OpenStack-Ansible role for Zookeeper deployment

This role installs a Zookeeper cluster that is part of OpenStack infratructure and used as a coordination service by multiple services through Tooz.

To clone or view the source code for this repository, visit the role repository for zookeeper.

To install role requirements, please run

ansible-galaxy install -r requirements.yml

Default variables

# Define zookepeer version and download URI
zookeeper_download_version: 3.9.3
zookeeper_download_version_checksum: >-
  sha512:d44d870c1691662efbf1a8baf1859c901b820dc5ff163b36e81beb27b6fbf3cd31b5f1f075697edaaf6d3e7a4cb0cc92f924dcff64b294ef13d535589bdaf143
zookeeper_download_url: >-
  https://archive.apache.org/dist/zookeeper/zookeeper-{{ zookeeper_download_version }}/apache-zookeeper-{{ zookeeper_download_version }}-bin.tar.gz

# Define zookeeper clustering option
zookeeper_cluster_members: "{{ groups['zookeeper_all'] }}"
# The first port is used by followers to connect to the leader
# The second one is used for leader election
zookeeper_cluster_peer_ports: 2888:3888
# This variable is used to define what fact which will be taken out of
# hostvars for each cluster member as it's address
zookeeper_cluster_address_hostvars_key: "ansible_host"

# Ports and TLS
zookeeper_client_port: 2181
zookeeper_secure_client_port: 2281
zookeeper_ssl_client_enable: True
zookeeper_ssl_quorum_enable: True
zookeeper_ssl_protocols:
  - TLSv1.2
  - TLSv1.3

# Storage location for SSL certificate authority
zookeeper_pki_dir: "{{ openstack_pki_dir | default('/etc/pki/zookeeper-ca') }}"

# Delegated host for operating the certificate authority
zookeeper_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# Create a certificate authority if one does not already exist
zookeeper_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool }}"
zookeeper_pki_regen_ca: ''
zookeeper_pki_authorities:
  - name: "ZookeeperRoot"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Zookeeper Root CA"
    provider: selfsigned
    basic_constraints: "CA:TRUE"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    not_after: "+3650d"
  - name: "ZookeeperIntermediate"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Zookeeper Intermediate CA"
    provider: ownca
    basic_constraints: "CA:TRUE,pathlen:0"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    not_after: "+3650d"
    signed_by: "ZookeeperRoot"

# Installation details for certificate authorities
zookeeper_pki_install_ca:
  - name: "ZookeeperRoot"
    condition: "{{ zookeeper_pki_create_ca }}"

# Zookeeper server certificate
zookeeper_pki_keys_path: "{{ zookeeper_pki_dir ~ '/certs/private/' }}"
zookeeper_pki_certs_path: "{{ zookeeper_pki_dir ~ '/certs/certs/' }}"
zookeeper_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ZookeeperIntermediate') }}"
zookeeper_pki_intermediate_cert_path: >-
  {{ zookeeper_pki_dir ~ '/roots/' ~ zookeeper_pki_intermediate_cert_name ~ '/certs/' ~ zookeeper_pki_intermediate_cert_name ~ '.crt' }}
zookeeper_pki_regen_cert: ''
zookeeper_pki_certificates:
  - name: "zookeeper_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ hostvars[inventory_hostname][zookeeper_cluster_address_hostvars_key] }}"
    san: "{{ 'DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_host }}"
    signed_by: "{{ zookeeper_pki_intermediate_cert_name }}"
    condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
    key_format: pkcs8

# Installation details for SSL certificates
zookeeper_pki_install_certificates:
  - src: "{{ zookeeper_user_ssl_cert | default(zookeeper_pki_certs_path ~ 'zookeeper_' ~ ansible_facts['hostname'] ~ '.crt') }}"
    dest: "{{ zookeeper_ssl_cert }}"
    owner: "{{ zookeeper_system_user_name }}"
    group: "{{ zookeeper_system_group_name }}"
    mode: "0644"
    condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
  - src: "{{ zookeeper_user_ssl_key | default(zookeeper_pki_keys_path ~ 'zookeeper_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ zookeeper_ssl_key }}"
    owner: "{{ zookeeper_system_user_name }}"
    group: "{{ zookeeper_system_group_name }}"
    mode: "0600"
    condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
  - src: "{{ zookeeper_user_ssl_ca_cert | default(zookeeper_pki_intermediate_cert_path) }}"
    dest: "{{ zookeeper_ssl_ca_cert }}"
    owner: "{{ zookeeper_system_user_name }}"
    group: "{{ zookeeper_system_group_name }}"
    mode: "0644"
    condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"

zookeeper_ssl_cert: "{{ zookeeper_config_dir }}/certs/certs/zookeeper.crt"
zookeeper_ssl_key: "{{ zookeeper_config_dir }}/certs/private/zookeeper.key"
zookeeper_ssl_ca_cert: "{{ zookeeper_config_dir }}/certs/certs/zookeeper-ca.crt"
zookeeper_ssl_keystore_location: "{{ zookeeper_config_dir }}/certs/private/zookeeper.pem"
zookeeper_ssl_truststore_location: "{{ _zookeeper_ssl_truststore_location }}"
zookeeper_ssl_client_auth: want
zookeeper_ssl_quorum_client_auth: need

# Define operating system user/group names
zookeeper_system_user_name: zookeeper
zookeeper_system_group_name: zookeeper
zookeeper_system_comment: zookeeper system user
zookeeper_system_shell: /bin/false
zookeeper_system_user_home: /var/lib/zookeeper

zookeeper_file_zoo_conf_mode: "0644"
zookeeper_config_dir: "/etc/zookeeper"
zookeeper_data_dir: "{{ zookeeper_system_user_home }}"
zookeeper_data_log_dir: "{{ zookeeper_data_dir }}/log"
zookeeper_file_myid_dest: "{{ zookeeper_data_dir }}/myid"


# Set the package install state for distribution packages
zookeeper_package_requirements: "{{ _zookeeper_package_requirements }}"
zookeeper_package_state: "{{ package_state | default('latest') }}"

# autopurge configuration
# Amount of most recent snapshots and the corresponding transaction logs to keep
zookeeper_snap_retain_count: 3
# The time interval in hours for which the purge task has to be triggered
zookeeper_purge_interval: 1

# Service configuration
zookeeper_service:
  name: zookeeper
  execstarts: "/opt/zookeeper/bin/zkServer.sh --config {{ zookeeper_config_dir }} start-foreground"
  execstops: "/opt/zookeeper/bin/zkServer.sh --config {{ zookeeper_config_dir }} stop"

zookeeper_init_config_overrides: {}

zookeeper_commands_whitelist:
  - stat
  - ruok
  - isro
  - envi

zookeeper_prometheus_enable: False
zookeeper_prometheus_port: 7000

Example playbook

---
- name: Install zookeeper cluster
  hosts: zookeeper_all
  become: yes
  vars:
    management_address: "{{ ansible_host }}"
  roles:
    - role: zookeeper
      tags:
        - zookeeper