Add Memcached certificate generation
Adding certification generation and pass it down to puppet-memcached. NOTE(moguimar): Squashing one extra fix that was merged after the first patch made it into master. Squashes: - Fix memcached restart on cert renewal (cherry picked from commit4586911ef7
) Conflicts: manifests/profile/base/memcached.pp Note: Relative names were replaced by absolute names to pass the lint tests for stable/train. Change-Id: I8eb2b45e8868b99dfe402fee514afa8f8c42f086 (cherry picked from commitb0b7b4069a
) (cherry picked from commit9103303816
)
This commit is contained in:
parent
5ceab69bd7
commit
623f448392
20
files/certmonger-memcached-refresh.sh
Normal file
20
files/certmonger-memcached-refresh.sh
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
container_cli=$(hiera -c /etc/puppet/hiera.yaml container_cli podman)
|
||||||
|
container_name=$($container_cli ps --format="{{.Names}}" | grep metrics_qdr)
|
||||||
|
|
||||||
|
service_certificate="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_certificate)"
|
||||||
|
service_key="$(hiera -c /etc/puppet/hiera.yaml tripleo::profile::base::memcached::certificate_specs.service_key)"
|
||||||
|
|
||||||
|
# Copy the new cert and key from the mount-point to the real path
|
||||||
|
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_certificate" "$service_certificate"
|
||||||
|
$container_cli exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||||
|
|
||||||
|
# Set appropriate permissions
|
||||||
|
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_certificate"
|
||||||
|
$container_cli exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
|
||||||
|
|
||||||
|
# Send refresh_certs command to memcached
|
||||||
|
memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen.0 127.0.0.1)"
|
||||||
|
memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)"
|
||||||
|
echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port
|
79
manifests/certmonger/memcached.pp
Normal file
79
manifests/certmonger/memcached.pp
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
# Copyright 2020 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
#
|
||||||
|
# == Class: tripleo::certmonger::memcached
|
||||||
|
#
|
||||||
|
# Request a certificate for Memcached and do the necessary setup.
|
||||||
|
#
|
||||||
|
# === Parameters
|
||||||
|
#
|
||||||
|
# [*hostname*]
|
||||||
|
# The hostname of the node. this will be set in the CN of the certificate.
|
||||||
|
#
|
||||||
|
# [*service_certificate*]
|
||||||
|
# The path to the certificate that will be used for TLS in this service.
|
||||||
|
#
|
||||||
|
# [*service_key*]
|
||||||
|
# The path to the key that will be used for TLS in this service.
|
||||||
|
#
|
||||||
|
# [*certmonger_ca*]
|
||||||
|
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||||
|
# Defaults to hiera('certmonger_ca', 'local').
|
||||||
|
#
|
||||||
|
# [*postsave_cmd*]
|
||||||
|
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||||
|
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||||
|
# Defaults to undef.
|
||||||
|
#
|
||||||
|
# [*principal*]
|
||||||
|
# (Optional) The service principal that is set for the service in kerberos.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
class tripleo::certmonger::memcached (
|
||||||
|
$hostname,
|
||||||
|
$service_certificate,
|
||||||
|
$service_key,
|
||||||
|
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||||
|
$postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
|
||||||
|
$principal = undef,
|
||||||
|
) {
|
||||||
|
include ::certmonger
|
||||||
|
|
||||||
|
ensure_resource('file', '/usr/bin/certmonger-memcached-refresh.sh', {
|
||||||
|
source => 'puppet:///modules/tripleo/certmonger-memcached-refresh.sh',
|
||||||
|
mode => '0700',
|
||||||
|
seltype => 'bin_t',
|
||||||
|
notify => Service['certmonger']
|
||||||
|
})
|
||||||
|
|
||||||
|
certmonger_certificate { 'memcached' :
|
||||||
|
ensure => 'present',
|
||||||
|
certfile => $service_certificate,
|
||||||
|
keyfile => $service_key,
|
||||||
|
hostname => $hostname,
|
||||||
|
dnsname => $hostname,
|
||||||
|
principal => $principal,
|
||||||
|
postsave_cmd => $postsave_cmd,
|
||||||
|
ca => $certmonger_ca,
|
||||||
|
wait => true,
|
||||||
|
require => Class['::certmonger'],
|
||||||
|
}
|
||||||
|
|
||||||
|
file { $service_certificate :
|
||||||
|
require => Certmonger_certificate['memcached'],
|
||||||
|
}
|
||||||
|
file { $service_key :
