From eacff9323287e46e44fc059ceeac4031c7c3ee64 Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Tue, 2 Mar 2021 13:44:17 -0500
Subject: [PATCH] Add tls support

This adds TLS support for zookeeper

Change-Id: I08c847d1d47a2ebd81f089befbef9a54ea1f6d4c
Signed-off-by: Paul Belanger
---
 defaults/main.yaml | 14 +++++++++
 tasks/config.yaml | 23 ++++++++++++++
 templates/etc/zookeeper/ca/certs/cacert.pem | 4 +++
 .../etc/zookeeper/ca/keystores/server.pem | 4 +++
 tests/playbooks/run.yaml | 30 +++++++++++++++++++
 5 files changed, 75 insertions(+)
 create mode 100644 templates/etc/zookeeper/ca/certs/cacert.pem
 create mode 100644 templates/etc/zookeeper/ca/keystores/server.pem
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 1803854..ab0e0a3 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -40,6 +40,20 @@ zookeeper_file_zoo_conf_group: zookeeper
 zookeeper_file_zoo_conf_mode: 0644
 zookeeper_file_zoo_conf_owner: zookeeper
+zookeeper_file_ssl_truststore_content:
+zookeeper_file_ssl_truststore_dest: /etc/zookeeper/ca/certs/cacert.pem
+zookeeper_file_ssl_truststore_group: "{{ zookeeper_user_group }}"
+zookeeper_file_ssl_truststore_mode: 0644
+zookeeper_file_ssl_truststore_owner: "{{ zookeeper_user_name }}"
+zookeeper_file_ssl_truststore_src: etc/zookeeper/ca/certs/cacert.pem
+
+zookeeper_file_ssl_keystore_content:
+zookeeper_file_ssl_keystore_dest: /etc/zookeeper/ca/keystores/server.pem
+zookeeper_file_ssl_keystore_group: "{{ zookeeper_user_group }}"
+zookeeper_file_ssl_keystore_mode: 0600
+zookeeper_file_ssl_keystore_owner: "{{ zookeeper_user_name }}"
+zookeeper_file_ssl_keystore_src: etc/zookeeper/ca/keystores/server.pem
+
 # tasks/install.yaml
 zookeeper_package_state: present
diff --git a/tasks/config.yaml b/tasks/config.yaml
index c6d1c50..fa9a163 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
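Review bot: `zookeeper_file_ssl_truststore_content:` and `zookeeper_file_ssl_keystore_content:` are bare empty values, which YAML reads as null, and the new tasks in tasks/config.yaml render templates/etc/zookeeper/ca/keystores/server.pem and templates/etc/zookeeper/ca/certs/cacert.pem from them unconditionally, so a host that never sets these variables still receives a 0600 "keystore" and a truststore whose body is whatever Jinja prints for a null value rather than a PEM block. Either guard both install tasks with `when: zookeeper_file_ssl_keystore_content is not none` (and the truststore equivalent), or fail early with an `assert` when the role is expected to configure TLS and the variable is unset, and document the variables above the keys: `# PEM-encoded server private key and certificate chain; supply from a vault-encrypted variable, never from a committed default`. `zookeeper_file_ssl_keystore_mode: 0600` follows the file's existing unquoted octal style and the tests in tests/playbooks/run.yaml assert `'0600'`, so it evidently works, but the quoted form `"0600"` is the one Ansible documents as safe across loops and templating. Nothing in this commit references the new `_dest` paths from the zoo.cfg template, so unless that wiring already exists outside the diff, the files are installed but ZooKeeper is not yet told to use them.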
@@ -42,6 +42,9 @@
 with_items:
 - /etc/zookeeper
 - /etc/zookeeper/conf
+ - /etc/zookeeper/ca
+ - /etc/zookeeper/ca/certs
+ - /etc/zookeeper/ca/keystores
 - /var/log/zookeeper
 - name: Install zookeeper log4j.properties
@@ -54,6 +57,26 @@
 src: "{{ zookeeper_file_log4j_properties_src }}"
 register: zookeeper_file_log4j_properties
+- name: Install zookeeper ssl truststore configuration
+ become: true
+ template:
+ dest: "{{ zookeeper_file_ssl_truststore_dest }}"
+ group: "{{ zookeeper_file_ssl_truststore_group }}"
+ mode: "{{ zookeeper_file_ssl_truststore_mode }}"
+ owner: "{{ zookeeper_file_ssl_truststore_owner }}"
+ src: "{{ zookeeper_file_ssl_truststore_src }}"
+ register: zookeeper_file_ssl_truststore
+
+- name: Install zookeeper ssl keystore configuration
+ become: true
+ template:
+ dest: "{{ zookeeper_file_ssl_keystore_dest }}"
+ group: "{{ zookeeper_file_ssl_keystore_group }}"
+ mode: "{{ zookeeper_file_ssl_keystore_mode }}"
+ owner: "{{ zookeeper_file_ssl_keystore_owner }}"
+ src: "{{ zookeeper_file_ssl_keystore_src }}"
+ register: zookeeper_file_ssl_keystore
+
 - name: Install zookeeper myid
 become: yes
 template:
diff --git a/templates/etc/zookeeper/ca/certs/cacert.pem b/templates/etc/zookeeper/ca/certs/cacert.pem
new file mode 100644
index 0000000..3c43ed0
--- /dev/null
+++ b/templates/etc/zookeeper/ca/certs/cacert.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zookeeper_file_ssl_truststore_content }}
diff --git a/templates/etc/zookeeper/ca/keystores/server.pem b/templates/etc/zookeeper/ca/keystores/server.pem
new file mode 100644
index 0000000..d20c29b
--- /dev/null
+++ b/templates/etc/zookeeper/ca/keystores/server.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zookeeper_file_ssl_keystore_content }}
diff --git a/tests/playbooks/run.yaml b/tests/playbooks/run.yaml
index f700b2b..d3fffdb 100644
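Review bot: `/etc/zookeeper/ca/keystores` is appended to a directory loop whose mode and owner are set outside the hunk (the task begins before the `with_items:` context line), so if that loop applies one world-readable mode to every item, the directory holding the private key inherits it. The 0600 file mode set in the later hunk keeps the key itself unreadable, but a dedicated directory task for the keystores path with a tighter mode (for example `mode: "0750"`) would match the sensitivity of its contents. This is inferred from the loop shape only; the actual mode value is not visible in the diff.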
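Review bot: The "Install zookeeper ssl keystore configuration" task renders private-key material with the plain `template` module and has no `no_log: true`, so the rendered key can surface in `--diff` output and in verbose task logging; add `no_log: true` to that task (the truststore holds public certificates and can stay loggable). Because `zookeeper_file_ssl_keystore_content` defaults to null in defaults/main.yaml, this task also writes a key file with no PEM block on any host that does not set the variable; a `when: zookeeper_file_ssl_keystore_content is not none` guard on both new tasks would make the role a no-op for TLS instead of installing placeholder files. Style: the new tasks use `become: true` while the neighbouring tasks in this file use `become: yes`; both parse as booleans, but one spelling per file lints cleanly, and `true` is the form yamllint's truthy rule prefers, so the older tasks are the ones worth converting.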
--- a/tests/playbooks/run.yaml
+++ b/tests/playbooks/run.yaml
@@ -23,8 +23,38 @@
 - name: Assert results are registered.
 assert:
 that:
+ - zookeeper_file_ssl_keystore
+ - zookeeper_file_ssl_truststore
 - zookeeper_service_zookeeper
+ - name: Register /etc/zookeeper/ca/certs/cacert.pem
+ stat:
+ path: /etc/zookeeper/ca/certs/cacert.pem
+ register: _zookeeper_file_ssl_truststore_stat
+
+ - name: Assert _zookeeper_file_ssl_truststore_stat tests.
+ assert:
+ that:
+ - _zookeeper_file_ssl_truststore_stat.stat.exists
+ - _zookeeper_file_ssl_truststore_stat.stat.isreg
+ - _zookeeper_file_ssl_truststore_stat.stat.pw_name == 'zookeeper'
+ - _zookeeper_file_ssl_truststore_stat.stat.gr_name == 'zookeeper'
+ - _zookeeper_file_ssl_truststore_stat.stat.mode == '0644'
+
+ - name: Register /etc/zookeeper/ca/keystores/server.pem
+ stat:
+ path: /etc/zookeeper/ca/keystores/server.pem
+ register: _zookeeper_file_ssl_keystore_stat
+
+ - name: Assert _zookeeper_file_ssl_keystore_stat tests.
+ assert:
+ that:
+ - _zookeeper_file_ssl_keystore_stat.stat.exists
+ - _zookeeper_file_ssl_keystore_stat.stat.isreg
+ - _zookeeper_file_ssl_keystore_stat.stat.pw_name == 'zookeeper'
+ - _zookeeper_file_ssl_keystore_stat.stat.gr_name == 'zookeeper'
+ - _zookeeper_file_ssl_keystore_stat.stat.mode == '0600'
+
 - name: Ensure zookeeper is running.
 become: yes
 shell: /usr/sbin/service zookeeper status
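Review bot: The new stat assertions verify existence, ownership and mode of both files, but nothing in this hunk sets `zookeeper_file_ssl_truststore_content` or `zookeeper_file_ssl_keystore_content`, so the run exercises only the null-default path and would still pass if the templates stopped rendering the variable at all. Supply a constructed, clearly non-secret PEM-shaped string for both variables in the play's vars (the play header is outside this hunk) and read the rendered keystore back so the test proves the content path; the `'0600'` file needs `become` for the read. The enclosing play continues past the end of the hunk.
```yaml
# … unchanged: stat/assert tasks for cacert.pem and server.pem …
  - name: Register rendered /etc/zookeeper/ca/keystores/server.pem content
    become: yes
    slurp:
      src: /etc/zookeeper/ca/keystores/server.pem
    register: _zookeeper_file_ssl_keystore_slurp

  - name: Assert the keystore carries the PEM block supplied by the play.
    assert:
      that:
        - "'-----BEGIN' in (_zookeeper_file_ssl_keystore_slurp.content | b64decode)"
# … unchanged: Ensure zookeeper is running …
```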