Add gearman server / client SSL support

Note this only works for zuulv3 today. Change-Id: Iecd4ccc230653ef803764d10c626879d9ad3b1d2 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2017-06-16 18:57:52 -04:00 · 2017-06-16 18:57:52 -04:00 · 1a08165eea
parent 58e66ed91f
commit 1a08165eea
2 changed files with 91 additions and 1 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -69,6 +69,11 @@ class zuul (
  $connections = [],
  $python_version = 2,
  $zuulv3 = false,
+  $gearman_client_ssl_cert = undef,
+  $gearman_client_ssl_key = undef,
+  $gearman_server_ssl_cert = undef,
+  $gearman_server_ssl_key = undef,
+  $gearman_ssl_ca = undef,
 ) {
  include ::httpd
  include ::pip
@ -182,7 +187,74 @@ class zuul (
  }

  file { '/etc/zuul':
-    ensure => directory,
+    ensure  => directory,
+    group   => 'zuul',
+    mode    => '0755',
+    owner   => 'zuul',
+    require => User['zuul'],
+  }
+
+  file { '/etc/zuul/ssl':
+    ensure  => directory,
+    group   => 'zuul',
+    mode    => '0755',
+    owner   => 'zuul',
+    require => File['/etc/zuul'],
+  }
+
+  if ($gearman_ssl_ca != undef) {
+    file { '/etc/zuul/ssl/ca.pem':
+      ensure  => file,
+      content => $gearman_ssl_ca,
+      group   => 'zuul',
+      mode    => '0644',
+      owner   => 'zuul',
+      require => File['/etc/zuul/ssl'],
+    }
+  }
+
+  if ($gearman_client_ssl_cert != undef) {
+    file { '/etc/zuul/ssl/client.pem':
+      ensure  => file,
+      content => $gearman_client_ssl_cert,
+      group   => 'zuul',
+      mode    => '0644',
+      owner   => 'zuul',
+      require => File['/etc/zuul/ssl'],
+    }
+  }
+
+  if ($gearman_client_ssl_key != undef) {
+    file { '/etc/zuul/ssl/client.key':
+      ensure  => file,
+      content => $gearman_client_ssl_key,
+      group   => 'zuul',
+      mode    => '0640',
+      owner   => 'zuul',
+      require => File['/etc/zuul/ssl'],
+    }
+  }
+
+  if ($gearman_server_ssl_cert != undef) {
+    file { '/etc/zuul/ssl/server.pem':
+      ensure  => file,
+      content => $gearman_server_ssl_cert,
+      group   => 'zuul',
+      mode    => '0644',
+      owner   => 'zuul',
+      require => File['/etc/zuul/ssl'],
+    }
+  }
+
+  if ($gearman_server_ssl_key != undef) {
+    file { '/etc/zuul/ssl/server.key':
+      ensure  => file,
+      content => $gearman_server_ssl_key,
+      group   => 'zuul',
+      mode    => '0640',
+      owner   => 'zuul',
+      require => File['/etc/zuul/ssl'],
+    }
  }

  if $zuulv3 {
--- a/templates/zuulv3.conf.erb
+++ b/templates/zuulv3.conf.erb
@ -1,10 +1,28 @@
 [gearman]
 server=<%= @gearman_server %>
 check_job_registration=<%= @gearman_check_job_registration %>
+<% if @gearman_ssl_ca != nil -%>
+ssl_ca=<%= gearman_ssl_ca %>
+<% end -%>
+<% if @gearman_client_ssl_cert != nil -%>
+ssl_cert=<%= gearman_client_ssl_cert %>
+<% end -%>
+<% if @gearman_client_ssl_key != nil -%>
+ssl_key=<%= gearman_client_ssl_key %>
+<% end -%>

 [gearman_server]
 start=<%= @internal_gearman %>
 log_config=/etc/zuul/gearman-logging.conf
+<% if @gearman_ssl_ca != nil -%>
+ssl_ca=<%= gearman_ssl_ca %>
+<% end -%>
+<% if @gearman_server_ssl_cert != nil -%>
+ssl_cert=<%= gearman_server_ssl_cert %>
+<% end -%>
+<% if @gearman_server_ssl_key != nil -%>
+ssl_key=<%= gearman_server_ssl_key %>
+<% end -%>

 [zuul]
 tenant_config=/etc/zuul/layout/<%= @tenant_file_name %>