From 2e7094db84a0a206eed2f9c4c1650a16c267fc4b Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Thu, 10 Jun 2021 18:51:02 -0400
Subject: [PATCH] Add zookeeper ssl certs

These will be used to confirm SSL on zookeeper works as expected.
Depends-On: https://review.opendev.org/c/windmill/ansible-role-zookeeper/+/778230
Depends-On: https://review.opendev.org/c/windmill/windmill/+/795909
Change-Id: Ief59dc15d9528b420c1d12d6e7fa98fa8e165492
Signed-off-by: Paul Belanger
---
 ansible/group_vars/zookeeper.yaml | 196 +++++++++++++++++++++++++++
 zookeeper/etc/zookeeper/conf/zoo.cfg | 31 +++++
 2 files changed, 227 insertions(+)
 create mode 100644 zookeeper/etc/zookeeper/conf/zoo.cfg
diff --git a/ansible/group_vars/zookeeper.yaml b/ansible/group_vars/zookeeper.yaml
index 24b5915..d596e0b 100644
--- a/ansible/group_vars/zookeeper.yaml
+++ b/ansible/group_vars/zookeeper.yaml
@@ -14,3 +14,199 @@ --- zookeeper_install_method: tarball zookeeper_tarball_version: 3.5.9 +zookeeper_file_zoo_conf_src: "{{ windmill_config_git_dest }}/zookeeper/etc/zookeeper/conf/zoo.cfg" + +zookeeper_file_ssl_truststore_content: | + Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:bc:ea:bd:f2:11:1c:aa:d4:45:40:1c:c0:b5:46:f4:8b:78:ee:68 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Company Name, OU=Org, CN=caroot + Validity + Not Before: Jun 22 02:38:55 2021 GMT + Not After : Mar 22 02:38:55 2031 GMT + Subject: C=US, ST=California, O=Company Name, OU=Org, CN=caroot + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:da:9a:37:0c:81:2d:9a:df:50:95:16:d1:59:1f: + d3:2e:88:3d:00:c9:d4:41:46:e2:56:50:ff:ca:a8: + df:d8:78:4a:bb:19:db:cf:f5:59:ce:76:a2:e3:10: + 58:45:7d:28:75:2a:57:8a:d0:52:a1:2d:c8:08:d5: + d0:03:4b:cd:74:49:e5:95:64:2d:05:30:6f:41:a7: + a9:31:5d:93:b0:9d:62:ed:7b:89:bd:7c:75:9d:47: + ca:89:3b:50:06:99:85:c0:f9:b3:1f:1f:d8:94:90: + 10:75:e7:65:0d:18:34:4e:df:46:f3:88:32:a5:c8: + a0:67:d2:d3:9b:ed:13:1b:b9:02:74:0c:95:cf:93: + 59:c8:a2:95:53:0f:3c:75:b2:39:b9:15:98:28:f8: + 9b:24:72:02:f3:d9:33:28:bd:32:d9:f3:b0:f7:9c: + cb:bb:87:1b:86:57:c1:72:31:38:3c:4f:6f:8b:26: + e1:fc:73:4e:25:a7:29:d6:22:2c:2d:7b:c1:c0:58: + 95:01:a9:23:e9:f4:30:d7:49:35:17:08:a2:89:dd: + b3:51:ad:50:67:9e:f7:f4:36:19:e8:97:d6:04:12: + d6:8c:15:bf:2f:9b:c4:33:c6:18:bd:28:91:78:85: + 80:ff:97:88:8c:8a:58:06:17:ee:58:37:42:bb:d2: + b3:3d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09 + X509v3 Authority Key Identifier: + keyid:B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 99:5f:30:95:02:b1:f4:32:ef:09:8d:c1:30:68:6a:5c:16:2c: + 
15:cf:65:71:0c:42:a7:46:bc:57:12:6d:c7:43:30:7c:71:63: + c2:ba:87:9e:c3:59:68:ff:52:5f:80:71:41:d2:c9:53:eb:71: + 62:09:c0:f4:28:93:89:a5:79:0d:de:44:59:da:62:46:d0:d3: + da:5d:f0:f4:b2:a6:38:43:f1:d6:81:e7:80:cd:83:e6:b2:4d: + 04:54:9a:63:50:c5:4e:56:ae:44:76:d1:13:ef:79:a3:00:19: + d6:46:e6:90:ca:0a:de:2d:89:43:0b:73:11:82:94:35:ad:12: + bd:2c:f0:c4:0b:e5:27:25:c3:d8:c8:0d:1f:2e:7e:c7:4b:8b: + 32:f7:13:da:04:fe:9d:1a:31:db:79:02:12:ca:cf:67:0c:d9: + 85:59:da:7a:88:16:d1:ee:e8:f3:36:d6:30:50:09:98:74:d5: + 97:92:06:15:3f:e7:bf:63:9d:fe:b3:50:ce:e4:80:6b:4f:49: + 34:26:96:eb:13:47:69:9f:a1:45:35:93:38:9b:a2:09:e8:65: + e0:2b:c8:d9:a6:56:d7:ab:a2:f3:5b:fc:f5:aa:82:21:8c:0b: + 43:67:1b:9c:fe:52:40:25:68:65:87:cc:cc:5c:a1:bc:60:a4: + dc:7c:1f:5d + -----BEGIN CERTIFICATE----- + MIIDkTCCAnmgAwIBAgIUKrzqvfIRHKrURUAcwLVG9It47mgwDQYJKoZIhvcNAQEL + BQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoM + DENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3JnMQ8wDQYDVQQDDAZjYXJvb3QwHhcN + MjEwNjIyMDIzODU1WhcNMzEwMzIyMDIzODU1WjBYMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMQ29tcGFueSBOYW1lMQwwCgYDVQQL + DANPcmcxDzANBgNVBAMMBmNhcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC + AQoCggEBANqaNwyBLZrfUJUW0Vkf0y6IPQDJ1EFG4lZQ/8qo39h4SrsZ28/1Wc52 + ouMQWEV9KHUqV4rQUqEtyAjV0ANLzXRJ5ZVkLQUwb0GnqTFdk7CdYu17ib18dZ1H + yok7UAaZhcD5sx8f2JSQEHXnZQ0YNE7fRvOIMqXIoGfS05vtExu5AnQMlc+TWcii + lVMPPHWyObkVmCj4myRyAvPZMyi9MtnzsPecy7uHG4ZXwXIxODxPb4sm4fxzTiWn + KdYiLC17wcBYlQGpI+n0MNdJNRcIoonds1GtUGee9/Q2GeiX1gQS1owVvy+bxDPG + GL0okXiFgP+XiIyKWAYX7lg3QrvSsz0CAwEAAaNTMFEwHQYDVR0OBBYEFLPZmxLq + dLA3wxwoddQ+XeN/HssJMB8GA1UdIwQYMBaAFLPZmxLqdLA3wxwoddQ+XeN/HssJ + MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJlfMJUCsfQy7wmN + wTBoalwWLBXPZXEMQqdGvFcSbcdDMHxxY8K6h57DWWj/Ul+AcUHSyVPrcWIJwPQo + k4mleQ3eRFnaYkbQ09pd8PSypjhD8daB54DNg+ayTQRUmmNQxU5WrkR20RPveaMA + GdZG5pDKCt4tiUMLcxGClDWtEr0s8MQL5Sclw9jIDR8ufsdLizL3E9oE/p0aMdt5 + AhLKz2cM2YVZ2nqIFtHu6PM21jBQCZh01ZeSBhU/579jnf6zUM7kgGtPSTQmlusT + 
R2mfoUU1kzibognoZeAryNmmVterovNb/PWqgiGMC0NnG5z+UkAlaGWHzMxcobxg + pNx8H10= + -----END CERTIFICATE----- + +zookeeper_file_ssl_keystore_content: | + Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:bc:ea:bd:f2:11:1c:aa:d4:45:40:1c:c0:b5:46:f4:8b:78:ee:6a + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, O=Company Name, OU=Org, CN=caroot + Validity + Not Before: Jun 22 02:38:55 2021 GMT + Not After : Mar 22 02:38:55 2031 GMT + Subject: C=US, ST=California, L=Oakland, O=Company Name, OU=Org, CN=zk01 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ed:43:97:ba:11:16:e4:88:0e:55:c4:87:8e:3c: + 55:91:24:31:83:9a:56:6d:e5:01:ec:f9:6b:4a:61: + 78:59:f0:2a:f4:0b:8f:6b:29:55:a0:31:7b:e6:12: + 5c:f7:10:26:2e:e8:86:1c:fe:64:20:12:0b:9c:f6: + bd:a9:2f:f0:09:f0:29:ae:60:a8:73:7e:47:de:68: + e2:14:e3:e1:1e:a5:55:4a:84:fd:7d:4e:41:a2:a3: + ac:cc:10:3b:53:21:8d:91:59:df:07:67:bd:7a:2e: + 16:90:7e:df:53:a9:ab:27:4e:ff:11:6f:00:86:0b: + 5b:d0:1e:41:33:90:3e:3b:4f:b4:77:34:2f:8c:78: + 0c:68:d1:6f:eb:51:cd:01:6e:84:91:af:88:40:7d: + ed:2b:7e:37:f6:01:cc:bb:c7:fa:9a:b5:4c:fa:0e: + 42:d2:f1:97:e5:a8:cd:a1:31:1d:2f:9a:4c:08:91: + 72:4a:3c:de:ea:07:15:c6:9c:b8:a3:15:cc:b3:b7: + 13:2c:b0:53:0c:dd:a3:47:93:29:3b:fb:8b:90:23: + 4a:34:09:1d:4e:37:58:f2:05:37:74:23:32:bb:0a: + f4:a7:52:84:07:df:8b:4e:09:dc:21:d1:3e:57:f1: + d2:27:55:68:a3:4a:c9:53:c6:8c:fb:77:26:65:09: + 22:d3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 6F:69:A2:20:03:1E:94:47:FB:C9:BE:65:FC:5B:A7:D9:4B:DF:61:09 + X509v3 Authority Key Identifier: + keyid:B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09 + + Signature Algorithm: sha256WithRSAEncryption + be:cf:3f:a4:f0:9c:ad:04:77:b3:5f:a9:5a:ca:db:49:00:c8: + 5d:5f:00:5f:af:40:f0:8c:7b:a0:7d:2e:33:f0:58:90:50:21: + 
01:6a:9d:4f:5c:58:36:f8:5f:24:e4:85:2a:8c:a0:65:87:21: + 0c:40:e9:bf:f1:7c:bd:13:f3:29:99:7d:eb:1d:9f:b9:b0:00: + e5:bc:cf:53:ef:1a:30:c4:b7:81:0e:9c:8f:98:4e:b1:d9:fa: + eb:46:7c:28:fb:e8:bd:dd:9c:ae:de:0f:66:b4:6d:cd:2e:73: + 00:6a:e2:80:9e:2f:d8:d6:fa:ac:42:73:ae:70:6c:75:93:e5: + c7:57:98:15:af:ef:94:bf:9f:30:d5:d9:74:80:85:2c:29:62: + 4a:49:18:30:14:8a:38:60:83:3b:7e:44:86:9a:ea:ac:bc:d0: + a4:d2:25:b7:16:31:42:05:b9:92:26:98:a0:3b:7c:d9:e6:56: + ef:44:b2:4e:10:14:15:70:a9:7e:18:f1:62:46:7d:dc:3e:0c: + 8f:2b:2e:b1:4a:7e:58:4c:8b:2c:84:1f:8a:86:b3:33:d8:e4: + 24:59:48:ff:2f:2e:80:de:ad:5f:13:7e:44:9d:d3:78:be:1b: + ce:17:33:a6:a8:66:4d:46:30:b0:56:6e:d2:45:65:7b:0d:5a: + 86:2c:75:85 + -----BEGIN CERTIFICATE----- + MIIDyTCCArGgAwIBAgIUKrzqvfIRHKrURUAcwLVG9It47mowDQYJKoZIhvcNAQEL + BQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoM + DENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3JnMQ8wDQYDVQQDDAZjYXJvb3QwHhcN + MjEwNjIyMDIzODU1WhcNMzEwMzIyMDIzODU1WjBoMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHT2FrbGFuZDEVMBMGA1UECgwMQ29t + cGFueSBOYW1lMQwwCgYDVQQLDANPcmcxDTALBgNVBAMMBHprMDEwggEiMA0GCSqG + SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtQ5e6ERbkiA5VxIeOPFWRJDGDmlZt5QHs + +WtKYXhZ8Cr0C49rKVWgMXvmElz3ECYu6IYc/mQgEguc9r2pL/AJ8CmuYKhzfkfe + aOIU4+EepVVKhP19TkGio6zMEDtTIY2RWd8HZ716LhaQft9TqasnTv8RbwCGC1vQ + HkEzkD47T7R3NC+MeAxo0W/rUc0BboSRr4hAfe0rfjf2Acy7x/qatUz6DkLS8Zfl + qM2hMR0vmkwIkXJKPN7qBxXGnLijFcyztxMssFMM3aNHkyk7+4uQI0o0CR1ON1jy + BTd0IzK7CvSnUoQH34tOCdwh0T5X8dInVWijSslTxoz7dyZlCSLTAgMBAAGjezB5 + MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl + cnRpZmljYXRlMB0GA1UdDgQWBBRvaaIgAx6UR/vJvmX8W6fZS99hCTAfBgNVHSME + GDAWgBSz2ZsS6nSwN8McKHXUPl3jfx7LCTANBgkqhkiG9w0BAQsFAAOCAQEAvs8/ + pPCcrQR3s1+pWsrbSQDIXV8AX69A8Ix7oH0uM/BYkFAhAWqdT1xYNvhfJOSFKoyg + ZYchDEDpv/F8vRPzKZl96x2fubAA5bzPU+8aMMS3gQ6cj5hOsdn660Z8KPvovd2c + rt4PZrRtzS5zAGrigJ4v2Nb6rEJzrnBsdZPlx1eYFa/vlL+fMNXZdICFLCliSkkY + MBSKOGCDO35EhprqrLzQpNIltxYxQgW5kiaYoDt82eZW70SyThAUFXCpfhjxYkZ9 
+ 3D4MjysusUp+WEyLLIQfioazM9jkJFlI/y8ugN6tXxN+RJ3TeL4bzhczpqhmTUYw + sFZu0kVlew1ahix1hQ== + -----END CERTIFICATE----- + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDtQ5e6ERbkiA5V + xIeOPFWRJDGDmlZt5QHs+WtKYXhZ8Cr0C49rKVWgMXvmElz3ECYu6IYc/mQgEguc + 9r2pL/AJ8CmuYKhzfkfeaOIU4+EepVVKhP19TkGio6zMEDtTIY2RWd8HZ716LhaQ + ft9TqasnTv8RbwCGC1vQHkEzkD47T7R3NC+MeAxo0W/rUc0BboSRr4hAfe0rfjf2 + Acy7x/qatUz6DkLS8ZflqM2hMR0vmkwIkXJKPN7qBxXGnLijFcyztxMssFMM3aNH + kyk7+4uQI0o0CR1ON1jyBTd0IzK7CvSnUoQH34tOCdwh0T5X8dInVWijSslTxoz7 + dyZlCSLTAgMBAAECggEAH9zA5nLfESeYTTpMPfSqRQiIQbUbQDzNymYgW2fFgsZ2 + 7jkTNH/jiNS8X8Q9icw4ZHpDcGdVSN1Dg/u6sprGcH85CbrfREtEGYEaQ1Xq6HOp + hY1ggVBeDhpO3UScwugxm8Bm7BapYlwIGbWABjs1ydyY8l1mw5mI5eT6OpN3V/10 + 8RP11Shasgju5iPqnCQt52EZ2iOoajaeog/x7NffMGtndF9SzPuJFk+BUkYZ4WXM + hUWHZUIANkMc6cE8A/kw9+AMCNramvlZRqNlOk3QXcntQQDHA/BT7O0aC62oj3BG + fKF43n7kEiB4tMFVnzYnLUPaNuk2Bh7vZ3tbe23gsQKBgQD/grjkKvh1nYA7VE3B + BRYmik7RAvcH8l/LHbCOXCLSTw5rTSj1vpcBmVTJSes5zkznG61eFIbw2keFqq8V + 6CdLaLRtfjaT30btqZnLBT69REOpJzOylx2br1Bidh/ntMtiEiwYBbkxPjNSWZ1p + deI4Cn1J1GX7gkcJLjY1qyEP+QKBgQDtt+yQbm/bXxfRSF5IqSkoJG+o+v0e0gCV + 9HyGv+5XQ3YEnbfrXYdK78iGBRaWV3NxdcaYAw6/8zQy+XSFhSv4BtQcEil7D1bE + gqQsoNGc8j8BkJl+8Hr7rNijwNmpaS4X1e3rU2YCEkP/7eYZORj8aqcYAjEhufep + FHeRYhwUKwKBgHawV4iNuWqRJh7pM1ElNrviZWhL00qauQrWGMyYWgiNdqo7Znp4 + 9RZmDm+OabkpbqmwPqFEMcax7qVVuw0XESHDWoS+K0YXYpBFx036esFac3+g2S/t + aHCISHPkYT+1yQAeZuMlzXflZ9uqCygQ/WuA2+AuzMy/IJZQJBhcDPipAoGAK/gr + H4Pt2Ku8Ig+6sMHpRO2IYb8a9optZU81gU8a7LUjrTLnA/fmwGudsXxbcy91wPTB + 6PgX0FVRwGP3s4KwYU4SCacqWQK7T9nCOCb+3oLIOKfgXGRquwZ7g752BCnaRrph + KXfhlFyAi2QbfWrcPkQT6BLvt4dIUdPhUdjNzMUCgYACSFAXrGfhM5H7JNgTnzxx + yeyoZtSkHggU66E9ab+NK5H0OwWua5AvGB6IZpkB79m7osZcMcniN9ACbA49XgwG + znPiBHmQHJ639kraofD+riYn0gtyc9Gat5GlAkmmljR7huuJZ8UmbLxlrwGSG1+c + WiZaHKlQMWEYrPgmiXlLew== + -----END PRIVATE KEY----- 
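Review bot: `zookeeper_file_ssl_keystore_content` at the end of this hunk embeds an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----`) in a plain group_vars file under version control, so the key for CN=zk01 is now public and anyone with a copy of the repo can present a certificate that the truststore added in the same hunk will accept until the `Not After` date in 2031. Even if this is meant purely as a CI fixture the file should say so, e.g. `# Test-only CA and server key pair; publicly known, never reuse outside CI.` above the variable, and if the same playbook can ever target a non-test host the key should instead be generated at deploy time or stored with ansible-vault. Separately, the zk01 certificate carries no subjectAltName (only Basic Constraints, Netscape Comment, SKI and AKI are present); as far as I recall ZooKeeper 3.5 enables hostname verification by default for both client and quorum TLS, so if the host is addressed by an IP rather than the literal name `zk01` the handshake will likely be rejected, which is worth confirming before anyone is tempted to turn verification off to make the test pass. The role's handling of the leading `openssl x509 -text` dump ahead of the PEM blocks is presumably fine but lives outside this change.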
diff --git a/zookeeper/etc/zookeeper/conf/zoo.cfg b/zookeeper/etc/zookeeper/conf/zoo.cfg
new file mode 100644
index 0000000..4729012
--- /dev/null
+++ b/zookeeper/etc/zookeeper/conf/zoo.cfg
@@ -0,0 +1,31 @@
+# The number of milliseconds of each tick
+tickTime=2000
+# The number of ticks that the initial
+# synchronization phase can take
+initLimit=10
+# The number of ticks that can pass between
+# sending a request and getting an acknowledgement
+syncLimit=5
+# the directory where the snapshot is stored.
+dataDir=/var/lib/zookeeper
+
+# the port at which the clients will connect
+clientPort=2181
+
+# specify all zookeeper servers
+# The fist port is used by followers to connect to the leader
+# The second one is used for leader election
+server.1={{ hostvars['zk01'].ansible_host }}:2888:3888
+
+# Necessary for TLS support
+serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
+
+# Client TLS configuration
+secureClientPort=2281
+ssl.keyStore.location=/etc/zookeeper/ca/keystores/server.pem
+ssl.trustStore.location=/etc/zookeeper/ca/certs/cacert.pem
+
+# Server TLS configuration
+sslQuorum=true
+ssl.quorum.keyStore.location=/etc/zookeeper/ca/keystores/server.pem
+ssl.quorum.trustStore.location=/etc/zookeeper/ca/certs/cacert.pem
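Review bot: The plaintext `clientPort=2181` is kept alongside `secureClientPort=2281`, so a test client that connects on the default port proves nothing about TLS; for a change whose stated purpose is to confirm SSL works, either drop `clientPort=2181` or make the check target 2281 explicitly, and note that ZooKeeper 3.5 as I recall defaults `ssl.clientAuth` to requiring a client certificate, so the test client will also need a cert issued by the same caroot CA. `sslQuorum=true` is set but only `server.1` is listed, so with a single member the server presumably runs standalone and the quorum TLS path is never exercised — worth a comment such as `# sslQuorum only takes effect once a second server.N entry is added` so nobody assumes it has been verified. Hostname verification is on by default for both listeners and the server certificate has no SAN, so if `hostvars['zk01'].ansible_host` is an IP the handshake will likely fail against a CN of `zk01`. Minor: `# The fist port` should read `# The first port`.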