Enable internal network TLS for etcd

bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-07 16:24:10 -04:00 · 2017-04-07 16:24:10 -04:00 · 60d187ee0b
commit 60d187ee0b
parent 39568b17ad
6 changed files with 193 additions and 10 deletions
--- a/manifests/certmonger/etcd.pp
+++ b/manifests/certmonger/etcd.pp
@ -0,0 +1,73 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::etcd
+#
+# Request a certificate for the etcd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for etcd in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::etcd (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
+) {
+  include ::certmonger
+
+  $postsave_cmd = 'systemctl reload etcd'
+  certmonger_certificate { 'etcd' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    owner   => 'etcd',
+    group   => 'etcd',
+    require => Certmonger_certificate['etcd'],
+  }
+  file { $service_key :
+    owner   => 'etcd',
+    group   => 'etcd',
+    require => Certmonger_certificate['etcd'],
+  }
+
+  File[$service_certificate] ~> Service<| title == 'etcd' |>
+  File[$service_key] ~> Service<| title == 'etcd' |>
+}
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -1353,6 +1353,7 @@ class tripleo::haproxy (
      ip_addresses    => hiera('etcd_node_ips', $controller_hosts_real),
      server_names    => hiera('etcd_node_names', $controller_hosts_names_real),
      service_network => $etcd_network,
+      member_options  => union($haproxy_member_options, $internal_tls_member_options),
      listen_options  => {
        'balance' => 'source',
      }
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -58,12 +58,18 @@
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
 #
+# [*etcd_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
+#
 class tripleo::profile::base::certmonger_user (
  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
  $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
  $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
  $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
  $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+  $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
  include ::tripleo::certmonger::ca::libvirt

@ -86,4 +92,7 @@ class tripleo::profile::base::certmonger_user (
  unless empty($rabbitmq_certificate_specs) {
    ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
  }
+  unless empty($etcd_certificate_specs) {
+    ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
+  }
 }
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@ -34,26 +34,63 @@
 #   (Optional) Array of host(s) for etcd nodes.
 #   Defaults to hiera('etcd_node_ips', []).
 #
+# [*certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate
+#   it will create. Note that the certificate nickname must be 'etcd' in
+#   the case of this service.
+#   Example with hiera:
+#     tripleo::profile::base::etcd::certificate_specs:
+#       hostname: <overcloud controller fqdn>
+#       service_certificate: <service certificate path>
+#       service_key: <service key path>
+#       principal: "etcd/<overcloud controller fqdn>"
+#   Defaults to {}.
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::etcd (
-  $bind_ip     = '127.0.0.1',
-  $client_port = '2379',
-  $peer_port   = '2380',
-  $nodes       = hiera('etcd_node_names', []),
-  $step        = hiera('step'),
+  $bind_ip             = '127.0.0.1',
+  $client_port         = '2379',
+  $peer_port           = '2380',
+  $nodes               = hiera('etcd_node_names', []),
+  $certificate_specs   = {},
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $step                = hiera('step'),
 ) {
+
+  validate_hash($certificate_specs)
+
+  if $enable_internal_tls {
+    $tls_certfile = $certificate_specs['service_certificate']
+    $tls_keyfile = $certificate_specs['service_key']
+    $protocol = 'https'
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+    $protocol = 'http'
+  }
+
  if $step >= 2 {
    class {'::etcd':
-      listen_client_urls          => "http://${bind_ip}:${client_port}",
-      advertise_client_urls       => "http://${bind_ip}:${client_port}",
-      listen_peer_urls            => "http://${bind_ip}:${peer_port}",
-      initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
-      initial_cluster             => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
+      listen_client_urls          => "${protocol}://${bind_ip}:${client_port}",
+      advertise_client_urls       => "${protocol}://${bind_ip}:${client_port}",
+      listen_peer_urls            => "${protocol}://${bind_ip}:${peer_port}",
+      initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+      initial_cluster             => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"),
      proxy                       => 'off',
+      cert_file                   => $tls_certfile,
+      key_file                    => $tls_keyfile,
+      client_cert_auth            => $enable_internal_tls,
+      peer_cert_file              => $tls_certfile,
+      peer_key_file               => $tls_keyfile,
+      peer_client_cert_auth       => $enable_internal_tls,
    }
  }
 }
--- a/releasenotes/notes/etcd-tls-bb8605c91ff8a94c.yaml
+++ b/releasenotes/notes/etcd-tls-bb8605c91ff8a94c.yaml
@ -0,0 +1,3 @@
+--- 
+features: 
+  - Enable internal network TLS for etcd
--- a/spec/classes/tripleo_certmonger_etcd.rb
+++ b/spec/classes/tripleo_certmonger_etcd.rb
@ -0,0 +1,60 @@
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::etcd' do
+
+  shared_examples_for 'tripleo::certmonger::etcd' do
+    let :params do
+      {
+        :hostname            => 'localhost',
+        :service_certificate => '/etc/pki/cert.crt',
+        :service_key         => '/etc/pki/key.pem',
+      }
+    end
+
+    it 'should include the base for using certmonger' do
+      is_expected.to contain_class('certmonger')
+    end
+
+    it 'should request a certificate' do
+      is_expected.to contain_certmonger_certificate('etcd').with(
+        :ensure       => 'present',
+        :certfile     => '/etc/pki/cert.crt',
+        :keyfile      => '/etc/pki/key.pem',
+        :hostname     => 'localhost',
+        :dnsname      => 'localhost',
+        :ca           => 'local',
+        :wait         => true,
+      )
+      is_expected.to contain_file('/etc/pki/cert.crt')
+      is_expected.to contain_file('/etc/pki/key.pem')
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({})
+      end
+
+      it_behaves_like 'tripleo::certmonger::etcd'
+    end
+  end
+end