5b6ee968b9
This change enables ZooKeeper TLS configuration when no zookeeper external connection is provided. Depends-On: https://review.opendev.org/712816 Depends-On: https://review.opendev.org/712531 Depends-On: https://review.opendev.org/712733 Change-Id: I2bef362bf7fba16fcd99229417c3e30494b2988d
31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
- name: Check if zookeeper tls cert is already created
|
|
set_fact:
|
|
zookeeper_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-zookeeper-tls') }}"
|
|
|
|
- name: Generate and store certs
|
|
when: zookeeper_certs.data is not defined
|
|
block:
|
|
- name: Generate certs
|
|
command: "sh -c 'mkdir -p zk-ca; {{ role_path }}/files/zk-ca.sh zk-ca/ {{ item }}'"
|
|
loop:
|
|
# TODO: support multiple zk pod
|
|
- zk
|
|
args:
|
|
creates: zk-ca/keys/clientkey.pem
|
|
|
|
- name: Create k8s secret
|
|
k8s:
|
|
state: "{{ state }}"
|
|
namespace: "{{ namespace }}"
|
|
definition:
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: "{{ zuul_name }}-zookeeper-tls"
|
|
stringData:
|
|
ca.crt: "{{ lookup('file', 'zk-ca/demoCA/cacert.pem') }}"
|
|
tls.crt: "{{ lookup('file', 'zk-ca/certs/client.pem') }}"
|
|
tls.key: "{{ lookup('file', 'zk-ca/keys/clientkey.pem') }}"
|
|
data:
|
|
zk.pem: "{{ lookup('file', 'zk-ca/keystores/zk.pem') | b64encode }}"
|