opendev/system-config
Code Issues Proposed changes

Make zk-ca role more generic

Browse Source 
This renames zk-ca to opendev-ca and allows us to operate more than
one ca on bridge.  This way we can keep the CAs for ZooKeeper and
Jaeger distinct (so that a compromise of the jaeger server could not
be used to access the ZooKeeper cluster).

This also starts a new jaeger-ca and uses it on the Jaeger server.

Change-Id: I4e5bc4e3ccd78284ce785c971f7e6ad6e721f887
This commit is contained in:
James E. Blair 2022-09-22 14:36:25 -07:00
parent b127c484c9
commit 11516e0e4b
11 changed files with 81 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/source/tracing.rst
View File

@ -32,6 +32,6 @@ Badger database stored at ``/var/jaeger/badger``.
Zuul sends telemetry information to Jaeger via the gRPC protocol. Zuul sends telemetry information to Jaeger via the gRPC protocol.
The internal CA (`zk-ca`) used to create ZooKeeper certs for Zuul is An internal CA is used to provide and validate client certificates for
used to provide and validate client certificates for the gRPC the gRPC connection to Jaeger. The CA is distinct from other internal
connection to Jaeger as well. CAs (for example, ZooKeeper) for security purposes.

9
playbooks/roles/jaeger/tasks/main.yaml
View File

@ -34,11 +34,12 @@
- name: Generate GRPC TLS cert - name: Generate GRPC TLS cert
include_role: include_role:
name: zk-ca name: opendev-ca
vars: vars:
zk_ca_cert_dir: /var/jaeger/tls opendev_ca_name: jaeger
zk_ca_cert_dir_owner: "{{ jaeger_user }}" opendev_ca_cert_dir: /var/jaeger/tls
zk_ca_cert_dir_group: "{{ jaeger_group }}" opendev_ca_cert_dir_owner: "{{ jaeger_user }}"
opendev_ca_cert_dir_group: "{{ jaeger_group }}"
- name: Install apache2 - name: Install apache2
apt: apt:

9
playbooks/roles/nodepool-base/tasks/main.yaml
View File

@ -28,11 +28,12 @@
- name: Generate ZooKeeper TLS cert - name: Generate ZooKeeper TLS cert
include_role: include_role:
name: zk-ca name: opendev-ca
vars: vars:
zk_ca_cert_dir: /etc/nodepool opendev_ca_name: zk
zk_ca_cert_dir_owner: '{{ nodepool_user }}' opendev_ca_cert_dir: /etc/nodepool
zk_ca_cert_dir_group: '{{ nodepool_group }}' opendev_ca_cert_dir_owner: '{{ nodepool_user }}'
opendev_ca_cert_dir_group: '{{ nodepool_group }}'
- name: Create nodepool log dir - name: Create nodepool log dir
file: file:

0
playbooks/roles/zk-ca/README.rst → playbooks/roles/opendev-ca/README.rst
View File

7
playbooks/roles/opendev-ca/defaults/main.yaml Normal file
View File

@ -0,0 +1,7 @@
# Do not define a default here to make sure we select a specific CA
# opendev_ca_name: zk
opendev_ca_root: /var/{{ opendev_ca_name }}-ca
opendev_ca_server: "{{ inventory_hostname }}"
# opendev_ca_cert_dir: /etc/zuul
opendev_ca_cert_dir_owner: 10001
opendev_ca_cert_dir_group: 10001

3
playbooks/roles/zk-ca/zk-ca.sh → playbooks/roles/opendev-ca/opendev-ca.sh
View File

@ -14,7 +14,8 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
# Manage a CA for Zookeeper # Manage a CA.
# This is based on the zk-ca.sh script from Zuul.
CAROOT=$1 CAROOT=$1
SERVER=$2 SERVER=$2

