Generate TLS certificats for the gearman service
This change demonstrates how the zuul-operator performs runtime operations using Ansible, by configuring TLS for the gearman service. Change-Id: I0f728e81ca6f469cb37eb12625cb702c52d3ed1c
This commit is contained in:
parent
bcd001bce2
commit
27d4d600e0
|
@ -375,9 +375,15 @@ in { Input = Input
|
|||
''
|
||||
[gearman]
|
||||
server=scheduler
|
||||
ssl_ca=/etc/zuul-gearman/ca.pem
|
||||
ssl_cert=/etc/zuul-gearman/client.pem
|
||||
ssl_key=/etc/zuul-gearman/client.key
|
||||
|
||||
[gearman_server]
|
||||
start=true
|
||||
ssl_ca=/etc/zuul-gearman/ca.pem
|
||||
ssl_cert=/etc/zuul-gearman/server.pem
|
||||
ssl_key=/etc/zuul-gearman/server.key
|
||||
|
||||
[zookeeper]
|
||||
hosts=${zk-hosts}
|
||||
|
@ -539,6 +545,13 @@ in { Input = Input
|
|||
}
|
||||
]
|
||||
|
||||
let gearman-config =
|
||||
[ Operator.Schemas.Volume::{
|
||||
, name = input.name ++ "-gearman-tls"
|
||||
, dir = "/etc/zuul-gearman"
|
||||
}
|
||||
]
|
||||
|
||||
let gerrits-key =
|
||||
Helpers.mkConnVols
|
||||
Gerrit
|
||||
|
@ -561,7 +574,8 @@ in { Input = Input
|
|||
}
|
||||
)
|
||||
|
||||
let conn-keys = gerrits-key # githubs-key
|
||||
let conn-keys =
|
||||
gearman-config # gerrits-key # githubs-key
|
||||
|
||||
in merge
|
||||
{ _All = NoVolume
|
||||
|
|
|
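Review bot: The new `gearman-config` volume mounts the whole `-gearman-tls` Secret at `/etc/zuul-gearman`, and that Secret (built in the new role) carries `server.key` next to the client material; once `gearman-config` is prepended to `conn-keys` in the third hunk, every component that receives the connection volumes also receives the gearman server's private key. Whether those volumes are mounted on executors and mergers is not visible here; if they are, consider giving client components a restricted projection (only `ca.pem`, `client.key`, `client.pem`) and keeping `server.*` for the scheduler, for example via two Secrets. The `ssl_*` paths under `[gearman]` and `[gearman_server]` agree with the volume `dir`, so that wiring is consistent. The enclosing `let` chain starts and ends outside these hunks.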
@ -0,0 +1,44 @@
|
|||
- name: Check if gearman tls cert is already created
|
||||
set_fact:
|
||||
gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"
|
||||
|
||||
- name: Generate and store certs
|
||||
when: gearman_certs.data is not defined
|
||||
block:
|
||||
- name: Generate certs
|
||||
command: "{{ item }}"
|
||||
loop:
|
||||
# CA
|
||||
- "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
|
||||
# Server
|
||||
- "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
|
||||
- "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
|
||||
# Client
|
||||
- "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
|
||||
- "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
|
||||
|
||||
- name: Create k8s secret
|
||||
k8s:
|
||||
state: "{{ state }}"
|
||||
namespace: "{{ namespace }}"
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "{{ zuul_name }}-gearman-tls"
|
||||
stringData:
|
||||
ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
|
||||
server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}"
|
||||
server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}"
|
||||
client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
|
||||
client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
|
||||
|
||||
- name: Write client certs locally
|
||||
when: gearman_certs.data is defined
|
||||
copy:
|
||||
content: "{{ gearman_certs.data[item] | b64decode }}"
|
||||
dest: "{{ item }}"
|
||||
loop:
|
||||
- ca.pem
|
||||
- client.key
|
||||
- client.pem
|
|
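Review bot: The two code paths leave the client material under different local names: the generation block writes `ca-{{ zuul_name }}.pem` and `client-{{ zuul_name }}.key`/`.pem`, while the `Write client certs locally` task runs only when `gearman_certs.data is defined` (i.e. on later runs) and writes `ca.pem`, `client.key`, `client.pem`, so on the first run whatever consumes the unsuffixed names finds nothing. Either drop the `when:` on the copy task and re-read the Secret after it is created, or add a task inside the block that copies the freshly generated files to the unsuffixed names. The `copy` of `client.key` sets no `mode`, so the private key is written with default umask permissions; add `mode: "0600"` next to `dest`. Generation also leaves `ca-{{ zuul_name }}.key`, the `.csr` files and the `.srl` file from `-CAcreateserial` in the working directory with no cleanup, and the CA key is not stored in the Secret, so re-issuing certs is impossible once that directory is gone — a `file: state: absent` task at the end of the block (or generating into a `tempfile` directory) would address the leftovers, and whether the CA key should be kept deserves a decision.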
@ -1,4 +1,6 @@
|
|||
# TODO: Generate tls cert secret
|
||||
- include_role:
|
||||
name: zuul-ensure-gearman-tls
|
||||
|
||||
# TODO: query gearman for build queue size
|
||||
# TODO: update the executor/merger replica count
|
||||
|
||||
|
|
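Review bot: The `# TODO: Generate tls cert secret` comment directly above the new `include_role` appears to remain on the new side, and it is now stale because the included `zuul-ensure-gearman-tls` role is exactly that work; drop it or reword it as `# Ensure the gearman TLS cert secret exists (zuul-ensure-gearman-tls)`. The two remaining TODOs still describe unimplemented work and can stay.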