
Require TLS for zookeeper connections

Change-Id: I1d42b3425c948e1e735ba3acaa2ede2b92b050c7
changes/49/776249/1 4.0.0
James E. Blair 1 week ago
parent
commit
24405c9c74
7 changed files with 54 additions and 14 deletions
  1. +12
    -9
      doc/source/discussion/components.rst
  2. +24
    -0
      releasenotes/notes/4.0.0-d707ea7649a815dd.yaml
  3. +2
    -1
      releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml
  4. +4
    -1
      zuul/cmd/executor.py
  5. +4
    -1
      zuul/cmd/fingergw.py
  6. +4
    -1
      zuul/cmd/merger.py
  7. +4
    -1
      zuul/cmd/scheduler.py

+ 12
- 9
doc/source/discussion/components.rst View File

@ -183,7 +183,7 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
.. attr:: zookeeper
Client connection information for ZooKeeper
Client connection information for ZooKeeper. TLS is required.
.. attr:: hosts
:required:
@ -191,22 +191,25 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
A list of zookeeper hosts for Zuul to use when communicating
with Nodepool.
.. attr:: session_timeout
:default: 10.0
The ZooKeeper session timeout, in seconds.
.. attr:: tls_cert
:required:
If using TLS, the path to the PEM encoded certificate file.
The path to the PEM encoded certificate file.
.. attr:: tls_key
:required:
If using TLS, the path to the PEM encoded key file.
The path to the PEM encoded key file.
.. attr:: tls_ca
:required:
The path to the PEM encoded CA certificate file.
.. attr:: session_timeout
:default: 10.0
If using TLS, the path to the PEM encoded CA certificate file.
The ZooKeeper session timeout, in seconds.
.. _scheduler:


+ 24
- 0
releasenotes/notes/4.0.0-d707ea7649a815dd.yaml View File

@ -0,0 +1,24 @@
---
prelude: >
This is the first 4.x release of Zuul. It requires some deployment
changes by operators which have been carefully planned in order to
facilitate work on Zuul version 5, which will be the first version
of Zuul where every component is fault tolerant and able to scale.
If you read the release notes for the last 3.x release, you may have
already made all of the required changes. If not, please do so
before upgrading to version 4. Every required change in version 4
is optionally supported in 3.19, so it is safe to make these changes
and then upgrade.
Please read all of the notes below, especially in the "Upgrading"
section for details. The primary additional requirements are:
* TLS ZooKeeper connections
* Network connectivity from all components to ZooKeeper
* An SQL database
With these changes in place, it is anticipated that further upgrades
to Zuul made in support of the scale-out-scheduler work will be done
with minimal disruption in the course of normal releases between
version 4 and 5.

+ 2
- 1
releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml View File

@ -3,4 +3,5 @@ upgrade:
- |
The :attr:`zookeeper` section in ``zuul.conf`` is required for all
components, and all components must now be able to connect to
ZooKeeper.
ZooKeeper. Additionally, TLS is now required for all ZooKeeper
connections. See :ref:`zk-encrypted-connections` for more details.

+ 4
- 1
zuul/cmd/executor.py View File

@ -98,12 +98,15 @@ class Executor(zuul.cmd.ZuulDaemonApp):
self.start_log_streamer()
zk_client = ZooKeeperClient()
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
if not zookeeper_hosts:
raise Exception("The zookeeper hosts config value is required")
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
raise Exception("A TLS ZooKeeper connection is required; "
"please supply the tls_* zookeeper config values.")
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
'session_timeout', 10.0))
zk_client.connect(
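Review bot: The new guard `if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):` raises one combined message and does not say which of the three values is unset, so an operator with a typo in a single key name is pointed at all of them. Naming the missing keys is a small change: `missing = [k for k, v in (('tls_key', zookeeper_tls_key), ('tls_cert', zookeeper_tls_cert), ('tls_ca', zookeeper_tls_ca)) if not v]` followed by `raise Exception("A TLS ZooKeeper connection is required; missing zookeeper config values: %s" % ', '.join(missing))`. The check only confirms the keys are present; whether the paths exist and are readable is presumably left to the connect() call that begins on the last line of the hunk, so a wrong path will still surface later as a connection failure rather than a config error. The same hosts/TLS validation block is repeated verbatim in fingergw.py, merger.py and scheduler.py; all four classes extend `zuul.cmd.ZuulDaemonApp` per the hunk headers, so a shared helper there would keep the copies from drifting. The enclosing method starts and ends outside the hunk.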


+ 4
- 1
zuul/cmd/fingergw.py View File

@ -74,12 +74,15 @@ class FingerGatewayApp(zuul.cmd.ZuulDaemonApp):
ssl_ca = get_default(self.config, 'gearman', 'ssl_ca')
zk_client = ZooKeeperClient()
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
if not zookeeper_hosts:
raise Exception("The zookeeper hosts config value is required")
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
raise Exception("A TLS ZooKeeper connection is required; "
"please supply the tls_* zookeeper config values.")
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
'session_timeout', 10.0))
zk_client.connect(


+ 4
- 1
zuul/cmd/merger.py View File

@ -54,12 +54,15 @@ class Merger(zuul.cmd.ZuulDaemonApp):
self.setup_logging('merger', 'log_config')
zk_client = ZooKeeperClient()
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
if not zookeeper_hosts:
raise Exception("The zookeeper hosts config value is required")
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
raise Exception("A TLS ZooKeeper connection is required; "
"please supply the tls_* zookeeper config values.")
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
'session_timeout', 10.0))
zk_client.connect(


+ 4
- 1
zuul/cmd/scheduler.py View File

@ -139,12 +139,15 @@ class Scheduler(zuul.cmd.ZuulDaemonApp):
nodepool = zuul.nodepool.Nodepool(self.sched)
zk_client = ZooKeeperClient()
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
if not zookeeper_hosts:
raise Exception("The zookeeper hosts config value is required")
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
raise Exception("A TLS ZooKeeper connection is required; "
"please supply the tls_* zookeeper config values.")
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
'session_timeout', 10.0))
zk_client.connect(

