
Revert "Revert "Add Zookeeper TLS support""

This reverts commit 05021f11a2.

This switches Zuul and Nodepool to use Zookeeper TLS.  The ZK
cluster is already listening on both ports.

Change-Id: I03d28fb75610fbf5221eeee28699e4bd6f1157ea
changes/35/741335/1
James E. Blair 2 years ago
parent
commit
7a32463f9d
  1. 2
      playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py
  2. 4
      playbooks/roles/nodepool-base/tasks/main.yaml
  3. 5
      playbooks/roles/zuul/templates/zuul.conf.j2
  4. 2
      testinfra/test_zookeeper.py

2
playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py

@ -31,7 +31,7 @@ def main():
for host in p['zk_group']:
zk_hosts.append(dict(
host=p['hostvars'][host]['ansible_host'],
port=2181
port=2281
))
module.exit_json(hosts=zk_hosts, changed=True)
except Exception as e:
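Review bot: The new `port=2281` is an unexplained literal, and the same number is repeated in the `hosts=` line of playbooks/roles/zuul/templates/zuul.conf.j2 and in testinfra/test_zookeeper.py, so a later port change or another rollback has to edit three files in step. Connecting on this port only works together with the `zookeeper-tls` block added in nodepool-base/tasks/main.yaml, which nothing here states. I would add a comment above the loop such as `# 2281 is the ZooKeeper TLS listener; the nodepool config must also carry zookeeper-tls`. main() starts and ends outside this hunk, so whether the port could instead come from a module parameter is not visible.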

4
playbooks/roles/nodepool-base/tasks/main.yaml

@ -71,6 +71,10 @@
vars:
new_config:
zookeeper-servers: '{{ zk_hosts.hosts }}'
zookeeper-tls:
cert: "/etc/nodepool/certs/cert.pem"
key: "/etc/nodepool/keys/key.pem"
ca: "/etc/nodepool/certs/cacert.pem"
set_fact:
nodepool_config: "{{ nodepool_config | combine(new_config) }}"
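Review bot: Nothing in this task checks that the three files named under `zookeeper-tls` exist, or that `/etc/nodepool/keys/key.pem` is readable only by the account nodepool runs as; the paths are written into the config as-is. If the certificates are deployed by another role (not visible in this commit), a comment saying so would help, for example `# cert/key/ca are installed by <role that deploys them>; the key must not be group- or world-readable`. A `stat` plus `assert` task ahead of this `set_fact` would catch a missing file or loose key permissions at deploy time rather than at service start. The task's name and its earlier lines are outside the hunk.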

5
playbooks/roles/zuul/templates/zuul.conf.j2

@ -28,8 +28,11 @@ relative_priority=true
user=zuul
[zookeeper]
hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2181{% if not loop.last %},{% endif %}{% endfor %}
hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2281{% if not loop.last %},{% endif %}{% endfor %}
tls_cert=/etc/zuul/certs/cert.pem
tls_key=/etc/zuul/keys/key.pem
tls_ca=/etc/zuul/certs/cacert.pem
session_timeout=40
[statsd]
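Review bot: The `hosts=` line addresses each server by its `public_v4` IP while `tls_ca` is the only trust setting, so what the client actually verifies about the server depends on behaviour this template does not show. If the client checks the peer name, the server certificates need IP subject alternative names for these addresses; if it only checks the chain, any certificate issued under `cacert.pem` is accepted as a ZooKeeper server, and that CA should then be dedicated to this cluster. A comment above `tls_ca=` recording which case applies, once confirmed, would make the trust model reviewable, e.g. `{# CA is private to the ZK cluster; server certs are validated by chain only #}`.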

2
testinfra/test_zookeeper.py

@ -22,7 +22,7 @@ def test_id_file(host):
assert myid.content == b'1\n'
def test_zk_listening(host):
zk = host.socket("tcp://0.0.0.0:2181")
zk = host.socket("tcp://0.0.0.0:2281")
assert zk.is_listening
def test_zk_listening_ssl(host):
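Review bot: With `test_zk_listening` now probing 2281, no test visible here says anything about the plaintext port 2181, which the commit message says the cluster is still listening on. Once every client uses TLS that unencrypted listener is unnecessary exposure, and the suite should state the intended end state, e.g. `assert not host.socket("tcp://0.0.0.0:2181").is_listening` after the plaintext listener is disabled. The body of `test_zk_listening_ssl` is outside the hunk; if it also checks 2281, the two tests are now duplicates and one of them could keep covering 2181 until it is turned off.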
