a514aa0f98
To prepare for switching to TLS, set up TLS certs for Zookeeper and all of Nodepool and Zuul, but do not have them connect over TLS yet. We have observed problems with Kazoo using TLS in production. This will let us run the ZK quorum using TLS internally, and have Zuul and Nodepool connect over plaintext while also exposing the TLS client port so that we can perform some more production tests. Change-Id: If93b27f5b55be42be1cf6ee23258127fab5ce9ea
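# Ansible task list: provision a host to run a ZooKeeper node via docker-compose.
# Order matters: the system user/group must exist before the volume directories
# are chowned to them, and the conf/data files must be written before
# `docker-compose up` starts the container that reads them.
#
# Expected inventory/role vars: zookeeper_group, zookeeper_gid, zookeeper_user,
# zookeeper_uid. The zk-ca role is expected to be available on the role path.

- name: Create Zookeeper group
  group:
    name: "{{ zookeeper_group }}"
    gid: "{{ zookeeper_gid }}"
    # Real boolean; the YAML 1.1 spelling `yes` is parser-dependent.
    system: true

- name: Create Zookeeper User
  user:
    name: "{{ zookeeper_user }}"
    group: "{{ zookeeper_group }}"
    uid: "{{ zookeeper_uid }}"
    home: "/home/{{ zookeeper_user }}"
    create_home: true
    shell: /bin/bash
    system: true

# No `delete` option is set, so files removed from the source tree are not
# removed from the host; stale compose files persist until cleaned by hand.
- name: Synchronize compose directory
  synchronize:
    src: zookeeper-compose/
    dest: /etc/zookeeper-compose/

# Bind-mount targets for the container. Every directory, including `tls`, is
# initially owned by the host-side zookeeper user; the zk-ca role below
# re-owns /var/zookeeper/tls to the numeric ids it is given.
- name: Ensure volume directories exist
  file:
    state: directory
    path: "/var/zookeeper/{{ item }}"
    owner: "{{ zookeeper_user }}"
    group: "{{ zookeeper_group }}"
  loop:
    - conf
    - data
    - datalog
    - logs
    - tls

# Issues the node's TLS certificate into /var/zookeeper/tls (the `tls` item
# created above). 10001 is presumably the uid/gid the ZooKeeper process runs
# as inside the container image; it may differ from {{ zookeeper_uid }} on the
# host, so the key material is not necessarily readable by the host user.
# TODO confirm against the image used in zookeeper-compose.
- name: Generate ZooKeeper TLS cert
  include_role:
    name: zk-ca
  vars:
    zk_ca_cert_dir: /var/zookeeper/tls
    zk_ca_cert_dir_owner: 10001
    zk_ca_cert_dir_group: 10001

- name: Write config
  template:
    src: zoo.cfg.j2
    dest: /var/zookeeper/conf/zoo.cfg

- name: Write ID file
  template:
    src: myid.j2
    dest: /var/zookeeper/data/myid

# The docker commands below are literal argv with no shell features (no pipes,
# redirects or variable expansion), so `command` is used instead of `shell`:
# the arguments are passed to the program directly rather than through /bin/sh.
- name: Run docker-compose pull
  command:
    cmd: docker-compose pull
    chdir: /etc/zookeeper-compose/

- name: Run docker-compose up
  command:
    cmd: docker-compose up -d
    chdir: /etc/zookeeper-compose/

# `-f` skips the confirmation prompt. This prunes every dangling image on the
# host, not only ZooKeeper's.
- name: Run docker prune to cleanup unneeded images
  command:
    cmd: docker image prune -f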