Add support to manage SSL cert

Since gear supports SSL certs, add some support for placing them into
the SSL folder.  It is possible we might want to move this into an
Ansible role, but for now it seems minimal to support it.

Change-Id: I5a3097a6026f648c6dbabb1e26e6a4d201f68c1c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Paul Belanger 2018-04-03 19:10:52 -04:00
parent 20729b2f30
commit 9167794c34
No known key found for this signature in database
GPG Key ID: 611A80832067AF38
7 changed files with 112 additions and 2 deletions


@ -36,6 +36,27 @@ zuul_file_gearman_logging_conf_mode: 0644
zuul_file_gearman_logging_conf_owner: "{{ zuul_user_name }}"
zuul_file_gearman_logging_conf_src: etc/zuul/gearman-logging.conf
zuul_file_gearman_ssl_ca_content:
zuul_file_gearman_ssl_ca_dest: /etc/zuul/ssl/root-ca.pem
zuul_file_gearman_ssl_ca_group: "{{ zuul_user_group }}"
zuul_file_gearman_ssl_ca_mode: 0644
zuul_file_gearman_ssl_ca_owner: "{{ zuul_user_name }}"
zuul_file_gearman_ssl_ca_src: etc/zuul/ssl/root-ca.pem
zuul_file_gearman_ssl_cert_content:
zuul_file_gearman_ssl_cert_dest: /etc/zuul/ssl/client.pem
zuul_file_gearman_ssl_cert_group: "{{ zuul_user_group }}"
zuul_file_gearman_ssl_cert_mode: 0644
zuul_file_gearman_ssl_cert_owner: "{{ zuul_user_name }}"
zuul_file_gearman_ssl_cert_src: etc/zuul/ssl/client.pem
zuul_file_gearman_ssl_key_content:
zuul_file_gearman_ssl_key_dest: /etc/zuul/ssl/client.key
zuul_file_gearman_ssl_key_group: "{{ zuul_user_group }}"
zuul_file_gearman_ssl_key_mode: 0600
zuul_file_gearman_ssl_key_owner: "{{ zuul_user_name }}"
zuul_file_gearman_ssl_key_src: etc/zuul/ssl/client.key
zuul_file_executor_logging_conf_dest: /etc/zuul/executor-logging.conf
zuul_file_executor_logging_conf_group: "{{ zuul_user_group }}"
zuul_file_executor_logging_conf_mode: 0644
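Review bot: The three `*_content` defaults (`zuul_file_gearman_ssl_ca_content`, `zuul_file_gearman_ssl_cert_content`, `zuul_file_gearman_ssl_key_content`) are bare keys, so they load as null, and nothing here tells the operator what they should hold or where the private key is expected to come from. The install tasks added elsewhere in this commit are not visibly conditional, so a deployment that leaves these unset would presumably still get root-ca.pem, client.pem and client.key written with only the generated header (or whatever Jinja renders for null). I would default them to an explicit empty string, e.g. `zuul_file_gearman_ssl_key_content: ""`, and put a comment above the key variable such as `# PEM private key for the gearman client; supply from an encrypted source (e.g. Ansible Vault), never in clear text in the repo`.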


@ -21,6 +21,7 @@
state: directory
with_items:
- /etc/zuul
- /etc/zuul/ssl
- /var/log/zuul
- name: Install gearman logging file.
@ -78,6 +79,36 @@
register: zuul_file_scheduler_logging_conf
notify: Reload zuul-scheduler
- name: Install zuul gearman ssl ca configuration.
become: yes
template:
dest: "{{ zuul_file_gearman_ssl_ca_dest }}"
group: "{{ zuul_file_gearman_ssl_ca_group }}"
mode: "{{ zuul_file_gearman_ssl_ca_mode }}"
owner: "{{ zuul_file_gearman_ssl_ca_owner }}"
src: "{{ zuul_file_gearman_ssl_ca_src }}"
register: zuul_file_gearman_ssl_ca
- name: Install zuul gearman ssl cert configuration.
become: yes
template:
dest: "{{ zuul_file_gearman_ssl_cert_dest }}"
group: "{{ zuul_file_gearman_ssl_cert_group }}"
mode: "{{ zuul_file_gearman_ssl_cert_mode }}"
owner: "{{ zuul_file_gearman_ssl_cert_owner }}"
src: "{{ zuul_file_gearman_ssl_cert_src }}"
register: zuul_file_gearman_ssl_cert
- name: Install zuul gearman ssl key configuration.
become: yes
template:
dest: "{{ zuul_file_gearman_ssl_key_dest }}"
group: "{{ zuul_file_gearman_ssl_key_group }}"
mode: "{{ zuul_file_gearman_ssl_key_mode }}"
owner: "{{ zuul_file_gearman_ssl_key_owner }}"
src: "{{ zuul_file_gearman_ssl_key_src }}"
register: zuul_file_gearman_ssl_key
- name: Install web logging file.
become: yes
template:
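Review bot: The `Install zuul gearman ssl key configuration.` task renders private-key material through `template` without `no_log: true`, so a run with `--diff` can print the key into the Ansible output and into any CI log that captures it; adding `no_log: true` to that task closes this. The three new tasks also only `register` their result and carry no `notify`, unlike the scheduler logging task just above them (`notify: Reload zuul-scheduler`), so a rotated certificate or key would apparently not be picked up until the services are restarted by hand. The trailing `Install web logging file.` task continues outside the hunk.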


@ -0,0 +1,4 @@
# This file is generated by Ansible
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
{{ zuul_file_gearman_ssl_key_content }}


@ -0,0 +1,4 @@
# This file is generated by Ansible
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
{{ zuul_file_gearman_ssl_cert_content }}


@ -0,0 +1,4 @@
# This file is generated by Ansible
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
{{ zuul_file_gearman_ssl_ca_content }}


@ -37,10 +37,11 @@
synchronize:
dest: "{{ zuul.executor.log_root }}/logs"
mode: pull
recursive: false
rsync_opts:
- "--relative"
src: "{{ item }}"
verify_host: true
with_items:
- /etc/zuul
- /var/log/zuul
- /etc/zuul/*
- /var/log/zuul/*
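Review bot: Keeping `/etc/zuul/ssl/client.key` out of the collected logs rests entirely on `recursive: false` combined with the `/etc/zuul/*` glob, and nothing in the task says so; a later edit that restores recursion would start pulling the gearman private key into `{{ zuul.executor.log_root }}/logs`. I would state the intent in a comment above `with_items`, e.g. `# Non-recursive on purpose: /etc/zuul/ssl holds the gearman private key and must not end up in job logs`, and make it explicit with an rsync exclude such as `- "--exclude=ssl"` next to `--relative`. The glob still copies every top-level file under /etc/zuul, so it is worth confirming that none of those carries credentials. The task starts outside the hunk.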


@ -32,6 +32,9 @@
assert:
that:
- zuul_file_gearman_logging_conf
- zuul_file_gearman_ssl_ca
- zuul_file_gearman_ssl_cert
- zuul_file_gearman_ssl_key
- zuul_file_executor_logging_conf
- zuul_file_fingergw_logging_conf
- zuul_file_merger_logging_conf
@ -135,6 +138,48 @@
- zuul_conf_stat.stat.pw_name == 'zuul-test'
- zuul_conf_stat.stat.gr_name == 'zuul-test'
- name: Register /etc/zuul/ssl/root-ca.pem
stat:
path: /etc/zuul/ssl/root-ca.pem
register: _zuul_file_gearman_ssl_ca_stat
- name: Assert _zuul_file_gearman_ssl_ca_stat tests.
assert:
that:
- _zuul_file_gearman_ssl_ca_stat.stat.exists
- _zuul_file_gearman_ssl_ca_stat.stat.isreg
- _zuul_file_gearman_ssl_ca_stat.stat.pw_name == 'zuul-test'
- _zuul_file_gearman_ssl_ca_stat.stat.gr_name == 'zuul-test'
- _zuul_file_gearman_ssl_ca_stat.stat.mode == '0644'
- name: Register /etc/zuul/ssl/client.pem
stat:
path: /etc/zuul/ssl/client.pem
register: _zuul_file_gearman_ssl_cert_stat
- name: Assert _zuul_file_gearman_ssl_cert_stat tests.
assert:
that:
- _zuul_file_gearman_ssl_cert_stat.stat.exists
- _zuul_file_gearman_ssl_cert_stat.stat.isreg
- _zuul_file_gearman_ssl_cert_stat.stat.pw_name == 'zuul-test'
- _zuul_file_gearman_ssl_cert_stat.stat.gr_name == 'zuul-test'
- _zuul_file_gearman_ssl_cert_stat.stat.mode == '0644'
- name: Register /etc/zuul/ssl/client.key
stat:
path: /etc/zuul/ssl/client.key
register: _zuul_file_gearman_ssl_key_stat
- name: Assert _zuul_file_gearman_ssl_key_stat tests.
assert:
that:
- _zuul_file_gearman_ssl_key_stat.stat.exists
- _zuul_file_gearman_ssl_key_stat.stat.isreg
- _zuul_file_gearman_ssl_key_stat.stat.pw_name == 'zuul-test'
- _zuul_file_gearman_ssl_key_stat.stat.gr_name == 'zuul-test'
- _zuul_file_gearman_ssl_key_stat.stat.mode == '0600'
- name: Register /etc/systemd/system/zuul-executor.service.d/override.conf
stat:
path: /etc/systemd/system/zuul-executor.service.d/override.conf
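Review bot: The new assertions pin owner and mode of the three files, but nothing checks the `/etc/zuul/ssl` directory itself, whose ownership and mode come from the shared directory-creation task and decide who can replace `client.key`. A `stat` on `/etc/zuul/ssl` with asserts on `isdir`, `pw_name`, `gr_name` and `mode` would cover that. It would also help to assert that `client.key` holds more than the generated header (`stat.size` is available from the same result), since these tests pass whether or not any key content was rendered. The final `Register /etc/systemd/system/zuul-executor.service.d/override.conf` task continues outside the hunk.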