diff --git a/.gitignore b/.gitignore
index af5a597cc..3ee16aab8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ dist/
 venv/
 *~
 .*.swp
+tools/ca/
diff --git a/.zuul.yaml b/.zuul.yaml
index 8c48ce84e..e777ab73f 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -347,6 +347,26 @@
       env-vars:
         DIB_SIMPLE_INIT_NETWORKMANAGER: '1'
 
+- job:
+    name: nodepool-tox-py36
+    description: |
+      Nodepool unit tests with ZooKeeper running
+    parent: tox-py36
+    pre-run: playbooks/nodepool-tox/pre.yaml
+    vars: &nodepool_tox_vars
+      tox_environment:
+        NODEPOOL_ZK_CA: /opt/zookeeper/ca/certs/cacert.pem
+        NODEPOOL_ZK_CERT: /opt/zookeeper/ca/certs/client.pem
+        NODEPOOL_ZK_KEY: /opt/zookeeper/ca/keys/clientkey.pem
+
+- job:
+    name: nodepool-tox-py38
+    description: |
+      Nodepool unit tests with ZooKeeper running
+    parent: tox-py38
+    pre-run: playbooks/nodepool-tox/pre.yaml
+    vars: *nodepool_tox_vars
+
 - project:
     vars:
       release_python: python3
@@ -357,8 +377,8 @@
         - nodepool-build-image-siblings
         - zuul-tox-docs
         - tox-pep8
-        - tox-py36
-        - tox-py38
+        - nodepool-tox-py36
+        - nodepool-tox-py38
         - nodepool-zuul-functional:
             voting: false
         - nodepool-functional-openstack:
@@ -380,8 +400,8 @@
         - nodepool-upload-image
         - zuul-tox-docs
         - tox-pep8
-        - tox-py36
-        - tox-py38
+        - nodepool-tox-py36
+        - nodepool-tox-py38
         - nodepool-functional-openstack
         - nodepool-functional-openstack-src
         - nodepool-functional-k8s
diff --git a/bindep.txt b/bindep.txt
index f6c019371..6665a4632 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -15,5 +15,6 @@ musl-dev [compile test platform:apk]
 python3-dev [compile test platform:dpkg]
 python3-devel [compile test platform:rpm]
 sudo
-zookeeperd [platform:dpkg test]
-zookeeper [platform:suse test]
+docker.io [test platform:dpkg]
+docker [test platform:fedora]
+docker-compose [test]
diff --git a/nodepool/config.py b/nodepool/config.py
index 00ae5083c..46f4c69ea 100644
--- a/nodepool/config.py
+++ b/nodepool/config.py
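Review bot: The description `Nodepool unit tests with ZooKeeper running` on both new jobs does not say what distinguishes them from the plain tox-py36/py38 jobs they replace in the project section: that ZooKeeper is brought up by `playbooks/nodepool-tox/pre.yaml` with TLS, and that the three `NODEPOOL_ZK_*` paths in `tox_environment` must match what that playbook generates under `/opt/zookeeper/ca`. Suggest `Nodepool unit tests with a TLS-enabled ZooKeeper started by pre.yaml; NODEPOOL_ZK_CA/CERT/KEY point at its generated CA and client credentials`. The pre-run playbook is not in this diff, so that it produces exactly these paths is assumed from the variables alone.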
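Review bot: The replacement lines drop the SUSE test dependency without a successor: `zookeeperd [platform:dpkg test]` and `zookeeper [platform:suse test]` become `docker.io [test platform:dpkg]` and `docker [test platform:fedora]`, so a `platform:suse` (or non-Fedora rpm) test host now installs `docker-compose [test]` but no container engine. Either add `docker [test platform:suse]` (or `platform:rpm`, if the package name is the same there) or state that SUSE is no longer a supported test platform. The compose file that pulls the ZooKeeper image is not part of this diff; since every test run now depends on whatever tag it references, check that it pins a specific version or digest rather than a floating tag.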
@@ -101,7 +101,7 @@ class Config(ConfigValue):
 
         for server in zk_cfg:
             z = zk.ZooKeeperConnectionConfig(server['host'],
-                                             server.get('port', 2181),
+                                             server.get('port', 2281),
                                              server.get('chroot', None))
             name = z.host + '_' + str(z.port)
             self.zookeeper_servers[name] = z
@@ -358,7 +358,6 @@ def loadSecureConfig(config, secure_config_path, env=os.environ):
 
     if secure.get('zookeeper-servers', []):
         config.zookeeper_servers = {}
-        # TODO(Shrews): Support ZooKeeper auth
         config.setZooKeeperServers(secure.get('zookeeper-servers'))
     config.setSecureDiskimageEnv(
         secure.get('diskimages', []), secure_config_path)
diff --git a/nodepool/tests/__init__.py b/nodepool/tests/__init__.py
index eac942d82..0e8c28bc7 100644
--- a/nodepool/tests/__init__.py
+++ b/nodepool/tests/__init__.py
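Review bot: Changing the fallback in `server.get('port', 2181)` to 2281 is a behaviour change for every existing config that omits `port` and still runs a plaintext ZooKeeper on 2181, and nothing in this hunk ties the new default to whether a `zookeeper-tls` section is configured. If TLS is now the expected deployment, say so next to the literal, `# 2281 is the conventional ZooKeeper TLS port (secureClientPort); plaintext deployments must set port: 2181 explicitly`, and call the new default out in the docs and release note; otherwise consider keeping 2181 unless TLS settings are present. Whether the TLS section is parsed elsewhere in config.py is not visible here. setZooKeeperServers begins outside the hunk.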
@@ -61,16 +61,37 @@ class ZookeeperServerFixture(fixtures.Fixture):
         self.zookeeper_host = host
 
         if not port:
-            self.zookeeper_port = 2181
+            self.zookeeper_port = 2281
         else:
             self.zookeeper_port = int(port)
 
+        zk_ca = os.environ.get('NODEPOOL_ZK_CA', None)
+        if not zk_ca:
+            zk_ca = os.path.join(os.path.dirname(__file__),
+                                 '../../tools/ca/certs/cacert.pem')
+        self.zookeeper_ca = zk_ca
+        zk_cert = os.environ.get('NODEPOOL_ZK_CERT', None)
+        if not zk_cert:
+            zk_cert = os.path.join(os.path.dirname(__file__),
+                                   '../../tools/ca/certs/client.pem')
+        self.zookeeper_cert = zk_cert
+        zk_key = os.environ.get('NODEPOOL_ZK_KEY', None)
+        if not zk_key:
+            zk_key = os.path.join(os.path.dirname(__file__),
+                                  '../../tools/ca/keys/clientkey.pem')
+        self.zookeeper_key = zk_key
+
 
 class ChrootedKazooFixture(fixtures.Fixture):
-    def __init__(self, zookeeper_host, zookeeper_port):
+    def __init__(self, zookeeper_host, zookeeper_port, zookeeper_ca,
+                 zookeeper_cert, zookeeper_key):
         super(ChrootedKazooFixture, self).__init__()
-        self.zookeeper_host = zookeeper_host
-        self.zookeeper_port = zookeeper_port
+        self.zk_args = dict(
+            hosts='%s:%s' % (zookeeper_host, zookeeper_port),
+            use_ssl=True,
+            ca=zookeeper_ca,
+            certfile=zookeeper_cert,
+            keyfile=zookeeper_key)
 
     def _setUp(self):
         # Make sure the test chroot paths do not conflict
@@ -82,8 +103,7 @@ class ChrootedKazooFixture(fixtures.Fixture):
         self.zookeeper_chroot = "/nodepool_test/%s" % rand_test_path
 
         # Ensure the chroot path exists and clean up any pre-existing znodes.
-        _tmp_client = kazoo.client.KazooClient(
-            hosts='%s:%s' % (self.zookeeper_host, self.zookeeper_port))
+        _tmp_client = kazoo.client.KazooClient(**self.zk_args)
         _tmp_client.start()
 
         if _tmp_client.exists(self.zookeeper_chroot):
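Review bot: The `tools/ca/...` fallbacks derived from `__file__` are never checked for existence, so on a fresh checkout (this change gitignores tools/ca, so the CA has to be generated by something not in the diff) the failure surfaces later as an opaque SSL or kazoo error out of `KazooClient(**self.zk_args)` instead of a message naming the missing file and the env var that overrides it; the joined path also keeps its `../..` components. The three copies of the env-var-or-fallback logic can collapse into one helper that resolves the path, normalises it and fails early with a clear message. The method of ZookeeperServerFixture that this hunk edits starts outside the hunk, so the helper is sketched as a static method on that class.
```python
        # … unchanged: host/port selection …
        self.zookeeper_ca = self._tls_path(
            'NODEPOOL_ZK_CA', 'tools/ca/certs/cacert.pem')
        self.zookeeper_cert = self._tls_path(
            'NODEPOOL_ZK_CERT', 'tools/ca/certs/client.pem')
        self.zookeeper_key = self._tls_path(
            'NODEPOOL_ZK_KEY', 'tools/ca/keys/clientkey.pem')

    @staticmethod
    def _tls_path(env_var, relpath):
        # CI exports the env var; local runs fall back to the CA generated
        # under tools/ca, which is gitignored and so must be created first.
        path = os.environ.get(env_var)
        if not path:
            path = os.path.abspath(os.path.join(
                os.path.dirname(__file__), '..', '..', relpath))
        if not os.path.isfile(path):
            raise RuntimeError(
                'ZooKeeper TLS file %s not found; set %s or generate '
                'the test CA under tools/ca' % (path, env_var))
        return path
```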
@@ -98,8 +118,7 @@ class ChrootedKazooFixture(fixtures.Fixture):
     def _cleanup(self):
         '''Remove the chroot path.'''
         # Need a non-chroot'ed client to remove the chroot path
-        _tmp_client = kazoo.client.KazooClient(
-            hosts='%s:%s' % (self.zookeeper_host, self.zookeeper_port))
+        _tmp_client = kazoo.client.KazooClient(**self.zk_args)
         _tmp_client.start()
         _tmp_client.delete(self.zookeeper_chroot, recursive=True)
         _tmp_client.stop()
@@ -373,7 +392,10 @@ class DBTestCase(BaseTestCase):
             context_name=context_name,
             zookeeper_host=self.zookeeper_host,
             zookeeper_port=self.zookeeper_port,
-            zookeeper_chroot=self.zookeeper_chroot)
+            zookeeper_chroot=self.zookeeper_chroot,
+            zookeeper_ca=self.zookeeper_ca,
+            zookeeper_cert=self.zookeeper_cert,
+            zookeeper_key=self.zookeeper_key)
         os.write(fd, data.encode('utf8'))
         os.close(fd)
         self._config_images_dir = images_dir
@@ -399,7 +421,10 @@ class DBTestCase(BaseTestCase):
         data = config.format(
             zookeeper_host=self.zookeeper_host,
             zookeeper_port=self.zookeeper_port,
-            zookeeper_chroot=self.zookeeper_chroot)
+            zookeeper_chroot=self.zookeeper_chroot,
+            zookeeper_ca=self.zookeeper_ca,
+            zookeeper_cert=self.zookeeper_cert,
+            zookeeper_key=self.zookeeper_key)
         os.write(fd, data.encode('utf8'))
         os.close(fd)
         return path
@@ -587,16 +612,26 @@ class DBTestCase(BaseTestCase):
         self.useFixture(f)
         self.zookeeper_host = f.zookeeper_host
         self.zookeeper_port = f.zookeeper_port
+        self.zookeeper_ca = f.zookeeper_ca
+        self.zookeeper_cert = f.zookeeper_cert
+        self.zookeeper_key = f.zookeeper_key
 
         kz_fxtr = self.useFixture(ChrootedKazooFixture(
             self.zookeeper_host,
-            self.zookeeper_port))
+            self.zookeeper_port,
+            self.zookeeper_ca,
+            self.zookeeper_cert,
+            self.zookeeper_key,
+        ))
         self.zookeeper_chroot = kz_fxtr.zookeeper_chroot
         self.zk = zk.ZooKeeper(enable_cache=False)
         host = zk.ZooKeeperConnectionConfig(
-            self.zookeeper_host, self.zookeeper_port, self.zookeeper_chroot
+            self.zookeeper_host, self.zookeeper_port, self.zookeeper_chroot,
         )
-        self.zk.connect([host])
+        self.zk.connect([host],
+                        tls_ca=self.zookeeper_ca,
+                        tls_cert=self.zookeeper_cert,
+                        tls_key=self.zookeeper_key)
         self.addCleanup(self.zk.disconnect)
 
     def printZKTree(self, node):
diff --git a/nodepool/tests/fixtures/azure.yaml b/nodepool/tests/fixtures/azure.yaml
index ccf03138a..c3f23663e 100644
--- a/nodepool/tests/fixtures/azure.yaml
+++ b/nodepool/tests/fixtures/azure.yaml
@@ -6,6 +6,11 @@ zookeeper-servers:
   - host: 127.0.0.1
     port: 2181
 
+zookeeper-tls:
+  ca: {zookeeper_ca}
+  cert: {zookeeper_cert}
+  key: {zookeeper_key}
+
 labels:
   - name: bionic
     min-ready: 1
diff --git a/nodepool/tests/fixtures/builder_2_diskimages.yaml b/nodepool/tests/fixtures/builder_2_diskimages.yaml
index 6e8539689..c79a2a367 100644
--- a/nodepool/tests/fixtures/builder_2_diskimages.yaml
+++ b/nodepool/tests/fixtures/builder_2_diskimages.yaml
@@ -8,6 +8,11 @@ zookeeper-servers:
     port: {zookeeper_port}
     chroot: {zookeeper_chroot}
 
+zookeeper-tls:
+  ca: {zookeeper_ca}
+  cert: {zookeeper_cert}
+  key: {zookeeper_key}
+
 labels:
   - name: fake-label1
   - name: fake-label2
diff --git a/nodepool/tests/fixtures/cleanup-port.yaml b/nodepool/tests/fixtures/cleanup-port.yaml
index f27a985f4..c48623d77 100644
--- a/nodepool/tests/fixtures/cleanup-port.yaml
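Review bot: azure.yaml keeps a literal `port: 2181` under `host: 127.0.0.1` while every other fixture in this change uses `{zookeeper_port}`, and the test server fixture now defaults to 2281 with the client forced to `use_ssl=True`; a test that loads this file against the test ZooKeeper would therefore aim TLS settings at the plaintext port, or at nothing at all. Unless azure.yaml is only parsed and never connected, make it `- host: {zookeeper_host}`, `port: {zookeeper_port}` and add `chroot: {zookeeper_chroot}` like the other fixtures. Which tests consume this file is not visible in the diff.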
+++ b/nodepool/tests/fixtures/cleanup-port.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/disabled_provider.yaml b/nodepool/tests/fixtures/disabled_provider.yaml index 53c978ae1..48d68d873 100644 --- a/nodepool/tests/fixtures/disabled_provider.yaml +++ b/nodepool/tests/fixtures/disabled_provider.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/diskimage_build_timeout.yaml b/nodepool/tests/fixtures/diskimage_build_timeout.yaml index b730a9451..48ba3d4f5 100644 --- a/nodepool/tests/fixtures/diskimage_build_timeout.yaml +++ b/nodepool/tests/fixtures/diskimage_build_timeout.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: [] providers: [] diff --git a/nodepool/tests/fixtures/external_driver.yaml b/nodepool/tests/fixtures/external_driver.yaml index 54c91a7b4..4d129708d 100644 --- a/nodepool/tests/fixtures/external_driver.yaml +++ b/nodepool/tests/fixtures/external_driver.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: test-label min-ready: 1 diff --git a/nodepool/tests/fixtures/functional/kubernetes/basic.yaml b/nodepool/tests/fixtures/functional/kubernetes/basic.yaml index 4013cfffe..f30554d0e 100644 --- a/nodepool/tests/fixtures/functional/kubernetes/basic.yaml +++ b/nodepool/tests/fixtures/functional/kubernetes/basic.yaml 
@@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: kubernetes-namespace min-ready: 1 diff --git a/nodepool/tests/fixtures/functional/openshift/basic.yaml b/nodepool/tests/fixtures/functional/openshift/basic.yaml index fec47b031..6a9dc5569 100644 --- a/nodepool/tests/fixtures/functional/openshift/basic.yaml +++ b/nodepool/tests/fixtures/functional/openshift/basic.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: openshift-project min-ready: 1 diff --git a/nodepool/tests/fixtures/functional/openshift/pods.yaml b/nodepool/tests/fixtures/functional/openshift/pods.yaml index 127803ba4..d44867b73 100644 --- a/nodepool/tests/fixtures/functional/openshift/pods.yaml +++ b/nodepool/tests/fixtures/functional/openshift/pods.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: openshift-pod min-ready: 1 diff --git a/nodepool/tests/fixtures/ignore_provider_quota_false.yaml b/nodepool/tests/fixtures/ignore_provider_quota_false.yaml index 190a76abe..0e9fe791c 100644 --- a/nodepool/tests/fixtures/ignore_provider_quota_false.yaml +++ b/nodepool/tests/fixtures/ignore_provider_quota_false.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/ignore_provider_quota_true.yaml b/nodepool/tests/fixtures/ignore_provider_quota_true.yaml index 3a73c7857..efea56443 100644 --- a/nodepool/tests/fixtures/ignore_provider_quota_true.yaml +++ b/nodepool/tests/fixtures/ignore_provider_quota_true.yaml 
@@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/info_cmd_two_provider.yaml b/nodepool/tests/fixtures/info_cmd_two_provider.yaml index 01a999792..e01d604e6 100644 --- a/nodepool/tests/fixtures/info_cmd_two_provider.yaml +++ b/nodepool/tests/fixtures/info_cmd_two_provider.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/info_cmd_two_provider_remove.yaml b/nodepool/tests/fixtures/info_cmd_two_provider_remove.yaml index 786dbfd4f..004fe5439 100644 --- a/nodepool/tests/fixtures/info_cmd_two_provider_remove.yaml +++ b/nodepool/tests/fixtures/info_cmd_two_provider_remove.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/integration_occ.yaml b/nodepool/tests/fixtures/integration_occ.yaml index e769c804e..996c63bad 100644 --- a/nodepool/tests/fixtures/integration_occ.yaml +++ b/nodepool/tests/fixtures/integration_occ.yaml @@ -6,6 +6,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/kubernetes.yaml b/nodepool/tests/fixtures/kubernetes.yaml index 579a7be6b..284ed7d52 100644 --- a/nodepool/tests/fixtures/kubernetes.yaml +++ b/nodepool/tests/fixtures/kubernetes.yaml 
@@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: pod-fedora - name: kubernetes-namespace diff --git a/nodepool/tests/fixtures/launcher_reg1.yaml b/nodepool/tests/fixtures/launcher_reg1.yaml index d2197c28f..8cef28169 100644 --- a/nodepool/tests/fixtures/launcher_reg1.yaml +++ b/nodepool/tests/fixtures/launcher_reg1.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/launcher_reg2.yaml b/nodepool/tests/fixtures/launcher_reg2.yaml index 6b1ce8673..2f383c104 100644 --- a/nodepool/tests/fixtures/launcher_reg2.yaml +++ b/nodepool/tests/fixtures/launcher_reg2.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/launcher_two_provider.yaml b/nodepool/tests/fixtures/launcher_two_provider.yaml index 9fabd0f5d..f846db94c 100644 --- a/nodepool/tests/fixtures/launcher_two_provider.yaml +++ b/nodepool/tests/fixtures/launcher_two_provider.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/launcher_two_provider_max_1.yaml b/nodepool/tests/fixtures/launcher_two_provider_max_1.yaml index 6cce26dc3..baacbe627 100644 --- a/nodepool/tests/fixtures/launcher_two_provider_max_1.yaml +++ b/nodepool/tests/fixtures/launcher_two_provider_max_1.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/launcher_two_provider_remove.yaml b/nodepool/tests/fixtures/launcher_two_provider_remove.yaml index 786dbfd4f..004fe5439 100644 --- a/nodepool/tests/fixtures/launcher_two_provider_remove.yaml +++ b/nodepool/tests/fixtures/launcher_two_provider_remove.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/leaked_node.yaml b/nodepool/tests/fixtures/leaked_node.yaml index 786dbfd4f..004fe5439 100644 --- a/nodepool/tests/fixtures/leaked_node.yaml +++ b/nodepool/tests/fixtures/leaked_node.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/leaked_node_nodepool_id.yaml b/nodepool/tests/fixtures/leaked_node_nodepool_id.yaml index 5ec2c36e3..814e25d7e 100644 --- a/nodepool/tests/fixtures/leaked_node_nodepool_id.yaml +++ b/nodepool/tests/fixtures/leaked_node_nodepool_id.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/multi_drivers.yaml b/nodepool/tests/fixtures/multi_drivers.yaml index 95be64461..1ca050c81 100644 --- a/nodepool/tests/fixtures/multi_drivers.yaml +++ b/nodepool/tests/fixtures/multi_drivers.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: test-label min-ready: 1 diff --git a/nodepool/tests/fixtures/multiple_pools.yaml b/nodepool/tests/fixtures/multiple_pools.yaml index 1a0e2df42..27d0bc10d 100644 --- a/nodepool/tests/fixtures/multiple_pools.yaml +++ b/nodepool/tests/fixtures/multiple_pools.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/multiproviders.yaml b/nodepool/tests/fixtures/multiproviders.yaml index 1f68825ef..88bad7275 100644 --- a/nodepool/tests/fixtures/multiproviders.yaml +++ b/nodepool/tests/fixtures/multiproviders.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-static-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node-host-key-checking.yaml b/nodepool/tests/fixtures/node-host-key-checking.yaml index bb0e5330d..6acbb72f3 100644 --- a/nodepool/tests/fixtures/node-host-key-checking.yaml +++ b/nodepool/tests/fixtures/node-host-key-checking.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node-network_cli.yaml b/nodepool/tests/fixtures/node-network_cli.yaml index d2c7eeba4..35a10c377 100644 --- a/nodepool/tests/fixtures/node-network_cli.yaml +++ b/nodepool/tests/fixtures/node-network_cli.yaml 
@@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node.yaml b/nodepool/tests/fixtures/node.yaml index 302c6d537..24bf3b998 100644 --- a/nodepool/tests/fixtures/node.yaml +++ b/nodepool/tests/fixtures/node.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_auto_floating_ip.yaml b/nodepool/tests/fixtures/node_auto_floating_ip.yaml index a0a062e3f..84051ed0f 100644 --- a/nodepool/tests/fixtures/node_auto_floating_ip.yaml +++ b/nodepool/tests/fixtures/node_auto_floating_ip.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_az.yaml b/nodepool/tests/fixtures/node_az.yaml index ce283301a..40b5222e0 100644 --- a/nodepool/tests/fixtures/node_az.yaml +++ b/nodepool/tests/fixtures/node_az.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_az_change.yaml b/nodepool/tests/fixtures/node_az_change.yaml index d268175cd..e787ebe0b 100644 --- a/nodepool/tests/fixtures/node_az_change.yaml +++ b/nodepool/tests/fixtures/node_az_change.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 
diff --git a/nodepool/tests/fixtures/node_boot_from_volume.yaml b/nodepool/tests/fixtures/node_boot_from_volume.yaml index e932b5d37..b50ddeacc 100644 --- a/nodepool/tests/fixtures/node_boot_from_volume.yaml +++ b/nodepool/tests/fixtures/node_boot_from_volume.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_cmd.yaml b/nodepool/tests/fixtures/node_cmd.yaml index 2a4c83b9e..08f8ab152 100644 --- a/nodepool/tests/fixtures/node_cmd.yaml +++ b/nodepool/tests/fixtures/node_cmd.yaml @@ -6,6 +6,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_delete_error.yaml b/nodepool/tests/fixtures/node_delete_error.yaml index a5a76e479..5cfff7e5f 100644 --- a/nodepool/tests/fixtures/node_delete_error.yaml +++ b/nodepool/tests/fixtures/node_delete_error.yaml @@ -8,6 +8,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_disabled_label.yaml b/nodepool/tests/fixtures/node_disabled_label.yaml index d51c5134f..e7316a124 100644 --- a/nodepool/tests/fixtures/node_disabled_label.yaml +++ b/nodepool/tests/fixtures/node_disabled_label.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_diskimage_fail.yaml b/nodepool/tests/fixtures/node_diskimage_fail.yaml index 17550b548..8f412493f 100644 
--- a/nodepool/tests/fixtures/node_diskimage_fail.yaml +++ b/nodepool/tests/fixtures/node_diskimage_fail.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_diskimage_formats.yaml b/nodepool/tests/fixtures/node_diskimage_formats.yaml index ebd4ff356..bfcc28d4c 100644 --- a/nodepool/tests/fixtures/node_diskimage_formats.yaml +++ b/nodepool/tests/fixtures/node_diskimage_formats.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label-default-format min-ready: 1 diff --git a/nodepool/tests/fixtures/node_diskimage_only.yaml b/nodepool/tests/fixtures/node_diskimage_only.yaml index 1155ac12b..f1e79791d 100644 --- a/nodepool/tests/fixtures/node_diskimage_only.yaml +++ b/nodepool/tests/fixtures/node_diskimage_only.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: [] providers: [] diff --git a/nodepool/tests/fixtures/node_diskimage_parents.yaml b/nodepool/tests/fixtures/node_diskimage_parents.yaml index c9471313f..0f647f035 100644 --- a/nodepool/tests/fixtures/node_diskimage_parents.yaml +++ b/nodepool/tests/fixtures/node_diskimage_parents.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-image-parent-1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_diskimage_pause.yaml b/nodepool/tests/fixtures/node_diskimage_pause.yaml index 55a60394b..8628b2d03 100644 --- a/nodepool/tests/fixtures/node_diskimage_pause.yaml 
+++ b/nodepool/tests/fixtures/node_diskimage_pause.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_flavor_name.yaml b/nodepool/tests/fixtures/node_flavor_name.yaml index 4260aba19..1f0f5866c 100644 --- a/nodepool/tests/fixtures/node_flavor_name.yaml +++ b/nodepool/tests/fixtures/node_flavor_name.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_image_upload_pause.yaml b/nodepool/tests/fixtures/node_image_upload_pause.yaml index 6f60bb0d4..55e0b7b59 100644 --- a/nodepool/tests/fixtures/node_image_upload_pause.yaml +++ b/nodepool/tests/fixtures/node_image_upload_pause.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_ipv6.yaml b/nodepool/tests/fixtures/node_ipv6.yaml index 93f7ccb0e..a2d060b82 100644 --- a/nodepool/tests/fixtures/node_ipv6.yaml +++ b/nodepool/tests/fixtures/node_ipv6.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_label_provider.yaml b/nodepool/tests/fixtures/node_label_provider.yaml index 546dfc6b6..623f2c5bb 100644 --- a/nodepool/tests/fixtures/node_label_provider.yaml +++ b/nodepool/tests/fixtures/node_label_provider.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_launch_retry.yaml b/nodepool/tests/fixtures/node_launch_retry.yaml index e42186cfe..4f0f71d49 100644 --- a/nodepool/tests/fixtures/node_launch_retry.yaml +++ b/nodepool/tests/fixtures/node_launch_retry.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_lost_requests.yaml b/nodepool/tests/fixtures/node_lost_requests.yaml index 7f75ab49d..d71af292e 100644 --- a/nodepool/tests/fixtures/node_lost_requests.yaml +++ b/nodepool/tests/fixtures/node_lost_requests.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_many_labels.yaml b/nodepool/tests/fixtures/node_many_labels.yaml index 8903bce15..c7e1a3bf2 100644 --- a/nodepool/tests/fixtures/node_many_labels.yaml +++ b/nodepool/tests/fixtures/node_many_labels.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_max_hold_age.yaml b/nodepool/tests/fixtures/node_max_hold_age.yaml index 0e08b51ff..31f3817b2 100644 --- a/nodepool/tests/fixtures/node_max_hold_age.yaml +++ b/nodepool/tests/fixtures/node_max_hold_age.yaml 
@@ -9,6 +9,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_max_hold_age_2.yaml b/nodepool/tests/fixtures/node_max_hold_age_2.yaml index 14fbf4b0d..7deb8ad18 100644 --- a/nodepool/tests/fixtures/node_max_hold_age_2.yaml +++ b/nodepool/tests/fixtures/node_max_hold_age_2.yaml @@ -9,6 +9,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 2 diff --git a/nodepool/tests/fixtures/node_max_hold_age_no_default.yaml b/nodepool/tests/fixtures/node_max_hold_age_no_default.yaml index 0ebef162d..b1b922f44 100644 --- a/nodepool/tests/fixtures/node_max_hold_age_no_default.yaml +++ b/nodepool/tests/fixtures/node_max_hold_age_no_default.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_max_ready_age.yaml b/nodepool/tests/fixtures/node_max_ready_age.yaml index 790b3c5e5..3937a4bbd 100644 --- a/nodepool/tests/fixtures/node_max_ready_age.yaml +++ b/nodepool/tests/fixtures/node_max_ready_age.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label max-ready-age: 2 diff --git a/nodepool/tests/fixtures/node_min_ready_capacity.yaml b/nodepool/tests/fixtures/node_min_ready_capacity.yaml index 8eb3e86d3..e949f6e7b 100644 --- a/nodepool/tests/fixtures/node_min_ready_capacity.yaml +++ b/nodepool/tests/fixtures/node_min_ready_capacity.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_net_name.yaml b/nodepool/tests/fixtures/node_net_name.yaml index 8b08f3c4a..31cc986a5 100644 --- a/nodepool/tests/fixtures/node_net_name.yaml +++ b/nodepool/tests/fixtures/node_net_name.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/fixtures/node_no_min_ready.yaml b/nodepool/tests/fixtures/node_no_min_ready.yaml index e5d19c0b2..d9e7e37de 100644 --- a/nodepool/tests/fixtures/node_no_min_ready.yaml +++ b/nodepool/tests/fixtures/node_no_min_ready.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_quota_cloud.yaml b/nodepool/tests/fixtures/node_quota_cloud.yaml index 8605319ca..15f29dc25 100644 --- a/nodepool/tests/fixtures/node_quota_cloud.yaml +++ b/nodepool/tests/fixtures/node_quota_cloud.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_quota_pool_cores.yaml b/nodepool/tests/fixtures/node_quota_pool_cores.yaml index 9af51cda2..420045c33 100644 --- a/nodepool/tests/fixtures/node_quota_pool_cores.yaml +++ b/nodepool/tests/fixtures/node_quota_pool_cores.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_quota_pool_instances.yaml b/nodepool/tests/fixtures/node_quota_pool_instances.yaml index d96c283b8..62886a54c 100644 --- a/nodepool/tests/fixtures/node_quota_pool_instances.yaml +++ b/nodepool/tests/fixtures/node_quota_pool_instances.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_quota_pool_ram.yaml b/nodepool/tests/fixtures/node_quota_pool_ram.yaml index 77ddef5a0..a4d940b73 100644 --- a/nodepool/tests/fixtures/node_quota_pool_ram.yaml +++ b/nodepool/tests/fixtures/node_quota_pool_ram.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_second_provider.yaml b/nodepool/tests/fixtures/node_second_provider.yaml index 51cb66d25..c8c274ff9 100644 --- a/nodepool/tests/fixtures/node_second_provider.yaml +++ b/nodepool/tests/fixtures/node_second_provider.yaml @@ -6,6 +6,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_security_group.yaml b/nodepool/tests/fixtures/node_security_group.yaml index 2f9f97fba..01fa64ed8 100644 --- a/nodepool/tests/fixtures/node_security_group.yaml +++ b/nodepool/tests/fixtures/node_security_group.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_two_image.yaml b/nodepool/tests/fixtures/node_two_image.yaml index d07c37ee0..bd3c0716e 100644 --- a/nodepool/tests/fixtures/node_two_image.yaml +++ b/nodepool/tests/fixtures/node_two_image.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_two_image_remove.yaml b/nodepool/tests/fixtures/node_two_image_remove.yaml index 786dbfd4f..004fe5439 100644 --- a/nodepool/tests/fixtures/node_two_image_remove.yaml +++ b/nodepool/tests/fixtures/node_two_image_remove.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_two_provider.yaml b/nodepool/tests/fixtures/node_two_provider.yaml index 9fabd0f5d..f846db94c 100644 --- a/nodepool/tests/fixtures/node_two_provider.yaml +++ b/nodepool/tests/fixtures/node_two_provider.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_two_provider_remove.yaml b/nodepool/tests/fixtures/node_two_provider_remove.yaml index 97a98f6ac..3a02bec39 100644 --- a/nodepool/tests/fixtures/node_two_provider_remove.yaml +++ b/nodepool/tests/fixtures/node_two_provider_remove.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_unmanaged_image.yaml b/nodepool/tests/fixtures/node_unmanaged_image.yaml index eb7f4e768..478652008 100644 --- a/nodepool/tests/fixtures/node_unmanaged_image.yaml +++ b/nodepool/tests/fixtures/node_unmanaged_image.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_upload_fail.yaml b/nodepool/tests/fixtures/node_upload_fail.yaml index 9ba5ff2b5..ee4bd4a96 100644 --- a/nodepool/tests/fixtures/node_upload_fail.yaml +++ b/nodepool/tests/fixtures/node_upload_fail.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 2 diff --git a/nodepool/tests/fixtures/node_upload_hook.yaml b/nodepool/tests/fixtures/node_upload_hook.yaml index dcb4a8bf8..d898c7b1c 100644 --- a/nodepool/tests/fixtures/node_upload_hook.yaml +++ b/nodepool/tests/fixtures/node_upload_hook.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/node_vhd.yaml b/nodepool/tests/fixtures/node_vhd.yaml index 3326c88f1..4d7e72fcb 100644 --- a/nodepool/tests/fixtures/node_vhd.yaml +++ b/nodepool/tests/fixtures/node_vhd.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/node_vhd_and_qcow2.yaml b/nodepool/tests/fixtures/node_vhd_and_qcow2.yaml index 782acdf68..ef3454f59 100644 --- a/nodepool/tests/fixtures/node_vhd_and_qcow2.yaml +++ b/nodepool/tests/fixtures/node_vhd_and_qcow2.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 2 diff --git a/nodepool/tests/fixtures/openshift.yaml b/nodepool/tests/fixtures/openshift.yaml index 203bd983d..d48f8c2df 100644 --- a/nodepool/tests/fixtures/openshift.yaml +++ b/nodepool/tests/fixtures/openshift.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: pod-fedora - name: openshift-project diff --git a/nodepool/tests/fixtures/openshiftpods.yaml b/nodepool/tests/fixtures/openshiftpods.yaml index ffbc8ccd3..f99724b39 100644 --- a/nodepool/tests/fixtures/openshiftpods.yaml +++ b/nodepool/tests/fixtures/openshiftpods.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: pod-fedora diff --git a/nodepool/tests/fixtures/pause_declined_1.yaml b/nodepool/tests/fixtures/pause_declined_1.yaml index dc517ab02..5f85ee484 100644 --- a/nodepool/tests/fixtures/pause_declined_1.yaml +++ b/nodepool/tests/fixtures/pause_declined_1.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/pause_declined_2.yaml b/nodepool/tests/fixtures/pause_declined_2.yaml index 8eb3e86d3..e949f6e7b 100644 --- a/nodepool/tests/fixtures/pause_declined_2.yaml +++ b/nodepool/tests/fixtures/pause_declined_2.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 0 diff --git a/nodepool/tests/fixtures/secure_file_secure.yaml b/nodepool/tests/fixtures/secure_file_secure.yaml index 3d1d26e91..70af6c8d2 100644 --- a/nodepool/tests/fixtures/secure_file_secure.yaml +++ b/nodepool/tests/fixtures/secure_file_secure.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + diskimages: - name: fake-image env-vars: diff --git a/nodepool/tests/fixtures/static-2-nodes-multilabel.yaml b/nodepool/tests/fixtures/static-2-nodes-multilabel.yaml index 4256b1536..48e551129 100644 --- a/nodepool/tests/fixtures/static-2-nodes-multilabel.yaml +++ b/nodepool/tests/fixtures/static-2-nodes-multilabel.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label - name: fake-label2 diff --git a/nodepool/tests/fixtures/static-2-nodes.yaml b/nodepool/tests/fixtures/static-2-nodes.yaml index b7c10e035..35f5724c9 100644 --- a/nodepool/tests/fixtures/static-2-nodes.yaml +++ b/nodepool/tests/fixtures/static-2-nodes.yaml 
@@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-basic.yaml b/nodepool/tests/fixtures/static-basic.yaml index 12cc58c3f..f21ee6d53 100644 --- a/nodepool/tests/fixtures/static-basic.yaml +++ b/nodepool/tests/fixtures/static-basic.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-multilabel.yaml b/nodepool/tests/fixtures/static-multilabel.yaml index ca74d2309..1463ccabb 100644 --- a/nodepool/tests/fixtures/static-multilabel.yaml +++ b/nodepool/tests/fixtures/static-multilabel.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label - name: fake-label2 diff --git a/nodepool/tests/fixtures/static-multiname.yaml b/nodepool/tests/fixtures/static-multiname.yaml index 3b7eb5a39..3b61db034 100644 --- a/nodepool/tests/fixtures/static-multiname.yaml +++ b/nodepool/tests/fixtures/static-multiname.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label - name: other-label diff --git a/nodepool/tests/fixtures/static-no-check.yaml b/nodepool/tests/fixtures/static-no-check.yaml index 222c9ea6d..82a5db08f 100644 --- a/nodepool/tests/fixtures/static-no-check.yaml +++ b/nodepool/tests/fixtures/static-no-check.yaml 
@@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-parallel-increase.yaml b/nodepool/tests/fixtures/static-parallel-increase.yaml index 01b64c1e1..7a07c27a3 100644 --- a/nodepool/tests/fixtures/static-parallel-increase.yaml +++ b/nodepool/tests/fixtures/static-parallel-increase.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-python-path.yaml b/nodepool/tests/fixtures/static-python-path.yaml index d94404e4d..2e8f636f6 100644 --- a/nodepool/tests/fixtures/static-python-path.yaml +++ b/nodepool/tests/fixtures/static-python-path.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-unresolvable.yaml b/nodepool/tests/fixtures/static-unresolvable.yaml index f459b7b8e..5387fdb2d 100644 --- a/nodepool/tests/fixtures/static-unresolvable.yaml +++ b/nodepool/tests/fixtures/static-unresolvable.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label diff --git a/nodepool/tests/fixtures/static-update.yaml b/nodepool/tests/fixtures/static-update.yaml index de5a4a693..d3cc4fe5f 100644 --- a/nodepool/tests/fixtures/static-update.yaml +++ b/nodepool/tests/fixtures/static-update.yaml 
@@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label - name: fake-label2 diff --git a/nodepool/tests/fixtures/static.yaml b/nodepool/tests/fixtures/static.yaml index c9ce38392..42a3605e7 100644 --- a/nodepool/tests/fixtures/static.yaml +++ b/nodepool/tests/fixtures/static.yaml @@ -3,6 +3,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label - name: fake-label2 diff --git a/nodepool/tests/fixtures/unmanaged_image_provider_id.yaml b/nodepool/tests/fixtures/unmanaged_image_provider_id.yaml index 4d27583ed..de80d24da 100644 --- a/nodepool/tests/fixtures/unmanaged_image_provider_id.yaml +++ b/nodepool/tests/fixtures/unmanaged_image_provider_id.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/unmanaged_image_provider_name.yaml b/nodepool/tests/fixtures/unmanaged_image_provider_name.yaml index a5100a02f..c88af927b 100644 --- a/nodepool/tests/fixtures/unmanaged_image_provider_name.yaml +++ b/nodepool/tests/fixtures/unmanaged_image_provider_name.yaml @@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label min-ready: 1 diff --git a/nodepool/tests/fixtures/wedge_test.yaml b/nodepool/tests/fixtures/wedge_test.yaml index 87620b99f..838a36988 100644 --- a/nodepool/tests/fixtures/wedge_test.yaml +++ b/nodepool/tests/fixtures/wedge_test.yaml 
@@ -7,6 +7,11 @@ zookeeper-servers: port: {zookeeper_port} chroot: {zookeeper_chroot} +zookeeper-tls: + ca: {zookeeper_ca} + cert: {zookeeper_cert} + key: {zookeeper_key} + labels: - name: fake-label1 min-ready: 1 diff --git a/nodepool/tests/unit/test_driver_aws.py b/nodepool/tests/unit/test_driver_aws.py index 511e4d49f..9343a6b3b 100644 --- a/nodepool/tests/unit/test_driver_aws.py +++ b/nodepool/tests/unit/test_driver_aws.py @@ -80,6 +80,11 @@ class TestDriverAws(tests.DBTestCase): 'port': self.zookeeper_port, 'chroot': self.zookeeper_chroot, } + raw_config['zookeeper-tls'] = { + 'ca': self.zookeeper_ca, + 'cert': self.zookeeper_cert, + 'key': self.zookeeper_key, + } raw_config['providers'][0]['pools'][0]['subnet-id'] = subnet_id raw_config['providers'][0]['pools'][0]['security-group-id'] = sg_id raw_config['providers'][0]['pools'][1]['subnet-id'] = subnet_id diff --git a/nodepool/tests/unit/test_driver_azure.py b/nodepool/tests/unit/test_driver_azure.py index f542dd738..4c9b73224 100644 --- a/nodepool/tests/unit/test_driver_azure.py +++ b/nodepool/tests/unit/test_driver_azure.py @@ -169,6 +169,11 @@ class TestDriverAzure(tests.DBTestCase): 'port': self.zookeeper_port, 'chroot': self.zookeeper_chroot, } + raw_config['zookeeper-tls'] = { + 'ca': self.zookeeper_ca, + 'cert': self.zookeeper_cert, + 'key': self.zookeeper_key, + } with tempfile.NamedTemporaryFile() as tf: tf.write(yaml.safe_dump( raw_config, default_flow_style=False).encode('utf-8')) diff --git a/nodepool/tests/unit/test_driver_gce.py b/nodepool/tests/unit/test_driver_gce.py index 1e3933b9a..894d8211a 100644 --- a/nodepool/tests/unit/test_driver_gce.py +++ b/nodepool/tests/unit/test_driver_gce.py 
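Review bot: The `zookeeper-tls` dict built inline in the test_driver_aws hunk is repeated verbatim in the test_driver_azure hunk on this line and the test_driver_gce hunk that follows, each reading the same three fixture attributes. A small helper on the shared base class, e.g. `def getZooKeeperTlsConfig(self): return {'ca': self.zookeeper_ca, 'cert': self.zookeeper_cert, 'key': self.zookeeper_key}`, would keep the three tests in step when the fixture attributes or the config key names change. The enclosing test methods start and end outside these hunks.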
@@ -248,6 +248,11 @@ class TestDriverGce(tests.DBTestCase): 'port': self.zookeeper_port, 'chroot': self.zookeeper_chroot, } + raw_config['zookeeper-tls'] = { + 'ca': self.zookeeper_ca, + 'cert': self.zookeeper_cert, + 'key': self.zookeeper_key, + } with tempfile.NamedTemporaryFile() as tf: tf.write(yaml.safe_dump( diff --git a/nodepool/zk.py b/nodepool/zk.py index 5fb358a10..f59e63ee7 100644 --- a/nodepool/zk.py +++ b/nodepool/zk.py @@ -983,11 +983,16 @@ class ZooKeeper(object): hosts = buildZooKeeperHosts(host_list) args = dict(hosts=hosts, read_only=read_only) - if tls_key: - args['use_ssl'] = True - args['keyfile'] = tls_key - args['certfile'] = tls_cert - args['ca'] = tls_ca + + args['use_ssl'] = True + if not (tls_key and tls_cert and tls_ca): + raise Exception("A TLS ZooKeeper connection is required; " + "please supply the zookeeper-tls " + "config values.") + + args['keyfile'] = tls_key + args['certfile'] = tls_cert + args['ca'] = tls_ca self.client = KazooClient(**args) self.client.add_listener(self._connection_listener) # Manually retry initial connection attempt diff --git a/playbooks/nodepool-functional-container-openstack/pre.yaml b/playbooks/nodepool-functional-container-openstack/pre.yaml index 7d0d9bc09..84d026e3c 100644 --- a/playbooks/nodepool-functional-container-openstack/pre.yaml +++ b/playbooks/nodepool-functional-container-openstack/pre.yaml @@ -5,6 +5,8 @@ bindep_dir: "{{ zuul.projects['opendev.org/zuul/nodepool'].src_dir }}" - role: test-setup zuul_work_dir: "{{ zuul.projects['opendev.org/zuul/nodepool'].src_dir }}" + - role: ensure-zookeeper + zookeeper_use_tls: true - ensure-docker # Note: keep after ensure-docker - use-buildset-registry diff --git a/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2 b/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2 index dc6ee75c6..7477ba9dd 100644 --- a/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2 
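Review bot: The new mandatory-TLS check in the ZooKeeper class raises a bare `Exception`, which callers can only distinguish from the kazoo connection failures raised a few lines later by catching everything; a narrower type, `raise ValueError("A TLS ZooKeeper connection is required; please supply the zookeeper-tls config values.")` (or the project's own configuration error class, if one exists), keeps a misconfiguration separable from a network fault. The check also only rejects empty values, so a path to a missing or unreadable file is handed straight to KazooClient and surfaces as a less specific error at connect time; an existence check on each path, or at least naming which of ca/cert/key is absent in the message, would give operators a clearer failure. Since TLS is now required, the method's signature and docstring (outside this hunk) should no longer present tls_key, tls_cert and tls_ca as optional, and the `args['use_ssl'] = True` assignment could sit after the check so nothing is built for a request that is about to be rejected. The enclosing method starts and ends outside the hunk.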
+++ b/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2 @@ -23,6 +23,8 @@ services: - /var/log/nodepool:/var/log/nodepool # devstack tls-proxy puts CA here that is referenced by cloud config - /opt/stack/data:/opt/stack/data:ro + # zookeeper certs + - /opt/zookeeper/ca:/opt/zookeeper/ca:ro nodepool-launcher: image: zuul/nodepool-launcher{{ nodepool_container_tag|default('') }} @@ -41,3 +43,5 @@ services: - /var/log/nodepool:/var/log/nodepool # devstack tls-proxy puts CA here that is referenced by cloud config - /opt/stack/data:/opt/stack/data:ro + # zookeeper certs + - /opt/zookeeper/ca:/opt/zookeeper/ca:ro diff --git a/playbooks/nodepool-functional-container-openstack/templates/nodepool.yaml.j2 b/playbooks/nodepool-functional-container-openstack/templates/nodepool.yaml.j2 index adcf98988..ba020c995 100644 --- a/playbooks/nodepool-functional-container-openstack/templates/nodepool.yaml.j2 +++ b/playbooks/nodepool-functional-container-openstack/templates/nodepool.yaml.j2 @@ -3,7 +3,12 @@ images-dir: {{ NODEPOOL_DIB_BASE_PATH }}/images zookeeper-servers: - host: localhost - port: 2181 + port: 2281 + +zookeeper-tls: + ca: /opt/zookeeper/ca/certs/cacert.pem + cert: /opt/zookeeper/ca/certs/client.pem + key: /opt/zookeeper/ca/keys/clientkey.pem labels: - name: test-image diff --git a/playbooks/nodepool-functional-k8s/pre.yaml b/playbooks/nodepool-functional-k8s/pre.yaml index 54e4ee98c..26e14d8fe 100644 --- a/playbooks/nodepool-functional-k8s/pre.yaml +++ b/playbooks/nodepool-functional-k8s/pre.yaml @@ -1,6 +1,8 @@ - hosts: all roles: - role: bindep + - role: ensure-zookeeper + zookeeper_use_tls: true - role: ensure-tox - role: ensure-kubernetes docker_version: 18.06.1~ce~3-0~ubuntu diff --git a/playbooks/nodepool-functional-k8s/run.yaml b/playbooks/nodepool-functional-k8s/run.yaml index 5c5dcc9de..78d0c329d 100644 --- a/playbooks/nodepool-functional-k8s/run.yaml +++ b/playbooks/nodepool-functional-k8s/run.yaml 
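Review bot: Both services in this template mount the whole `/opt/zookeeper/ca` tree, while the nodepool.yaml.j2 template in this same line only references `certs/cacert.pem`, `certs/client.pem` and `keys/clientkey.pem`; if the CA's own signing key is generated into the same tree (the generator is outside this view, so I cannot confirm), it becomes readable inside both containers as well. Mounting just the `certs` and `keys` paths the client needs, still `:ro`, keeps the containers' view to the client material, and the same applies to the second hunk of this file. The `# zookeeper certs` comment could also say that the key directory is included, e.g. `# zookeeper client cert, key and CA`, so the mount's scope is obvious to the next reader.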
@@ -2,3 +2,7 @@ roles: - role: tox tox_envlist: functional_kubernetes + tox_environment: + NODEPOOL_ZK_CA: /opt/zookeeper/ca/certs/cacert.pem + NODEPOOL_ZK_CERT: /opt/zookeeper/ca/certs/client.pem + NODEPOOL_ZK_KEY: /opt/zookeeper/ca/keys/clientkey.pem diff --git a/playbooks/nodepool-functional-openshift/pre.yaml b/playbooks/nodepool-functional-openshift/pre.yaml index 10e8386ee..3ac3cc323 100644 --- a/playbooks/nodepool-functional-openshift/pre.yaml +++ b/playbooks/nodepool-functional-openshift/pre.yaml @@ -12,6 +12,8 @@ - hosts: launcher roles: - role: bindep + - role: ensure-zookeeper + zookeeper_use_tls: true - role: ensure-tox tasks: - name: Ensure oc client is installed diff --git a/playbooks/nodepool-functional-openshift/run.yaml b/playbooks/nodepool-functional-openshift/run.yaml index 05abc6412..500d93ae2 100644 --- a/playbooks/nodepool-functional-openshift/run.yaml +++ b/playbooks/nodepool-functional-openshift/run.yaml @@ -9,6 +9,9 @@ oc login -u developer -p developer --insecure-skip-tls-verify=true https://{{ hostvars['cluster']['ansible_hostname'] }}:8443 roles: - - role: ensure-zookeeper - role: tox tox_envlist: functional_openshift + tox_environment: + NODEPOOL_ZK_CA: /opt/zookeeper/ca/certs/cacert.pem + NODEPOOL_ZK_CERT: /opt/zookeeper/ca/certs/client.pem + NODEPOOL_ZK_KEY: /opt/zookeeper/ca/keys/clientkey.pem diff --git a/playbooks/nodepool-functional-openstack/pre.yaml b/playbooks/nodepool-functional-openstack/pre.yaml index 35808b136..6cc393969 100644 --- a/playbooks/nodepool-functional-openstack/pre.yaml +++ b/playbooks/nodepool-functional-openstack/pre.yaml @@ -4,6 +4,8 @@ bindep_dir: "{{ zuul.projects['opendev.org/zuul/nodepool'].src_dir }}" - role: test-setup zuul_work_dir: "{{ zuul.projects['opendev.org/zuul/nodepool'].src_dir }}" + - role: ensure-zookeeper + zookeeper_use_tls: true - ensure-devstack - ensure-virtualenv tasks: 
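Review bot: The three `NODEPOOL_ZK_*` paths are written out literally in the k8s run.yaml hunk here and again in the openshift run.yaml hunk on this line, and the same files are named once more in the nodepool.yaml.j2 templates; defining them once as a playbook variable that each `tox_environment` references would avoid the four copies drifting if ensure-zookeeper's output location changes. The openshift run.yaml hunk also moves `ensure-zookeeper` out of the run phase, which matches the pre.yaml additions, so a one-line comment next to the role in pre.yaml such as `# TLS ZooKeeper must be up before tox runs` would explain why it now lives there.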
diff --git a/playbooks/nodepool-functional-openstack/templates/nodepool.yaml.j2 b/playbooks/nodepool-functional-openstack/templates/nodepool.yaml.j2 index 78131a446..b68d5f382 100644 --- a/playbooks/nodepool-functional-openstack/templates/nodepool.yaml.j2 +++ b/playbooks/nodepool-functional-openstack/templates/nodepool.yaml.j2 @@ -3,7 +3,12 @@ images-dir: {{ NODEPOOL_DIB_BASE_PATH }}/images zookeeper-servers: - host: localhost - port: 2181 + port: 2281 + +zookeeper-tls: + ca: /opt/zookeeper/ca/certs/cacert.pem + cert: /opt/zookeeper/ca/certs/client.pem + key: /opt/zookeeper/ca/keys/clientkey.pem labels: - name: test-image diff --git a/playbooks/nodepool-tox/pre.yaml b/playbooks/nodepool-tox/pre.yaml new file mode 100644 index 000000000..45d213e97 --- /dev/null +++ b/playbooks/nodepool-tox/pre.yaml @@ -0,0 +1,4 @@ +- hosts: all + roles: + - role: ensure-zookeeper + zookeeper_use_tls: true diff --git a/releasenotes/notes/4-0-0-0d1d67a55c34acff.yaml b/releasenotes/notes/4-0-0-0d1d67a55c34acff.yaml index 66b1357f3..38e6187f0 100644 --- a/releasenotes/notes/4-0-0-0d1d67a55c34acff.yaml +++ b/releasenotes/notes/4-0-0-0d1d67a55c34acff.yaml @@ -1,7 +1,6 @@ --- -prelude: > - The 4.0.0 release of Nodepool is not substantially different than - 3.14 and is compatible with Zuul versions 3.19 and 4.0. Nodepool - and Zuul versions are not generally synchronized, but we elected - to increase the Nodepool major version to match the 4.0 release of - Zuul for clarity. +upgrade: + - | + TLS is now required for ZooKeeper connections. TLS support has + been optional since version 3.13. If you have not already enabled + it, we recommend enabling it before upgrading to 4.0. diff --git a/tools/docker-compose.yaml b/tools/docker-compose.yaml new file mode 100644 index 000000000..a594c471a --- /dev/null +++ b/tools/docker-compose.yaml 
@@ -0,0 +1,14 @@
+version: "3"
+
+services:
+ zookeeper:
+ container_name: nodepool-test-zookeeper
+ image: zookeeper
+ ports:
+ - "2281:2281"
+ tmpfs:
+ - /data
+ - /datalog
+ volumes:
+ - "./ca:/var/certs:z"
+ - "./zoo.cfg:/conf/zoo.cfg:z"
diff --git a/tools/openssl.cnf b/tools/openssl.cnf
new file mode 100644
index 000000000..7d1a8bb6e
--- /dev/null
+++ b/tools/openssl.cnf
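Review bot: The test ZooKeeper publishes `"2281:2281"` on every host interface and pulls the untagged `zookeeper` image; for a local/CI-only service, `- "127.0.0.1:2281:2281"` limits exposure to loopback, and pinning an image tag keeps the TLS-only behaviour and the mounted `zoo.cfg` reproducible across runs. The `./ca` mount is writable from inside the container; if the CA private key is generated into `./ca` (the generator script is outside this view), changing it to `- "./ca:/var/certs:ro,z"` stops the container from altering the material the tests trust. A short header comment stating that this compose file only backs the unit tests, and which script populates `./ca`, would also help.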
@@ -0,0 +1,352 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. 
+ +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. 
+[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. 
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
deleted file mode 100755
index 092ea846a..000000000
--- a/tools/test-setup.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash -xe
-
-# This script will be run by OpenStack CI before unit tests are run,
-# it sets up the test system as needed.
-# Developers should setup their test systems in a similar way.
-
-# This setup needs to be run as a user that can run sudo.
-
-# Config Zookeeper to run on tmpfs
-sudo service zookeeper stop
-DATADIR=$(sed -n -e 's/^dataDir=//p' /etc/zookeeper/conf/zoo.cfg)
-sudo mount -t tmpfs -o nodev,nosuid,size=500M none $DATADIR
-sudo service zookeeper start
diff --git a/tools/zk-ca.sh b/tools/zk-ca.sh
new file mode 100755
index 000000000..4cd72cac6
--- /dev/null
+++ b/tools/zk-ca.sh
@@ -0,0 +1,104 @@
+#!/bin/sh -e
+
+# Copyright 2020 Red Hat, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Manage a CA for Zookeeper
+
+CAROOT=$1
+SERVER=$2
+
+SUBJECT='/C=US/ST=California/L=Oakland/O=Company Name/OU=Org'
+TOOLSDIR=$(dirname $0)
+ABSTOOLSDIR=$(cd $TOOLSDIR ;pwd)
+CONFIG="-config $ABSTOOLSDIR/openssl.cnf"
+
+make_ca() {
+ mkdir $CAROOT/demoCA
+ mkdir $CAROOT/demoCA/reqs
+ mkdir $CAROOT/demoCA/newcerts
+ mkdir $CAROOT/demoCA/crl
+ mkdir $CAROOT/demoCA/private
+ chmod 700 $CAROOT/demoCA/private
+ touch $CAROOT/demoCA/index.txt
+ touch $CAROOT/demoCA/index.txt.attr
+ mkdir $CAROOT/certs
+ mkdir $CAROOT/keys
+ mkdir $CAROOT/keystores
+ chmod 700 $CAROOT/keys
+ chmod 700 $CAROOT/keystores
+
+ openssl req $CONFIG -new -nodes -subj "$SUBJECT/CN=caroot" \
+ -keyout $CAROOT/demoCA/private/cakey.pem \
+ -out $CAROOT/demoCA/reqs/careq.pem
+ openssl ca $CONFIG -create_serial -days 3560 -batch -selfsign -extensions v3_ca \
+ -out $CAROOT/demoCA/cacert.pem \
+ -keyfile $CAROOT/demoCA/private/cakey.pem \
+ -infiles $CAROOT/demoCA/reqs/careq.pem
+ cp $CAROOT/demoCA/cacert.pem $CAROOT/certs
+}
+
+make_client() {
+ openssl req $CONFIG -new -nodes -subj "$SUBJECT/CN=client" \
+ -keyout $CAROOT/keys/clientkey.pem \
+ -out $CAROOT/demoCA/reqs/clientreq.pem
+ openssl ca $CONFIG -batch -policy policy_anything -days 3560 \
+ -out $CAROOT/certs/client.pem \
+ -infiles $CAROOT/demoCA/reqs/clientreq.pem
+}
+
+make_server() {
+ openssl req $CONFIG -new -nodes -subj 
"$SUBJECT/CN=$SERVER" \ + -keyout $CAROOT/keys/${SERVER}key.pem \ + -out $CAROOT/demoCA/reqs/${SERVER}req.pem + openssl ca $CONFIG -batch -policy policy_anything -days 3560 \ + -out $CAROOT/certs/$SERVER.pem \ + -infiles $CAROOT/demoCA/reqs/${SERVER}req.pem + cat $CAROOT/certs/$SERVER.pem $CAROOT/keys/${SERVER}key.pem \ + > $CAROOT/keystores/$SERVER.pem +} + +help() { + echo "$0 CAROOT [SERVER]" + echo + echo " CAROOT is the path to a directory in which to store the CA" + echo " and certificates." + echo " SERVER is the FQDN of a server for which a certificate should" + echo " be generated" +} + +if [ ! -d "$CAROOT" ]; then + echo "CAROOT must be a directory" + help + exit 1 +fi + +cd $CAROOT +CAROOT=`pwd` + +if [ ! -d "$CAROOT/demoCA" ]; then + echo 'Generate CA' + make_ca + echo 'Generate client certificate' + make_client +fi + +if [ -f "$CAROOT/certs/$SERVER.pem" ]; then + echo "Certificate for $SERVER already exists" + exit 0 +fi + +if [ "$SERVER" != "" ]; then + make_server +fi diff --git a/tools/zoo.cfg b/tools/zoo.cfg new file mode 100644 index 000000000..a30275790 --- /dev/null +++ b/tools/zoo.cfg @@ -0,0 +1,16 @@ +# zoo.cfg for use in test-setup.sh +dataDir=/data +dataLogDir=/datalog +tickTime=2000 +initLimit=5 +syncLimit=2 +autopurge.snapRetainCount=3 +autopurge.purgeInterval=0 +maxClientCnxns=1000 +standaloneEnabled=true +admin.enableServer=true +server.1=nodepool-test-zookeeper:2888:3888 +serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory +secureClientPort=2281 +ssl.keyStore.location=/var/certs/keystores/nodepool-test-zookeeper.pem +ssl.trustStore.location=/var/certs/certs/cacert.pem diff --git a/tox.ini b/tox.ini index 7769dfb5d..22f8ed3e7 100644 --- a/tox.ini +++ b/tox.ini 
@@ -17,7 +17,11 @@ usedevelop = True install_command = pip install {opts} {packages} deps = -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt -passenv = NODEPOOL_ZK_HOST +passenv = + NODEPOOL_ZK_HOST + NODEPOOL_ZK_CA + NODEPOOL_ZK_CERT + NODEPOOL_ZK_KEY commands = stestr --test-path ./nodepool/tests/unit run --no-subunit-trace {posargs} stestr slowest