openstack/tripleo-heat-templates
Code Issues Proposed changes

Add node's FQDN to mysql certificate request and CA file

Browse Source 
This will add the node's FQDN to the mysql certificate request
besides the VIP's FQDN which we already use. This is needed for
adding TLS to the replication traffic. The CA file was also added
as hieradata, since the path will be needed for the TLS
configuration.

bp tls-via-certmonger

Change-Id: I9252303b92a2805ba83f86a85770db2551a014d3
This commit is contained in:
Juan Antonio Osorio Robles 2017-06-19 12:36:12 +00:00
parent cb0ae4a630
commit 53407bd8b7
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
puppet/services/database/mysql.yaml
View File

@ -118,6 +118,16 @@ outputs:
template: "%{hiera('cloud_name_NETWORK')}" template: "%{hiera('cloud_name_NETWORK')}"
params: params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
dnsnames:
- str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
- str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal: principal:
str_replace: str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}" template: "mysql/%{hiera('cloud_name_NETWORK')}"
@ -132,6 +142,9 @@ outputs:
- service: mysql - service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]} network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: vip type: vip
- service: mysql
network: {get_param: [ServiceNetMap, MysqlNetwork]}
type: node
- null - null
upgrade_tasks: upgrade_tasks:
- name: Check for galera root password - name: Check for galera root password

7
puppet/services/pacemaker/database/mysql.yaml
View File

@ -27,6 +27,11 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry. via parameter_defaults in the resource registry.
type: json type: json
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
resources: resources:
@ -61,6 +66,8 @@ outputs:
# internal_api_subnet - > IP/CIDR # internal_api_subnet - > IP/CIDR
tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr: tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr:
get_param: [ServiceNetMap, MysqlNetwork] get_param: [ServiceNetMap, MysqlNetwork]
tripleo::profile::pacemaker::database::mysql::ca_file:
get_param: InternalTLSCAFile
step_config: | step_config: |
include ::tripleo::profile::pacemaker::database::mysql include ::tripleo::profile::pacemaker::database::mysql
metadata_settings: metadata_settings: