible/playbooks/adhoc-rabbitmqqueue.yml b/ansible/playbooks/adhoc-rabbitmqqueue.yml
new file mode 100644
index 0000000..ee7aa5a
--- /dev/null
+++ b/ansible/playbooks/adhoc-rabbitmqqueue.yml
@@ -0,0 +1,84 @@
+---
+# This playbook is meant to be used with callable variables, like adhoc or AWX.
+# What: Creates RabbitMQ Users
+# Required parameters:
+# -> username: The username to create in RabbitMQ, which should match an LDAP
+# name or the CN of a certificate. Note that if it's a hostname
+# it must be the FQDN.
+# -> queue_name: Name of the queue to create. This should be setup with a
+# prefix_suffix name, where prefix is the username, and
+# the suffix is a service name.
+# -> routing_keys: A list to be used as routing keys.
+# Optional:
+# -> write_queues: A list of queues name prefixes that which the user will
+# be allowed to publish.
+# -> thresholds: A dictionary with two keys "warning" and "critical" - The
+# values are numbers. In the event we have a monitoring system
+# this can be a number of messages that could cause an alert.
+# -> vhost: The vhost this queue will be part of. The default is /pubsub.
+
+- name: Create a User
+ hosts: rabbitmq
+ become: false
+ gather_facts: false
+ vars_files:
+ - vars/encpass.yml
+ - vars/rabbitmq.yml
+
+ tasks:
+ - name: "Checking for user variables"
+ assert:
+ that:
+ - username != "admin"
+ - username != "guest"
+ - username != "mq-monitoring"
+ success_msg: "Required variables provided"
+ fail_msg: "Username is reserved"
+ tags:
+ - rabbitmq
+
+ - name: "Validate username queue name"
+ assert:
+ that:
+ - "queue_name.startswith(username)"
+ tags:
+ - rabbitmq
+
+ - name: "Creating User Account"
+ community.rabbitmq.rabbitmq_user:
+ user: "{{ username }}"
+ vhost: "{{ vhost|default('/pubsub') }}"
+ read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
+ write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
+ configure_priv: "^$"
+ state: present
+ tags:
+ - rabbitmq
+
+ - name: "Create {{ queue_name }}"
+ delegate_to: "{{ rabbitmq_cluster_list[0] }}"
+ community.rabbitmq.rabbitmq_queue:
+ name: "{{ queue_name }}"
+ vhost: "{{ 
vhost|default('/pubsub') }}" + auto_delete: false + durable: true + message_ttl: "{{ message_ttl|default('null') }}" + state: present + login_user: admin + login_password: "{{ rabbitmq_admin_password }}" + tags: + - rabbitmq + + - name: "Bind {{ queue_name }} to amq.topic exchange" + delegate_to: "{{ rabbitmq_cluster_list[0] }}" + community.rabbitmq.rabbitmq_binding: + name: "amq.topic" + destination: "{{ queue_name }}" + destination_type: queue + routing_key: "{{ item }}" + vhost: "{{ vhost|default('/pubsub') }}" + state: present + login_user: admin + login_password: "{{ rabbitmq_admin_password }}" + tags: + - rabbitmq diff --git a/ansible/playbooks/adhoc-rabbitmquser.yml b/ansible/playbooks/adhoc-rabbitmquser.yml index 10427d3..31fb6fe 100644 --- a/ansible/playbooks/adhoc-rabbitmquser.yml +++ b/ansible/playbooks/adhoc-rabbitmquser.yml @@ -1,6 +1,7 @@ --- # This playbook is meant to be used with callable variables, like adhoc or AWX. # What: Creates RabbitMQ Users +# The username is the required parameter - name: Create a User hosts: rabbitmq diff --git a/ansible/playbooks/role-gitlab-ee.yml b/ansible/playbooks/role-gitlab-ee.yml index e52b63c..5c725c9 100644 --- a/ansible/playbooks/role-gitlab-ee.yml +++ b/ansible/playbooks/role-gitlab-ee.yml @@ -4,6 +4,7 @@ hosts: gitlabservers become: true vars_files: + - vars/common.yml - vars/gitlab.yml # This is to try to avoid the handler issue in pre/post tasks diff --git a/ansible/playbooks/role-rocky-rabbitmq.yml b/ansible/playbooks/role-rocky-rabbitmq.yml index 979c877..c5a07ac 100644 --- a/ansible/playbooks/role-rocky-rabbitmq.yml +++ b/ansible/playbooks/role-rocky-rabbitmq.yml @@ -4,6 +4,7 @@ hosts: rabbitmq become: true vars_files: + - vars/common.yml - vars/encpass.yml - vars/rabbitmq.yml diff --git a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb index a0a888f..82ddcf6 100644 --- a/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb 
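Review bot: The final binding task sets `routing_key: "{{ item }}"` but has no `loop`, so `item` is undefined at runtime and the `routing_keys` list the header calls required is never consumed; add `loop: "{{ routing_keys }}"` to that task and `- routing_keys is defined` to the first assert's `that` list. `message_ttl: "{{ message_ttl|default('null') }}"` hands the queue module the literal string null when the caller omits it, where `message_ttl: "{{ message_ttl | default(omit) }}"` drops the argument instead. In `read_priv` and `write_priv` the leading `^` binds only to the first alternative, so `({{ username }}.*)$` permits any resource whose name merely contains the username somewhere unless RabbitMQ anchors these patterns itself, and an unescaped FQDN username lets each `.` match any character; `read_priv: "^(zmq\\.topic|amq\\.topic|{{ username | regex_escape }}.*)$"` anchors the whole set, and `write_priv` wants the same shape around its Jinja loop. `thresholds` is documented as an optional parameter but nothing in the playbook reads it, so either drop it from the header or mark it as reserved for monitoring.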
+++ b/ansible/playbooks/templates/etc/gitlab/rocky_gitlab.rb @@ -40,7 +40,7 @@ gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' password: '{{ gitlab_ldap_password }}' allow_username_or_email_login: true base: '{{ gitlab_ldap_base }}' - user_filter: '' + user_filter: '{{ gitlab_ldap_user_filter }}' group_base: '{{ gitlab_ldap_group_dn }}' admin_group: '{{ gitlab_ldap_admin_group }}' sync_ssh_keys: true diff --git a/ansible/playbooks/vars/common.yml b/ansible/playbooks/vars/common.yml new file mode 100644 index 0000000..3e4bfe1 --- /dev/null +++ b/ansible/playbooks/vars/common.yml @@ -0,0 +1,8 @@ +--- +rocky_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org" +rocky_ldap_bind_pw: "ThisIsNotThePassword!" +rocky_ldap_user_basedn: "cn=users,cn=accounts,dc=rockylinux,dc=org" +rocky_ldap_group_basedn: "cn=groups,cn=accounts,dc=rockylinux,dc=org" +rocky_ldap_account_basedn: "cn=accounts,dc=rockylinux,dc=org" +# Requires jinja 2.9+ +rocky_ipaserver_list: "{{ groups['ipaserver'] + groups['ipareplicas'] }}" diff --git a/ansible/playbooks/vars/encpass.yml b/ansible/playbooks/vars/encpass.yml index efa8dc7..7b43fdd 100644 --- a/ansible/playbooks/vars/encpass.yml +++ b/ansible/playbooks/vars/encpass.yml @@ -16,3 +16,6 @@ ipsilon_db_password: !vault | koji_db_pass: !vault | $ANSIBLE_VAULT;1.1;AES256 REDACTED +pubsub_federation_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + REDACTED diff --git a/ansible/playbooks/vars/gitlab.yml b/ansible/playbooks/vars/gitlab.yml index 0b39ec1..31a0718 100644 --- a/ansible/playbooks/vars/gitlab.yml +++ b/ansible/playbooks/vars/gitlab.yml 
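Review bot: `rocky_ldap_bind_pw: "ThisIsNotThePassword!"` puts the LDAP bind credential in clear text in a vars file that every playbook loading `vars/common.yml` now reads, while `vars/encpass.yml` in this same commit keeps its secrets as `!vault` blocks; even as a placeholder it invites the real password to be committed here, so define `rocky_ldap_bind_pw: !vault |` in encpass.yml and leave only the non-secret DNs in common.yml. `rocky_ipaserver_list` adds `groups['ipaserver']` and `groups['ipareplicas']`, which fails with an undefined variable on any inventory that has no `ipareplicas` group; `rocky_ipaserver_list: "{{ groups['ipaserver'] + (groups['ipareplicas'] | default([])) }}"` keeps it usable with a single server.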
@@ -21,15 +21,16 @@ gitlab_ssl_key: "/etc/nginx/ssl/{{ gitlab_domain }}.key" # LDAP Configuration gitlab_ldap_enabled: "true" -gitlab_ldap_host: "ipa001.rockylinux.org" +gitlab_ldap_host: "{{ rocky_ipaserver_list[0] }}" gitlab_ldap_port: "389" gitlab_ldap_uid: "uid" gitlab_ldap_method: "start_tls" -gitlab_ldap_bind_dn: "uid=binder,cn=sysaccounts,cn=etc,dc=rockylinux,dc=org" -gitlab_ldap_password: "ThisIsNotThePassword!" -gitlab_ldap_base: "cn=users,cn=accounts,dc=rockylinux,dc=org" -gitlab_ldap_group_dn: "cn=groups,cn=accounts,dc=rockylinux,dc=org" +gitlab_ldap_bind_dn: "{{ rocky_ldap_bind_dn }}" +gitlab_ldap_password: "{{ rocky_ldap_bind_pw }}" +gitlab_ldap_base: "{{ rocky_ldap_user_basedn }}" +gitlab_ldap_group_dn: "{{ rocky_ldap_group_basedn }}" gitlab_ldap_admin_group: "cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org" +gitlab_ldap_user_filter: "(&(objectClass=posixAccount)(memberOf=cn=gitusers,cn=groups,cn=accounts,dc=rockylinux,dc=org))" gitlab_time_zone: "UTC" diff --git a/ansible/playbooks/vars/groups.yml b/ansible/playbooks/vars/groups.yml index f56b259..b1e3369 100644 --- a/ansible/playbooks/vars/groups.yml +++ b/ansible/playbooks/vars/groups.yml @@ -42,12 +42,25 @@ ipagroups: - rfelsburg - tg - hbjy + - group: gitusers + description: Rocky Linux GitLab Users + user: + - label + - neil + - rlh + - rfelsburg + - tg + - hbjy + - rockyautomation - group: services description: Rocky Linux Service Accounts user: - hostman - kerbman - rockykoji + - pubsub_federation + - rockypubsub + - rockyautomation - group: iam description: Rocky Linux Identity Management user: @@ -56,3 +69,5 @@ ipagroups: description: Rocky Linux Release Engineering user: - label + - group: mq_pub_readonly + description: RabbitMQ ReadOnly diff --git a/ansible/playbooks/vars/rabbitmq.yml b/ansible/playbooks/vars/rabbitmq.yml index 9b98ac5..135b7d7 100644 --- a/ansible/playbooks/vars/rabbitmq.yml +++ b/ansible/playbooks/vars/rabbitmq.yml 
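Review bot: `gitlab_ldap_admin_group` and the `memberOf=` clause of the new `gitlab_ldap_user_filter` still spell out `cn=groups,cn=accounts,dc=rockylinux,dc=org` while `gitlab_ldap_group_dn` just above now derives the same base from `rocky_ldap_group_basedn`; writing them as `"cn=gitadm,{{ rocky_ldap_group_basedn }}"` and `(memberOf=cn=gitusers,{{ rocky_ldap_group_basedn }})` keeps the admin group and the login filter in the same tree as the group base when common.yml changes, instead of silently pointing at the old DN. The filter line also runs to about 120 columns; a `>-` folded scalar keeps it readable without changing the value.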
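Review bot: The new `mq_pub_readonly` group in the second hunk carries only `description` and no `user:` key, unlike every other entry in `ipagroups`; if the consuming role iterates `item.user` (presumably, given the other entries) this entry fails on an undefined attribute, so add `user: []` to state the empty membership explicitly. The enclosing `ipagroups` list starts before the first hunk.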
@@ -16,6 +16,10 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" #rabbitmq_cluster_name: #rabbitmq_env: +# Federation / Public Queues +rabbitmq_enable_public: false +#pubsub_federation_pass: + # THIS IS DYNAMIC. IT'S ADVISED IT NOT BE STATIC. # This should be changed depending on how inventory is managed. For example, if # it's not possible to have "staging inventory" as opposed to a "production" @@ -23,6 +27,7 @@ rabbitmq_tls_key: "/etc/pki/tls/private/{{ ansible_fqdn }}.key" # also possible there will be more than one cluster, so these must be taken # into account when setting this variable. rabbitmq_cluster_list: "{{ groups['rabbitmq'] }}" +rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}" # Messaging queues are generally private rabbitmq_private: true diff --git a/ansible/playbooks/vars/svcusers.yml b/ansible/playbooks/vars/svcusers.yml index ccef80d..1399637 100644 --- a/ansible/playbooks/vars/svcusers.yml +++ b/ansible/playbooks/vars/svcusers.yml @@ -21,3 +21,24 @@ svcusers: password: ThisIsNotMyPassword1! title: System Account - Koji Manager loginshell: /sbin/nologin + - name: pubsub_federation + first: pubsub + last: federation + email: infrastructure@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - pubsub federator + loginshell: /sbin/nologin + - name: rockypubsub + first: rocky + last: pubsub + email: infrastructure@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - pubsub + loginshell: /sbin/nologin + - name: rockyautomation + first: Rocky + last: Automation + email: infrastructure@rockylinux.org + password: ThisIsNotMyPassword1! + title: System Account - Automation + loginshell: /sbin/nologin
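Review bot: `rabbitmq_ldap_servers: "{{ rocky_ipaserver_list }}"` only resolves when `vars/common.yml` is loaded alongside this file; `role-rocky-rabbitmq.yml` now does that, but `adhoc-rabbitmqqueue.yml` loads `vars/rabbitmq.yml` without it, so any task there that touches this variable fails with an undefined `rocky_ipaserver_list`. Adding `- vars/common.yml` to that playbook's `vars_files` removes the trap. The commented `#pubsub_federation_pass:` duplicates the vaulted definition this commit adds to encpass.yml; `# defined as !vault in vars/encpass.yml` in its place stops someone uncommenting it with a plain value.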
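Review bot: The three new accounts all carry `password: ThisIsNotMyPassword1!` as a plain scalar, the same literal as the existing koji entry, so three service principals would share one credential if the placeholder were ever left in place. This commit already adds a vaulted `pubsub_federation_pass` to `vars/encpass.yml`; `password: "{{ pubsub_federation_pass }}"` on the `pubsub_federation` entry, with vaulted counterparts for `rockypubsub` and `rockyautomation`, keeps svcusers.yml free of clear-text credentials. The enclosing `svcusers` list starts before the hunk.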