Generate TLS certificates for the gearman service

This change demonstrates how the zuul-operator performs runtime operations
using Ansible by configuring TLS for the gearman service.

Change-Id: I0f728e81ca6f469cb37eb12625cb702c52d3ed1c
Tristan Cacqueray 2020-01-15 18:15:32 +00:00
parent bcd001bce2
commit 27d4d600e0
3 changed files with 62 additions and 2 deletions


@ -375,9 +375,15 @@ in { Input = Input
''
[gearman]
server=scheduler
ssl_ca=/etc/zuul-gearman/ca.pem
ssl_cert=/etc/zuul-gearman/client.pem
ssl_key=/etc/zuul-gearman/client.key
[gearman_server]
start=true
ssl_ca=/etc/zuul-gearman/ca.pem
ssl_cert=/etc/zuul-gearman/server.pem
ssl_key=/etc/zuul-gearman/server.key
[zookeeper]
hosts=${zk-hosts}
@ -539,6 +545,13 @@ in { Input = Input
}
]
let gearman-config =
[ Operator.Schemas.Volume::{
, name = input.name ++ "-gearman-tls"
, dir = "/etc/zuul-gearman"
}
]
let gerrits-key =
Helpers.mkConnVols
Gerrit
@ -561,7 +574,8 @@ in { Input = Input
}
)
let conn-keys = gerrits-key # githubs-key
let conn-keys =
gearman-config # gerrits-key # githubs-key
in merge
{ _All = NoVolume
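Review bot: The new `gearman-config` volume at `let gearman-config =` points every consumer at the single `-gearman-tls` Secret, and that Secret (per the companion role in this commit) carries server.key and server.pem next to the client pair, so any component that receives this volume also receives the gearman server's private key. Which components end up with `gearman-config` is decided in the `merge` below, which continues outside the hunk, and the `Operator.Schemas.Volume` type is not shown, so whether the mount can be narrowed with a key list is inferred, not verified. At minimum I would document the trade-off on the volume: `-- NOTE: the secret also holds server.key; restrict the mount to ca.pem/client.* or split the secret when non-scheduler components mount this volume`. Splitting into a server secret (scheduler only) and a client secret would let the [gearman] and [gearman_server] sections above keep their current paths unchanged.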


@ -0,0 +1,44 @@
- name: Check if gearman tls cert is already created
set_fact:
gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"
- name: Generate and store certs
when: gearman_certs.data is not defined
block:
- name: Generate certs
command: "{{ item }}"
loop:
# CA
- "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
# Server
- "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
# Client
- "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-gearman-tls"
stringData:
ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}"
server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}"
client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
- name: Write client certs locally
when: gearman_certs.data is defined
copy:
content: "{{ gearman_certs.data[item] | b64decode }}"
dest: "{{ item }}"
loop:
- ca.pem
- client.key
- client.pem
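Review bot: Private key material is handled loosely in the `Generate and store certs` block: the `-nodes` keys, including ca-{{ zuul_name }}.key, which is never stored in the Secret, remain in the operator's working directory after `Create k8s secret` runs, and the `Write client certs locally` copy task writes client.key with whatever mode the default umask yields. Add `mode: "0600"` to that copy task, and give the block an `always:` section that deletes the CA key, the serial file and the server key and CSRs once the Secret exists (rewrite below). Dropping the CA key also means a later re-issue or rotation has to regenerate the whole set; if rotation is intended, ca.key should go into the Secret instead, which the hunk does not indicate either way. Separately, the two code paths leave client material under different local names (`client-{{ zuul_name }}.pem` on the first run, `client.pem` when the Secret already exists), so a consumer of the local files would see one or the other depending on the run; writing the generated client files under the same fixed names would make this consistent.
```yaml
- name: Generate and store certs
  when: gearman_certs.data is not defined
  block:
    # … unchanged: Generate certs / Create k8s secret …
  always:
    - name: Remove CA and server key material from the working directory
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "ca-{{ zuul_name }}.key"
        - "ca-{{ zuul_name }}.srl"
        - "server-{{ zuul_name }}.key"
        - "server-{{ zuul_name }}.csr"
        - "client-{{ zuul_name }}.csr"

- name: Write client certs locally
  when: gearman_certs.data is defined
  copy:
    content: "{{ gearman_certs.data[item] | b64decode }}"
    dest: "{{ item }}"
    mode: "0600"
  # … unchanged: loop over ca.pem / client.key / client.pem …
```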


@ -1,4 +1,6 @@
# TODO: Generate tls cert secret
- include_role:
name: zuul-ensure-gearman-tls
# TODO: query gearman for build queue size
# TODO: update the executor/merger replica count
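Review bot: The context comment `# TODO: Generate tls cert secret` directly above the new `include_role` is now stale, since the zuul-ensure-gearman-tls role is exactly what generates that secret, and leaving it reads as unfinished work. Replace it with a comment that states what the role does and what it expects, e.g. `# Ensure the <zuul_name>-gearman-tls secret exists (generates CA/server/client certs on first run)`. The two remaining TODOs below the include are untouched by this change and still read correctly.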