Revert "Revert "Add Zookeeper TLS support""

This reverts commit 05021f11a2.

This switches Zuul and Nodepool to use Zookeeper TLS.  The ZK
cluster is already listening on both ports.

Change-Id: I03d28fb75610fbf5221eeee28699e4bd6f1157ea
James E. Blair 2020-07-15 15:45:24 -07:00
parent cd76e090c3
commit 7a32463f9d
4 changed files with 10 additions and 3 deletions


@ -31,7 +31,7 @@ def main():
for host in p['zk_group']: for host in p['zk_group']:
zk_hosts.append(dict( zk_hosts.append(dict(
host=p['hostvars'][host]['ansible_host'], host=p['hostvars'][host]['ansible_host'],
port=2181 port=2281
)) ))
module.exit_json(hosts=zk_hosts, changed=True) module.exit_json(hosts=zk_hosts, changed=True)
except Exception as e: except Exception as e:
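Review bot: The TLS port is written as the bare literal `port=2281` inside the host dict, and the same number is repeated in the `hosts=` line of the zuul.conf template and in the testinfra socket check, so a later port change has to be made in three places and nothing says which listener this is. A named constant next to the module's other top-level definitions would document it, for example `ZK_TLS_PORT = 2281  # ZooKeeper secureClientPort (TLS listener)`, with `port=ZK_TLS_PORT` in the dict. `main()` starts and ends outside this hunk.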


@ -71,6 +71,10 @@
vars: vars:
new_config: new_config:
zookeeper-servers: '{{ zk_hosts.hosts }}' zookeeper-servers: '{{ zk_hosts.hosts }}'
zookeeper-tls:
cert: "/etc/nodepool/certs/cert.pem"
key: "/etc/nodepool/keys/key.pem"
ca: "/etc/nodepool/certs/cacert.pem"
set_fact: set_fact:
nodepool_config: "{{ nodepool_config | combine(new_config) }}" nodepool_config: "{{ nodepool_config | combine(new_config) }}"
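Review bot: The new `zookeeper-tls` block points nodepool at `/etc/nodepool/keys/key.pem`, but nothing in this hunk shows which task installs the key, certificate and CA, or what ownership and mode they get; the same holds for the `tls_key=` line added to the zuul.conf template. If those tasks live elsewhere, a short comment above the block would make the dependency explicit, for example `# cert/key/ca are installed by <task or role name>; key.pem must be readable only by the nodepool user`. The play that this `vars:` section belongs to starts outside the hunk.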


@ -28,8 +28,11 @@ relative_priority=true
user=zuul user=zuul
[zookeeper] [zookeeper]
hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2181{% if not loop.last %},{% endif %}{% endfor %} hosts={% for host in groups['zookeeper'] %}{{ (hostvars[host].public_v4) }}:2281{% if not loop.last %},{% endif %}{% endfor %}
tls_cert=/etc/zuul/certs/cert.pem
tls_key=/etc/zuul/keys/key.pem
tls_ca=/etc/zuul/certs/cacert.pem
session_timeout=40 session_timeout=40
[statsd] [statsd]


@ -22,7 +22,7 @@ def test_id_file(host):
assert myid.content == b'1\n' assert myid.content == b'1\n'
def test_zk_listening(host): def test_zk_listening(host):
zk = host.socket("tcp://0.0.0.0:2181") zk = host.socket("tcp://0.0.0.0:2281")
assert zk.is_listening assert zk.is_listening
def test_zk_listening_ssl(host): def test_zk_listening_ssl(host):
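Review bot: After this change `test_zk_listening` checks port 2281, which is presumably what `test_zk_listening_ssl` already checks (its body is outside the hunk), so no test asserts the state of the plaintext port 2181 any more. The commit message says the cluster listens on both ports, so either keep the 2181 check here until plaintext is turned off, or, once it is, state the intent with `zk = host.socket("tcp://0.0.0.0:2181")` followed by `assert not zk.is_listening`. With the plaintext listener open and untested, a client that is still configured for 2181 would go unnoticed.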