From 7a32463f9d70df823357fc9972191cc10b823674 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Wed, 15 Jul 2020 15:45:24 -0700
Subject: [PATCH] Revert "Revert "Add Zookeeper TLS support""

This reverts commit 05021f11a29a0213c5aecddf8e7b907b7834214a.

This switches Zuul and Nodepool to use Zookeeper TLS.  The ZK
cluster is already listening on both ports.

Change-Id: I03d28fb75610fbf5221eeee28699e4bd6f1157ea
---
 .../roles/nodepool-base/library/make_nodepool_zk_hosts.py    | 2 +-
 playbooks/roles/nodepool-base/tasks/main.yaml                | 4 ++++
 playbooks/roles/zuul/templates/zuul.conf.j2                  | 5 ++++-
 testinfra/test_zookeeper.py                                  | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py b/playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py
index e00803a282..2919c98521 100644
--- a/playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py
+++ b/playbooks/roles/nodepool-base/library/make_nodepool_zk_hosts.py
@@ -31,7 +31,7 @@ def main():
         for host in p['zk_group']:
             zk_hosts.append(dict(
                 host=p['hostvars'][host]['ansible_host'],
-                port=2181
+                port=2281
             ))
         module.exit_json(hosts=zk_hosts, changed=True)
     except Exception as e:
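Review bot: The TLS port is a bare literal at `port=2281`, and the same number is repeated in the zuul.conf.j2 hunk and in testinfra/test_zookeeper.py, so a later port change or rollback has to touch three files in step. A short comment on this line would make the intent clear to the next reader: `# 2281 is the ZooKeeper TLS listener; 2181 is the plaintext one`. main() begins and ends outside this hunk, so it is not visible whether the module already accepts parameters that could carry the port instead.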
diff --git a/playbooks/roles/nodepool-base/tasks/main.yaml b/playbooks/roles/nodepool-base/tasks/main.yaml
index d2c85f2bc5..a6a1822163 100644
--- a/playbooks/roles/nodepool-base/tasks/main.yaml
+++ b/playbooks/roles/nodepool-base/tasks/main.yaml
@@ -71,6 +71,10 @@
   vars:
     new_config:
       zookeeper-servers: '{{ zk_hosts.hosts }}'
+      zookeeper-tls:
+        cert: "/etc/nodepool/certs/cert.pem"
+        key: "/etc/nodepool/keys/key.pem"
+        ca: "/etc/nodepool/certs/cacert.pem"
   set_fact:
     nodepool_config: "{{ nodepool_config | combine(new_config) }}"
 
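Review bot: Nothing in this hunk shows how `/etc/nodepool/keys/key.pem` reaches the host or with what owner and mode, and that private key is what authenticates nodepool to ZooKeeper. If the tasks that install the three files live elsewhere in the role, a comment above `zookeeper-tls:` naming them would help, for example `# cert/key/ca are installed by <task name - placeholder>; key.pem must be readable only by the service user`. If they are missing on any host, the client has no plaintext fallback once the port moves to 2281. The task that owns this `vars:` block starts above the hunk.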
diff --git a/playbooks/roles/zuul/templates/zuul.conf.j2 b/playbooks/roles/zuul/templates/zuul.conf.j2
index 93f27de39d..0f5c65a6c4 100644
--- a/playbooks/roles/zuul/templates/zuul.conf.j2
+++ b/playbooks/roles/zuul/templates/zuul.conf.j2
@@ -28,8 +28,11 @@ relative_priority=true
 user=zuul
 
 [zookeeper]
-hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2181{% if not loop.last %},{% endif %}{% endfor %}
+hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2281{% if not loop.last %},{% endif %}{% endfor %}
 
+tls_cert=/etc/zuul/certs/cert.pem
+tls_key=/etc/zuul/keys/key.pem
+tls_ca=/etc/zuul/certs/cacert.pem
 session_timeout=40
 
 [statsd]
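Review bot: The `hosts=` line is built from `hostvars[host].public_v4`, so the client dials IP addresses, while `tls_ca` only establishes that the server certificate chains to that CA. Whether the ZooKeeper client also checks the certificate against the address it connected to is not visible here. If it does not, any certificate issued by that CA is accepted as a ZooKeeper server, so the CA should sign nothing but ZooKeeper-cluster certificates. A comment above `tls_cert=` would record the assumption: `# peers are addressed by IP; confirm the client checks the cert against the address, otherwise keep tls_ca ZK-only`. As a style point, the blank line kept between `hosts=` and `tls_cert=` visually detaches the TLS settings from the host list they apply to.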
diff --git a/testinfra/test_zookeeper.py b/testinfra/test_zookeeper.py
index 6327a71c8f..feb9009612 100644
--- a/testinfra/test_zookeeper.py
+++ b/testinfra/test_zookeeper.py
@@ -22,7 +22,7 @@ def test_id_file(host):
     assert myid.content == b'1\n'
 
 def test_zk_listening(host):
-    zk = host.socket("tcp://0.0.0.0:2181")
+    zk = host.socket("tcp://0.0.0.0:2281")
     assert zk.is_listening
 
 def test_zk_listening_ssl(host):
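Review bot: Pointing `test_zk_listening` at port 2281 removes the only visible check of the plaintext port, and the test now appears to overlap with `test_zk_listening_ssl`, whose body lies outside the hunk. The commit message says the cluster listens on both ports, so the 2181 assertion still holds and could be kept under its own test. A comment would mark it as temporary: `# plaintext port stays open during the TLS migration; assert it is closed once 2181 is retired`. That leaves an obvious place to add `assert not zk.is_listening` for 2181 when the plaintext listener is turned off.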