zuul/zuul-operator
Code Issues Proposed changes

Generate TLS certificats for the gearman service

Browse Source 
This change demonstrates how the zuul-operator performs runtime operation
using Ansible by configuring TLS for the gearman service.

Change-Id: I0f728e81ca6f469cb37eb12625cb702c52d3ed1c
This commit is contained in:
Tristan Cacqueray 2020-01-15 18:15:32 +00:00
parent 2937272624
commit b7daff7067
3 changed files with 59 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
conf/zuul/resources.dhall
View File

@ -205,9 +205,15 @@ let {- This method renders the zuul.conf
in '' in ''
[gearman] [gearman]
server=scheduler server=scheduler
ssl_ca=/etc/zuul-gearman/ca.pem
ssl_cert=/etc/zuul-gearman/client.pem
ssl_key=/etc/zuul-gearman/client.key
[gearman_server] [gearman_server]
start=true start=true
ssl_ca=/etc/zuul-gearman/ca.pem
ssl_cert=/etc/zuul-gearman/server.pem
ssl_key=/etc/zuul-gearman/server.key
[zookeeper] [zookeeper]
hosts=${zk-hosts} hosts=${zk-hosts}
@ -622,13 +628,19 @@ in \(input : Input)
, dir = "/etc/zuul-scheduler" , dir = "/etc/zuul-scheduler"
} }
let gearman-config =
Volume::{
, name = input.name ++ "-gearman-tls"
, dir = "/etc/zuul-gearman"
}
let executor-ssh-key = let executor-ssh-key =
Volume::{ Volume::{
, name = input.executor.ssh_key.secretName , name = input.executor.ssh_key.secretName
, dir = "/etc/zuul-executor" , dir = "/etc/zuul-executor"
} }
let conn-keys = [] : List Volume.Type let conn-keys = [ gearman-config ]
let web-volumes = [ etc-zuul ] let web-volumes = [ etc-zuul ]

44
roles/zuul-ensure-gearman-tls/tasks/main.yaml Normal file
View File

@ -0,0 +1,44 @@
- name: Check if gearman tls cert is already created
set_fact:
gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"
- name: Generate and store certs
when: gearman_certs.data is not defined
block:
- name: Generate certs
command: "{{ item }}"
loop:
# CA
- "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
# Server
- "openssl req -new -newkey rsa:2048 -nodes -keyout server-{{ zuul_name }}.key -out server-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in server-{{ zuul_name }}.csr -out server-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
# Client
- "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-gearman-tls"
stringData:
ca.pem: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
server.key: "{{ lookup('file', 'server-' + zuul_name + '.key') }}"
server.pem: "{{ lookup('file', 'server-' + zuul_name + '.pem') }}"
client.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
client.pem: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"
- name: Write client certs locally
when: gearman_certs.data is defined
copy:
content: "{{ gearman_certs.data[item] | b64decode }}"
dest: "{{ item }}"
loop:
- ca.pem
- client.key
- client.pem

3
roles/zuul/tasks/main.yaml
View File

@ -1,4 +1,5 @@
# TODO: Generate tls cert secret - include_role:
name: zuul-ensure-gearman-tls
- name: Convert spec to template input - name: Convert spec to template input
json_to_dhall: json_to_dhall: