Hi Paul,

Sorry that it took some time. Your question made me realize that we never finished proper automation of that part (quite some manual messing was always required).

Base __was__ https://github.com/opentelekomcloud-infra/ansible-role-zookeeper which has nothing to do with SSL, but already deployed the cluster as podman/systemd
https://github.com/opentelekomcloud-infra/system-config/pull/186 - A PR into our system-config repo with the setup. There is still some work to do, at least to create some reasonable tests for it. (SSL certs are generated by the x509 role with a custom CA)

A bit of a challenge is that if your SSL certs are not using IP addresses (at least as alt_name) you are forced to have DNS (forward and reverse) functioning properly, otherwise the cluster doesn’t really build up. Another thing is that the CLI works only as “zkCli.sh -server MY_IP:2281”. For not yet identified reasons it simply doesn’t want to work with localhost. The same problem exists for “zkServer.sh”, except that we have not found a way to make it work at all. There is likely a small bug somewhere, but after 1 day of fighting with it I simply do not see it.

Hope this helps.

Regards,
Artem



On 14. Jun 2021, at 14:48, Paul Belanger <pabelanger@redhat.com> wrote:

> On Fri, Jun 11, 2021 at 02:23:03PM +0200, Artem Goncharov wrote:
>> We run ZK in containers using public images (pack it under systemd+podman). This way SSL is there.
>
> Do you have any public code some place I could look at? Working on this process this week.
>
> Paul