Google Git
Sign in
gerrit/zuul/ops/5af977bfd403b98701621d12b4e8505b5aef4ec2^!/.
commit
5af977bfd403b98701621d12b4e8505b5aef4ec2
[log]
author
James E. Blair <jeblair@redhat.com>
Tue Aug 11 16:07:09 2020 -0700
committer
James E. Blair <jeblair@redhat.com>
Tue Aug 11 16:07:09 2020 -0700
tree
a9767698a04ea15a3c9af37f953d89b6dd2536c3
parent
6d8c62761017418c57b0c6610fcc89154db2e6c6 [diff]
Fix cert usages and Zookeeper namespace

The certificates need the client auth usage in order for ZK to
accept them when presented by Zuul/Nodepool.

The zookeeper cluster also needs to be in the zookeeper namespace.

Finally, we need to run the certs.yaml file we recently added.

Change-Id: I9423ec7ff68f6e3f22cdb50334641314bcd2782b

diff --git a/k8s/zookeeper/certs.yaml b/k8s/zookeeper/certs.yaml
index b47fbf1..684438d 100644
--- a/k8s/zookeeper/certs.yaml
+++ b/k8s/zookeeper/certs.yaml

@@ -13,6 +13,11 @@
   keyEncoding: pkcs8
   secretName: zookeeper-server-tls
   commonName: server
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
   dnsNames:
   - zookeeper-0.zookeeper-headless.zookeeper.svc.cluster.local
   - zookeeper-0

diff --git a/k8s/zookeeper/zookeeper.yaml b/k8s/zookeeper/zookeeper.yaml
index b61fce6..4b55965 100644
--- a/k8s/zookeeper/zookeeper.yaml
+++ b/k8s/zookeeper/zookeeper.yaml

@@ -4,6 +4,7 @@
 kind: PodDisruptionBudget
 metadata:
   name: zookeeper
+  namespace: zookeeper
   labels:
     app: zookeeper
     chart: zookeeper-2.1.5
@@ -23,6 +24,7 @@
 kind: ConfigMap
 metadata:
   name: zookeeper
+  namespace: zookeeper
   labels:
     app: zookeeper
     chart: zookeeper-2.1.5
@@ -168,6 +170,7 @@
 kind: Service
 metadata:
   name: zookeeper-headless
+  namespace: zookeeper
   labels:
     app: zookeeper
     chart: zookeeper-2.1.5
@@ -198,6 +201,7 @@
 kind: Service
 metadata:
   name: zookeeper
+  namespace: zookeeper
   labels:
     app: zookeeper
     chart: zookeeper-2.1.5
@@ -219,6 +223,7 @@
 kind: StatefulSet
 metadata:
   name: zookeeper
+  namespace: zookeeper
   labels:
     app: zookeeper
     chart: zookeeper-2.1.5

diff --git a/k8s/zuul.yaml b/k8s/zuul.yaml
index 275039e..5aa2f28 100644
--- a/k8s/zuul.yaml
+++ b/k8s/zuul.yaml

@@ -8,6 +8,11 @@
   keyEncoding: pkcs8
   secretName: zookeeper-client-tls
   commonName: client
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
   issuerRef:
     name: ca-issuer
     kind: ClusterIssuer

diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index 9495de8..85a4627 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml

@@ -19,6 +19,11 @@
         state: present
         src: "{{ root }}/k8s/certmanager.yaml"
 
+    - name: Update Zookeeper certs
+      k8s:
+        state: present
+        src: "{{ root }}/k8s/zookeeper/certs.yaml"
+
     - name: Update Zookeeper deployment
       k8s:
         state: present