From a786681b5007d743a108526b754290a72e9d8e38 Mon Sep 17 00:00:00 2001 From: Paul Belanger Date: Mon, 21 Jun 2021 22:51:15 -0400 Subject: [PATCH] Add nodepool SSL certs Depends-On: https://review.opendev.org/c/windmill/ansible-role-nodepool/+/777436/ Change-Id: I8750ed096a806dcb4697e177a9689860b3769e70 Signed-off-by: Paul Belanger
---
 ansible/group_vars/nodepool.yaml | 197 +++++++++++++++++++++++++++++++ nodepool/secure.conf.j2 | 7 +- 2 files changed, 203 insertions(+), 1 deletion(-)
diff --git a/ansible/group_vars/nodepool.yaml b/ansible/group_vars/nodepool.yaml
index a51a13a..7a8c7a0 100644
--- a/ansible/group_vars/nodepool.yaml
+++ b/ansible/group_vars/nodepool.yaml
@@ -39,6 +39,203 @@
 nodepool_service_nodepool_launcher_enabled: false
 nodepool_service_nodepool_launcher_manage: false
 nodepool_service_nodepool_launcher_state: stopped
+nodepool_file_zookeeper_tls_cacert_content: |
+ Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 2a:bc:ea:bd:f2:11:1c:aa:d4:45:40:1c:c0:b5:46:f4:8b:78:ee:68
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=California, O=Company Name, OU=Org, CN=caroot
+ Validity
+ Not Before: Jun 22 02:38:55 2021 GMT
+ Not After : Mar 22 02:38:55 2031 GMT
+ Subject: C=US, ST=California, O=Company Name, OU=Org, CN=caroot
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:da:9a:37:0c:81:2d:9a:df:50:95:16:d1:59:1f:
+ d3:2e:88:3d:00:c9:d4:41:46:e2:56:50:ff:ca:a8:
+ df:d8:78:4a:bb:19:db:cf:f5:59:ce:76:a2:e3:10:
+ 58:45:7d:28:75:2a:57:8a:d0:52:a1:2d:c8:08:d5:
+ d0:03:4b:cd:74:49:e5:95:64:2d:05:30:6f:41:a7:
+ a9:31:5d:93:b0:9d:62:ed:7b:89:bd:7c:75:9d:47:
+ ca:89:3b:50:06:99:85:c0:f9:b3:1f:1f:d8:94:90:
+ 10:75:e7:65:0d:18:34:4e:df:46:f3:88:32:a5:c8:
+ a0:67:d2:d3:9b:ed:13:1b:b9:02:74:0c:95:cf:93:
+ 59:c8:a2:95:53:0f:3c:75:b2:39:b9:15:98:28:f8:
+ 9b:24:72:02:f3:d9:33:28:bd:32:d9:f3:b0:f7:9c:
+ cb:bb:87:1b:86:57:c1:72:31:38:3c:4f:6f:8b:26:
+ e1:fc:73:4e:25:a7:29:d6:22:2c:2d:7b:c1:c0:58:
+ 95:01:a9:23:e9:f4:30:d7:49:35:17:08:a2:89:dd:
+ b3:51:ad:50:67:9e:f7:f4:36:19:e8:97:d6:04:12:
+ d6:8c:15:bf:2f:9b:c4:33:c6:18:bd:28:91:78:85:
+ 80:ff:97:88:8c:8a:58:06:17:ee:58:37:42:bb:d2:
+ b3:3d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09
+ X509v3 Authority Key Identifier:
+ keyid:B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:5f:30:95:02:b1:f4:32:ef:09:8d:c1:30:68:6a:5c:16:2c:
+ 15:cf:65:71:0c:42:a7:46:bc:57:12:6d:c7:43:30:7c:71:63:
+ c2:ba:87:9e:c3:59:68:ff:52:5f:80:71:41:d2:c9:53:eb:71:
+ 62:09:c0:f4:28:93:89:a5:79:0d:de:44:59:da:62:46:d0:d3:
+ da:5d:f0:f4:b2:a6:38:43:f1:d6:81:e7:80:cd:83:e6:b2:4d:
+ 04:54:9a:63:50:c5:4e:56:ae:44:76:d1:13:ef:79:a3:00:19:
+ d6:46:e6:90:ca:0a:de:2d:89:43:0b:73:11:82:94:35:ad:12:
+ bd:2c:f0:c4:0b:e5:27:25:c3:d8:c8:0d:1f:2e:7e:c7:4b:8b:
+ 32:f7:13:da:04:fe:9d:1a:31:db:79:02:12:ca:cf:67:0c:d9:
+ 85:59:da:7a:88:16:d1:ee:e8:f3:36:d6:30:50:09:98:74:d5:
+ 97:92:06:15:3f:e7:bf:63:9d:fe:b3:50:ce:e4:80:6b:4f:49:
+ 34:26:96:eb:13:47:69:9f:a1:45:35:93:38:9b:a2:09:e8:65:
+ e0:2b:c8:d9:a6:56:d7:ab:a2:f3:5b:fc:f5:aa:82:21:8c:0b:
+ 43:67:1b:9c:fe:52:40:25:68:65:87:cc:cc:5c:a1:bc:60:a4:
+ dc:7c:1f:5d
+ -----BEGIN CERTIFICATE-----
+ MIIDkTCCAnmgAwIBAgIUKrzqvfIRHKrURUAcwLVG9It47mgwDQYJKoZIhvcNAQEL
+ BQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoM
+ DENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3JnMQ8wDQYDVQQDDAZjYXJvb3QwHhcN
+ MjEwNjIyMDIzODU1WhcNMzEwMzIyMDIzODU1WjBYMQswCQYDVQQGEwJVUzETMBEG
+ A1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMQ29tcGFueSBOYW1lMQwwCgYDVQQL
+ DANPcmcxDzANBgNVBAMMBmNhcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+ AQoCggEBANqaNwyBLZrfUJUW0Vkf0y6IPQDJ1EFG4lZQ/8qo39h4SrsZ28/1Wc52
+ ouMQWEV9KHUqV4rQUqEtyAjV0ANLzXRJ5ZVkLQUwb0GnqTFdk7CdYu17ib18dZ1H
+ yok7UAaZhcD5sx8f2JSQEHXnZQ0YNE7fRvOIMqXIoGfS05vtExu5AnQMlc+TWcii
+ lVMPPHWyObkVmCj4myRyAvPZMyi9MtnzsPecy7uHG4ZXwXIxODxPb4sm4fxzTiWn
+ KdYiLC17wcBYlQGpI+n0MNdJNRcIoonds1GtUGee9/Q2GeiX1gQS1owVvy+bxDPG
+ GL0okXiFgP+XiIyKWAYX7lg3QrvSsz0CAwEAAaNTMFEwHQYDVR0OBBYEFLPZmxLq
+ dLA3wxwoddQ+XeN/HssJMB8GA1UdIwQYMBaAFLPZmxLqdLA3wxwoddQ+XeN/HssJ
+ MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJlfMJUCsfQy7wmN
+ wTBoalwWLBXPZXEMQqdGvFcSbcdDMHxxY8K6h57DWWj/Ul+AcUHSyVPrcWIJwPQo
+ k4mleQ3eRFnaYkbQ09pd8PSypjhD8daB54DNg+ayTQRUmmNQxU5WrkR20RPveaMA
+ GdZG5pDKCt4tiUMLcxGClDWtEr0s8MQL5Sclw9jIDR8ufsdLizL3E9oE/p0aMdt5
+ AhLKz2cM2YVZ2nqIFtHu6PM21jBQCZh01ZeSBhU/579jnf6zUM7kgGtPSTQmlusT
+ R2mfoUU1kzibognoZeAryNmmVterovNb/PWqgiGMC0NnG5z+UkAlaGWHzMxcobxg
+ pNx8H10=
+ -----END CERTIFICATE-----
+
+nodepool_file_zookeeper_tls_cert_content: |
+ Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 2a:bc:ea:bd:f2:11:1c:aa:d4:45:40:1c:c0:b5:46:f4:8b:78:ee:69
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=California, O=Company Name, OU=Org, CN=caroot
+ Validity
+ Not Before: Jun 22 02:38:55 2021 GMT
+ Not After : Mar 22 02:38:55 2031 GMT
+ Subject: C=US, ST=California, L=Oakland, O=Company Name, OU=Org, CN=client
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (2048 bit)
+ Modulus:
+ 00:cd:09:00:63:6b:45:d2:85:2b:44:60:15:f5:7a:
+ 45:9e:db:36:8b:8c:4f:49:56:1f:2b:81:2c:3a:76:
+ c9:20:3c:3d:66:8b:c4:dc:2a:73:a9:fc:a8:03:07:
+ a0:6d:85:b4:01:1e:1f:4b:73:91:0c:f0:75:8c:5e:
+ 2d:28:e7:4f:d7:24:3f:78:69:b6:e3:94:a1:7f:87:
+ 9f:d1:a4:e5:3f:f0:39:67:46:90:c8:ea:d4:cf:d8:
+ 95:8e:60:46:05:77:4d:5c:36:32:0b:fd:72:4b:af:
+ 15:dc:f8:d9:c8:4a:3e:48:3d:1f:bf:60:b9:c6:47:
+ 18:55:f5:00:83:ee:ed:10:2b:0c:f9:07:0b:14:3b:
+ d8:a4:c8:95:28:52:24:79:cd:e9:db:23:24:2c:94:
+ 2e:b8:28:ec:5d:0e:5e:ef:83:99:0a:3d:1a:b2:3a:
+ 2d:6d:62:9d:64:3c:82:8c:8c:a2:23:c5:71:ad:59:
+ e2:a1:db:22:2a:b7:a3:eb:a1:39:01:ed:60:3a:ff:
+ 8b:03:43:30:98:ef:6e:6f:d7:1b:1d:33:aa:a0:77:
+ 53:38:bb:91:4a:8a:ce:3c:e9:e7:32:29:d7:bf:5a:
+ 7b:4d:40:db:77:6e:84:b9:2e:e9:53:65:4d:36:d5:
+ dd:f5:69:27:a4:19:52:e0:d1:f4:21:81:a9:d1:bb:
+ ef:f1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 9A:31:97:A5:1F:07:BA:BE:75:C6:2D:14:FF:1C:13:03:2E:33:3C:3B
+ X509v3 Authority Key Identifier:
+ keyid:B3:D9:9B:12:EA:74:B0:37:C3:1C:28:75:D4:3E:5D:E3:7F:1E:CB:09
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 69:d7:75:e5:8b:07:96:9a:3c:97:10:61:49:6f:2a:03:63:d5:
+ d0:46:f3:47:2c:a6:08:90:a5:e2:8a:f1:75:c9:4c:56:ee:54:
+ 0c:20:cf:60:93:c2:3d:23:c1:7d:97:50:61:5d:42:a0:c4:7d:
+ cb:d7:c4:5a:d7:47:eb:69:83:bf:36:20:26:20:fa:69:82:c3:
+ c2:f2:71:30:c5:42:28:d8:78:87:03:91:2a:b5:b2:32:5a:49:
+ 61:be:4f:1a:b0:e8:cf:17:56:ee:86:54:bc:a5:10:a3:5e:45:
+ 67:d4:28:ce:e7:b4:c1:64:46:47:bb:91:4c:56:d5:1f:ff:be:
+ 21:f9:7f:9b:23:9d:74:93:ee:64:64:60:10:67:50:bf:ec:f2:
+ 74:5d:0a:4b:19:60:b7:24:ad:29:4a:37:13:b9:17:20:b9:1e:
+ 2c:f1:ab:dc:e9:6a:f6:5f:c2:32:5a:d4:54:88:b9:59:44:6f:
+ b1:52:da:af:96:96:a5:17:98:07:56:45:a2:7f:bd:44:a7:58:
+ d7:04:d0:e0:ab:2d:7f:83:2a:b9:8a:56:c4:c4:9e:1a:35:d5:
+ fc:e9:10:31:e7:1d:6f:aa:8a:6d:c0:b6:a4:de:77:11:6d:27:
+ ed:fe:7f:5d:43:ed:4b:68:1b:d1:51:33:cd:94:12:82:d3:0f:
+ 5b:21:16:e8
+ -----BEGIN CERTIFICATE-----
+ MIIDyzCCArOgAwIBAgIUKrzqvfIRHKrURUAcwLVG9It47mkwDQYJKoZIhvcNAQEL
+ BQAwWDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoM
+ DENvbXBhbnkgTmFtZTEMMAoGA1UECwwDT3JnMQ8wDQYDVQQDDAZjYXJvb3QwHhcN
+ MjEwNjIyMDIzODU1WhcNMzEwMzIyMDIzODU1WjBqMQswCQYDVQQGEwJVUzETMBEG
+ A1UECAwKQ2FsaWZvcm5pYTEQMA4GA1UEBwwHT2FrbGFuZDEVMBMGA1UECgwMQ29t
+ cGFueSBOYW1lMQwwCgYDVQQLDANPcmcxDzANBgNVBAMMBmNsaWVudDCCASIwDQYJ
+ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAM0JAGNrRdKFK0RgFfV6RZ7bNouMT0lW
+ HyuBLDp2ySA8PWaLxNwqc6n8qAMHoG2FtAEeH0tzkQzwdYxeLSjnT9ckP3hptuOU
+ oX+Hn9Gk5T/wOWdGkMjq1M/YlY5gRgV3TVw2Mgv9ckuvFdz42chKPkg9H79gucZH
+ GFX1AIPu7RArDPkHCxQ72KTIlShSJHnN6dsjJCyULrgo7F0OXu+DmQo9GrI6LW1i
+ nWQ8goyMoiPFca1Z4qHbIiq3o+uhOQHtYDr/iwNDMJjvbm/XGx0zqqB3Uzi7kUqK
+ zjzp5zIp179ae01A23duhLku6VNlTTbV3fVpJ6QZUuDR9CGBqdG77/ECAwEAAaN7
+ MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+ Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJoxl6UfB7q+dcYtFP8cEwMuMzw7MB8GA1Ud
+ IwQYMBaAFLPZmxLqdLA3wxwoddQ+XeN/HssJMA0GCSqGSIb3DQEBCwUAA4IBAQBp
+ 13XliweWmjyXEGFJbyoDY9XQRvNHLKYIkKXiivF1yUxW7lQMIM9gk8I9I8F9l1Bh
+ XUKgxH3L18Ra10fraYO/NiAmIPppgsPC8nEwxUIo2HiHA5EqtbIyWklhvk8asOjP
+ F1buhlS8pRCjXkVn1CjO57TBZEZHu5FMVtUf/74h+X+bI510k+5kZGAQZ1C/7PJ0
+ XQpLGWC3JK0pSjcTuRcguR4s8avc6Wr2X8IyWtRUiLlZRG+xUtqvlpalF5gHVkWi
f71Ep1jXBNDgqy1/gyq5ilbExJ4aNdX86RAx5x1vqoptwLak3ncRbSft/n9dQ+1L
+ aBvRUTPNlBKC0w9bIRbo
+ -----END CERTIFICATE-----
+
+nodepool_file_zookeeper_tls_key_content: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDNCQBja0XShStE
+ YBX1ekWe2zaLjE9JVh8rgSw6dskgPD1mi8TcKnOp/KgDB6BthbQBHh9Lc5EM8HWM
+ Xi0o50/XJD94abbjlKF/h5/RpOU/8DlnRpDI6tTP2JWOYEYFd01cNjIL/XJLrxXc
+ +NnISj5IPR+/YLnGRxhV9QCD7u0QKwz5BwsUO9ikyJUoUiR5zenbIyQslC64KOxd
+ Dl7vg5kKPRqyOi1tYp1kPIKMjKIjxXGtWeKh2yIqt6ProTkB7WA6/4sDQzCY725v
+ 1xsdM6qgd1M4u5FKis486ecyKde/WntNQNt3boS5LulTZU021d31aSekGVLg0fQh
+ ganRu+/xAgMBAAECggEBALMhfyZc7UaMtA1rySOLbNHqAVCQCCExTdArbaGyb+tq
+ 1dYGnLohmKXVqE/lVOL64hXr5Dl+QSbF2l0FVn0bAiUbdRxVd8SC8UnDCv0VDHj8
+ /pndC9eNWtowBhG6yNIztfGvI7BYAIhg8j/5ZgPX4WwpgtgnwIabTIako4ugrZrl
+ /2WhPpLr1rT2J6zS5//dnZCuP6+/DgC2Ccdeo3/2jUjePBGB5qzNNOX7o1xmgEtJ
+ tXs/YfTdhFCudQJB65yT9TJbDB/CUjd/QhQU9RxdCTS9uFoXKaWq24VCLxZsNGoa
+ sulpSMYRHwsBSwz6ur638uoEh+VZECBMo/a9ITmxP0ECgYEA/c4XQuvxk8zTVA8C
+ Rr7auJbAnxLqAmAQnbETLeLSZ91w3C/D6iHT6OzxB3xKX50ZNccwM9oXVJWryzvJ
+ gpqGKLTy+xWjpu6ePJIlFcfVC82r/z/KdQGJ1ywEyfLhOL5Reo64seLyFTHw4Fy0
+ B9VF18z7oyzfrpIBAYw7CVwm8UkCgYEAzs7v42T3E9CSiyz21aN/GEEwWTHCr0s4
+ +ag10kF5D6mWZ2Kh73ozPdtL/kxUCKK3Hz+oBnmKmEyyStSAUS5gatrFMDr2NaQt
+ H8UiugfBc2owf7tMAizFbEwCIB6QJmZpY+BWNffA0xt88VUz8ZddRSaldbh+d6Pp
+ HxmPnNj0MWkCgYEAlthxXNXsi6KWC4SsHq36QvFeZG0SZf0AgyimNIR190NWe5ds
+ AnC+iNaiXoeRkIhHXn4XeQnrCdu28iCDoLsEd5csPuzaijGSHH/jyLEvP0erLRaV
+ 1rrmWNuRsRFIqLf8pzHCNf+jT9ORzVdrrKgmTZ9IA/B8tT2TmX7l66c4gfkCgYAN
+ TQPitSCq9pQmPVsWvHA1KCQq6GdkDMt6SxZDEpDtr/OLbK2LkGlxRgRqM5CICacL
+ bHWrDPAcAXrKE0a5cekjljRueKxTIN8CFxS3sD4B5Ud/P5WQ4j5ES9MrK6wLvDR1
+ Bv2kdO3C5hawEtHHbPvDscuceaQwn6sjo+o3pUB3WQKBgQDFsHdiHEJrUqu2Q3i8
+ +2o8YgPIneDUR6ba4laIyPmRH5It1NBweCCb6lquiIx1Kd7KQ78R/QSq4Q0+UEym
+ ACrb+j56IbOPn/YurnltHGo/TQjItj+MRjU7iEg3jTofCFXm1FkUmW3MADzqSoMm
+ MepbDLDFecFZBbTEVe5tF/JgZw==
+ -----END PRIVATE KEY-----
+
 # windmill.openstacksdk
 openstacksdk_user_name: nodepool
 openstacksdk_user_group: nodepool
diff --git a/nodepool/secure.conf.j2 b/nodepool/secure.conf.j2
index cc18c9d..fdc83b7 100644
--- a/nodepool/secure.conf.j2
+++ b/nodepool/secure.conf.j2
@@ -5,6 +5,11 @@ zookeeper-servers:
 {% if 'zookeeper' in groups %}
 {% for host in groups['zookeeper'] %}
 - host: '{{ hostvars[host].ansible_host | ipwrap }}'
- port: 2181
+ port: 2281
 {% endfor %}
 {% endif %}
+
+zookeeper-tls:
+ ca: {{ nodepool_file_zookeeper_tls_cacert_dest }}
+ cert: {{ nodepool_file_zookeeper_tls_cert_dest }}
+ key: {{ nodepool_file_zookeeper_tls_key_dest }}
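Review bot: `nodepool_file_zookeeper_tls_key_content` puts an unencrypted PEM private key into a plain group_vars file, so the key is readable by anyone with read access to the repository or the review system, and removing the file later will not remove it from history. Store it as an `ansible-vault` encrypted value (a `!vault |` scalar produced by `ansible-vault encrypt_string`) or supply it from outside the repository, and treat this key pair as disclosed once pushed — reissue the client certificate before it is used for anything beyond a test deployment. The `O=Company Name, OU=Org` subject fields suggest throwaway test material; if that is the intent, a comment above the three `*_content` variables such as `# Self-signed test material only; replace before real use` would keep a later reader from reusing it. The `openssl x509 -text` dump preceding each `-----BEGIN CERTIFICATE-----` is dead weight in the variable and, while OpenSSL's PEM reader normally skips leading text, a stricter consumer may not; the PEM block alone is what the `ca`/`cert` files need to contain.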
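Review bot: The three new `zookeeper-tls` values are rendered unquoted, unlike `host:` three lines above, so a destination path containing ` #`, `: ` or a leading YAML indicator would change how nodepool's YAML loader reads the result; write them as `ca: '{{ nodepool_file_zookeeper_tls_cacert_dest }}'`, `cert: '{{ nodepool_file_zookeeper_tls_cert_dest }}'`, `key: '{{ nodepool_file_zookeeper_tls_key_dest }}'`. The `*_dest` variables are not defined anywhere in this commit — the group_vars hunk defines only the `*_content` counterparts — so they presumably come from the role change named in Depends-On, and with Ansible's default undefined-variable handling the template task fails until that change lands. The port change to 2281 and the `zookeeper-tls` stanza are unconditional, so every deployment now requires the ZooKeeper TLS listener; if the plaintext 2181 listener is still expected anywhere, the commit message should say that the TLS port is now mandatory.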