Merge "Enable TLS for containerized MySQL"
This commit is contained in:
commit
4af5f02c80
@ -40,6 +40,18 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
default: ''
|
default: ''
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
InternalTLSCAFile:
|
||||||
|
default: '/etc/ipa/ca.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
|
services in the internal network.
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
@ -86,10 +98,21 @@ outputs:
|
|||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/lib/mysql
|
- path: /var/lib/mysql
|
||||||
owner: mysql:mysql
|
owner: mysql:mysql
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/mysql.crt
|
||||||
|
owner: mysql:mysql
|
||||||
|
optional: true
|
||||||
|
- path: /etc/pki/tls/private/mysql.key
|
||||||
|
owner: mysql:mysql
|
||||||
|
optional: true
|
||||||
docker_config:
|
docker_config:
|
||||||
# Kolla_bootstrap runs before permissions set by kolla_config
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
||||||
step_1:
|
step_1:
|
||||||
@ -108,12 +131,25 @@ outputs:
|
|||||||
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
|
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
|
||||||
command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
|
command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
|
||||||
volumes: &mysql_volumes
|
volumes: &mysql_volumes
|
||||||
|
list_concat:
|
||||||
|
-
|
||||||
- /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
|
- /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
|
||||||
- /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
|
||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- /etc/hosts:/etc/hosts:ro
|
- /etc/hosts:/etc/hosts:ro
|
||||||
- /var/lib/mysql:/var/lib/mysql
|
- /var/lib/mysql:/var/lib/mysql
|
||||||
- /var/log/containers/mysql:/var/log/mariadb
|
- /var/log/containers/mysql:/var/log/mariadb
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- list_join:
|
||||||
|
- ':'
|
||||||
|
- - {get_param: InternalTLSCAFile}
|
||||||
|
- {get_param: InternalTLSCAFile}
|
||||||
|
- 'ro'
|
||||||
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
||||||
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
||||||
|
- null
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
- KOLLA_BOOTSTRAP=True
|
- KOLLA_BOOTSTRAP=True
|
||||||
@ -146,9 +182,24 @@ outputs:
|
|||||||
step_config: 'include ::tripleo::profile::base::database::mysql'
|
step_config: 'include ::tripleo::profile::base::database::mysql'
|
||||||
config_image: *mysql_config_image
|
config_image: *mysql_config_image
|
||||||
volumes:
|
volumes:
|
||||||
|
list_concat:
|
||||||
|
-
|
||||||
- /var/lib/mysql:/var/lib/mysql/:ro
|
- /var/lib/mysql:/var/lib/mysql/:ro
|
||||||
- /var/log/containers/mysql:/var/log/mariadb
|
- /var/log/containers/mysql:/var/log/mariadb
|
||||||
- /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
|
- /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- list_join:
|
||||||
|
- ':'
|
||||||
|
- - {get_param: InternalTLSCAFile}
|
||||||
|
- {get_param: InternalTLSCAFile}
|
||||||
|
- 'ro'
|
||||||
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
||||||
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
||||||
|
- null
|
||||||
|
metadata_settings:
|
||||||
|
get_attr: [MysqlPuppetBase, role_data, metadata_settings]
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
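Review bot: The new `permissions` entry for `/etc/pki/tls/private/mysql.key` in the second hunk (the kolla_config block) only sets `owner: mysql:mysql`; since that file is copied in from `src-tls` with `preserve_properties: true`, its mode inside the container is whatever the host file had, so a key that is group- or world-readable on the host stays that way next to the mysql process. As far as I recall kolla's config.json permission entries also accept a `perm` field, so I would pin it explicitly: `perm: '0600'` under the key entry (and `perm: '0644'` on the cert entry if you want both spelled out). The same private key is also bind-mounted into the puppet init-task container in the fourth hunk, where a client connection should only need the CA file; worth confirming whether the server key mount there is actually required, and dropping it if not. `EnableInternalTLS` in the first hunk has no `description:`, unlike `InternalTLSCAFile`; something like `description: Enables TLS on the internal MySQL endpoint.` would help operators reading the parameter list.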
@ -42,3 +42,4 @@ resource_registry:
|
|||||||
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
|
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
|
||||||
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
|
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
|
||||||
OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
|
OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
|
||||||
|
OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml
|
||||||
|