49
playbooks/roles/opendev-ca/tasks/main.yaml Normal file
View File

@ -0,0 +1,49 @@
- name: Ensure opendev-ca directory exists
delegate_to: localhost
file:
path: "{{ opendev_ca_root }}"
state: directory
# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run opendev-ca.sh
delegate_to: localhost
script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}"
args:
executable: "flock {{ opendev_ca_root }}/lock"
- name: Ensure cert dir exists
file:
path: "{{ opendev_ca_cert_dir }}/certs"
state: directory
owner: "{{ opendev_ca_cert_dir_owner }}"
group: "{{ opendev_ca_cert_dir_group }}"
mode: '0755'
- name: Ensure keys dir exists
file:
path: "{{ opendev_ca_cert_dir }}/keys"
state: directory
owner: "{{ opendev_ca_cert_dir_owner }}"
group: "{{ opendev_ca_cert_dir_group }}"
mode: '0700'
- name: Copy TLS cacert into place
copy:
src: "{{ opendev_ca_root }}/certs/cacert.pem"
dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem"
- name: Copy TLS cert into place
copy:
src: "{{ opendev_ca_root }}/certs/{{ inventory_hostname }}.pem"
dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem"
- name: Copy TLS key into place
copy:
src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
- name: Copy TLS keystore into place
copy:
src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"

5
playbooks/roles/zk-ca/defaults/main.yaml
View File

@ -1,5 +0,0 @@
zk_ca_root: /var/zk-ca
zk_ca_server: "{{ inventory_hostname }}"
zk_ca_cert_dir: /etc/zuul
zk_ca_cert_dir_owner: 10001
zk_ca_cert_dir_group: 10001

49
playbooks/roles/zk-ca/tasks/main.yaml
View File

@ -1,49 +0,0 @@
- name: Ensure zk-ca directory exists
delegate_to: localhost
file:
path: "{{ zk_ca_root }}"
state: directory
# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run zk-ca.sh
delegate_to: localhost
script: "zk-ca.sh {{ zk_ca_root }} {{ zk_ca_server }}"
args:
executable: "flock {{ zk_ca_root }}/lock"
- name: Ensure cert dir exists
file:
path: "{{ zk_ca_cert_dir }}/certs"
state: directory
owner: "{{ zk_ca_cert_dir_owner }}"
group: "{{ zk_ca_cert_dir_group }}"
mode: '0755'
- name: Ensure keys dir exists
file:
path: "{{ zk_ca_cert_dir }}/keys"
state: directory
owner: "{{ zk_ca_cert_dir_owner }}"
group: "{{ zk_ca_cert_dir_group }}"
mode: '0700'
- name: Copy TLS cacert into place
copy:
src: "/var/zk-ca/certs/cacert.pem"
dest: "{{ zk_ca_cert_dir }}/certs/cacert.pem"
- name: Copy TLS cert into place
copy:
src: "/var/zk-ca/certs/{{ inventory_hostname }}.pem"
dest: "{{ zk_ca_cert_dir }}/certs/cert.pem"
- name: Copy TLS key into place
copy:
src: "/var/zk-ca/keys/{{ inventory_hostname }}key.pem"
dest: "{{ zk_ca_cert_dir }}/keys/key.pem"
- name: Copy TLS keystore into place
copy:
src: "/var/zk-ca/keystores/{{ inventory_hostname }}.pem"
dest: "{{ zk_ca_cert_dir }}/keys/keystore.pem"

9
playbooks/roles/zookeeper/tasks/main.yaml
View File

@ -30,11 +30,12 @@
- tls - tls
- name: Generate ZooKeeper TLS cert - name: Generate ZooKeeper TLS cert
include_role: include_role:
name: zk-ca name: opendev-ca
vars: vars:
zk_ca_cert_dir: /var/zookeeper/tls opendev_ca_name: zk
zk_ca_cert_dir_owner: 10001 opendev_ca_cert_dir: /var/zookeeper/tls
zk_ca_cert_dir_group: 10001 opendev_ca_cert_dir_owner: 10001
opendev_ca_cert_dir_group: 10001
- name: Write config - name: Write config
template: template:
src: zoo.cfg.j2 src: zoo.cfg.j2

8
playbooks/roles/zuul/tasks/main.yaml
View File

@ -23,10 +23,12 @@
- name: Generate ZooKeeper TLS cert - name: Generate ZooKeeper TLS cert
include_role: include_role:
name: zk-ca name: opendev-ca
vars: vars:
zk_ca_cert_dir_owner: "{{ zuul_user_id }}" opendev_ca_name: zk
zk_ca_cert_dir_group: "{{ zuul_group_id }}" opendev_ca_cert_dir: /etc/zuul
opendev_ca_cert_dir_owner: "{{ zuul_user_id }}"
opendev_ca_cert_dir_group: "{{ zuul_group_id }}"
- name: Write Zuul Conf File - name: Write Zuul Conf File
template: template: