Make zk-ca role more generic
This renames zk-ca to opendev-ca and allows us to operate more than one ca on bridge. This way we can keep the CAs for ZooKeeper and Jaeger distinct (so that a compromise of the jaeger server could not be used to access the ZooKeeper cluster). This also starts a new jaeger-ca and uses it on the Jaeger server. Change-Id: I4e5bc4e3ccd78284ce785c971f7e6ad6e721f887
This commit is contained in:
parent
b127c484c9
commit
11516e0e4b
@ -32,6 +32,6 @@ Badger database stored at ``/var/jaeger/badger``.
|
||||
|
||||
Zuul sends telemetry information to Jaeger via the gRPC protocol.
|
||||
|
||||
The internal CA (`zk-ca`) used to create ZooKeeper certs for Zuul is
|
||||
used to provide and validate client certificates for the gRPC
|
||||
connection to Jaeger as well.
|
||||
An internal CA is used to provide and validate client certificates for
|
||||
the gRPC connection to Jaeger. The CA is distinct from other internal
|
||||
CAs (for example, ZooKeeper) for security purposes.
|
||||
|
@ -34,11 +34,12 @@
|
||||
|
||||
- name: Generate GRPC TLS cert
|
||||
include_role:
|
||||
name: zk-ca
|
||||
name: opendev-ca
|
||||
vars:
|
||||
zk_ca_cert_dir: /var/jaeger/tls
|
||||
zk_ca_cert_dir_owner: "{{ jaeger_user }}"
|
||||
zk_ca_cert_dir_group: "{{ jaeger_group }}"
|
||||
opendev_ca_name: jaeger
|
||||
opendev_ca_cert_dir: /var/jaeger/tls
|
||||
opendev_ca_cert_dir_owner: "{{ jaeger_user }}"
|
||||
opendev_ca_cert_dir_group: "{{ jaeger_group }}"
|
||||
|
||||
- name: Install apache2
|
||||
apt:
|
||||
|
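Review bot: Pointing Jaeger at its own CA (the `opendev_ca_name: jaeger` line) does not by itself withdraw the certificate that zk-ca previously issued to this host, which the removed documentation text says existed; if ZooKeeper accepts any client certificate signed by zk-ca, that earlier certificate and its key remain usable until they expire, so the isolation described in the commit message only fully applies once they are gone. The copy tasks overwrite the key on the Jaeger host, but the zk-ca copies on bridge (the `/var/zk-ca/certs/<host>.pem` and `/var/zk-ca/keys/<host>key.pem` paths shown in the deleted role) are not touched here; consider removing the Jaeger host's entries there and recording the one-time cleanup in the docs. The enclosing play continues outside the hunk.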
@ -28,11 +28,12 @@
|
||||
|
||||
- name: Generate ZooKeeper TLS cert
|
||||
include_role:
|
||||
name: zk-ca
|
||||
name: opendev-ca
|
||||
vars:
|
||||
zk_ca_cert_dir: /etc/nodepool
|
||||
zk_ca_cert_dir_owner: '{{ nodepool_user }}'
|
||||
zk_ca_cert_dir_group: '{{ nodepool_group }}'
|
||||
opendev_ca_name: zk
|
||||
opendev_ca_cert_dir: /etc/nodepool
|
||||
opendev_ca_cert_dir_owner: '{{ nodepool_user }}'
|
||||
opendev_ca_cert_dir_group: '{{ nodepool_group }}'
|
||||
|
||||
- name: Create nodepool log dir
|
||||
file:
|
||||
|
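--- a/playbooks/roles/opendev-ca/defaults/main.yaml
+++ b/playbooks/roles/opendev-ca/defaults/main.yaml
@@ -0,0 +1,7 @@
+# Do not define a default here to make sure we select a specific CA
+# opendev_ca_name: zk
+opendev_ca_root: /var/{{ opendev_ca_name }}-ca
+opendev_ca_server: "{{ inventory_hostname }}"
+# opendev_ca_cert_dir: /etc/zuul
+opendev_ca_cert_dir_owner: 10001
+opendev_ca_cert_dir_group: 10001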
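Review bot: `opendev_ca_root: /var/{{ opendev_ca_name }}-ca` leaves its templated value unquoted while `opendev_ca_server` on the next line quotes its expression; it parses as a plain string today only because it does not start with `{{`, so quoting it as `opendev_ca_root: "/var/{{ opendev_ca_name }}-ca"` keeps the file consistent and avoids the flow-mapping trap if the prefix is ever dropped. The commented `# opendev_ca_cert_dir: /etc/zuul` now reads as a leftover Zuul-specific default rather than a statement of intent, since the Zuul play in this commit sets the directory explicitly; a comment such as `# No default for opendev_ca_cert_dir: each caller must set it` would state the same rule the first comment gives for opendev_ca_name.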
@ -14,7 +14,8 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# Manage a CA for Zookeeper
|
||||
# Manage a CA.
|
||||
# This is based on the zk-ca.sh script from Zuul.
|
||||
|
||||
CAROOT=$1
|
||||
SERVER=$2
|
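--- a/playbooks/roles/opendev-ca/tasks/main.yaml
+++ b/playbooks/roles/opendev-ca/tasks/main.yaml
@@ -0,0 +1,49 @@
+- name: Ensure opendev-ca directory exists
+  delegate_to: localhost
+  file:
+    path: "{{ opendev_ca_root }}"
+    state: directory
+
+# Run this in flock so that we can run it in plays for multiple target
+# hosts in parallel while serializing access to the CA files.
+- name: Run opendev-ca.sh
+  delegate_to: localhost
+  script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}"
+  args:
+    executable: "flock {{ opendev_ca_root }}/lock"
+
+- name: Ensure cert dir exists
+  file:
+    path: "{{ opendev_ca_cert_dir }}/certs"
+    state: directory
+    owner: "{{ opendev_ca_cert_dir_owner }}"
+    group: "{{ opendev_ca_cert_dir_group }}"
+    mode: '0755'
+
+- name: Ensure keys dir exists
+  file:
+    path: "{{ opendev_ca_cert_dir }}/keys"
+    state: directory
+    owner: "{{ opendev_ca_cert_dir_owner }}"
+    group: "{{ opendev_ca_cert_dir_group }}"
+    mode: '0700'
+
+- name: Copy TLS cacert into place
+  copy:
+    src: "{{ opendev_ca_root }}/certs/cacert.pem"
+    dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem"
+
+- name: Copy TLS cert into place
+  copy:
+    src: "{{ opendev_ca_root }}/certs/{{ inventory_hostname }}.pem"
+    dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem"
+
+- name: Copy TLS key into place
+  copy:
+    src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
+    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
+
+- name: Copy TLS keystore into place
+  copy:
+    src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
+    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"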
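Review bot: The `Copy TLS key into place` and `Copy TLS keystore into place` tasks (the last two tasks in the hunk) write private key material without `owner`, `group` or `mode`, so `key.pem` and `keystore.pem` end up owned by the connecting user with whatever mode the remote umask yields, rather than under the `opendev_ca_cert_dir_owner` / `mode: '0700'` policy that the `Ensure keys dir exists` task applies to the parent directory. Protection of the key then rests on the directory mode alone, and any later loosening of `keys/` exposes it; setting explicit ownership and `mode: '0600'` on both copies makes the file permissions independent of umask and of the directory. The cacert and cert copies could carry `mode: '0644'` with the same owner and group for consistency. This was already the shape of the deleted zk-ca role, so it is not a regression, but the new role is the place to fix it.
```yaml
# … unchanged: directory, opendev-ca.sh, cacert and cert copy tasks …

- name: Copy TLS key into place
  copy:
    src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'

- name: Copy TLS keystore into place
  copy:
    src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
```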
@ -1,5 +0,0 @@
|
||||
zk_ca_root: /var/zk-ca
|
||||
zk_ca_server: "{{ inventory_hostname }}"
|
||||
zk_ca_cert_dir: /etc/zuul
|
||||
zk_ca_cert_dir_owner: 10001
|
||||
zk_ca_cert_dir_group: 10001
|
@ -1,49 +0,0 @@
|
||||
- name: Ensure zk-ca directory exists
|
||||
delegate_to: localhost
|
||||
file:
|
||||
path: "{{ zk_ca_root }}"
|
||||
state: directory
|
||||
|
||||
# Run this in flock so that we can run it in plays for multiple target
|
||||
# hosts in parallel while serializing access to the CA files.
|
||||
- name: Run zk-ca.sh
|
||||
delegate_to: localhost
|
||||
script: "zk-ca.sh {{ zk_ca_root }} {{ zk_ca_server }}"
|
||||
args:
|
||||
executable: "flock {{ zk_ca_root }}/lock"
|
||||
|
||||
- name: Ensure cert dir exists
|
||||
file:
|
||||
path: "{{ zk_ca_cert_dir }}/certs"
|
||||
state: directory
|
||||
owner: "{{ zk_ca_cert_dir_owner }}"
|
||||
group: "{{ zk_ca_cert_dir_group }}"
|
||||
mode: '0755'
|
||||
|
||||
- name: Ensure keys dir exists
|
||||
file:
|
||||
path: "{{ zk_ca_cert_dir }}/keys"
|
||||
state: directory
|
||||
owner: "{{ zk_ca_cert_dir_owner }}"
|
||||
group: "{{ zk_ca_cert_dir_group }}"
|
||||
mode: '0700'
|
||||
|
||||
- name: Copy TLS cacert into place
|
||||
copy:
|
||||
src: "/var/zk-ca/certs/cacert.pem"
|
||||
dest: "{{ zk_ca_cert_dir }}/certs/cacert.pem"
|
||||
|
||||
- name: Copy TLS cert into place
|
||||
copy:
|
||||
src: "/var/zk-ca/certs/{{ inventory_hostname }}.pem"
|
||||
dest: "{{ zk_ca_cert_dir }}/certs/cert.pem"
|
||||
|
||||
- name: Copy TLS key into place
|
||||
copy:
|
||||
src: "/var/zk-ca/keys/{{ inventory_hostname }}key.pem"
|
||||
dest: "{{ zk_ca_cert_dir }}/keys/key.pem"
|
||||
|
||||
- name: Copy TLS keystore into place
|
||||
copy:
|
||||
src: "/var/zk-ca/keystores/{{ inventory_hostname }}.pem"
|
||||
dest: "{{ zk_ca_cert_dir }}/keys/keystore.pem"
|
@ -30,11 +30,12 @@
|
||||
- tls
|
||||
- name: Generate ZooKeeper TLS cert
|
||||
include_role:
|
||||
name: zk-ca
|
||||
name: opendev-ca
|
||||
vars:
|
||||
zk_ca_cert_dir: /var/zookeeper/tls
|
||||
zk_ca_cert_dir_owner: 10001
|
||||
zk_ca_cert_dir_group: 10001
|
||||
opendev_ca_name: zk
|
||||
opendev_ca_cert_dir: /var/zookeeper/tls
|
||||
opendev_ca_cert_dir_owner: 10001
|
||||
opendev_ca_cert_dir_group: 10001
|
||||
- name: Write config
|
||||
template:
|
||||
src: zoo.cfg.j2
|
||||
|
@ -23,10 +23,12 @@
|
||||
|
||||
- name: Generate ZooKeeper TLS cert
|
||||
include_role:
|
||||
name: zk-ca
|
||||
name: opendev-ca
|
||||
vars:
|
||||
zk_ca_cert_dir_owner: "{{ zuul_user_id }}"
|
||||
zk_ca_cert_dir_group: "{{ zuul_group_id }}"
|
||||
opendev_ca_name: zk
|
||||
opendev_ca_cert_dir: /etc/zuul
|
||||
opendev_ca_cert_dir_owner: "{{ zuul_user_id }}"
|
||||
opendev_ca_cert_dir_group: "{{ zuul_group_id }}"
|
||||
|
||||
- name: Write Zuul Conf File
|
||||
template:
|
||||
|