Make zk-ca role more generic

This renames zk-ca to opendev-ca and allows us to operate more than
one CA on bridge.  This way we can keep the CAs for ZooKeeper and
Jaeger distinct (so that a compromise of the Jaeger server could not
be used to access the ZooKeeper cluster).

This also starts a new jaeger-ca and uses it on the Jaeger server.

Change-Id: I4e5bc4e3ccd78284ce785c971f7e6ad6e721f887
James E. Blair 2022-09-22 14:36:25 -07:00
parent b127c484c9
commit 11516e0e4b
11 changed files with 81 additions and 73 deletions


@ -32,6 +32,6 @@ Badger database stored at ``/var/jaeger/badger``.
Zuul sends telemetry information to Jaeger via the gRPC protocol.
The internal CA (`zk-ca`) used to create ZooKeeper certs for Zuul is
used to provide and validate client certificates for the gRPC
connection to Jaeger as well.
An internal CA is used to provide and validate client certificates for
the gRPC connection to Jaeger. The CA is distinct from other internal
CAs (for example, ZooKeeper) for security purposes.


@ -34,11 +34,12 @@
- name: Generate GRPC TLS cert
include_role:
name: zk-ca
name: opendev-ca
vars:
zk_ca_cert_dir: /var/jaeger/tls
zk_ca_cert_dir_owner: "{{ jaeger_user }}"
zk_ca_cert_dir_group: "{{ jaeger_group }}"
opendev_ca_name: jaeger
opendev_ca_cert_dir: /var/jaeger/tls
opendev_ca_cert_dir_owner: "{{ jaeger_user }}"
opendev_ca_cert_dir_group: "{{ jaeger_group }}"
- name: Install apache2
apt:


@ -28,11 +28,12 @@
- name: Generate ZooKeeper TLS cert
include_role:
name: zk-ca
name: opendev-ca
vars:
zk_ca_cert_dir: /etc/nodepool
zk_ca_cert_dir_owner: '{{ nodepool_user }}'
zk_ca_cert_dir_group: '{{ nodepool_group }}'
opendev_ca_name: zk
opendev_ca_cert_dir: /etc/nodepool
opendev_ca_cert_dir_owner: '{{ nodepool_user }}'
opendev_ca_cert_dir_group: '{{ nodepool_group }}'
- name: Create nodepool log dir
file:


@ -0,0 +1,7 @@
# Do not define a default here to make sure we select a specific CA
# opendev_ca_name: zk
opendev_ca_root: /var/{{ opendev_ca_name }}-ca
opendev_ca_server: "{{ inventory_hostname }}"
# opendev_ca_cert_dir: /etc/zuul
opendev_ca_cert_dir_owner: 10001
opendev_ca_cert_dir_group: 10001


@ -14,7 +14,8 @@
# License for the specific language governing permissions and limitations
# under the License.
# Manage a CA for Zookeeper
# Manage a CA.
# This is based on the zk-ca.sh script from Zuul.
CAROOT=$1
SERVER=$2
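Review bot: The new header comment `# Manage a CA.` drops the only hint of what the script operates on, and now that one script serves several CAs its two positional arguments deserve documenting. A header such as `# Usage: opendev-ca.sh CAROOT SERVER` followed by `# CAROOT: directory holding this CA's certs/, keys/ and keystores/ (one per CA, e.g. /var/zk-ca); SERVER: host to issue a certificate for` above `CAROOT=$1` would make the contract visible to the next caller. The rest of the script is outside the hunk, so whether it already validates the argument count cannot be seen from here.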


@ -0,0 +1,49 @@
- name: Ensure opendev-ca directory exists
delegate_to: localhost
file:
path: "{{ opendev_ca_root }}"
state: directory
# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run opendev-ca.sh
delegate_to: localhost
script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}"
args:
executable: "flock {{ opendev_ca_root }}/lock"
- name: Ensure cert dir exists
file:
path: "{{ opendev_ca_cert_dir }}/certs"
state: directory
owner: "{{ opendev_ca_cert_dir_owner }}"
group: "{{ opendev_ca_cert_dir_group }}"
mode: '0755'
- name: Ensure keys dir exists
file:
path: "{{ opendev_ca_cert_dir }}/keys"
state: directory
owner: "{{ opendev_ca_cert_dir_owner }}"
group: "{{ opendev_ca_cert_dir_group }}"
mode: '0700'
- name: Copy TLS cacert into place
copy:
src: "{{ opendev_ca_root }}/certs/cacert.pem"
dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem"
- name: Copy TLS cert into place
copy:
src: "{{ opendev_ca_root }}/certs/{{ inventory_hostname }}.pem"
dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem"
- name: Copy TLS key into place
copy:
src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
- name: Copy TLS keystore into place
copy:
src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
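Review bot: The `Copy TLS key into place` and `Copy TLS keystore into place` tasks write private key material with no `owner`, `group` or `mode`, so the files land owned by the connecting user (presumably root) with whatever mode the controller's umask yields, and only the 0700 `keys` directory created just above protects them. Giving both copies the same owner/group as that directory and `mode: '0600'` makes the protection explicit and independent of the directory. The `Ensure opendev-ca directory exists` task on localhost likewise creates `{{ opendev_ca_root }}` without a `mode`, and that tree holds the CA's own private keys, so unless opendev-ca.sh tightens it, `mode: '0700'` is worth adding there as well. Since `opendev_ca_name` deliberately has no default, an `assert` at the top of the role would fail with a clear message rather than an undefined-variable error from the templated `opendev_ca_root`.
```yaml
- name: Assert a specific CA was selected
  assert:
    that:
      - opendev_ca_name is defined
    fail_msg: "opendev_ca_name must be set by the caller (e.g. zk or jaeger)"
- name: Ensure opendev-ca directory exists
  delegate_to: localhost
  file:
    path: "{{ opendev_ca_root }}"
    state: directory
    mode: '0700'
# … unchanged: Run opendev-ca.sh, cert/keys dir tasks, cacert and cert copies …
- name: Copy TLS key into place
  copy:
    src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
- name: Copy TLS keystore into place
  copy:
    src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
```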


@ -1,5 +0,0 @@
zk_ca_root: /var/zk-ca
zk_ca_server: "{{ inventory_hostname }}"
zk_ca_cert_dir: /etc/zuul
zk_ca_cert_dir_owner: 10001
zk_ca_cert_dir_group: 10001


@ -1,49 +0,0 @@
- name: Ensure zk-ca directory exists
delegate_to: localhost
file:
path: "{{ zk_ca_root }}"
state: directory
# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run zk-ca.sh
delegate_to: localhost
script: "zk-ca.sh {{ zk_ca_root }} {{ zk_ca_server }}"
args:
executable: "flock {{ zk_ca_root }}/lock"
- name: Ensure cert dir exists
file:
path: "{{ zk_ca_cert_dir }}/certs"
state: directory
owner: "{{ zk_ca_cert_dir_owner }}"
group: "{{ zk_ca_cert_dir_group }}"
mode: '0755'
- name: Ensure keys dir exists
file:
path: "{{ zk_ca_cert_dir }}/keys"
state: directory
owner: "{{ zk_ca_cert_dir_owner }}"
group: "{{ zk_ca_cert_dir_group }}"
mode: '0700'
- name: Copy TLS cacert into place
copy:
src: "/var/zk-ca/certs/cacert.pem"
dest: "{{ zk_ca_cert_dir }}/certs/cacert.pem"
- name: Copy TLS cert into place
copy:
src: "/var/zk-ca/certs/{{ inventory_hostname }}.pem"
dest: "{{ zk_ca_cert_dir }}/certs/cert.pem"
- name: Copy TLS key into place
copy:
src: "/var/zk-ca/keys/{{ inventory_hostname }}key.pem"
dest: "{{ zk_ca_cert_dir }}/keys/key.pem"
- name: Copy TLS keystore into place
copy:
src: "/var/zk-ca/keystores/{{ inventory_hostname }}.pem"
dest: "{{ zk_ca_cert_dir }}/keys/keystore.pem"


@ -30,11 +30,12 @@
- tls
- name: Generate ZooKeeper TLS cert
include_role:
name: zk-ca
name: opendev-ca
vars:
zk_ca_cert_dir: /var/zookeeper/tls
zk_ca_cert_dir_owner: 10001
zk_ca_cert_dir_group: 10001
opendev_ca_name: zk
opendev_ca_cert_dir: /var/zookeeper/tls
opendev_ca_cert_dir_owner: 10001
opendev_ca_cert_dir_group: 10001
- name: Write config
template:
src: zoo.cfg.j2


@ -23,10 +23,12 @@
- name: Generate ZooKeeper TLS cert
include_role:
name: zk-ca
name: opendev-ca
vars:
zk_ca_cert_dir_owner: "{{ zuul_user_id }}"
zk_ca_cert_dir_group: "{{ zuul_group_id }}"
opendev_ca_name: zk
opendev_ca_cert_dir: /etc/zuul
opendev_ca_cert_dir_owner: "{{ zuul_user_id }}"
opendev_ca_cert_dir_group: "{{ zuul_group_id }}"
- name: Write Zuul Conf File
template:
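Review bot: The Zuul role still requests a certificate from only the `zk` CA (`opendev_ca_name: zk`), while the description and the jaeger.rst change say the new, distinct `jaeger` CA now issues and validates the client certificates for the gRPC connection to Jaeger. If Zuul is expected to present a jaeger-CA client certificate, a second `include_role: opendev-ca` with `opendev_ca_name: jaeger` and its own `opendev_ca_cert_dir` appears to be missing from this hunk; if the zuul.conf template does not yet point at Jaeger, a short comment here noting that the Jaeger client cert is wired up separately would save the next reader the same question. The `Write Zuul Conf File` task continues outside the hunk.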