Page MenuHomeDevCentral

Configure Notifications center
ClosedPublic

Authored by dereckson on Oct 2 2020, 00:27.
Referenced Files
Unknown Object (File)
Tue, Nov 26, 06:03
Unknown Object (File)
Mon, Nov 25, 10:59
Unknown Object (File)
Mon, Nov 25, 10:56
Unknown Object (File)
Mon, Nov 25, 10:53
Unknown Object (File)
Mon, Nov 25, 10:50
Unknown Object (File)
Mon, Nov 25, 10:40
Unknown Object (File)
Mon, Nov 25, 10:37
Unknown Object (File)
Mon, Nov 25, 10:37
Subscribers
None

Details

Summary

Currently, the notifications center configuration is stored into
an ad hoc repository, operations-data-notifications (rOPSDATAN).

Configuration files are JSON, which can be more compactly expressed
and maintained in YAML, then dumped on the server as JSON.

As we need to provision those files and set SELinux context for them,
they can be hosted directly on rOPS too.

Secrets for credentials.json are stored in Vault.

Test Plan

Deploy container and config on docker-001.

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

Confused two files for a change. This one will be the config change so.

dereckson retitled this revision from Move notifications container to production Docker engine to Configure Notifications center.Oct 2 2020, 00:48
dereckson edited the summary of this revision. (Show Details)
dereckson edited the test plan for this revision. (Show Details)

Fix uid, gid and path: this is Notifications center, not RabbitMQ.

dereckson added inline comments.
pillar/notifications/config.sls
57

orgz

Next: switch to Vault credentials

Next: migrate secrets to Vault

#!/bin/sh
vault kv put ops/secrets/nasqueron.notifications.credentials_github_nasqueron password=$(ssh ysul /usr/home/zr/bin/getcredentials 153 token)
vault kv put ops/secrets/nasqueron.notifications.credentials_github_wolfplex password=$(ssh ysul /usr/home/zr/bin/getcredentials 156 token)
vault kv put ops/secrets/nasqueron.notifications.credentials_github_keruald password=$(ssh ysul /usr/home/zr/bin/getcredentials 157 token)
vault kv put ops/secrets/nasqueron.notifications.credentials_github_trustspace password=$(ssh ysul /usr/home/zr/bin/getcredentials 158 token)
vault kv put ops/secrets/nasqueron.notifications.credentials_github_eglide password=$(ssh ysul /usr/home/zr/bin/getcredentials 159 token)
vault kv put ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron password=$(ssh ysul /usr/home/zr/bin/getcredentials 154 token)
pillar/notifications/config.sls
43

Not sure api_token has ever been used, code uses secret field in PhabricatorAPI class.

This revision is now accepted and ready to land.Jan 30 2023, 19:10

Rebased. Removed created field from new file.

This revision was automatically updated to reflect the committed changes.
pillar/notifications/config.sls
19

Pillar doesn't have access to credentials module.

Furthermore, access is granted to those keys for docker-001, not the Salt master.

Perhaps we need a Jinja filter to call credentials.get_password (get_token is an alias for get_password, so no need to implement that)?