feat(config): allow cert reload without restart
minorOffense committed Oct 15, 2024
1 parent 22e1ac6 commit 47d1d1b
Showing 3 changed files with 38 additions and 0 deletions.
2 changes: 2 additions & 0 deletions manifests/init.pp
Expand Up @@ -199,6 +199,7 @@
String $cleanup_sh = $zookeeper::params::cleanup_sh,
Optional[String] $client_ip = $zookeeper::params::client_ip,
Integer $client_port = $zookeeper::params::client_port,
Optional[Boolean] $client_cert_reload = $zookeeper::params::client_cert_reload,

Check warning on line 202 in manifests/init.pp


GitHub Actions / lint

missing documentation for class parameter zookeeper::client_cert_reload (check: parameter_documentation)
Optional[Integer] $secure_client_port = $zookeeper::params::secure_client_port,
Optional[Boolean] $secure_port_only = $zookeeper::params::secure_port_only,
Optional[Boolean] $ssl = $zookeeper::params::ssl,
Expand All @@ -221,6 +222,7 @@
Optional[Boolean] $ssl_quorum_hostname_verification = $zookeeper::params::ssl_quorum_hostname_verification,
Optional[String] $ssl_quorum_ciphersuites = $zookeeper::params::ssl_quorum_ciphersuites,
Optional[String] $ssl_quorum_protocol = $zookeeper::params::ssl_quorum_protocol,
Optional[Boolean] $ssl_quorum_reload_cert_files = $zookeeper::params::ssl_quorum_reload_cert_files,
Optional[Boolean] $ssl_quorum = $zookeeper::params::ssl_quorum,
Optional[Boolean] $port_unification = $zookeeper::params::port_unification,
String $datastore = $zookeeper::params::datastore,
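Review bot: The new `$ssl_quorum_reload_cert_files` parameter in the second hunk has no entry in the class documentation header, so the same parameter_documentation check that fires for line 202 will also fire for it once that one is fixed. The header itself starts outside the hunk, so add an entry there in the form the existing parameters use, along the lines of `ssl_quorum_reload_cert_files: when true, ZooKeeper re-reads the quorum keystore/truststore files when they change on disk so rotated certificates take effect without a restart (ZooKeeper 3.5.5+); undef leaves the key commented out in zoo.cfg`, and a matching entry for `client_cert_reload` referencing `client.certReload` (3.7.2/3.8.1/3.9.0+). The two names mirror their ZooKeeper keys (`client.certReload` vs `sslQuorumReloadCertFiles`), which is consistent with how the surrounding parameters are named, so the asymmetry is acceptable if the docs spell out which key each one drives.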
2 changes: 2 additions & 0 deletions manifests/params.pp
Expand Up @@ -130,6 +130,7 @@
$cleanup_sh = '/usr/share/zookeeper/bin/zkCleanup.sh'
$client_ip = undef # use e.g. $::ipaddress if you want to bind to single interface
$client_port = 2181
$client_cert_reload = undef
$secure_client_port = undef
$secure_port_only = false
$ssl = false
Expand All @@ -152,6 +153,7 @@
$ssl_quorum_ciphersuites = undef
$ssl_quorum_hostname_verification = true
$ssl_quorum_protocol = 'TLSv1.2'
$ssl_quorum_reload_cert_files = undef
$ssl_quorum = false
$quorum_listen_on_all_ips = false
$audit_enable = false
34 changes: 34 additions & 0 deletions templates/conf/zoo.cfg.erb
Expand Up @@ -165,6 +165,15 @@ secureClientPort=<%= scope.lookupvar("zookeeper::secure_client_port") %>

# Client TLS configuration
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

# Autoreload client certfiles. New in 3.7.2, 3.8.1, 3.9.0
<% if ! [nil, :undefined, :undef].include?scope.lookupvar("zookeeper::client_cert_reload") %>
client.certReload=<%=scope.lookupvar("zookeeper::client_cert_reload") %>
<% else -%>
#client.certReload=
<% end -%>
<% end -%>

# Force TLS version
ssl.protocol=<%= scope.lookupvar("zookeeper::ssl_protocol") %>
# Hostname verification (default yes)
Expand Down Expand Up @@ -200,6 +209,15 @@ ssl.ciphersuites=<%= scope.lookupvar("zookeeper::ssl_ciphersuites") %>

# Server TLS configuration
sslQuorum=<%= scope.lookupvar("zookeeper::ssl_quorum") %>

# Autoreload certfiles. New in 3.5.5, 3.6.0
<% if ! [nil, :undefined, :undef].include?scope.lookupvar("zookeeper::ssl_quorum_reload_cert_files") %>
sslQuorumReloadCertFiles=<%=scope.lookupvar("zookeeper::ssl_quorum_reload_cert_files") %>
<% else -%>
#sslQuorumReloadCertFiles=
<% end -%>
<% end -%>

# Force TLS version
ssl.quorum.protocol=<%= scope.lookupvar("zookeeper::ssl_quorum_protocol") %>
# Hostname verification from node to node (default yes)
Expand Down Expand Up @@ -231,6 +249,22 @@ ssl.quorum.ciphersuites=<%=scope.lookupvar("zookeeper::ssl_quorum_ciphersuites")
<% end -%>
<% end -%>

# Set allowed Ciphers
<% if ! [nil, :undefined, :undef].include?scope.lookupvar("zookeeper::ssl_quorum_ciphersuites") %>
ssl.quorum.ciphersuites=<%=scope.lookupvar("zookeeper::ssl_quorum_ciphersuites") %>
<% else -%>
#ssl.quorum.ciphersuites=
<% end -%>
<% end -%>

# Set allowed Ciphers
<% if ! [nil, :undefined, :undef].include?scope.lookupvar("zookeeper::ssl_quorum_ciphersuites") %>
ssl.quorum.ciphersuites=<%=scope.lookupvar("zookeeper::ssl_quorum_ciphersuites") %>
<% else -%>
#ssl.quorum.ciphersuites=
<% end -%>
<% end -%>

<% unless scope.lookupvar("zookeeper::whitelist_4lw").empty? -%>
# Supported since 3.4.10
4lw.commands.whitelist=<%= scope.lookupvar("zookeeper::whitelist_4lw").join(',') %>
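Review bot: The third hunk (`@@ -231,6 +249,22 @@`) adds two identical "Set allowed Ciphers" blocks for `zookeeper::ssl_quorum_ciphersuites`, and the hunk header's own context line shows that key is already emitted immediately above, so the rendered zoo.cfg would carry `ssl.quorum.ciphersuites=` (or its commented form) up to three times; neither block has anything to do with cert reload and both should be dropped from this commit. Separately, every one of the four added blocks closes a single `<% if %>`/`<% else %>` with two `<% end -%>` lines, the second being the last line of each block (`<% end -%>` at the end of the client.certReload, sslQuorumReloadCertFiles and both ciphersuites blocks); one `<% end -%>` is all that construct needs, so unless each surplus `<% end -%>` is deliberately closing an opener that lives outside the hunk, the template's blocks become unbalanced and ERB will fail to compile it. The enclosing `<% if %>` scopes that wrap these TLS sections start outside the hunks, so the block balance needs checking against the full template before merging. If the duplicate ciphersuites blocks are removed, the remaining change is the two reload blocks with one `<% end -%>` each, which is what the commit title describes.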