|
||||||
|
require => Certmonger_certificate['memcached'],
|
||||||
|
}
|
||||||
|
}
|
@ -92,6 +92,11 @@
|
|||||||
# it will create.
|
# it will create.
|
||||||
# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
|
# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
|
||||||
#
|
#
|
||||||
|
# [*memcached_certificate_specs*]
|
||||||
|
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||||
|
# it will create.
|
||||||
|
# Defaults to hiera('tripleo::profile::base::memcached::certificate_specs', {}).
|
||||||
|
#
|
||||||
# [*rabbitmq_certificate_specs*]
|
# [*rabbitmq_certificate_specs*]
|
||||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||||
# it will create.
|
# it will create.
|
||||||
@ -197,6 +202,7 @@ class tripleo::profile::base::certmonger_user (
|
|||||||
$qemu_postsave_cmd = undef,
|
$qemu_postsave_cmd = undef,
|
||||||
$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
|
$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
|
||||||
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
|
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
|
||||||
|
$memcached_certificate_specs = hiera('tripleo::profile::base::memcached::certificate_specs', {}),
|
||||||
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
|
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
|
||||||
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
|
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
|
||||||
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
|
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
|
||||||
@ -278,6 +284,9 @@ class tripleo::profile::base::certmonger_user (
|
|||||||
unless empty($qdr_certificate_specs) {
|
unless empty($qdr_certificate_specs) {
|
||||||
ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
|
ensure_resource('class', 'tripleo::certmonger::metrics_qdr', $qdr_certificate_specs)
|
||||||
}
|
}
|
||||||
|
unless empty($memcached_certificate_specs) {
|
||||||
|
ensure_resource('class', 'tripleo::certmonger::memcached', $memcached_certificate_specs)
|
||||||
|
}
|
||||||
unless empty($mysql_certificate_specs) {
|
unless empty($mysql_certificate_specs) {
|
||||||
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
|
ensure_resource('class', 'tripleo::certmonger::mysql', $mysql_certificate_specs)
