Generate TLS certificats for the gearman service

This change demonstrates how the zuul-operator performs runtime operation
using Ansible by configuring TLS for the gearman service.

Change-Id: I0f728e81ca6f469cb37eb12625cb702c52d3ed1c

conf/zuul/resources.dhall

@@ -205,9 +205,15 @@ let {- This method renders the zuul.conf
           in      ''
                   [gearman]
                   server=scheduler
+                  ssl_ca=/etc/zuul-gearman/ca.pem
+                  ssl_cert=/etc/zuul-gearman/client.pem
+                  ssl_key=/etc/zuul-gearman/client.key
 
                   [gearman_server]
                   start=true
+                  ssl_ca=/etc/zuul-gearman/ca.pem
+                  ssl_cert=/etc/zuul-gearman/server.pem
+                  ssl_key=/etc/zuul-gearman/server.key
 
                   [zookeeper]
                   hosts=${zk-hosts}
@@ -622,13 +628,19 @@ in      \(input : Input)
                         , dir = "/etc/zuul-scheduler"
                         }
 
+                  let gearman-config =
+                        Volume::{
+                        , name = input.name ++ "-gearman-tls"
+                        , dir = "/etc/zuul-gearman"
+                        }
+
                   let executor-ssh-key =
                         Volume::{
                         , name = input.executor.ssh_key.secretName
                         , dir = "/etc/zuul-executor"
                         }
 
-                  let conn-keys = [] : List Volume.Type
+                  let conn-keys = [ gearman-config ]
 
                   let web-volumes = [ etc-zuul ]
 

roles/zuul-ensure-gearman-tls/tasks/main.yaml

@@ -0,0 +1,44 @@
+- name: Check if gearman tls cert is already created
+  set_fact:
+    gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"
+
+- name: Generate and store certs
+  when: gearman_certs.data is not defined
+  block:
+    - name: Generate certs
+      command: "{{ item }}"
+      loop:
+        # CA
+        - "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
+        # Server
+        - "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
+        - "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
+        # Client
+        - "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
+        - "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
+
+    - name: Create k8s secret
+      k8s:
+        state: "{{ state }}"
+        namespace: "{{ namespace }}"
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ zuul_name }}-gearman-tls"
+          stringData:
+            ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
+            server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}"
+            server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}"
+            client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
+            client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
+
+- name: Write client certs locally
+  when: gearman_certs.data is defined
+  copy:
+    content: "{{ gearman_certs.data[item] | b64decode }}"
+    dest: "{{ item }}"
+  loop:
+    - ca.pem
+    - client.key
+    - client.pem

roles/zuul/tasks/main.yaml

@@ -1,4 +1,5 @@
-# TODO: Generate tls cert secret
+- include_role:
+    name: zuul-ensure-gearman-tls
 
 - name: Convert spec to template input
   json_to_dhall: