RabbitMQ: add topic auth to more apps

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2022-07-05 08:35:10 +02:00 · 2022-07-05 08:35:10 +02:00 · 4249161ad0
parent 632f16f252
commit 4249161ad0
34 changed files with 98 additions and 44 deletions
--- a/inventory/group_vars/copr_back_aws
+++ b/inventory/group_vars/copr_back_aws
@ -46,6 +46,8 @@ messaging:
    - app_name: Copr build system
      key: copr
      username: copr
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.copr\..*
 nrpe_procs_crit: 2500
 nrpe_procs_warn: 2200
 root_auth_users: msuchy pingou frostyx praiskup
--- a/inventory/group_vars/copr_back_dev_aws
+++ b/inventory/group_vars/copr_back_dev_aws
@ -40,6 +40,8 @@ messaging:
    - app_name: Copr build system
      key: copr
      username: copr
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.copr\..*
 root_auth_users: msuchy pingou frostyx praiskup
 spawn_in_advance: "false"
 tcp_ports: [
--- a/inventory/group_vars/github2fedmsg
+++ b/inventory/group_vars/github2fedmsg
@ -61,6 +61,8 @@ primary_auth_source: ipa
 tcp_ports: [80]
 # for fedora-messaging
 username: "github2fedmsg{{ env_suffix }}"
+sent_topics:
+- ^org\.fedoraproject\.{{ env_short }}\.github\..*
 # Definining these vars has a number of effects
 # 1) mod_wsgi is configured to use the vars for its own setup
 # 2) iptables opens enough ports for all threads for fedmsg
--- a/inventory/group_vars/github2fedmsg_stg
+++ b/inventory/group_vars/github2fedmsg_stg
@ -60,6 +60,8 @@ num_cpus: 1
 tcp_ports: [80]
 # for fedora-messaging
 username: "github2fedmsg{{ env_suffix }}"
+sent_topics:
+- ^org\.fedoraproject\.{{ env_short }}\.github\..*
 # Definining these vars has a number of effects
 # 1) mod_wsgi is configured to use the vars for its own setup
 # 2) iptables opens enough ports for all threads for fedmsg
--- a/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-be-dev.cloud.fedoraproject.org
@ -21,6 +21,8 @@ messaging:
    - app_name: Copr build system
      key: copr
      username: copr
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.copr\..*
 # There is no python2 on F30
 nagios_Check_Services:
  dhcpd: false
--- a/inventory/host_vars/copr-be.cloud.fedoraproject.org
+++ b/inventory/host_vars/copr-be.cloud.fedoraproject.org
@ -21,6 +21,8 @@ messaging:
    - app_name: Copr build system
      key: copr
      username: copr
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.copr\..*
 nagios_Check_Services:
  dhcpd: false
  httpd: false
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -29,8 +29,6 @@
  - role: httpd/certificate
    certname: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: "{{wildcard_int_file}}"
-  - role: rabbit/user
-    username: "mirror_pagure_ansible{{ env_suffix }}"
  - role: rabbit/user
    username: "batcave{{ env_suffix }}"
    sent_topics:
@ -40,18 +38,22 @@
    username: "mirror_pagure_ansible{{ env_suffix }}"
    queue_name: "mirror_pagure_ansible{{ env_suffix }}"
    routing_keys:
-      - "io.pagure.*.pagure.git.receive"
+    - "io.pagure.*.pagure.git.receive"
    thresholds:
      warning: 10
      critical: 100
+    sent_topics:
+    - ^$
  - role: rabbit/queue
    username: "mirror_pagure_ansible{{ env_suffix }}"
    queue_name: "mirror_pagure_ansible{{ env_suffix }}_13"
    routing_keys:
-      - "io.pagure.*.pagure.git.receive"
+    - "io.pagure.*.pagure.git.receive"
    thresholds:
      warning: 10
      critical: 100
+    sent_topics:
+    - ^$
    when: datacenter != 'iad2'
  - batcave
  - role: grobisplitter
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@ -118,6 +118,8 @@
  - sudo
  - role: rabbit/user
    username: "koji{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.buildsys\..*

  tasks:
  - import_tasks: "{{ tasks_path }}/motd.yml"
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@ -31,6 +31,8 @@
  # Set up for fedora-messaging
  - role: rabbit/user
    username: "logging{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.logging\.stats\..*
  - logging

  pre_tasks:
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@ -99,8 +99,10 @@
    mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}"
  - role: fedmsg/base
  # Set up for fedora-messaging
-  - { role: rabbit/user,
-      username: "mailman{{ env_suffix }}"}
+  - role: rabbit/user
+    username: "mailman{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.mailman\..*

  tasks:
  - name: install more needed packages
--- a/playbooks/groups/mirrormanager.yml
+++ b/playbooks/groups/mirrormanager.yml
@ -102,8 +102,11 @@
  roles:
  - role: fedmsg/base
  # Set up for fedora-messaging
-  - { role: rabbit/user,
-      username: "mirrormanager{{ env_suffix }}"}
+  - role: rabbit/user
+    username: "mirrormanager{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.mirrormanager\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/notifs-backend.yml
+++ b/playbooks/groups/notifs-backend.yml
@ -36,8 +36,11 @@
  - collectd/base
  - fedmsg/base
  # Set up for fedora-messaging
-  - { role: rabbit/user,
-      username: "notifs-backend{{ env_suffix }}"}
+  - role: rabbit/user
+    username: "notifs-backend{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
  - sudo

  tasks:
--- a/playbooks/groups/notifs-web.yml
+++ b/playbooks/groups/notifs-web.yml
@ -27,8 +27,11 @@
  - mod_wsgi
  - role: fedmsg/base
  # Set up for fedora-messaging
-  - { role: rabbit/user,
-      username: "notifs-web{{ env_suffix }}"}
+  - role: rabbit/user
+    username: "notifs-web{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.fmn\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
  - notifs/frontend
  - sudo

--- a/playbooks/groups/odcs.yml
+++ b/playbooks/groups/odcs.yml
@ -44,6 +44,8 @@
  roles:
  - role: rabbit/user
    username: "odcs{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.odcs\..*
  - mod_wsgi
  - role: nfs/client
    mnt_dir: '/mnt/fedora_koji'
@ -144,8 +146,6 @@
  roles:
  - role: keytab/service
    service: odcs
-  - role: rabbit/user
-    username: "fmc{{ env_suffix }}"
  - role: rabbit/queue
    username: "fmc{{ env_suffix }}"
    queue_name: "{{ fmc_queue_name }}"
@ -153,6 +153,8 @@
    thresholds:
      warning: 100
      critical: 1000
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.odcs\..*
  - role: fmc

  handlers:
--- a/playbooks/groups/pdc.yml
+++ b/playbooks/groups/pdc.yml
@ -47,5 +47,8 @@
  # Set up for fedora-messaging
  - role: rabbit/user
    username: "pdc{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.pdc\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
    when: inventory_hostname.startswith(('pdc-web01','pdc-web01.stg'))
  - pdc/frontend
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@ -77,6 +77,7 @@
    username: "planet{{ env_suffix }}"
    sent_topics:
    - ^org\.fedoraproject\.{{ env_short }}\.planet\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*

  - role: apache

--- a/playbooks/groups/pkgs.yml
+++ b/playbooks/groups/pkgs.yml
@ -84,6 +84,8 @@
    username: "pagure{{ env_suffix }}"
    sent_topics:
    - ^org\.fedoraproject\.{{ env_short }}\.pagure\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.git\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
--- a/playbooks/groups/releng-compose.yml
+++ b/playbooks/groups/releng-compose.yml
@ -130,6 +130,10 @@

  - role: rabbit/user
    username: "pungi{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.pungi\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.compose\..*

  - {
    role: "push-container-registry",
--- a/playbooks/groups/retrace.yml
+++ b/playbooks/groups/retrace.yml
@ -27,7 +27,7 @@

  roles: 
  - role: rabbit/queue
-    username: faf
+    username: faf{{ env_suffix }}
    queue_name: faf
    routing_keys:
      - "org.fedoraproject.*.faf.report.threshold1"
@ -46,6 +46,8 @@
      - "org.fedoraproject.*.faf.problem.threshold10000"
      - "org.fedoraproject.*.faf.problem.threshold100000"
      - "org.fedoraproject.*.faf.problem.threshold1000000"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.faf\..*

 - name: Setup retrace hosts
  hosts: retrace,retrace_stg
--- a/playbooks/groups/sundries.yml
+++ b/playbooks/groups/sundries.yml
@ -55,9 +55,11 @@
    when: master_sundries_node|bool
  - role: fedora-web/kinoite/build
    when: master_sundries_node|bool
-  - { role: rabbit/user,
-      username: "sundries{{ env_suffix }}",
-      when: master_sundries_node|bool and deployment_type == "stg" }
+  - role: rabbit/user
+    username: "sundries{{ env_suffix }}"
+    sent_topics:
+    - ^$
+    when: master_sundries_node|bool and deployment_type == "stg"
  - role: fedmsg/base
    when: master_sundries_node|bool
  - role: nfs/client
--- a/playbooks/groups/wiki.yml
+++ b/playbooks/groups/wiki.yml
@ -30,8 +30,13 @@
  - apache
  - fedmsg/base
  # Set up for fedora-messaging
-  - { role: rabbit/user, username: "wiki{{ env_suffix }}", when: inventory_hostname.startswith('wiki01') }
-  - { role: rabbit/queue, username: "wiki{{ env_suffix }}", queue_name: "wiki{{ env_suffix }}"}
+  - role: rabbit/queue
+    username: "wiki{{ env_suffix }}"
+    queue_name: "wiki{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.wiki\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
+    when: inventory_hostname.startswith('wiki01')
  - { role: nfs/client, when: env == "staging", mnt_dir: '/mnt/web/attachments',  nfs_src_dir: 'fedora_app_staging/app/attachments' }
  - { role: nfs/client, when: env != "staging", mnt_dir: '/mnt/web/attachments',  nfs_src_dir: 'fedora_app/app/attachments' }
  - mediawiki
--- a/playbooks/manual/autosign.yml
+++ b/playbooks/manual/autosign.yml
@ -67,6 +67,9 @@
    - "org.fedoraproject.*.coreos.build.request.artifacts-sign"
    - "org.fedoraproject.*.coreos.build.request.ostree-sign"
    - "org.fedoraproject.*.buildsys.tag"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.coreos\..*\.finished$
+    - ^org\.fedoraproject\.{{ env_short }}\.robosignatory\..*\.finished$
  - robosignatory
  - role: keytab/service
    service: autosign
--- a/playbooks/openshift-apps/coreos-ostree-importer.yml
+++ b/playbooks/openshift-apps/coreos-ostree-importer.yml
@ -43,6 +43,8 @@
    thresholds:
      warning: 10
      critical: 100
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.coreos\..*

  # Fedora Messaging secrets
  - role: openshift/secret-file
--- a/playbooks/openshift-apps/greenwave.yml
+++ b/playbooks/openshift-apps/greenwave.yml
@ -19,6 +19,8 @@
    thresholds:
      warning: 50
      critical: 100
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.greenwave\..*

  # The openshift/project role breaks if the project already exists:
  # https://pagure.io/fedora-infrastructure/issue/6404
--- a/playbooks/openshift-apps/koschei.yml
+++ b/playbooks/openshift-apps/koschei.yml
@ -16,6 +16,9 @@
    queue_name: "{{ app }}{{ env_suffix }}"
    routing_keys: []
    message_ttl: 60000
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.koschei\..*
+    - ^org\.fedoraproject\.{{ env_short }}\.ci\..*

  - openshift/project

--- a/playbooks/openshift-apps/message-tagging-service.yml
+++ b/playbooks/openshift-apps/message-tagging-service.yml
@ -37,9 +37,6 @@

  # Setup for fedora-messaging

-  - role: rabbit/user
-    username: "mts{{ env_suffix }}"
-
  - role: rabbit/queue
    username: "mts{{ env_suffix }}"
    queue_name: "mts{{ env_suffix }}"
@ -48,6 +45,8 @@
    thresholds:
      warning: 10
      critical: 100
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.build\.tag\..*

  # cacert, certificate and private key for fedora-messaging

--- a/playbooks/openshift-apps/monitor_gating.yml
+++ b/playbooks/openshift-apps/monitor_gating.yml
@ -26,6 +26,8 @@