|
||||||
}
|
}
|
||||||
|
@ -18,15 +18,46 @@
|
|||||||
#
|
#
|
||||||
# === Parameters
|
# === Parameters
|
||||||
#
|
#
|
||||||
|
# [*enable_internal_memcached_tls*]
|
||||||
|
# (Optional) Whether TLS in the internal network is enabled or not for
|
||||||
|
# Memcached servers.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*certificate_specs*]
|
||||||
|
# (Optional) The specifications to give to certmonger for the certificate
|
||||||
|
# it will create. Note that the certificate nickname must be 'memcached' in
|
||||||
|
# the case of this service.
|
||||||
|
# Example with hiera:
|
||||||
|
# tripleo::profile::base::memcached::certificate_specs:
|
||||||
|
# hostname: <overcloud controller fqdn>
|
||||||
|
# service_certificate: <service certificate path>
|
||||||
|
# service_key: <service key path>
|
||||||
|
# principal: "memcached/<overcloud controller fqdn>"
|
||||||
|
# Defaults to {}.
|
||||||
|
#
|
||||||
# [*step*]
|
# [*step*]
|
||||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||||
# for more details.
|
# for more details.
|
||||||
# Defaults to hiera('step')
|
# Defaults to hiera('step')
|
||||||
#
|
#
|
||||||
class tripleo::profile::base::memcached (
|
class tripleo::profile::base::memcached (
|
||||||
|
$enable_internal_memcached_tls = false,
|
||||||
|
$certificate_specs = {},
|
||||||
$step = Integer(hiera('step')),
|
$step = Integer(hiera('step')),
|
||||||
) {
|
) {
|
||||||
if $step >= 1 {
|
if $step >= 1 {
|
||||||
include ::memcached
|
if $enable_internal_memcached_tls {
|
||||||
|
$tls_cert_chain = $certificate_specs['service_certificate']
|
||||||
|
$tls_key = $certificate_specs['service_key']
|
||||||
|
} else {
|
||||||
|
$tls_cert_chain = undef
|
||||||
|
$tls_key = undef
|
||||||
|
}
|
||||||
|
|
||||||
|
class { '::memcached':
|
||||||
|
use_tls => $enable_internal_memcached_tls,
|
||||||
|
tls_cert_chain => $tls_cert_chain,
|
||||||
|
tls_key => $tls_key
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
60
spec/classes/tripleo_certmonger_memcached_spec.rb
Normal file
60
spec/classes/tripleo_certmonger_memcached_spec.rb
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
#
|
||||||
|
# Copyright (C) 2020 Red Hat Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
#
|
||||||
|
# Unit tests for tripleo
|
||||||
|
#
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'tripleo::certmonger::memcached' do
|
||||||
|
|
||||||
|
shared_examples_for 'tripleo::certmonger::memcached' do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:hostname => 'localhost',
|
||||||
|
:service_certificate => '/etc/pki/cert.crt',
|
||||||
|
:service_key => '/etc/pki/key.pem',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should include the base for using certmonger' do
|
||||||
|
is_expected.to contain_class('certmonger')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should request a certificate' do
|
||||||
|
is_expected.to contain_certmonger_certificate('memcached').with(
|
||||||
|
:ensure => 'present',
|
||||||
|
:certfile => '/etc/pki/cert.crt',
|
||||||
|
:keyfile => '/etc/pki/key.pem',
|
||||||
|
:hostname => 'localhost',
|
||||||
|
:dnsname => 'localhost',
|
||||||
|
:ca => 'local',
|
||||||
|
:wait => true,
|
||||||
|
)
|
||||||
|
is_expected.to contain_file('/etc/pki/cert.crt')
|
||||||
|
is_expected.to contain_file('/etc/pki/key.pem')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
on_supported_os.each do |os, facts|
|
||||||
|
context "on #{os}" do
|
||||||
|
let(:facts) do
|
||||||
|
facts.merge({})
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'tripleo::certmonger::memcached'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
76
spec/classes/tripleo_profile_base_memcached_spec.rb
Normal file
76
spec/classes/tripleo_profile_base_memcached_spec.rb
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
#
|
||||||
|
# Copyright (C) 2020 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'tripleo::profile::base::memcached' do
|
||||||
|
shared_examples_for 'tripleo::profile::base::memcached' do
|
||||||
|
context 'with step 0' do
|
||||||
|
let(:params) { {
|
||||||
|
:step => 0,
|
||||||
|
} }
|
||||||
|
|
||||||
|
it {
|
||||||
|
is_expected.to contain_class('tripleo::profile::base::memcached')
|
||||||
|
is_expected.to_not contain_class('memcached')
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with step 1' do
|
||||||
|
let(:params) { {
|
||||||
|
:step => 1,
|
||||||
|
} }
|
||||||
|
|
||||||
|
it {
|
||||||
|
is_expected.to contain_class('tripleo::profile::base::memcached')
|
||||||
|
is_expected.to contain_class('memcached').with(
|
||||||
|
:use_tls => false,
|
||||||
|
:tls_cert_chain => nil,
|
||||||
|
:tls_key => nil
|
||||||
|
)
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with step 1 and tls enabled' do
|
||||||
|
let(:params) { {
|
||||||
|
:step => 1,
|
||||||
|
:enable_internal_memcached_tls => true,
|
||||||
|
:certificate_specs => {
|
||||||
|
'service_certificate' => '/etc/pki/cert.crt',
|
||||||
|
'service_key' => '/etc/pki/key.pem'}
|
||||||
|
} }
|
||||||
|
|
||||||
|
it {
|
||||||
|
is_expected.to contain_class('tripleo::profile::base::memcached')
|
||||||
|
is_expected.to contain_class('memcached').with(
|
||||||
|
:use_tls => true,
|
||||||
|
:tls_cert_chain => '/etc/pki/cert.crt',
|
||||||
|
:tls_key => '/etc/pki/key.pem'
|
||||||
|
)
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
on_supported_os.each do |os, facts|
|
||||||
|
context "on #{os}" do
|
||||||
|
let(:facts) do
|
||||||
|
facts.merge({ :hostname => 'node.example.com' })
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'tripleo::profile::base::memcached'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user