Add zookeeper tls support

Now that tls support is required, add support for it.

Change-Id: I36f2c0a2b2209cfa974b4686c0c32f3fe32e9cae
Signed-off-by: Paul Belanger <pabelanger@redhat.com>

defaults/main.yaml

@@ -52,6 +52,27 @@ nodepool_file_launcher_logging_conf_mode: 0644
 nodepool_file_launcher_logging_conf_owner: "{{ nodepool_user_name }}"
 nodepool_file_launcher_logging_conf_src: etc/nodepool/launcher-logging.conf
 
+nodepool_file_zookeeper_tls_cacert_content:
+nodepool_file_zookeeper_tls_cacert_dest: /etc/nodepool/ssl/zookeeper-cacert.pem
+nodepool_file_zookeeper_tls_cacert_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_cacert_mode: 0644
+nodepool_file_zookeeper_tls_cacert_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_cacert_src: etc/nodepool/ssl/zookeeper-cacert.pem
+
+nodepool_file_zookeeper_tls_cert_content:
+nodepool_file_zookeeper_tls_cert_dest: /etc/nodepool/ssl/zookeeper-client.pem
+nodepool_file_zookeeper_tls_cert_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_cert_mode: 0644
+nodepool_file_zookeeper_tls_cert_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_cert_src: etc/nodepool/ssl/zookeeper-client.pem
+
+nodepool_file_zookeeper_tls_key_content:
+nodepool_file_zookeeper_tls_key_dest: /etc/nodepool/ssl/zookeeper-client.key
+nodepool_file_zookeeper_tls_key_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_key_mode: 0600
+nodepool_file_zookeeper_tls_key_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_key_src: etc/nodepool/ssl/zookeeper-client.key
+
 # tasks/install.yaml
 nodepool_git_dest: "{{ ansible_user_dir }}/src/opendev.org/zuul/nodepool"
 nodepool_git_uri: https://opendev.org/zuul/nodepool

tasks/config.yaml

@@ -21,6 +21,7 @@
     state: directory
   with_items:
     - /etc/nodepool
+    - /etc/nodepool/ssl
     - /opt/nodepool/images
     - /opt/nodepool/tmp
     - /var/log/nodepool
@@ -66,3 +67,33 @@
     src: "{{ nodepool_file_launcher_logging_conf_src }}"
   register: nodepool_file_launcher_logging_conf
   when: nodepool_file_launcher_logging_conf_manage
+
+- name: Install zookeeper tls cacert configuration
+  become: true
+  template:
+    dest: "{{ nodepool_file_zookeeper_tls_cacert_dest }}"
+    group: "{{ nodepool_file_zookeeper_tls_cacert_group }}"
+    mode: "{{ nodepool_file_zookeeper_tls_cacert_mode }}"
+    owner: "{{ nodepool_file_zookeeper_tls_cacert_owner }}"
+    src: "{{ nodepool_file_zookeeper_tls_cacert_src }}"
+  register: nodepool_file_zookeeper_tls_cacert
+
+- name: Install nodepool zookeeper tls cert configuration
+  become: true
+  template:
+    dest: "{{ nodepool_file_zookeeper_tls_cert_dest }}"
+    group: "{{ nodepool_file_zookeeper_tls_cert_group }}"
+    mode: "{{ nodepool_file_zookeeper_tls_cert_mode }}"
+    owner: "{{ nodepool_file_zookeeper_tls_cert_owner }}"
+    src: "{{ nodepool_file_zookeeper_tls_cert_src }}"
+  register: nodepool_file_zookeeper_tls_cert
+
+- name: Install zookeeper tls key configuration
+  become: true
+  template:
+    dest: "{{ nodepool_file_zookeeper_tls_key_dest }}"
+    group: "{{ nodepool_file_zookeeper_tls_key_group }}"
+    mode: "{{ nodepool_file_zookeeper_tls_key_mode }}"
+    owner: "{{ nodepool_file_zookeeper_tls_key_owner }}"
+    src: "{{ nodepool_file_zookeeper_tls_key_src }}"
+  register: nodepool_file_zookeeper_tls_key

templates/etc/nodepool/ssl/zookeeper-cacert.pem

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_cacert_content }}

templates/etc/nodepool/ssl/zookeeper-client.key

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_key_content }}

templates/etc/nodepool/ssl/zookeeper-client.pem

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_cert_content }}

tests/playbooks/run.yaml

@@ -46,3 +46,45 @@
           - nodepool_git_dest_stat.stat.exists
           - nodepool_git_dest_stat.stat.isdir
       when: nodepool_install_method == 'git'
+
+    - name: Register /etc/nodepool/ssl/zookeeper-cacert.pem
+      stat:
+        path: /etc/nodepool/ssl/zookeeper-cacert.pem
+      register: _nodepool_file_zookeeper_tls_cacert_stat
+
+    - name: Assert _nodepool_file_zookeeper_tls_cacert_stat tests.
+      assert:
+        that:
+          - _nodepool_file_zookeeper_tls_cacert_stat.stat.exists
+          - _nodepool_file_zookeeper_tls_cacert_stat.stat.isreg
+          - _nodepool_file_zookeeper_tls_cacert_stat.stat.pw_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_cacert_stat.stat.gr_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_cacert_stat.stat.mode == '0644'
+
+    - name: Register /etc/nodepool/ssl/zookeeper-client.pem
+      stat:
+        path: /etc/nodepool/ssl/zookeeper-client.pem
+      register: _nodepool_file_zookeeper_tls_cert_stat
+
+    - name: Assert _nodepool_file_zookeeper_tls_cert_stat tests.
+      assert:
+        that:
+          - _nodepool_file_zookeeper_tls_cert_stat.stat.exists
+          - _nodepool_file_zookeeper_tls_cert_stat.stat.isreg
+          - _nodepool_file_zookeeper_tls_cert_stat.stat.pw_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_cert_stat.stat.gr_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_cert_stat.stat.mode == '0644'
+
+    - name: Register /etc/nodepool/ssl/zookeeper-client.key
+      stat:
+        path: /etc/nodepool/ssl/zookeeper-client.key
+      register: _nodepool_file_zookeeper_tls_key_stat
+
+    - name: Assert _nodepool_file_zookeeper_tls_key_stat tests.
+      assert:
+        that:
+          - _nodepool_file_zookeeper_tls_key_stat.stat.exists
+          - _nodepool_file_zookeeper_tls_key_stat.stat.isreg
+          - _nodepool_file_zookeeper_tls_key_stat.stat.pw_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_key_stat.stat.gr_name == 'nodepool'
+          - _nodepool_file_zookeeper_tls_key_stat.stat.mode == '0600'