From 9167794c3464500808c9709f0f08ea3c0551b451 Mon Sep 17 00:00:00 2001
From: Paul Belanger
Date: Tue, 3 Apr 2018 19:10:52 -0400
Subject: [PATCH] Add support to manage SSL cert

Since gear support SSL certs, add in some support to place them into the SSL folder. It is possible we might want to move this into an ansible role, but for now it seems minimal to support it.

Change-Id: I5a3097a6026f648c6dbabb1e26e6a4d201f68c1c
Signed-off-by: Paul Belanger
---
 defaults/main.yaml | 21 ++++++++++++++
 tasks/config.yaml | 31 ++++++++++++++++++++
 templates/etc/zuul/ssl/client.key | 4 +++
 templates/etc/zuul/ssl/client.pem | 4 +++
 templates/etc/zuul/ssl/root-ca.pem | 4 +++
 tests/collect-logs.yaml | 5 ++--
 tests/test.yaml | 45 ++++++++++++++++++++++++++++++
 7 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100644 templates/etc/zuul/ssl/client.key
 create mode 100644 templates/etc/zuul/ssl/client.pem
 create mode 100644 templates/etc/zuul/ssl/root-ca.pem

diff --git a/defaults/main.yaml b/defaults/main.yaml
index 8125cd3..ad30ded 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -36,6 +36,27 @@
 zuul_file_gearman_logging_conf_mode: 0644
 zuul_file_gearman_logging_conf_owner: "{{ zuul_user_name }}"
 zuul_file_gearman_logging_conf_src: etc/zuul/gearman-logging.conf
+zuul_file_gearman_ssl_ca_content:
+zuul_file_gearman_ssl_ca_dest: /etc/zuul/ssl/root-ca.pem
+zuul_file_gearman_ssl_ca_group: "{{ zuul_user_group }}"
+zuul_file_gearman_ssl_ca_mode: 0644
+zuul_file_gearman_ssl_ca_owner: "{{ zuul_user_name }}"
+zuul_file_gearman_ssl_ca_src: etc/zuul/ssl/root-ca.pem
+
+zuul_file_gearman_ssl_cert_content:
+zuul_file_gearman_ssl_cert_dest: /etc/zuul/ssl/client.pem
+zuul_file_gearman_ssl_cert_group: "{{ zuul_user_group }}"
+zuul_file_gearman_ssl_cert_mode: 0644
+zuul_file_gearman_ssl_cert_owner: "{{ zuul_user_name }}"
+zuul_file_gearman_ssl_cert_src: etc/zuul/ssl/client.pem
+
+zuul_file_gearman_ssl_key_content:
+zuul_file_gearman_ssl_key_dest: /etc/zuul/ssl/client.key
+zuul_file_gearman_ssl_key_group: "{{ zuul_user_group }}"
+zuul_file_gearman_ssl_key_mode: 0600
+zuul_file_gearman_ssl_key_owner: "{{ zuul_user_name }}"
+zuul_file_gearman_ssl_key_src: etc/zuul/ssl/client.key
+
 zuul_file_executor_logging_conf_dest: /etc/zuul/executor-logging.conf
 zuul_file_executor_logging_conf_group: "{{ zuul_user_group }}"
 zuul_file_executor_logging_conf_mode: 0644
diff --git a/tasks/config.yaml b/tasks/config.yaml
index 8fa76c5..67b8a52 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@@ -21,6 +21,7 @@
     state: directory
   with_items:
     - /etc/zuul
+    - /etc/zuul/ssl
     - /var/log/zuul
 
- name: Install gearman logging file.
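Review bot: The three `*_content` defaults (`zuul_file_gearman_ssl_ca_content:`, `zuul_file_gearman_ssl_cert_content:`, `zuul_file_gearman_ssl_key_content:`) are bare empty values, which YAML loads as null, while nothing in this change makes the matching template tasks in tasks/config.yaml conditional on them, so a host that has not been given certificates still gets files written under /etc/zuul/ssl whose body is the rendering of a null rather than PEM data. Either guard the tasks (`when: zuul_file_gearman_ssl_key_content is not none`, and likewise for the ca and cert tasks) or document the variables as required; a comment above the block such as `# PEM content for the gearman client TLS files; supply these from an encrypted source (e.g. ansible-vault), never as plain-text defaults.` would make the contract visible to role users. The unquoted `0644`/`0600` modes follow the file's existing convention (`zuul_file_gearman_logging_conf_mode: 0644`) and Ansible accepts leading-zero octal, though the quoted form `"0600"` is the YAML-safe spelling if the file is ever normalised.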
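Review bot: `/etc/zuul/ssl` is appended to the same `with_items` list as `/etc/zuul` and `/var/log/zuul`, so it receives whatever single mode and owner the enclosing `file` task applies to all three items; that task starts outside the hunk, so I cannot see how permissive it is. A directory that will hold a private key usually warrants its own, tighter entry, so if the shared mode is not already restrictive, create it in a separate task with `mode: 0750` (matching the file's unquoted-octal convention) instead of inheriting the log directory's permissions.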
@@ -78,6 +79,36 @@
   register: zuul_file_scheduler_logging_conf
   notify: Reload zuul-scheduler
 
+- name: Install zuul gearman ssl ca configuration.
+  become: yes
+  template:
+    dest: "{{ zuul_file_gearman_ssl_ca_dest }}"
+    group: "{{ zuul_file_gearman_ssl_ca_group }}"
+    mode: "{{ zuul_file_gearman_ssl_ca_mode }}"
+    owner: "{{ zuul_file_gearman_ssl_ca_owner }}"
+    src: "{{ zuul_file_gearman_ssl_ca_src }}"
+  register: zuul_file_gearman_ssl_ca
+
+- name: Install zuul gearman ssl cert configuration.
+  become: yes
+  template:
+    dest: "{{ zuul_file_gearman_ssl_cert_dest }}"
+    group: "{{ zuul_file_gearman_ssl_cert_group }}"
+    mode: "{{ zuul_file_gearman_ssl_cert_mode }}"
+    owner: "{{ zuul_file_gearman_ssl_cert_owner }}"
+    src: "{{ zuul_file_gearman_ssl_cert_src }}"
+  register: zuul_file_gearman_ssl_cert
+
+- name: Install zuul gearman ssl key configuration.
+  become: yes
+  template:
+    dest: "{{ zuul_file_gearman_ssl_key_dest }}"
+    group: "{{ zuul_file_gearman_ssl_key_group }}"
+    mode: "{{ zuul_file_gearman_ssl_key_mode }}"
+    owner: "{{ zuul_file_gearman_ssl_key_owner }}"
+    src: "{{ zuul_file_gearman_ssl_key_src }}"
+  register: zuul_file_gearman_ssl_key
+
 - name: Install web logging file.
   become: yes
   template:
diff --git a/templates/etc/zuul/ssl/client.key b/templates/etc/zuul/ssl/client.key
new file mode 100644
index 0000000..7371c1e
--- /dev/null
+++ b/templates/etc/zuul/ssl/client.key
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_gearman_ssl_key_content }}
diff --git a/templates/etc/zuul/ssl/client.pem b/templates/etc/zuul/ssl/client.pem
new file mode 100644
index 0000000..9a35af6
--- /dev/null
+++ b/templates/etc/zuul/ssl/client.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_gearman_ssl_cert_content }}
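Review bot: `Install zuul gearman ssl key configuration.` writes a private key but carries no `no_log: true`, so a run with `-v` or `--diff` can print the key material into the Ansible output and, in CI, into the published job log; add `no_log: true` next to `register: zuul_file_gearman_ssl_key` (the ca and cert are public and can keep normal logging), which should also suppress the template diff for that task. All three tasks also run unconditionally although their `*_content` defaults in defaults/main.yaml are null, so hosts without certificates get placeholder files installed; a `when: zuul_file_gearman_ssl_key_content is not none` (and the ca/cert equivalents) would keep the role a no-op until content is provided. The tasks differ only in the `ca`/`cert`/`key` infix, so a single looped task would remove the triplication, but the registered names consumed by tests/test.yaml would then need to be reworked, so that is optional.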
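Review bot: Each of the three new templates (this one, templates/etc/zuul/ssl/client.pem and templates/etc/zuul/ssl/root-ca.pem) places three `#` comment lines in front of the PEM body, so the installed file is not pure PEM; most PEM loaders skip text outside the BEGIN/END markers, but that tolerance is consumer-specific and worth confirming against the gear client that reads client.key before relying on it. If the header stays, a note in the template such as `# Leading comment lines are expected to be ignored by the PEM reader; the PEM block starts at -----BEGIN-----.` records that assumption; dropping the header for these three files is the simpler option, since the `*_content` variables are meant to hold complete PEM blobs. Note also that with the null defaults from defaults/main.yaml the `{{ zuul_file_gearman_ssl_key_content }}` line renders a placeholder, not a key, so the file is only meaningful once the variable is supplied.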
diff --git a/templates/etc/zuul/ssl/root-ca.pem b/templates/etc/zuul/ssl/root-ca.pem
new file mode 100644
index 0000000..c547b43
--- /dev/null
+++ b/templates/etc/zuul/ssl/root-ca.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ zuul_file_gearman_ssl_ca_content }}
diff --git a/tests/collect-logs.yaml b/tests/collect-logs.yaml
index 2564039..901afcc 100644
--- a/tests/collect-logs.yaml
+++ b/tests/collect-logs.yaml
@@ -37,10 +37,11 @@
       synchronize:
         dest: "{{ zuul.executor.log_root }}/logs"
         mode: pull
+        recursive: false
         rsync_opts:
           - "--relative"
         src: "{{ item }}"
         verify_host: true
       with_items:
-        - /etc/zuul
-        - /var/log/zuul
+        - /etc/zuul/*
+        - /var/log/zuul/*
diff --git a/tests/test.yaml b/tests/test.yaml
index 52fdec2..3643a71 100644
--- a/tests/test.yaml
+++ b/tests/test.yaml
@@ -32,6 +32,9 @@
       assert:
         that:
           - zuul_file_gearman_logging_conf
+          - zuul_file_gearman_ssl_ca
+          - zuul_file_gearman_ssl_cert
+          - zuul_file_gearman_ssl_key
           - zuul_file_executor_logging_conf
           - zuul_file_fingergw_logging_conf
           - zuul_file_merger_logging_conf
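Review bot: The switch to `recursive: false` together with the `/etc/zuul/*` glob appears to be what keeps the new `/etc/zuul/ssl` directory, and the private key under it, out of the collected logs, but that depends on rsync's non-recursive handling of directory arguments rather than stating the intent anywhere. An explicit exclude next to `"--relative"` in `rsync_opts`, such as `- "--exclude=ssl"`, would document why the key directory is skipped and keep it skipped if recursion is ever turned back on. A comment above `recursive: false`, e.g. `# not recursive: /etc/zuul/ssl holds the gearman client key and must not be published with the job logs`, would make the same point to the next person editing this task.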
@@ -135,6 +138,48 @@
           - zuul_conf_stat.stat.pw_name == 'zuul-test'
           - zuul_conf_stat.stat.gr_name == 'zuul-test'
 
+    - name: Register /etc/zuul/ssl/root-ca.pem
+      stat:
+        path: /etc/zuul/ssl/root-ca.pem
+      register: _zuul_file_gearman_ssl_ca_stat
+
+    - name: Assert _zuul_file_gearman_ssl_ca_stat tests.
+      assert:
+        that:
+          - _zuul_file_gearman_ssl_ca_stat.stat.exists
+          - _zuul_file_gearman_ssl_ca_stat.stat.isreg
+          - _zuul_file_gearman_ssl_ca_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_ca_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_ca_stat.stat.mode == '0644'
+
+    - name: Register /etc/zuul/ssl/client.pem
+      stat:
+        path: /etc/zuul/ssl/client.pem
+      register: _zuul_file_gearman_ssl_cert_stat
+
+    - name: Assert _zuul_file_gearman_ssl_cert_stat tests.
+      assert:
+        that:
+          - _zuul_file_gearman_ssl_cert_stat.stat.exists
+          - _zuul_file_gearman_ssl_cert_stat.stat.isreg
+          - _zuul_file_gearman_ssl_cert_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_cert_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_cert_stat.stat.mode == '0644'
+
+    - name: Register /etc/zuul/ssl/client.key
+      stat:
+        path: /etc/zuul/ssl/client.key
+      register: _zuul_file_gearman_ssl_key_stat
+
+    - name: Assert _zuul_file_gearman_ssl_key_stat tests.
+      assert:
+        that:
+          - _zuul_file_gearman_ssl_key_stat.stat.exists
+          - _zuul_file_gearman_ssl_key_stat.stat.isreg
+          - _zuul_file_gearman_ssl_key_stat.stat.pw_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_key_stat.stat.gr_name == 'zuul-test'
+          - _zuul_file_gearman_ssl_key_stat.stat.mode == '0600'
+
     - name: Register /etc/systemd/system/zuul-executor.service.d/override.conf
       stat:
         path: /etc/systemd/system/zuul-executor.service.d/override.conf
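Review bot: The new stat/assert pairs cover the three files but not the `/etc/zuul/ssl` directory that tasks/config.yaml now creates, so a regression in that directory task's ownership or type would pass this test unnoticed; a matching pair for the directory closes the gap. The directory's mode is set by a task outside this diff, so the example below asserts only existence, type and ownership, and it assumes the directory gets the same `zuul-test` owner as the files — confirm that against the directory task before adopting it. The `Register /etc/systemd/system/zuul-executor.service.d/override.conf` task at the end of the hunk continues outside it.
```yaml
    - name: Register /etc/zuul/ssl
      stat:
        path: /etc/zuul/ssl
      register: _zuul_file_gearman_ssl_dir_stat

    - name: Assert _zuul_file_gearman_ssl_dir_stat tests.
      assert:
        that:
          - _zuul_file_gearman_ssl_dir_stat.stat.exists
          - _zuul_file_gearman_ssl_dir_stat.stat.isdir
          - _zuul_file_gearman_ssl_dir_stat.stat.pw_name == 'zuul-test'
          - _zuul_file_gearman_ssl_dir_stat.stat.gr_name == 'zuul-test'
# … unchanged: the three file stat/assert pairs added by the hunk …
```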