From 9142b9c8aa0a9f1378e1bf0f90dd0f9e5e8c610a Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Fri, 16 Jun 2017 19:09:09 -0400
Subject: [PATCH] Add SSL/TLS for gearman service

Encrypt our gearman traffic between zuulv3.o.o and ze01.o.o.

Change-Id: I5ca497a10c18227aeedd6b2e39df2574a907fc97
Depends-On: Iecd4ccc230653ef803764d10c626879d9ad3b1d2
Signed-off-by: Paul Belanger
---
 hiera/common.yaml | 26 ++++++++++++++++++++++++++
 hiera/fqdn/zuulv3.openstack.org.yaml | 28 ++++++++++++++++++++++++++++
 hiera/group/zuul-executor.yaml | 28 ++++++++++++++++++++++++++++
 manifests/site.pp | 28 +++++++++++++++++-----------
 4 files changed, 99 insertions(+), 11 deletions(-)

diff --git a/hiera/common.yaml b/hiera/common.yaml
index e37051d4a4..7a09b9f4af 100644
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -658,3 +658,29 @@ mosquitto_tls_ca_file: |
 c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
 mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
 -----END CERTIFICATE-----
+gearman_ssl_ca: |
+ -----BEGIN CERTIFICATE-----
+ MIIERzCCAy+gAwIBAgIJAKkAn3gh0LBOMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
+ VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UE
+ CgwUT3BlblN0YWNrIEZvdW5kYXRpb24xFzAVBgNVBAsMDkluZnJhc3RydWN0dXJl
+ MR0wGwYDVQQDDBR6dXVsdjMub3BlbnN0YWNrLm9yZzEyMDAGCSqGSIb3DQEJARYj
+ b3BlbnN0YWNrLWluZnJhQGxpc3RzLm9wZW5zdGFjay5vcmcwHhcNMTcwNjE2MjA1
+ MjA3WhcNMjAwNjE1MjA1MjA3WjCBuTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRl
+ eGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0
+ aW9uMRcwFQYDVQQLDA5JbmZyYXN0cnVjdHVyZTEdMBsGA1UEAwwUenV1bHYzLm9w
+ ZW5zdGFjay5vcmcxMjAwBgkqhkiG9w0BCQEWI29wZW5zdGFjay1pbmZyYUBsaXN0
+ cy5vcGVuc3RhY2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+ zTnzmZkB/P+C0eHFmPyU8myEmubRVw2vK1aqx0Y7bFMlXAVH6CodI6r4VpS4vGPL
+ AfBGAmIZJlBuRysZHW3J6GuzhBFyBILHJX9PZkeJyHa3NU4ILDPMXAD/oWQnqlp1
+ 3kYJ3xS1QWhPvaohC+Io3LErXOMp32mhrEmm3BGfWiXbV9STcseeLX6BKPdqBzaT
+ d8RFkrvsEJTTjwIJLreyrphrtXu/VS9uEMWaHj4/94lLXn8fn3CuUfs48kPDTlaw
+ vFg2lIGpfOui4s9Vhrafy1nrz1KzKHjhhnF80irrIo3kOkWaKeBuTyy7+MSx7PTi
+ 5RgSoKTKyMbMA6nbCj73KQIDAQABo1AwTjAdBgNVHQ4EFgQUU/wl91c+fyaFktpc
+ xrw1AgmWad4wHwYDVR0jBBgwFoAUU/wl91c+fyaFktpcxrw1AgmWad4wDAYDVR0T
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAe/6S1DWRtXwzBgwTCW7FR3IrpZzP
+ 4eN3TUbJy6tvff+iY6+96WV9vyH62NU8oEn5TUqy8r+EiOchbXJq8pvlPAcwdaeC
+ a9pjJku40oVai0pncqDnF/WOiXNkW71bRs/qQtIuVwKwVm9OyizjWsQtjm4Ycpju
+ 92liz5Q/ZZu+7eIufQYRr7lthgmTLCjqeS4qxiY7Y03ZLZpvEL+KVskkjPzHvzTO
+ S1Rq0t3ssb4uH78rvXj1Q/C2gVucUBE86P9AckSZtANGlmiKBnO6Lc1xQbsFyfSn
+ Xbt2g9IiP3nTEapCx/M8/Zl5M+XwK7pbQWdtwGnvGPoeFNV1sVT4iO1dLg==
+ -----END CERTIFICATE-----
diff --git a/hiera/fqdn/zuulv3.openstack.org.yaml b/hiera/fqdn/zuulv3.openstack.org.yaml
index 074e018045..6bba9510c5 100644
--- a/hiera/fqdn/zuulv3.openstack.org.yaml
+++ b/hiera/fqdn/zuulv3.openstack.org.yaml
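Review bot: The CA added as `gearman_ssl_ca` has only a three-year validity (its UTCTime fields decode to notBefore 2017-06-16 20:52:07 and notAfter 2020-06-15 20:52:07 UTC), while the server and client certificates it signs in the next two hunks decode to notAfter 2027-06-14; once the CA passes its notAfter, chain validation fails on both ends even though the leaf certificates are still in date. Either reissue the CA with a validity that covers its leaves, or schedule a rotation of CA and leaves together well before June 2020. A comment above the key would keep that date in front of whoever next edits this file, e.g. `# gearman mTLS root (CN zuulv3.openstack.org, self-signed, CA:TRUE); expires 2020-06-15 UTC - rotate together with the server and executor certs it signed`. Because this lands in common.yaml the CA is distributed to every node, which is fine for a public certificate but means its replacement touches every host's catalog.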
@@ -13,3 +13,31 @@ zuul_connections:
 canonical_hostname: 'git.openstack.org'
 user: 'zuul'
 sshkey: '/var/lib/zuul/ssh/id_rsa'
+
+gearman_server_ssl_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEYTCCA0mgAwIBAgIJAKkAn3gh0LBPMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
+ VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UE
+ CgwUT3BlblN0YWNrIEZvdW5kYXRpb24xFzAVBgNVBAsMDkluZnJhc3RydWN0dXJl
+ MR0wGwYDVQQDDBR6dXVsdjMub3BlbnN0YWNrLm9yZzEyMDAGCSqGSIb3DQEJARYj
+ b3BlbnN0YWNrLWluZnJhQGxpc3RzLm9wZW5zdGFjay5vcmcwHhcNMTcwNjE2MjA1
+ NDAyWhcNMjcwNjE0MjA1NDAyWjCBszELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRl
+ eGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0
+ aW9uMRcwFQYDVQQLDA5JbmZyYXN0cnVjdHVyZTEXMBUGA1UEAwwOZ2Vhcm1hbi5z
+ ZXJ2ZXIxMjAwBgkqhkiG9w0BCQEWI29wZW5zdGFjay1pbmZyYUBsaXN0cy5vcGVu
+ c3RhY2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3aMR61f/
+ LZkP/acuqiCEiSFF4GI1ViNkOSPEq0CP4HfNckeW0///x6vI/uaR4MlF8g8qNFGB
+ j2FCYRW1gEzS7TLoP3xYs4SMnvXvZRbdxcozOop506quLmlfPDF1o2GzLSQYDNXe
+ WbpYiNM+EdgBjqLz4G5DdaXMMw2zYP21kbtSxJIvrpqeW/TKBGWDI2bBH81PFb9B
+ gq1P4XxI/Aw7Ez6hApLV2D6DP7JidQUGOzvGw7LUEZjLEscQU7HH8j1qDvrM2gV4
+ FRSRrtw8Yr/erBsaNr84guEZQREqiOjr1HvMZK5o1vGb69ArWSk9b8PW+A2uxvfS
+ ukv7hvNsuCouHQIDAQABo3AwbjAJBgNVHRMEAjAAMCEGCWCGSAGG+EIBDQQUFhJj
+ bGllbnQgY2VydGlmaWNhdGUwHQYDVR0OBBYEFImAuHnbfxpEEZwiiro9KEa8YA+1
+ MB8GA1UdIwQYMBaAFFP8JfdXPn8mhZLaXMa8NQIJlmneMA0GCSqGSIb3DQEBCwUA
+ A4IBAQBTNIVB758W+wBtCMlIRFUPBiR+w+7RRsY8HXME5unvO65PcsfLKQXOr3i/
+ K2SliyyBliwKY+wtbvQZVltpBiloDqslSMD6veb5YsZDzTZ+x8xP1GEhcB3c6CsN
+ 0RDJ/xUGv2IXgQW8kw+MINILr9iQA6fn9dBN0OqimlchPHtvA9gO7Rv+IV3zZP+Q
+ yNWoBiZ6H5ANIt6vfcK0BHGDB6GXN9f1gpgsJd3l3vs3t/FgP1qYJiDd5VvcOXxt
+ uJziOvdg7jte0u609MWj3DOdey4HsxlEU27w13kzGI6RpPquvl/YB8Y6WMAIL8in
+ 1GRv9pIfENRRHOiC57p0RSQZZ/2V
+ -----END CERTIFICATE-----
diff --git a/hiera/group/zuul-executor.yaml b/hiera/group/zuul-executor.yaml
index dddd25b766..22e1f493cb 100644
--- a/hiera/group/zuul-executor.yaml
+++ b/hiera/group/zuul-executor.yaml
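Review bot: The server certificate's subject CN decodes to `gearman.server` and it carries no subjectAltName (its only extensions are basicConstraints CA:FALSE, an nsComment, a subject key identifier and an authority key identifier), so nothing in it names the host the executors actually connect to; whether that matters depends on whether the gear client checks the peer name against the host it dialled, which is not visible here — confirm, and if it does, reissue with a SAN for `zuulv3.openstack.org`. Neither this certificate nor the executor certificate in the next hunk has keyUsage or extendedKeyUsage, so the certificates themselves do not tie one to the server role and the other to the client role; issuing this one with `serverAuth` and the executor one with `clientAuth` would make that separation verifiable instead of resting only on which key is deployed where. The nsComment here decodes to `client certificate`, which suggests both leaves were minted from the same openssl extension section; harmless, but the template should label the server certificate correctly.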
@@ -6,3 +6,31 @@ zuul_connections:
 canonical_hostname: 'git.openstack.org'
 user: 'zuul'
 sshkey: '/var/lib/zuul/ssh/id_rsa'
+
+gearman_client_ssl_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIEYTCCA0mgAwIBAgIJAKkAn3gh0LBQMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
+ VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEdMBsGA1UE
+ CgwUT3BlblN0YWNrIEZvdW5kYXRpb24xFzAVBgNVBAsMDkluZnJhc3RydWN0dXJl
+ MR0wGwYDVQQDDBR6dXVsdjMub3BlbnN0YWNrLm9yZzEyMDAGCSqGSIb3DQEJARYj
+ b3BlbnN0YWNrLWluZnJhQGxpc3RzLm9wZW5zdGFjay5vcmcwHhcNMTcwNjE2MjMw
+ MjQyWhcNMjcwNjE0MjMwMjQyWjCBszELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRl
+ eGFzMQ8wDQYDVQQHDAZBdXN0aW4xHTAbBgNVBAoMFE9wZW5TdGFjayBGb3VuZGF0
+ aW9uMRcwFQYDVQQLDA5JbmZyYXN0cnVjdHVyZTEXMBUGA1UEAwwOZ2Vhcm1hbi5j
+ bGllbnQxMjAwBgkqhkiG9w0BCQEWI29wZW5zdGFjay1pbmZyYUBsaXN0cy5vcGVu
+ c3RhY2sub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsh3qSWIp
+ w6kXS4IIPU7fPP2felHCtmZyfgKolYbq1iVafcc/EUHa1onlaM+w7OEHr68y3Qau
+ SY6ifEsUWCKJlhu+UlHGwVIZliL02+9EAZ1DDs6OtxKa7nOIkWq8P8kRex234QVd
+ y37+vV+/lDeCbLoGo5P0j51fnqy10afg2xRblmXgqeqaiJAvCmEnG9S9q9+gbisZ
+ 1D2r+JtoTUMZtPY9NomvgdNuwmF5+VeO+CQepRWlA+0ysCFVgVwm++PNXETadHOj
+ mOSJxiq2u6fysZb7ctHgGuu+Ce3PVwah+kK/PEXADs7SjhJruSmL1ap2izc6kTFW
+ GSU/wkkPXtbWJwIDAQABo3AwbjAJBgNVHRMEAjAAMCEGCWCGSAGG+EIBDQQUFhJj
+ bGllbnQgY2VydGlmaWNhdGUwHQYDVR0OBBYEFKTyA6hjUY8jNxOEM5zuU7qecogX
+ MB8GA1UdIwQYMBaAFFP8JfdXPn8mhZLaXMa8NQIJlmneMA0GCSqGSIb3DQEBCwUA
+ A4IBAQAiLYckNAx7GQGCSXC92R23o181FiCePuNAgCb4QsaQkA/JopaLrn11R33Y
+ XO1C5fvsopKvcmEJKX0BJwNy41tz/rNmKXYy4hsPKYMsNgJQtYe98Mp+VHgAmtZ3
+ U0v49mUJA4YiLs/QmB6bmLknl1XjzJvbLu3gfVSGsquDXN1TcHLZy2fQlD6/D7HF
+ 2Zj44Af4b2xFcZc7J/iErIj8LGHx3alkGAgdXw+SQkgzDeXC/DhrXC1jVJQQQzfU
+ /4GjbLiPBLb+QIAaBVv+iVVok22DSvMydjI4Zr89NXDWEOZc8oZ7nBf9Sv1+I0xB
+ 6YQoN+t1YSx3G8AxPSZwyGlwhZo0
+ -----END CERTIFICATE-----
diff --git a/manifests/site.pp b/manifests/site.pp
index d8b6ea916e..ec26c45905 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
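Review bot: `gearman_client_ssl_cert` is placed in the group-level hiera for the executor group, so every `ze` host presents the same identity (the subject CN decodes to `gearman.client`) and, presumably, the same private key from the matching `gearman_client_ssl_key`; the scheduler cannot tell executors apart, and a key compromise on one executor cannot be revoked without reissuing for the whole group. With a ten-year validity (notAfter decodes to 2027-06-14) that shared credential also has a long exposure window. If one credential per group is the intent, record it in a comment above the key, e.g. `# shared executor client cert (CN gearman.client): every ze* host presents this identity - rotate together with gearman_client_ssl_key`; otherwise move the cert and key into per-fqdn hiera so each executor can be revoked on its own.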
@@ -1121,6 +1121,9 @@ node /^ze\d+\.openstack\.org$/ {
 zookeeper_hosts => 'nodepool.openstack.org:2181',
 zuulv3 => true,
 connections => hiera('zuul_connections', []),
+ gearman_client_ssl_cert => hiera('gearman_client_ssl_cert'),
+ gearman_client_ssl_key => hiera('gearman_client_ssl_key'),
+ gearman_ssl_ca => hiera('gearman_ssl_ca'),
 }
 
 class { '::zuul::executor': }
@@ -1212,17 +1215,20 @@ node 'zuulv3.openstack.org' {
 # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
 # settings.
 class { '::zuul':
- gerrit_server => $gerrit_server,
- gerrit_user => $gerrit_user,
- zuul_ssh_private_key => $zuul_ssh_private_key,
- git_email => $git_email,
- git_name => $git_name,
- revision => $revision,
- python_version => 3,
- zookeeper_hosts => 'nodepool.openstack.org:2181',
- zuulv3 => true,
- connections => hiera('zuul_connections', []),
- zuul_status_url => 'http://127.0.0.1:8001/openstack',
+ gerrit_server => $gerrit_server,
+ gerrit_user => $gerrit_user,
+ zuul_ssh_private_key => $zuul_ssh_private_key,
+ git_email => $git_email,
+ git_name => $git_name,
+ revision => $revision,
+ python_version => 3,
+ zookeeper_hosts => 'nodepool.openstack.org:2181',
+ zuulv3 => true,
+ connections => hiera('zuul_connections', []),
+ zuul_status_url => 'http://127.0.0.1:8001/openstack',
+ gearman_server_ssl_cert => hiera('gearman_server_ssl_cert'),
+ gearman_server_ssl_key => hiera('gearman_server_ssl_key'),
+ gearman_ssl_ca => hiera('gearman_ssl_ca'),
 }
 
 class { '::zuul::scheduler':
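Review bot: `hiera('gearman_client_ssl_key')` here and `hiera('gearman_server_ssl_key')` in the second hunk pull private key PEMs into the compiled catalog, so the key material sits in the catalog cached on each agent and will be echoed into change diffs and reports unless the resource that writes it in the ::zuul module (the Depends-On change, not visible here) sets `show_diff => false` and `backup => false`; confirm that module does so before this merges. The lookups carry no default, so a host missing the private hiera data fails catalog compilation rather than silently starting gearman without TLS, which is the right failure mode and worth keeping. The eleven `-`/`+` pairs in the second hunk only re-align `=>` for the longer key names and bury the three real additions; that is the usual puppet-lint alignment, but a separate whitespace-only change would have made the review easier. Both enclosing `node` blocks start and end outside their hunks.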