Require TLS for zookeeper connections

Change-Id: I1d42b3425c948e1e735ba3acaa2ede2b92b050c7
2021-02-17 09:47:11 -08:00 · 2021-02-17 09:47:11 -08:00 · 24405c9c74
commit 24405c9c74
parent f1e7ffab93
7 changed files with 58 additions and 18 deletions
--- a/doc/source/discussion/components.rst
+++ b/doc/source/discussion/components.rst
@ -183,7 +183,7 @@ The following sections of ``zuul.conf`` are used by all Zuul components:

 .. attr:: zookeeper

-   Client connection information for ZooKeeper
+   Client connection information for ZooKeeper.  TLS is required.

   .. attr:: hosts
      :required:
@ -191,23 +191,26 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
      A list of zookeeper hosts for Zuul to use when communicating
      with Nodepool.

+   .. attr:: tls_cert
+      :required:
+
+      The path to the PEM encoded certificate file.
+
+   .. attr:: tls_key
+      :required:
+
+      The path to the PEM encoded key file.
+
+   .. attr:: tls_ca
+      :required:
+
+      The path to the PEM encoded CA certificate file.
+
   .. attr:: session_timeout
      :default: 10.0

      The ZooKeeper session timeout, in seconds.

-   .. attr:: tls_cert
-
-      If using TLS, the path to the PEM encoded certificate file.
-
-   .. attr:: tls_key
-
-      If using TLS, the path to the PEM encoded key file.
-
-   .. attr:: tls_ca
-
-      If using TLS, the path to the PEM encoded CA certificate file.
-
 .. _scheduler:

 Scheduler
--- a/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml
+++ b/releasenotes/notes/4.0.0-d707ea7649a815dd.yaml
@ -0,0 +1,24 @@
+---
+prelude: >
+  This is the first 4.x release of Zuul.  It requires some deployment
+  changes by operators which have been carefully planned in order to
+  facilitate work on Zuul version 5, which will be the first version
+  of Zuul where every component is fault tolerant and able to scale.
+
+  If you read the release notes for the last 3.x release, you may have
+  already made all of the required changes.  If not, please do so
+  before upgrading to version 4.  Every required change in version 4
+  is optionally supported in 3.19, so it is safe to make these changes
+  and then upgrade.
+
+  Please read all of the notes below, especially in the "Upgrading"
+  section for details.  The primary additional requirements are:
+
+    * TLS ZooKeeper connections
+    * Network connectivity from all components to ZooKeeper
+    * An SQL database
+
+  With these changes in place, it is anticipated that further upgrades
+  to Zuul made in support of the scale-out-scheduler work will be done
+  with minimal disruption in the course of normal releases between
+  version 4 and 5.
--- a/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml
+++ b/releasenotes/notes/zookeeper-connections-e19eb2dfd2804087.yaml
@ -3,4 +3,5 @@ upgrade:
  - |
    The :attr:`zookeeper` section in ``zuul.conf`` is required for all
    components, and all components must now be able to connect to
-    ZooKeeper.
+    ZooKeeper.  Additionally, TLS is now required for all ZooKeeper
+    connections.  See :ref:`zk-encrypted-connections` for more details.
--- a/zuul/cmd/executor.py
+++ b/zuul/cmd/executor.py
@ -98,12 +98,15 @@ class Executor(zuul.cmd.ZuulDaemonApp):
        self.start_log_streamer()

        zk_client = ZooKeeperClient()
-        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
+        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
+        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
+            raise Exception("A TLS ZooKeeper connection is required; "
+                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/fingergw.py
+++ b/zuul/cmd/fingergw.py
@ -74,12 +74,15 @@ class FingerGatewayApp(zuul.cmd.ZuulDaemonApp):
        ssl_ca = get_default(self.config, 'gearman', 'ssl_ca')

        zk_client = ZooKeeperClient()
-        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
+        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
+        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
+            raise Exception("A TLS ZooKeeper connection is required; "
+                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/merger.py
+++ b/zuul/cmd/merger.py
@ -54,12 +54,15 @@ class Merger(zuul.cmd.ZuulDaemonApp):
        self.setup_logging('merger', 'log_config')

        zk_client = ZooKeeperClient()
-        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
+        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
+        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
+            raise Exception("A TLS ZooKeeper connection is required; "
+                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(
--- a/zuul/cmd/scheduler.py
+++ b/zuul/cmd/scheduler.py
@ -139,12 +139,15 @@ class Scheduler(zuul.cmd.ZuulDaemonApp):
        nodepool = zuul.nodepool.Nodepool(self.sched)

        zk_client = ZooKeeperClient()
-        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
+        zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
        if not zookeeper_hosts:
            raise Exception("The zookeeper hosts config value is required")
        zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
        zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
        zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
+        if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
+            raise Exception("A TLS ZooKeeper connection is required; "
+                            "please supply the tls_* zookeeper config values.")
        zookeeper_timeout = float(get_default(self.config, 'zookeeper',
                                              'session_timeout', 10.0))
        zk_client.connect(