Add node's FQDN to mysql certificate request and CA file

This will add the node's FQDN to the mysql certificate request besides the VIP's FQDN which we already use. This is needed for adding TLS to the replication traffic. The CA file was also added as hieradata, since the path will be needed for the TLS configuration. bp tls-via-certmonger Change-Id: I9252303b92a2805ba83f86a85770db2551a014d3
2017-06-19 12:36:12 +00:00 · 2017-06-19 12:36:12 +00:00 · 53407bd8b7
commit 53407bd8b7
parent cb0ae4a630
2 changed files with 20 additions and 0 deletions
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@ -118,6 +118,16 @@ outputs:
                  template: "%{hiera('cloud_name_NETWORK')}"
                  params:
                    NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+              dnsnames:
+                - str_replace:
+                    template: "%{hiera('cloud_name_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+                - str_replace:
+                    template:
+                      "%{hiera('fqdn_$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
              principal:
                str_replace:
                  template: "mysql/%{hiera('cloud_name_NETWORK')}"
@ -132,6 +142,9 @@ outputs:
            - service: mysql
              network: {get_param: [ServiceNetMap, MysqlNetwork]}
              type: vip
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: node
          - null
      upgrade_tasks:
        - name: Check for galera root password
--- a/puppet/services/pacemaker/database/mysql.yaml
+++ b/puppet/services/pacemaker/database/mysql.yaml
@ -27,6 +27,11 @@ parameters:
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.

 resources:

@ -61,6 +66,8 @@ outputs:
            # internal_api_subnet - > IP/CIDR
            tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr:
              get_param: [ServiceNetMap, MysqlNetwork]
+            tripleo::profile::pacemaker::database::mysql::ca_file:
+              get_param: InternalTLSCAFile
      step_config: |
        include ::tripleo::profile::pacemaker::database::mysql
      metadata_settings: