F9963922
D2793.id7090.diff
diff --git a/_modules/rabbitmq.py b/_modules/rabbitmq.py
--- a/_modules/rabbitmq.py
+++ b/_modules/rabbitmq.py
@@ -19,6 +19,11 @@
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+def get_password(credential):
+ secret = __salt__["vault.read_secret"](credential)
+ return compute_password_hash(secret["password"])
+
+
def compute_password_hash(password):
salt = secrets.randbits(32)
return _compute_password_hash_with_salt(salt, password)
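Review bot: `get_password` returns a password hash, not a password, so the name misleads callers; rename it to something like `get_password_hash`, or add a docstring stating that it returns the salted hash produced by `compute_password_hash`. It also assumes `__salt__["vault.read_secret"](credential)` returns a mapping with a `password` key; if the Vault path does not exist or the secret lacks that key, `secret["password"]` fails with a bare TypeError or KeyError that does not name the credential, so check the lookup result and raise an error that includes `credential` before hashing.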
diff --git a/pillar/saas/rabbitmq.sls b/pillar/saas/rabbitmq.sls
new file mode 100644
--- /dev/null
+++ b/pillar/saas/rabbitmq.sls
@@ -0,0 +1,103 @@
+# -------------------------------------------------------------
+# Salt — RabbitMQ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# RabbitMQ clusters
+#
+# Each cluster is defined by a deployment method (e.g. docker),
+# and the node we can use to configure it.
+#
+# The cluster configuration is a collection of vhosts and users:
+#
+# vhosts:
+# <vhost name>: <configuration>
+#
+# users:
+# <user>: <password FULL secret path in Vault>
+#
+# In addition, a root account is managed by deployment states.
+#
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#
+# The vhost configuration allows to define the exchanges and queues,
+# and the permissions users have on them.
+#
+# exchanges:
+# type is 'direct', 'topic' or 'fanout'
+#
+# queues:
+# Application can create their own ephemeral queue.
+# For that, it needs configure permission on the vhost.
+#
+# If an application needs a stable one, it should be configured here,
+# so we can drop the configure permission.
+#
+# permissions:
+# See https://www.rabbitmq.com/access-control.html#authorisation
+# for the needed permissions for an AMQP operation
+#
+# To give access to server-generated queue names, use amq\.gen.*
+# To not give any access, use blank string
+#
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+rabbitmq_clusters:
+ white-rabbit:
+ deployment: docker
+ node: docker-002
+ container: white-rabbit
+ url: https://white-rabbit.nasqueron.org/
+
+ vhosts:
+
+ ###
+ ### Nasqueron dev services:
+ ### - Notifications center
+ ###
+
+ dev: &nasqueron-dev-services-vhost
+ description: Nasqueron dev services
+
+ exchanges:
+ # Producer: Notifications center
+ # Consumers: any notifications client
+ notifications:
+ type: topic
+
+ queues:
+ # Used by Wearg to stream notifications to IRC
+ wearg-notifications:
+ routing_key: "#"
+ binds:
+ - notifications
+
+ permissions:
+ # Notifications center (paas-docker role / notifications container)
+ notifications:
+ configure: ''
+ read: ''
+ write: '^notifications$'
+
+ # Wearg (viperserv role)
+ wearg:
+ configure: ''
+ read: '^wearg\-notifications$'
+ write: ''
+
+ # Notifications CLI clients
+ notifications-ysul: ¬ifications-client-permissions
+ configure: '^amq\.gen.*$'
+ read: '^(amq\.gen.*|notifications)$'
+ write: '^amq\.gen.*$'
+ notifications-windriver: *notifications-client-permissions
+
+ users:
+ # Notifications center server and clients
+ notifications: ops/secrets/nasqueron.notifications.broker
+ wearg: apps/viperserv/broker
+ notifications-ysul: ops/secrets/nasqueron/notifications/notifications-cli/ysul
+ notifications-windriver: ops/secrets/nasqueron/notifications/notifications-cli/windriver
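Review bot: in the `users` block the Vault path for `notifications` (`ops/secrets/nasqueron.notifications.broker`) uses dot separators while the CLI clients use the slash hierarchy `ops/secrets/nasqueron/notifications/notifications-cli/...`; confirm the dotted path is the real secret location rather than a typo, since it is read verbatim by the module. The anchor `&nasqueron-dev-services-vhost` on the `dev` vhost is never referenced, so either drop it or reference it where intended. The header comment documents `exchanges`, `queues` and `permissions` but not `description`, `routing_key` or `binds`, which the vhost definition relies on; add them. Comment wording: `Application can create their own ephemeral queue` should read `Applications can create their own ephemeral queues`, and `it needs configure permission` should be `they need configure permission`.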
diff --git a/roles/saas-rabbitmq/init.sls b/roles/saas-rabbitmq/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/saas-rabbitmq/init.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# Salt — RabbitMQ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .server
diff --git a/roles/saas-rabbitmq/server/content.sls b/roles/saas-rabbitmq/server/content.sls
new file mode 100644
--- /dev/null
+++ b/roles/saas-rabbitmq/server/content.sls
@@ -0,0 +1,81 @@
+# -------------------------------------------------------------
+# Salt — RabbitMQ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+
+{% for cluster, cluster_args in pillar['rabbitmq_clusters'].items() %}
+
+
+# -------------------------------------------------------------
+# RabbitMQ vhosts
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for vhost, vhost_args in cluster_args["vhosts"].items() %}
+rabbitmq_cluster_{{ cluster }}_vhost_{{ vhost }}:
+ rabbitmq.vhost_present:
+ - name: {{ vhost }}
+ - cluster: {{ cluster }}
+ - description: {{ vhost_args["description"] }}
+{% endfor %}
+
+# -------------------------------------------------------------
+# RabbitMQ exchanges and queues
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for vhost, vhost_args in cluster_args["vhosts"].items() %}
+
+{% for exchange, exchange_args in vhost_args.get("exchanges", {}).items() %}
+rabbitmq_cluster_{{ cluster }}_vhost_{{ vhost }}_exchange_{{ exchange }}:
+ rabbitmq.exchange_present:
+ - name: {{ exchange }}
+ - cluster: {{ cluster }}
+ - vhost: {{ vhost }}
+ - type: {{ exchange_args["type"] }}
+{% endfor %}
+
+{% for queue, queue_args in vhost_args.get("queues", {}).items() %}
+rabbitmq_cluster_{{ cluster }}_vhost_{{ vhost }}_queue_{{ queue }}:
+ rabbitmq.queue_present:
+ - name: {{ queue }}
+ - cluster: {{ cluster }}
+ - vhost: {{ vhost }}
+ - routing_key: {{ queue_args["routing_key"] }}
+ - binds: {{ queue_args.get("binds", []) }}
+{% endfor %}
+
+{% endfor %}
+
+# -------------------------------------------------------------
+# RabbitMQ users and permissions
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for user, credential in cluster_args['users'].items() %}
+
+rabbitmq_cluster_{{ cluster }}_user_{{ user }}:
+ rabbitmq.user_present:
+ - name: {{ user }}
+ - cluster: {{ cluster }}
+ - credential: {{ credential }}
+
+{% for vhost, vhost_args in cluster_args["vhosts"].items() %}
+{% if user in vhost_args.get("permissions", {}) %}
+{% set privilege = vhost_args["permissions"][user] %}
+rabbitmq_cluster_{{ cluster }}_vhost_{{ vhost }}_permissions_user_{{ user }}:
+ rabbitmq.user_permissions:
+ - cluster: {{ cluster }}
+ - vhost: {{ vhost }}
+ - user: {{ user }}
+ - permissions:
+ configure: {{ privilege['configure'] }}
+ write: {{ privilege['write'] }}
+ read: {{ privilege['read'] }}
+{% endif %}
+{% endfor %}
+
+{% endfor %}
+
+
+{% endfor %}
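Review bot: the values interpolated into YAML in this hunk are unquoted, which changes their meaning for two inputs the pillar in this change actually uses. A `routing_key` of `"#"` renders as `- routing_key: #`, which YAML reads as a comment, so the queue binding gets no routing key; and the empty-string permissions (`configure: ''`) render as `configure:` and load as null rather than `''`, so the deny-all intent is lost. Quote the interpolations, e.g. `- routing_key: {{ queue_args["routing_key"] | yaml_encode }}` and `configure: {{ privilege['configure'] | yaml_encode }}` (or wrap them in single quotes), and do the same for `description`, which breaks if it ever contains a colon. Also, `vhost_args["description"]` is a hard requirement here while `exchanges`, `queues` and `permissions` use `.get` with defaults; either make it optional the same way or document it as required in the pillar header.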
diff --git a/roles/saas-rabbitmq/server/init.sls b/roles/saas-rabbitmq/server/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/saas-rabbitmq/server/init.sls
@@ -0,0 +1,12 @@
+# -------------------------------------------------------------
+# Salt — RabbitMQ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .software
+
+ # Content includes vhosts, exchanges, queues, users, privileges
+ - .content
diff --git a/roles/saas-rabbitmq/server/software.sls b/roles/saas-rabbitmq/server/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/saas-rabbitmq/server/software.sls
@@ -0,0 +1,8 @@
+# -------------------------------------------------------------
+# Salt — RabbitMQ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# This state is left intentionally blank.
diff --git a/services.sls b/services.sls
new file mode 100644
--- /dev/null
+++ b/services.sls
@@ -0,0 +1,14 @@
+# -------------------------------------------------------------
+# Salt configuration for Nasqueron servers :: services
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: List of the roles configured through services API.
+# They are typically run on the Salt primary server,
+# especially as they can need Vault credentials,
+# but they don't touch any file *directly*.
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+base:
+ 'local':
+ - roles/saas-rabbitmq
D2793: Provision RabbitMQ configuration