From 11516e0e4b42424d9843f6319770e926ec7274cd Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Thu, 22 Sep 2022 14:36:25 -0700 Subject: [PATCH] Make zk-ca role more generic This renames zk-ca to opendev-ca and allows us to operate more than one ca on bridge. This way we can keep the CAs for ZooKeeper and Jaeger distinct (so that a compromise of the jaeger server could not be used to access the ZooKeeper cluster). This also starts a new jaeger-ca and uses it on the Jaeger server. Change-Id: I4e5bc4e3ccd78284ce785c971f7e6ad6e721f887 --- doc/source/tracing.rst | 6 +-- playbooks/roles/jaeger/tasks/main.yaml | 9 ++-- playbooks/roles/nodepool-base/tasks/main.yaml | 9 ++-- .../roles/{zk-ca => opendev-ca}/README.rst | 0 playbooks/roles/opendev-ca/defaults/main.yaml | 7 +++ .../zk-ca.sh => opendev-ca/opendev-ca.sh} | 3 +- playbooks/roles/opendev-ca/tasks/main.yaml | 49 +++++++++++++++++++ playbooks/roles/zk-ca/defaults/main.yaml | 5 -- playbooks/roles/zk-ca/tasks/main.yaml | 49 ------------------- playbooks/roles/zookeeper/tasks/main.yaml | 9 ++-- playbooks/roles/zuul/tasks/main.yaml | 8 +-- 11 files changed, 81 insertions(+), 73 deletions(-) rename playbooks/roles/{zk-ca => opendev-ca}/README.rst (100%) create mode 100644 playbooks/roles/opendev-ca/defaults/main.yaml rename playbooks/roles/{zk-ca/zk-ca.sh => opendev-ca/opendev-ca.sh} (97%) create mode 100644 playbooks/roles/opendev-ca/tasks/main.yaml delete mode 100644 playbooks/roles/zk-ca/defaults/main.yaml delete mode 100644 playbooks/roles/zk-ca/tasks/main.yaml diff --git a/doc/source/tracing.rst b/doc/source/tracing.rst index 961e2da995..ef8a27a38e 100644 --- a/doc/source/tracing.rst +++ b/doc/source/tracing.rst 
@@ -32,6 +32,6 @@ Badger database stored at ``/var/jaeger/badger``. Zuul sends telemetry information to Jaeger via the gRPC protocol. -The internal CA (`zk-ca`) used to create ZooKeeper certs for Zuul is -used to provide and validate client certificates for the gRPC -connection to Jaeger as well. +An internal CA is used to provide and validate client certificates for +the gRPC connection to Jaeger. The CA is distinct from other internal +CAs (for example, ZooKeeper) for security purposes. diff --git a/playbooks/roles/jaeger/tasks/main.yaml b/playbooks/roles/jaeger/tasks/main.yaml index a53cbb5617..69a28e8477 100644 --- a/playbooks/roles/jaeger/tasks/main.yaml +++ b/playbooks/roles/jaeger/tasks/main.yaml @@ -34,11 +34,12 @@ - name: Generate GRPC TLS cert include_role: - name: zk-ca + name: opendev-ca vars: - zk_ca_cert_dir: /var/jaeger/tls - zk_ca_cert_dir_owner: "{{ jaeger_user }}" - zk_ca_cert_dir_group: "{{ jaeger_group }}" + opendev_ca_name: jaeger + opendev_ca_cert_dir: /var/jaeger/tls + opendev_ca_cert_dir_owner: "{{ jaeger_user }}" + opendev_ca_cert_dir_group: "{{ jaeger_group }}" - name: Install apache2 apt: diff --git a/playbooks/roles/nodepool-base/tasks/main.yaml b/playbooks/roles/nodepool-base/tasks/main.yaml index a6a1822163..902b062f2d 100644 --- a/playbooks/roles/nodepool-base/tasks/main.yaml +++ b/playbooks/roles/nodepool-base/tasks/main.yaml @@ -28,11 +28,12 @@ - name: Generate ZooKeeper TLS cert include_role: - name: zk-ca + name: opendev-ca vars: - zk_ca_cert_dir: /etc/nodepool - zk_ca_cert_dir_owner: '{{ nodepool_user }}' - zk_ca_cert_dir_group: '{{ nodepool_group }}' + opendev_ca_name: zk + opendev_ca_cert_dir: /etc/nodepool + opendev_ca_cert_dir_owner: '{{ nodepool_user }}' + opendev_ca_cert_dir_group: '{{ nodepool_group }}' - name: Create nodepool log dir file: 
diff --git a/playbooks/roles/zk-ca/README.rst b/playbooks/roles/opendev-ca/README.rst similarity index 100% rename from playbooks/roles/zk-ca/README.rst rename to playbooks/roles/opendev-ca/README.rst diff --git a/playbooks/roles/opendev-ca/defaults/main.yaml b/playbooks/roles/opendev-ca/defaults/main.yaml new file mode 100644 index 0000000000..2fc26a86b0 --- /dev/null +++ b/playbooks/roles/opendev-ca/defaults/main.yaml @@ -0,0 +1,7 @@ +# Do not define a default here to make sure we select a specific CA +# opendev_ca_name: zk +opendev_ca_root: /var/{{ opendev_ca_name }}-ca +opendev_ca_server: "{{ inventory_hostname }}" +# opendev_ca_cert_dir: /etc/zuul +opendev_ca_cert_dir_owner: 10001 +opendev_ca_cert_dir_group: 10001 diff --git a/playbooks/roles/zk-ca/zk-ca.sh b/playbooks/roles/opendev-ca/opendev-ca.sh similarity index 97% rename from playbooks/roles/zk-ca/zk-ca.sh rename to playbooks/roles/opendev-ca/opendev-ca.sh index 69c393bb02..60d2c0ddcb 100755 --- a/playbooks/roles/zk-ca/zk-ca.sh +++ b/playbooks/roles/opendev-ca/opendev-ca.sh @@ -14,7 +14,8 @@ # License for the specific language governing permissions and limitations # under the License. -# Manage a CA for Zookeeper +# Manage a CA. +# This is based on the zk-ca.sh script from Zuul. CAROOT=$1 SERVER=$2 diff --git a/playbooks/roles/opendev-ca/tasks/main.yaml b/playbooks/roles/opendev-ca/tasks/main.yaml new file mode 100644 index 0000000000..8c1e5c350a --- /dev/null +++ b/playbooks/roles/opendev-ca/tasks/main.yaml 
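Review bot: `opendev_ca_name` in the new defaults file is intentionally left without a default, but nothing states what values are acceptable, and it is interpolated straight into `opendev_ca_root`, a filesystem path that the role later hands to `opendev-ca.sh` and to `flock`, so a space, slash or `..` in the name would silently change where the CA lives rather than fail. I would extend the existing comment to state the contract: `# opendev_ca_name is required and must be a short [a-z0-9-] token; it names the CA, is interpolated into opendev_ca_root and is passed to opendev-ca.sh`. Quoting the path default as `opendev_ca_root: "/var/{{ opendev_ca_name }}-ca"` would also match the quoting style already used for `opendev_ca_server` on the next line.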
@@ -0,0 +1,49 @@ +- name: Ensure opendev-ca directory exists + delegate_to: localhost + file: + path: "{{ opendev_ca_root }}" + state: directory + +# Run this in flock so that we can run it in plays for multiple target +# hosts in parallel while serializing access to the CA files. +- name: Run opendev-ca.sh + delegate_to: localhost + script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}" + args: + executable: "flock {{ opendev_ca_root }}/lock" + +- name: Ensure cert dir exists + file: + path: "{{ opendev_ca_cert_dir }}/certs" + state: directory + owner: "{{ opendev_ca_cert_dir_owner }}" + group: "{{ opendev_ca_cert_dir_group }}" + mode: '0755' + +- name: Ensure keys dir exists + file: + path: "{{ opendev_ca_cert_dir }}/keys" + state: directory + owner: "{{ opendev_ca_cert_dir_owner }}" + group: "{{ opendev_ca_cert_dir_group }}" + mode: '0700' + +- name: Copy TLS cacert into place + copy: + src: "{{ opendev_ca_root }}/certs/cacert.pem" + dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem" + +- name: Copy TLS cert into place + copy: + src: "{{ opendev_ca_root }}/certs/{{ inventory_hostname }}.pem" + dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem" + +- name: Copy TLS key into place + copy: + src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem" + dest: "{{ opendev_ca_cert_dir }}/keys/key.pem" + +- name: Copy TLS keystore into place + copy: + src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem" + dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem" diff --git a/playbooks/roles/zk-ca/defaults/main.yaml b/playbooks/roles/zk-ca/defaults/main.yaml deleted file mode 100644 index db0eb65f72..0000000000 --- a/playbooks/roles/zk-ca/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ -zk_ca_root: /var/zk-ca -zk_ca_server: "{{ inventory_hostname }}" -zk_ca_cert_dir: /etc/zuul -zk_ca_cert_dir_owner: 10001 -zk_ca_cert_dir_group: 10001 
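Review bot: The two private-key copies at the end of the hunk (`keys/key.pem` and `keys/keystore.pem`) set no `owner`, `group` or `mode`, so the key files are created with whatever account and umask the remote write runs under rather than the `opendev_ca_cert_dir_owner`/`_group` that the surrounding directory tasks use. The `0700` on the keys directory limits traversal, but the key material itself should be `0600` and owned by the service account so its protection does not depend on the directory bits alone; `cacert.pem` and `cert.pem` could take the same owner/group with `mode: '0644'`. Since the role is now shared by several CAs, a short `assert` at the top that `opendev_ca_name` is defined and matches a simple token pattern would also turn a missing or malformed name into a clear failure instead of an undefined-variable error deep in the path templates.
```yaml
# … unchanged: CA root directory, opendev-ca.sh under flock, certs/ and keys/ directories, cacert and cert copies …
- name: Copy TLS key into place
  copy:
    src: "{{ opendev_ca_root }}/keys/{{ inventory_hostname }}key.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'

- name: Copy TLS keystore into place
  copy:
    src: "{{ opendev_ca_root }}/keystores/{{ inventory_hostname }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
```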
diff --git a/playbooks/roles/zk-ca/tasks/main.yaml b/playbooks/roles/zk-ca/tasks/main.yaml deleted file mode 100644 index f76f82937b..0000000000 --- a/playbooks/roles/zk-ca/tasks/main.yaml +++ /dev/null @@ -1,49 +0,0 @@ -- name: Ensure zk-ca directory exists - delegate_to: localhost - file: - path: "{{ zk_ca_root }}" - state: directory - -# Run this in flock so that we can run it in plays for multiple target -# hosts in parallel while serializing access to the CA files. -- name: Run zk-ca.sh - delegate_to: localhost - script: "zk-ca.sh {{ zk_ca_root }} {{ zk_ca_server }}" - args: - executable: "flock {{ zk_ca_root }}/lock" - -- name: Ensure cert dir exists - file: - path: "{{ zk_ca_cert_dir }}/certs" - state: directory - owner: "{{ zk_ca_cert_dir_owner }}" - group: "{{ zk_ca_cert_dir_group }}" - mode: '0755' - -- name: Ensure keys dir exists - file: - path: "{{ zk_ca_cert_dir }}/keys" - state: directory - owner: "{{ zk_ca_cert_dir_owner }}" - group: "{{ zk_ca_cert_dir_group }}" - mode: '0700' - -- name: Copy TLS cacert into place - copy: - src: "/var/zk-ca/certs/cacert.pem" - dest: "{{ zk_ca_cert_dir }}/certs/cacert.pem" - -- name: Copy TLS cert into place - copy: - src: "/var/zk-ca/certs/{{ inventory_hostname }}.pem" - dest: "{{ zk_ca_cert_dir }}/certs/cert.pem" - -- name: Copy TLS key into place - copy: - src: "/var/zk-ca/keys/{{ inventory_hostname }}key.pem" - dest: "{{ zk_ca_cert_dir }}/keys/key.pem" - -- name: Copy TLS keystore into place - copy: - src: "/var/zk-ca/keystores/{{ inventory_hostname }}.pem" - dest: "{{ zk_ca_cert_dir }}/keys/keystore.pem" diff --git a/playbooks/roles/zookeeper/tasks/main.yaml b/playbooks/roles/zookeeper/tasks/main.yaml index 4b901eb570..8e941b4a47 100644 --- a/playbooks/roles/zookeeper/tasks/main.yaml +++ b/playbooks/roles/zookeeper/tasks/main.yaml 
@@ -30,11 +30,12 @@ - tls - name: Generate ZooKeeper TLS cert include_role: - name: zk-ca + name: opendev-ca vars: - zk_ca_cert_dir: /var/zookeeper/tls - zk_ca_cert_dir_owner: 10001 - zk_ca_cert_dir_group: 10001 + opendev_ca_name: zk + opendev_ca_cert_dir: /var/zookeeper/tls + opendev_ca_cert_dir_owner: 10001 + opendev_ca_cert_dir_group: 10001 - name: Write config template: src: zoo.cfg.j2 diff --git a/playbooks/roles/zuul/tasks/main.yaml b/playbooks/roles/zuul/tasks/main.yaml index f8a1db283f..c90eae8f12 100644 --- a/playbooks/roles/zuul/tasks/main.yaml +++ b/playbooks/roles/zuul/tasks/main.yaml @@ -23,10 +23,12 @@ - name: Generate ZooKeeper TLS cert include_role: - name: zk-ca + name: opendev-ca vars: - zk_ca_cert_dir_owner: "{{ zuul_user_id }}" - zk_ca_cert_dir_group: "{{ zuul_group_id }}" + opendev_ca_name: zk + opendev_ca_cert_dir: /etc/zuul + opendev_ca_cert_dir_owner: "{{ zuul_user_id }}" + opendev_ca_cert_dir_group: "{{ zuul_group_id }}" - name: Write Zuul Conf File template:
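Review bot: Zuul's only certificate in this hunk is issued from the `zk` CA (`opendev_ca_name: zk`), while the jaeger role in the same change moves the Jaeger server to a separate `jaeger` CA which, per the updated tracing docs, also validates client certificates on the gRPC connection. Unless the zuul role obtains a jaeger-CA client certificate elsewhere (outside this hunk), Zuul's gRPC client would present a zk-CA certificate that the Jaeger server no longer trusts, which is exactly the cross-CA access the commit sets out to prevent. If a second `include_role: opendev-ca` with `opendev_ca_name: jaeger` is added here, it needs its own `opendev_ca_cert_dir`, because the role writes fixed file names (`certs/cert.pem`, `keys/key.pem`, `keys/keystore.pem`) and a second CA pointed at `/etc/zuul` would overwrite the ZooKeeper material. The zuul role's task list continues outside the hunk.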