Enable internal network TLS for etcd

bp secure-etcd

Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
This commit is contained in:
Feng Pan 2017-04-07 16:24:10 -04:00 committed by Juan Antonio Osorio Robles
parent 39568b17ad
commit 60d187ee0b
6 changed files with 193 additions and 10 deletions

View File

@ -0,0 +1,73 @@
# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::etcd
#
# Request a certificate for the etcd service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*principal*]
# (Optional) The haproxy service principal that is set for etcd in kerberos.
# Defaults to undef
#
class tripleo::certmonger::etcd (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
) {
include ::certmonger
$postsave_cmd = 'systemctl reload etcd'
certmonger_certificate { 'etcd' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
owner => 'etcd',
group => 'etcd',
require => Certmonger_certificate['etcd'],
}
file { $service_key :
owner => 'etcd',
group => 'etcd',
require => Certmonger_certificate['etcd'],
}
File[$service_certificate] ~> Service<| title == 'etcd' |>
File[$service_key] ~> Service<| title == 'etcd' |>
}

View File

@ -1353,6 +1353,7 @@ class tripleo::haproxy (
ip_addresses => hiera('etcd_node_ips', $controller_hosts_real),
server_names => hiera('etcd_node_names', $controller_hosts_names_real),
service_network => $etcd_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
listen_options => {
'balance' => 'source',
}

View File

@ -58,12 +58,18 @@
# it will create.
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
#
# [*etcd_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
) {
include ::tripleo::certmonger::ca::libvirt
@ -86,4 +92,7 @@ class tripleo::profile::base::certmonger_user (
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
unless empty($etcd_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
}
}

View File

@ -34,26 +34,63 @@
# (Optional) Array of host(s) for etcd nodes.
# Defaults to hiera('etcd_node_ips', []).
#
# [*certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate
# it will create. Note that the certificate nickname must be 'etcd' in
# the case of this service.
# Example with hiera:
# tripleo::profile::base::etcd::certificate_specs:
# hostname: <overcloud controller fqdn>
# service_certificate: <service certificate path>
# service_key: <service key path>
# principal: "etcd/<overcloud controller fqdn>"
# Defaults to {}.
#
# [*enable_internal_tls*]
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::etcd (
$bind_ip = '127.0.0.1',
$client_port = '2379',
$peer_port = '2380',
$nodes = hiera('etcd_node_names', []),
$step = hiera('step'),
$bind_ip = '127.0.0.1',
$client_port = '2379',
$peer_port = '2380',
$nodes = hiera('etcd_node_names', []),
$certificate_specs = {},
$enable_internal_tls = hiera('enable_internal_tls', false),
$step = hiera('step'),
) {
validate_hash($certificate_specs)
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
$protocol = 'https'
} else {
$tls_certfile = undef
$tls_keyfile = undef
$protocol = 'http'
}
if $step >= 2 {
class {'::etcd':
listen_client_urls => "http://${bind_ip}:${client_port}",
advertise_client_urls => "http://${bind_ip}:${client_port}",
listen_peer_urls => "http://${bind_ip}:${peer_port}",
initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
listen_client_urls => "${protocol}://${bind_ip}:${client_port}",
advertise_client_urls => "${protocol}://${bind_ip}:${client_port}",
listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"),
proxy => 'off',
cert_file => $tls_certfile,
key_file => $tls_keyfile,
client_cert_auth => $enable_internal_tls,
peer_cert_file => $tls_certfile,
peer_key_file => $tls_keyfile,
peer_client_cert_auth => $enable_internal_tls,
}
}
}

View File

@ -0,0 +1,3 @@
---
features:
- Enable internal network TLS for etcd

View File

@ -0,0 +1,60 @@
#
# Copyright (C) 2017 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Unit tests for tripleo
#
require 'spec_helper'
describe 'tripleo::certmonger::etcd' do
shared_examples_for 'tripleo::certmonger::etcd' do
let :params do
{
:hostname => 'localhost',
:service_certificate => '/etc/pki/cert.crt',
:service_key => '/etc/pki/key.pem',
}
end
it 'should include the base for using certmonger' do
is_expected.to contain_class('certmonger')
end
it 'should request a certificate' do
is_expected.to contain_certmonger_certificate('etcd').with(
:ensure => 'present',
:certfile => '/etc/pki/cert.crt',
:keyfile => '/etc/pki/key.pem',
:hostname => 'localhost',
:dnsname => 'localhost',
:ca => 'local',
:wait => true,
)
is_expected.to contain_file('/etc/pki/cert.crt')
is_expected.to contain_file('/etc/pki/key.pem')
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({})
end
it_behaves_like 'tripleo::certmonger::etcd'
end
end
end