Allow to pass ssl-related args for zookeeper

Zookeeper does support TLS encryption and authentication for client
connections. There's no reason not to pass these arguments to the kazoo
to allow encrypted connections.

We bump minimum kazoo version to 2.6.0 since change implementin SSL support
has been merged with [1] and was first released with 2.6.0 tag.

[1] 35ce10669a

Change-Id: Ied29512989f477a19753afcb789e5588877fd688

releasenotes/notes/zookeeper_tls-808355fd2ab1acae.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Added TLS support for Zookeeper.
+
+    TLS-related options can be defined in a connection URL as query parameters
+    and they will be passed to the Kazoo driver as client arguments.
+
+    * ``ca``: SSL CA file to use for authentication
+    * ``certfile``: SSL certfile to use for authentication
+    * ``keyfile``: SSL keyfile to use for authentication
+    * ``keyfile_password``: keyfile password
+    * ``use_ssl``: controls whether SSL is used or not. Default to False.
+    * ``verify_certs``: when use_ssl is True you can control whether to
+      complete certificate validation
+
+    This also bumps minimum kazoo version to >=2.6.0

setup.cfg

@@ -62,7 +62,7 @@ postgresql =
 mysql =
   PyMySQL>=0.6.2 # MIT License
 zookeeper =
-  kazoo>=2.2 # Apache-2.0
+  kazoo>=2.6 # Apache-2.0
 memcached =
   pymemcache!=1.3.0,>=1.2.9 # Apache 2.0 License
 ipc =

tooz/drivers/zookeeper.py

@@ -95,11 +95,17 @@ class KazooDriver(coordination.CoordinationDriverCachedRunWatchers):
     ================  ===============================  ====================
     Name              Source                           Default
     ================  ===============================  ====================
-    hosts             url netloc + 'hosts' option key  localhost:2181
-    timeout           'timeout' options key            10.0 (kazoo default)
+    ca                'ca' options key                 None
+    certfile          'certfile' options key           None
     connection_retry  'connection_retry' options key   None
     command_retry     'command_retry' options key      None
+    hosts             url netloc + 'hosts' option key  localhost:2181
+    keyfile           'keyfile' options key            None
+    keyfile_password  'keyfile_password' options key   None
     randomize_hosts   'randomize_hosts' options key    True
+    timeout           'timeout' options key            10.0 (kazoo default)
+    use_ssl           'use_ssl' options key            False
+    verify_certs      'verify_certs' options key       True
     ================  ===============================  ====================
 
     .. _kazoo: http://kazoo.readthedocs.org/
@@ -472,13 +478,19 @@ class KazooDriver(coordination.CoordinationDriverCachedRunWatchers):
             hosts = ['localhost:2181']
         randomize_hosts = options.get('randomize_hosts', True)
         client_kwargs = {
-            'hosts': ",".join(hosts),
-            'timeout': float(options.get('timeout', self.timeout)),
+            'auth_data': auth_data,
+            'ca': options.get('ca', None),
+            'certfile': options.get('certfile', None),
             'connection_retry': options.get('connection_retry'),
             'command_retry': options.get('command_retry'),
-            'randomize_hosts': strutils.bool_from_string(randomize_hosts),
-            'auth_data': auth_data,
             'default_acl': default_acl,
+            'hosts': ",".join(hosts),
+            'keyfile': options.get('keyfile', None),
+            'keyfile_password': options.get('keyfile_password', None),
+            'randomize_hosts': strutils.bool_from_string(randomize_hosts),
+            'timeout': float(options.get('timeout', self.timeout)),
+            'use_ssl': bool(options.get('use_ssl', False)),
+            'verify_certs': bool(options.get('verify_certs', True)),
         }
         handler_kind = options.get('handler')
         if handler_kind: