Move key_store_password to keystore section in zuul.conf

This is likely to be needed by executors as well since passing decrypted secrets to the executors via zookeeper has the same encrypted-at-rest concerns as they keystore itself. To avoid confusion around executors needing a zuul.conf with a scheduler section, start a new keystore section which we can later indicate is used by schedulers and executors. It also makes it convenient to add new options (like those dealing with rotation, or even using an external keystore). Also change some log levels from debug to info where it's useful for the operator to know that the backup keystore was used (or a key was generated). Change-Id: If2491bbe4eb80b76435a274cf5354a4918315e65
author: James E. Blair <jim@acmegating.com> 2021-04-12 13:53:51 -0700
committer: James E. Blair <jim@acmegating.com> 2021-04-14 06:42:44 -0700
commit: 3647139920f977c4db0bd371366e41ca64b57060 (patch)
tree: f5f1c9d82812d5e5bae33a483c01519e146d6224 /etc
parent: dd2d7fee4c2b98c34a90d56710dc32ceff1e8581 (diff)
download: zuul-3647139920f977c4db0bd371366e41ca64b57060.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/etc/zuul.conf-sample b/etc/zuul.conf-sample
index 318498254..4a83e04ed 100644
--- a/etc/zuul.conf-sample
+++ b/etc/zuul.conf-sample
@@ -18,8 +18,10 @@ start=true
 ;ssl_key=/path/to/server.key
 ;port=4730
 
+[keystore]
+password=secret
+
 [scheduler]
-key_store_password=secret
 tenant_config=/etc/zuul/main.yaml
 log_config=/etc/zuul/logging.conf
 pidfile=/var/run/zuul/zuul.pid
author	James E. Blair <jim@acmegating.com>	2021-04-12 13:53:51 -0700
committer	James E. Blair <jim@acmegating.com>	2021-04-14 06:42:44 -0700
commit	3647139920f977c4db0bd371366e41ca64b57060 (patch)
tree	f5f1c9d82812d5e5bae33a483c01519e146d6224 /etc
parent	dd2d7fee4c2b98c34a90d56710dc32ceff1e8581 (diff)
download	zuul-3647139920f977c4db0bd371366e41ca64b57060.tar.gz