  - role: rabbit/user
    username: "monitor-gating{{ env_suffix }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.monitor-gating\..*

  - role: openshift/keytab
    app: monitor-gating
--- a/playbooks/openshift-apps/resultsdb-ci-listener.yml
+++ b/playbooks/openshift-apps/resultsdb-ci-listener.yml
@ -9,9 +9,6 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
-    - role: rabbit/user
-      username: "resultsdb{{ env_suffix }}_ci_listener"
-
    - role: rabbit/queue
      username: "resultsdb{{ env_suffix }}_ci_listener"
      queue_name: "resultsdb{{ env_suffix }}_ci_listener"
@ -25,6 +22,8 @@
        - 'org.centos.*.ci.koji-build.test.running'
        - 'org.centos.*.ci.koji-build.test.complete'
        - 'org.centos.*.ci.koji-build.test.error'
+      sent_topics:
+        - ^$

    # The openshift/project role breaks if the project already exists:
    # https://pagure.io/fedora-infrastructure/issue/6404
--- a/playbooks/openshift-apps/resultsdb.yml
+++ b/playbooks/openshift-apps/resultsdb.yml
@ -40,6 +40,8 @@
  roles:
    - role: rabbit/user
      username: "resultsdb{{ env_suffix }}"
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.resultsdb\..*

    # The openshift/project role breaks if the project already exists:
    # https://pagure.io/fedora-infrastructure/issue/6404
--- a/playbooks/openshift-apps/toddlers.yml
+++ b/playbooks/openshift-apps/toddlers.yml
@ -22,9 +22,6 @@
    tags:
      - appowners

-  - role: rabbit/user
-    username: "toddlers{{ env_suffix }}"
-
  - role: rabbit/queue
    username: toddlers{{ env_suffix }}
    queue_name: toddlers{{ env_suffix }}
@ -56,6 +53,8 @@
    thresholds:
      warning: 10
      critical: 100
+    sent_topics:
+      - ^org\.fedoraproject\.{{ env_short }}\.toddlers\..*

  - role: openshift/keytab
    app: toddlers
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@ -39,6 +39,8 @@
  roles:
    - role: rabbit/user
      username: "waiverdb{{ env_suffix }}"
+      sent_topics:
+        - ^org\.fedoraproject\.{{ env_short }}\.waiverdb\..*

    # The openshift/project role breaks if the project already exists:
    # https://pagure.io/fedora-infrastructure/issue/6404
--- a/roles/messaging/base/tasks/main.yml
+++ b/roles/messaging/base/tasks/main.yml
@ -56,6 +56,7 @@
  include_role: name=rabbit/user
  vars:
  - username: "{{ item.username }}{{ env_suffix }}"
+    sent_topics: "{{ item.sent_topics }}"
  with_items: "{{ messaging.certificates }}"
  tags:
  - fedora-messaging
--- a/roles/rabbitmq_cluster/tasks/apps.yml
+++ b/roles/rabbitmq_cluster/tasks/apps.yml
@ -68,14 +68,9 @@
  include_role:
    name: rabbit/user
  vars:
-     username: copr{{ env_suffix }}
-
- name: faf
-  run_once: true
-  include_role:
-    name: rabbit/user
-  vars:
-     username: faf{{ env_suffix }}
+    username: copr{{ env_suffix }}
+    sent_topics:
+      - ^org\.fedoraproject\.{{ env_short }}\.copr\..*

 - name: CentOS Stream
  run_once: true
@ -371,13 +366,6 @@
 #
 # ELN BEGIN

- name: eln build user
-  run_once: true
-  include_role:
-    name: rabbit/user
-  vars:
-    username: distrobuildsync-eln
-
 - name: eln queue
  run_once: true
  include_role:
--- a/roles/supybot/tasks/main.yml
+++ b/roles/supybot/tasks/main.yml
@ -104,6 +104,8 @@
    name: rabbit/user
  vars:
    username: "{{ botnames[env] }}"
+    sent_topics:
+    - ^org\.fedoraproject\.{{ env_short }}\.meetbot\..*
  when:
  - inventory_hostname.startswith('value02')