Require TLS for zookeeper connections

Change-Id: I1d42b3425c948e1e735ba3acaa2ede2b92b050c7
1 week ago · 24405c9c74
--- a/doc/source/discussion/components.rst
+++ b/doc/source/discussion/components.rst
@ -183,7 +183,7 @@ The following sections of ``zuul.conf`` are used by all Zuul components:

 .. attr:: zookeeper

   Client connection information for ZooKeeper
   Client connection information for ZooKeeper.  TLS is required.

   .. attr:: hosts
      :required:
@ -191,22 +191,25 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
      A list of zookeeper hosts for Zuul to use when communicating
      with Nodepool.

   .. attr:: session_timeout
      :default: 10.0

      The ZooKeeper session timeout, in seconds.

   .. attr:: tls_cert
      :required:

      If using TLS, the path to the PEM encoded certificate file.
      The path to the PEM encoded certificate file.

   .. attr:: tls_key
      :required:

      If using TLS, the path to the PEM encoded key file.
      The path to the PEM encoded key file.

   .. attr:: tls_ca
      :required:

      The path to the PEM encoded CA certificate file.

   .. attr:: session_timeout
      :default: 10.0

      If using TLS, the path to the PEM encoded CA certificate file.
      The ZooKeeper session timeout, in seconds.

 .. _scheduler:

--- a/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml
+++ b/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml
@ -0,0 +1,24 @@
 ---
 prelude: >
  This is the first 4.x release of Zuul.  It requires some deployment
  changes by operators which have been carefully planned in order to
  facilitate work on Zuul version 5, which will be the first version
  of Zuul where every component is fault tolerant and able to scale.

  If you read the release notes for the last 3.x release, you may have
  already made all of the required changes.  If not, please do so
  before upgrading to version 4.  Every required change in version 4
  is optionally supported in 3.19, so it is safe to make these changes
  and then upgrade.

  Please read all of the notes below, especially in the "Upgrading"
  section for details.  The primary additional requirements are:

    * TLS ZooKeeper connections
    * Network connectivity from all components to ZooKeeper
    * An SQL database

  With these changes in place, it is anticipated that further upgrades
  to Zuul made in support of the scale-out-scheduler work will be done
  with minimal disruption in the course of normal releases between
  version 4 and 5.
--- a/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml
+++ b/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml
@ -3,4 +3,5 @@ upgrade:
  - |
    The :attr:`zookeeper` section in ``zuul.conf`` is required for all
    components, and all components must now be able to connect to
    ZooKeeper.
    ZooKeeper.  Additionally, TLS is now required for all ZooKeeper
    connections.  See :ref:`zk-encrypted-connections` for more details.
--- a/zuul/cmd/executor.py
+++ b/zuul/cmd/executor.py
@ -98,12 +98,15 @@ class Executor(zuul.cmd.ZuulDaemonApp):
        self.start_log_streamer()

        zk_client = ZooKeeperClient()
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
            raise Exception("A TLS ZooKeeper connection is required; "
                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/fingergw.py
+++ b/zuul/cmd/fingergw.py
@ -74,12 +74,15 @@ class FingerGatewayApp(zuul.cmd.ZuulDaemonApp):
        ssl_ca = get_default(self.config, 'gearman', 'ssl_ca')

        zk_client = ZooKeeperClient()
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
            raise Exception("A TLS ZooKeeper connection is required; "
                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/merger.py
+++ b/zuul/cmd/merger.py
@ -54,12 +54,15 @@ class Merger(zuul.cmd.ZuulDaemonApp):
        self.setup_logging('merger', 'log_config')

        zk_client = ZooKeeperClient()
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
            raise Exception("A TLS ZooKeeper connection is required; "
                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/scheduler.py
+++ b/zuul/cmd/scheduler.py
@ -139,12 +139,15 @@ class Scheduler(zuul.cmd.ZuulDaemonApp):
        nodepool = zuul.nodepool.Nodepool(self.sched)

        zk_client = ZooKeeperClient()
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
            raise Exception("A TLS ZooKeeper connection is required; "
                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(