Add ssl support for zookeeper

Change-Id: I891373b656e4f2ab59e1cdffaa122bc821c46bf1
Signed-off-by: Paul Belanger <pabelanger@redhat.com>

defaults/main.yaml

@@ -95,6 +95,27 @@ zuul_file_web_logging_conf_mode: 0644
 zuul_file_web_logging_conf_owner: "{{ zuul_user_name }}"
 zuul_file_web_logging_conf_src: etc/zuul/web-logging.conf
 
+zuul_file_zookeeper_tls_cacert_content:
+zuul_file_zookeeper_tls_cacert_dest: /etc/zuul/ssl/zookeeper-cacert.pem
+zuul_file_zookeeper_tls_cacert_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_cacert_mode: 0644
+zuul_file_zookeeper_tls_cacert_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_cacert_src: etc/zuul/ssl/zookeeper-cacert.pem
+
+zuul_file_zookeeper_tls_cert_content:
+zuul_file_zookeeper_tls_cert_dest: /etc/zuul/ssl/zookeeper-client.pem
+zuul_file_zookeeper_tls_cert_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_cert_mode: 0644
+zuul_file_zookeeper_tls_cert_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_cert_src: etc/zuul/ssl/zookeeper-client.pem
+
+zuul_file_zookeeper_tls_key_content:
+zuul_file_zookeeper_tls_key_dest: /etc/zuul/ssl/zookeeper-client.key
+zuul_file_zookeeper_tls_key_group: "{{ zuul_user_group }}"
+zuul_file_zookeeper_tls_key_mode: 0600
+zuul_file_zookeeper_tls_key_owner: "{{ zuul_user_name }}"
+zuul_file_zookeeper_tls_key_src: etc/zuul/ssl/zookeeper-client.key
+
 zuul_file_zuul_conf_dest: /etc/zuul/zuul.conf
 zuul_file_zuul_conf_group: "{{ zuul_user_group }}"
 zuul_file_zuul_conf_mode: 0640

tasks/config.yaml

@@ -144,3 +144,33 @@
     owner: "{{ zuul_file_zuul_conf_owner }}"
     src: "{{ zuul_file_zuul_conf_src }}"
   register: zuul_file_zuul_conf
+
+- name: Install zookeeper tls cacert configuration
+  become: true
+  template:
+    dest: "{{ zuul_file_zookeeper_tls_cacert_dest }}"
+    group: "{{ zuul_file_zookeeper_tls_cacert_group }}"
+    mode: "{{ zuul_file_zookeeper_tls_cacert_mode }}"
+    owner: "{{ zuul_file_zookeeper_tls_cacert_owner }}"
+    src: "{{ zuul_file_zookeeper_tls_cacert_src }}"
+  register: zuul_file_zookeeper_tls_cacert
+
+- name: Install zuul zookeeper tls cert configuration
+  become: true
+  template:
+    dest: "{{ zuul_file_zookeeper_tls_cert_dest }}"
+    group: "{{ zuul_file_zookeeper_tls_cert_group }}"
+    mode: "{{ zuul_file_zookeeper_tls_cert_mode }}"
+    owner: "{{ zuul_file_zookeeper_tls_cert_owner }}"
+    src: "{{ zuul_file_zookeeper_tls_cert_src }}"
+  register: zuul_file_zookeeper_tls_cert
+
+- name: Install zookeeper tls key configuration
+  become: true
+  template:
+    dest: "{{ zuul_file_zookeeper_tls_key_dest }}"
+    group: "{{ zuul_file_zookeeper_tls_key_group }}"
+    mode: "{{ zuul_file_zookeeper_tls_key_mode }}"
+    owner: "{{ zuul_file_zookeeper_tls_key_owner }}"
+    src: "{{ zuul_file_zookeeper_tls_key_src }}"
+  register: zuul_file_zookeeper_tls_key

templates/etc/zuul/ssl/zookeeper-cacert.pem

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_cacert_content }}

templates/etc/zuul/ssl/zookeeper-client.key

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_key_content }}

templates/etc/zuul/ssl/zookeeper-client.pem

@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_zookeeper_tls_cert_content }}

tests/playbooks/run.yaml

@@ -308,6 +308,48 @@
           - _zuul_web_service_systemd_stat.stat.gr_name == 'root'
           - _zuul_web_service_systemd_stat.stat.mode == '0644'
 
+    - name: Register /etc/zuul/ssl/zookeeper-cacert.pem
+      stat:
+        path: /etc/zuul/ssl/zookeeper-cacert.pem
+      register: _zuul_file_zookeeper_tls_cacert_stat
+
+    - name: Assert _zuul_file_zookeeper_tls_cacert_stat tests.
+      assert:
+        that:
+          - _zuul_file_zookeeper_tls_cacert_stat.stat.exists
+          - _zuul_file_zookeeper_tls_cacert_stat.stat.isreg
+          - _zuul_file_zookeeper_tls_cacert_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_cacert_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_cacert_stat.stat.mode == '0644'
+
+    - name: Register /etc/zuul/ssl/zookeeper-client.pem
+      stat:
+        path: /etc/zuul/ssl/zookeeper-client.pem
+      register: _zuul_file_zookeeper_tls_cert_stat
+
+    - name: Assert _zuul_file_zookeeper_tls_cert_stat tests.
+      assert:
+        that:
+          - _zuul_file_zookeeper_tls_cert_stat.stat.exists
+          - _zuul_file_zookeeper_tls_cert_stat.stat.isreg
+          - _zuul_file_zookeeper_tls_cert_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_cert_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_cert_stat.stat.mode == '0644'
+
+    - name: Register /etc/zuul/ssl/zookeeper-client.key
+      stat:
+        path: /etc/zuul/ssl/zookeeper-client.key
+      register: _zuul_file_zookeeper_tls_key_stat
+
+    - name: Assert _zuul_file_zookeeper_tls_key_stat tests.
+      assert:
+        that:
+          - _zuul_file_zookeeper_tls_key_stat.stat.exists
+          - _zuul_file_zookeeper_tls_key_stat.stat.isreg
+          - _zuul_file_zookeeper_tls_key_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_key_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_zookeeper_tls_key_stat.stat.mode == '0600'
+
     - name: Ensure zuul-executor is running.
       become: yes
       shell: /usr/sbin/service zuul-executor status