a514aa0f98
To prepare for switching to TLS, set up TLS certs for Zookeeper and all of Nodepool and Zuul, but do not have them connect over TLS yet. We have observed problems with Kazoo using TLS in production. This will let us run the ZK quorum using TLS internally, and have Zuul and Nodepool connect over plaintext while also exposing the TLS client port so that we can perform some more production tests. Change-Id: If93b27f5b55be42be1cf6ee23258127fab5ce9ea
134 lines
3.0 KiB
YAML
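---
# Zuul service host setup: system account, /etc/zuul layout, the ZooKeeper
# CA/cert (via the zk-ca role), Gearman TLS material, zuul.conf, runtime
# directories, the scheduler's SSH identity and known_hosts, project-config,
# and docker-compose.  The ZooKeeper cert is only *provisioned* here; per
# the commit message, Zuul does not yet connect to ZooKeeper over TLS.
#
# Conventions in this file: booleans are written as true/false and file
# modes are quoted strings so the YAML loader cannot retype them
# (an unquoted 0644 is read as the integer 420 under YAML 1.1 rules).

- name: Create Zuul Group
  group:
    name: "{{ zuul_group }}"
    gid: "{{ zuul_group_id }}"
    system: true

- name: Create Zuul User
  user:
    name: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    uid: "{{ zuul_user_id }}"
    home: "/home/{{ zuul_user }}"
    create_home: true
    shell: /bin/bash
    system: true

- name: Create Zuul Config dir
  file:
    state: directory
    path: /etc/zuul
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"

# The zk-ca role is handed the numeric uid/gid rather than the names so the
# cert directory ownership matches the account created above.
- name: Generate ZooKeeper TLS cert
  include_role:
    name: zk-ca
  vars:
    zk_ca_cert_dir_owner: "{{ zuul_user_id }}"
    zk_ca_cert_dir_group: "{{ zuul_group_id }}"

- name: Create Zuul SSL dir
  file:
    state: directory
    path: /etc/zuul/ssl
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"

# The CA and client certificate are public material and are always written;
# the corresponding private keys below are optional (`is defined`) and are
# kept group-readable only.
- name: Write Gearman SSL CA
  copy:
    content: "{{ gearman_ssl_ca }}"
    dest: /etc/zuul/ssl/gearman-ca.pem
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0644"

- name: Write Gearman Client SSL Cert
  copy:
    content: "{{ gearman_client_ssl_cert }}"
    dest: /etc/zuul/ssl/gearman-client.pem
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0644"

- name: Write Gearman Client SSL Key
  when: gearman_client_ssl_key is defined
  # Private key: keep its contents out of task output and --diff.
  no_log: true
  copy:
    content: "{{ gearman_client_ssl_key }}"
    dest: /etc/zuul/ssl/gearman-client.key
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0640"

- name: Write Gearman Server SSL Cert
  when: gearman_server_ssl_cert is defined
  copy:
    content: "{{ gearman_server_ssl_cert }}"
    dest: /etc/zuul/ssl/gearman-server.pem
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0644"

- name: Write Gearman Server SSL Key
  when: gearman_server_ssl_key is defined
  # Private key: keep its contents out of task output and --diff.
  no_log: true
  copy:
    content: "{{ gearman_server_ssl_key }}"
    dest: /etc/zuul/ssl/gearman-server.key
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0640"

# zuul.conf is owner-only: the template is expected to carry connection
# credentials (exact contents live in zuul.conf.j2, not shown here).
- name: Write Zuul Conf File
  template:
    src: zuul.conf.j2
    dest: /etc/zuul/zuul.conf
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0600"

- name: Create Zuul directories
  file:
    state: directory
    path: '{{ item }}'
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
  loop:
    - /var/log/zuul
    - /var/run/zuul
    - /var/lib/zuul
    - /var/lib/zuul/ssh

# Scheduler SSH identity; owner read-only, and never echoed to the log.
- name: Write Zuul SSH Key
  no_log: true
  copy:
    dest: /var/lib/zuul/ssh/id_rsa
    content: '{{ zuul_ssh_private_key_contents }}'
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0400"

- name: Create Zuul SSH directory
  file:
    state: directory
    path: "~{{ zuul_user }}/.ssh"
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0700"

# Pinned known_hosts so outbound SSH does not trust-on-first-use.
- name: Write Known Hosts
  copy:
    dest: "~{{ zuul_user }}/.ssh/known_hosts"
    content: '{{ zuul_known_hosts }}'
    owner: "{{ zuul_user }}"
    group: "{{ zuul_group }}"
    mode: "0600"

- name: Sync project-config
  include_role:
    name: sync-project-config

- name: Install docker-compose
  package:
    name:
      - docker-compose
    state: present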