Require TLS for zookeeper connections
Change-Id: I1d42b3425c948e1e735ba3acaa2ede2b92b050c7
This commit is contained in:
parent
f1e7ffab93
commit
24405c9c74
@ -183,7 +183,7 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
.. attr:: zookeeper
|
.. attr:: zookeeper
|
||||||
|
|
||||||
Client connection information for ZooKeeper
|
Client connection information for ZooKeeper. TLS is required.
|
||||||
|
|
||||||
.. attr:: hosts
|
.. attr:: hosts
|
||||||
:required:
|
:required:
|
||||||
|
@ -191,23 +191,26 @@ The following sections of ``zuul.conf`` are used by all Zuul components:
|
||||||
A list of zookeeper hosts for Zuul to use when communicating
|
A list of zookeeper hosts for Zuul to use when communicating
|
||||||
with Nodepool.
|
with Nodepool.
|
||||||
|
|
||||||
|
.. attr:: tls_cert
|
||||||
|
:required:
|
||||||
|
|
||||||
|
The path to the PEM encoded certificate file.
|
||||||
|
|
||||||
|
.. attr:: tls_key
|
||||||
|
:required:
|
||||||
|
|
||||||
|
The path to the PEM encoded key file.
|
||||||
|
|
||||||
|
.. attr:: tls_ca
|
||||||
|
:required:
|
||||||
|
|
||||||
|
The path to the PEM encoded CA certificate file.
|
||||||
|
|
||||||
.. attr:: session_timeout
|
.. attr:: session_timeout
|
||||||
:default: 10.0
|
:default: 10.0
|
||||||
|
|
||||||
The ZooKeeper session timeout, in seconds.
|
The ZooKeeper session timeout, in seconds.
|
||||||
|
|
||||||
.. attr:: tls_cert
|
|
||||||
|
|
||||||
If using TLS, the path to the PEM encoded certificate file.
|
|
||||||
|
|
||||||
.. attr:: tls_key
|
|
||||||
|
|
||||||
If using TLS, the path to the PEM encoded key file.
|
|
||||||
|
|
||||||
.. attr:: tls_ca
|
|
||||||
|
|
||||||
If using TLS, the path to the PEM encoded CA certificate file.
|
|
||||||
|
|
||||||
.. _scheduler:
|
.. _scheduler:
|
||||||
|
|
||||||
Scheduler
|
Scheduler
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
prelude: >
|
||||||
|
This is the first 4.x release of Zuul. It requires some deployment
|
||||||
|
changes by operators which have been carefully planned in order to
|
||||||
|
facilitate work on Zuul version 5, which will be the first version
|
||||||
|
of Zuul where every component is fault tolerant and able to scale.
|
||||||
|
|
||||||
|
If you read the release notes for the last 3.x release, you may have
|
||||||
|
already made all of the required changes. If not, please do so
|
||||||
|
before upgrading to version 4. Every required change in version 4
|
||||||
|
is optionally supported in 3.19, so it is safe to make these changes
|
||||||
|
and then upgrade.
|
||||||
|
|
||||||
|
Please read all of the notes below, especially in the "Upgrading"
|
||||||
|
section for details. The primary additional requirements are:
|
||||||
|
|
||||||
|
* TLS ZooKeeper connections
|
||||||
|
* Network connectivity from all components to ZooKeeper
|
||||||
|
* An SQL database
|
||||||
|
|
||||||
|
With these changes in place, it is anticipated that further upgrades
|
||||||
|
to Zuul made in support of the scale-out-scheduler work will be done
|
||||||
|
with minimal disruption in the course of normal releases between
|
||||||
|
version 4 and 5.
|
|
@ -3,4 +3,5 @@ upgrade:
|
||||||
- |
|
- |
|
||||||
The :attr:`zookeeper` section in ``zuul.conf`` is required for all
|
The :attr:`zookeeper` section in ``zuul.conf`` is required for all
|
||||||
components, and all components must now be able to connect to
|
components, and all components must now be able to connect to
|
||||||
ZooKeeper.
|
ZooKeeper. Additionally, TLS is now required for all ZooKeeper
|
||||||
|
connections. See :ref:`zk-encrypted-connections` for more details.
|
||||||
|
|
|
@ -98,12 +98,15 @@ class Executor(zuul.cmd.ZuulDaemonApp):
self.start_log_streamer()
self.start_log_streamer()
zk_client = ZooKeeperClient()
zk_client = ZooKeeperClient()
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
if not zookeeper_hosts:
if not zookeeper_hosts:
raise Exception("The zookeeper hosts config value is required")
raise Exception("The zookeeper hosts config value is required")
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
raise Exception("A TLS ZooKeeper connection is required; "
"please supply the tls_* zookeeper config values.")
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
'session_timeout', 10.0))
'session_timeout', 10.0))
zk_client.connect(
zk_client.connect(
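Review bot: The new presence check at `if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):` is copied verbatim into four daemons (executor, fingergw, merger, scheduler), so enforcement of the "TLS is required" policy depends on every component keeping its own copy in sync; a component that later drops or reorders this block would silently connect with whatever `ZooKeeperClient.connect` does when given no certificates. Consider moving the three lookups and the check into one helper on the shared `zuul.cmd.ZuulDaemonApp` base, e.g. `zookeeper_tls_key, zookeeper_tls_cert, zookeeper_tls_ca = self.get_zookeeper_tls_config()`, that raises once so the policy lives in a single place. The enclosing method continues past the hunk, and what `connect` does with the values — in particular whether `tls_ca` is used to verify the server certificate rather than only presenting the client cert — is not visible here.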
@ -74,12 +74,15 @@ class FingerGatewayApp(zuul.cmd.ZuulDaemonApp):
|
||||||
ssl_ca = get_default(self.config, 'gearman', 'ssl_ca')
|
ssl_ca = get_default(self.config, 'gearman', 'ssl_ca')
|
||||||
|
|
||||||
zk_client = ZooKeeperClient()
|
zk_client = ZooKeeperClient()
|
||||||
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
|
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
|
||||||
if not zookeeper_hosts:
|
if not zookeeper_hosts:
|
||||||
raise Exception("The zookeeper hosts config value is required")
|
raise Exception("The zookeeper hosts config value is required")
|
||||||
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
||||||
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
||||||
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
||||||
|
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
|
||||||
|
raise Exception("A TLS ZooKeeper connection is required; "
|
||||||
|
"please supply the tls_* zookeeper config values.")
|
||||||
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
||||||
'session_timeout', 10.0))
|
'session_timeout', 10.0))
|
||||||
zk_client.connect(
|
zk_client.connect(
|
||||||
|
|
|
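Review bot: The added guard confirms only that the three tls_* options are non-empty, not that the paths exist or are readable; a typo in `tls_ca` passes the guard and presumably surfaces later inside the ZooKeeper client as a less actionable connection error. A fast-fail just before `zk_client.connect(`, such as `for path in (zookeeper_tls_key, zookeeper_tls_cert, zookeeper_tls_ca): if not os.path.isfile(path): raise Exception("ZooKeeper TLS file not found: %s" % path)`, would name the bad path at startup (assuming `os` is importable here, which the hunk does not show). The guard reads `tls_key`, a secret, but does not check its permission bits; that may be intentional and is worth a one-line comment either way. The enclosing method continues outside the hunk.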
@ -54,12 +54,15 @@ class Merger(zuul.cmd.ZuulDaemonApp):
|
||||||
self.setup_logging('merger', 'log_config')
|
self.setup_logging('merger', 'log_config')
|
||||||
|
|
||||||
zk_client = ZooKeeperClient()
|
zk_client = ZooKeeperClient()
|
||||||
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
|
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
|
||||||
if not zookeeper_hosts:
|
if not zookeeper_hosts:
|
||||||
raise Exception("The zookeeper hosts config value is required")
|
raise Exception("The zookeeper hosts config value is required")
|
||||||
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
||||||
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
||||||
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
||||||
|
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
|
||||||
|
raise Exception("A TLS ZooKeeper connection is required; "
|
||||||
|
"please supply the tls_* zookeeper config values.")
|
||||||
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
||||||
'session_timeout', 10.0))
|
'session_timeout', 10.0))
|
||||||
zk_client.connect(
|
zk_client.connect(
|
||||||
|
|
|
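Review bot: The new error text `A TLS ZooKeeper connection is required; please supply the tls_* zookeeper config values.` does not say which of `tls_key`, `tls_cert` or `tls_ca` is absent, so an operator who set two of the three has to guess; computing `missing = [k for k, v in (('tls_key', zookeeper_tls_key), ('tls_cert', zookeeper_tls_cert), ('tls_ca', zookeeper_tls_ca)) if not v]` and appending `', '.join(missing)` to the message is a small change that makes the failure self-explanatory. The exception is the generic `Exception`, matching the existing hosts check above it, so callers cannot distinguish a configuration error from anything else; a dedicated configuration error class would be clearer, though that is a pre-existing pattern in this file. The enclosing method continues past the hunk.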
@ -139,12 +139,15 @@ class Scheduler(zuul.cmd.ZuulDaemonApp):
|
||||||
nodepool = zuul.nodepool.Nodepool(self.sched)
|
nodepool = zuul.nodepool.Nodepool(self.sched)
|
||||||
|
|
||||||
zk_client = ZooKeeperClient()
|
zk_client = ZooKeeperClient()
|
||||||
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts', None)
|
zookeeper_hosts = get_default(self.config, 'zookeeper', 'hosts')
|
||||||
if not zookeeper_hosts:
|
if not zookeeper_hosts:
|
||||||
raise Exception("The zookeeper hosts config value is required")
|
raise Exception("The zookeeper hosts config value is required")
|
||||||
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
zookeeper_tls_key = get_default(self.config, 'zookeeper', 'tls_key')
|
||||||
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
zookeeper_tls_cert = get_default(self.config, 'zookeeper', 'tls_cert')
|
||||||
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
zookeeper_tls_ca = get_default(self.config, 'zookeeper', 'tls_ca')
|
||||||
|
if not (zookeeper_tls_key and zookeeper_tls_cert and zookeeper_tls_ca):
|
||||||
|
raise Exception("A TLS ZooKeeper connection is required; "
|
||||||
|
"please supply the tls_* zookeeper config values.")
|
||||||
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
zookeeper_timeout = float(get_default(self.config, 'zookeeper',
|
||||||
'session_timeout', 10.0))
|
'session_timeout', 10.0))
|
||||||
zk_client.connect(
|
zk_client.connect(
|
||||||
|
|
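Review bot: The guard ensures the tls_* values are non-empty before `zk_client.connect(`, but the property the commit title promises — that the scheduler's ZooKeeper traffic is encrypted and the server authenticated — depends entirely on `ZooKeeperClient.connect`, whose arguments and implementation lie outside this hunk; nothing here prevents a deployment that has certificates configured from still negotiating plaintext if `connect` ignores them. A comment above the check, `# TLS is mandatory for all ZooKeeper traffic; connect() is expected to verify the server against tls_ca, not just present the client cert — confirm in ZooKeeperClient`, would record the intent for the next reader, and a test asserting that a plaintext ZooKeeper endpoint is rejected would enforce it. The enclosing method continues past the hunk.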