authorDmitriy Rabotyagov <noonedeadpunk@ya.ru>2022-11-24 12:40:49 +0100
committerDmitriy Rabotyagov <noonedeadpunk@gmail.com>2022-12-08 19:54:11 +0000
commitf11666b66c668dd731b59369ad3a62a6d16536c6 (patch)
tree16c5b7fedb6d553908b470716b46213916449221
parent7d50893625bd88d31c181a1c1c6f730ed64c4b3d (diff)
downloadtooz-f11666b66c668dd731b59369ad3a62a6d16536c6.tar.gz
Allow to pass ssl-related args for zookeeper
Zookeeper does support TLS encryption and authentication for client connections. There's no reason not to pass these arguments to kazoo to allow encrypted connections. We bump the minimum kazoo version to 2.6.0 since the change implementing SSL support has been merged with [1] and was first released with the 2.6.0 tag. [1] https://github.com/python-zk/kazoo/commit/35ce10669ace9d0d7e787793f0d4937d5d389f69 Change-Id: Ied29512989f477a19753afcb789e5588877fd688
-rw-r--r--releasenotes/notes/zookeeper_tls-808355fd2ab1acae.yaml17
-rw-r--r--setup.cfg2
-rw-r--r--tooz/drivers/zookeeper.py24
3 files changed, 36 insertions, 7 deletions
diff --git a/releasenotes/notes/zookeeper_tls-808355fd2ab1acae.yaml b/releasenotes/notes/zookeeper_tls-808355fd2ab1acae.yaml
new file mode 100644
index 0000000..c5ad768
--- /dev/null
+++ b/releasenotes/notes/zookeeper_tls-808355fd2ab1acae.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ Added TLS support for Zookeeper.
+
+ TLS-related options can be defined in a connection URL as query parameters
+ and they will be passed to the Kazoo driver as client arguments.
+
+ * ``ca``: SSL CA file to use for authentication
+ * ``certfile``: SSL certfile to use for authentication
+ * ``keyfile``: SSL keyfile to use for authentication
+ * ``keyfile_password``: keyfile password
+ * ``use_ssl``: controls whether SSL is used or not. Default to False.
+ * ``verify_certs``: when use_ssl is True you can control whether to
+ complete certificate validation
+
+ This also bumps minimum kazoo version to >=2.6.0
diff --git a/setup.cfg b/setup.cfg
index 2d5c7bc..0742249 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -62,7 +62,7 @@ postgresql =
mysql =
PyMySQL>=0.6.2 # MIT License
zookeeper =
- kazoo>=2.2 # Apache-2.0
+ kazoo>=2.6 # Apache-2.0
memcached =
pymemcache!=1.3.0,>=1.2.9 # Apache 2.0 License
ipc =
diff --git a/tooz/drivers/zookeeper.py b/tooz/drivers/zookeeper.py
index 9c17299..92b4a10 100644
--- a/tooz/drivers/zookeeper.py
+++ b/tooz/drivers/zookeeper.py
@@ -95,11 +95,17 @@ class KazooDriver(coordination.CoordinationDriverCachedRunWatchers):
================ =============================== ====================
Name Source Default
================ =============================== ====================
- hosts url netloc + 'hosts' option key localhost:2181
- timeout 'timeout' options key 10.0 (kazoo default)
+ ca 'ca' options key None
+ certfile 'certfile' options key None
connection_retry 'connection_retry' options key None
command_retry 'command_retry' options key None
+ hosts url netloc + 'hosts' option key localhost:2181
+ keyfile 'keyfile' options key None
+ keyfile_password 'keyfile_password' options key None
randomize_hosts 'randomize_hosts' options key True
+ timeout 'timeout' options key 10.0 (kazoo default)
+ use_ssl 'use_ssl' options key False
+ verify_certs 'verify_certs' options key True
================ =============================== ====================
.. _kazoo: http://kazoo.readthedocs.org/
@@ -472,13 +478,19 @@ class KazooDriver(coordination.CoordinationDriverCachedRunWatchers):
hosts = ['localhost:2181']
randomize_hosts = options.get('randomize_hosts', True)
client_kwargs = {
- 'hosts': ",".join(hosts),
- 'timeout': float(options.get('timeout', self.timeout)),
+ 'auth_data': auth_data,
+ 'ca': options.get('ca', None),
+ 'certfile': options.get('certfile', None),
'connection_retry': options.get('connection_retry'),
'command_retry': options.get('command_retry'),
- 'randomize_hosts': strutils.bool_from_string(randomize_hosts),
- 'auth_data': auth_data,
'default_acl': default_acl,
+ 'hosts': ",".join(hosts),
+ 'keyfile': options.get('keyfile', None),
+ 'keyfile_password': options.get('keyfile_password', None),
+ 'randomize_hosts': strutils.bool_from_string(randomize_hosts),
+ 'timeout': float(options.get('timeout', self.timeout)),
+ 'use_ssl': bool(options.get('use_ssl', False)),
+ 'verify_certs': bool(options.get('verify_certs', True)),
}
handler_kind = options.get('handler')
if handler_kind:
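Review bot: `use_ssl` and `verify_certs` are coerced with `bool()`, but the release note says these options come from URL query parameters, so they presumably arrive as strings, and any non-empty string (including `false` or `0`) is truthy. As written, `use_ssl=false` would switch TLS on and `verify_certs=false` would not switch verification off, so neither flag matches the docstring table. The same dict already parses `randomize_hosts` with `strutils.bool_from_string`; use it here as well, with a default that fails closed for verification: `'use_ssl': strutils.bool_from_string(options.get('use_ssl', False)),` and `'verify_certs': strutils.bool_from_string(options.get('verify_certs', True), default=True),`. Separately, `keyfile_password` now travels in the connection URL, so a comment should say that the URL has to be handled as a secret and kept out of logs. The enclosing method starts and ends outside this hunk.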