Request certificate for using host service principals

This removes the usage of the VIP service principals for requesting the certificate, and uses the host instead. Closes-Bug: #1818513 Depends-On: I245516257da280b91779313ffb18f84c8a4e3635 Change-Id: Ie2c3eb8e863184ffd943dd5b4a003790032542a4 (cherry picked from commit b53f6bacde)
2019-03-04 18:52:08 +02:00 · 2019-03-04 18:52:08 +02:00 · 6cfa2976a8
parent 10a6610f4c
commit 6cfa2976a8
3 changed files with 68 additions and 6 deletions
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@ -68,6 +68,52 @@ outputs:
          - redis::daemonize: false
            tripleo::stunnel::manage_service: false
            tripleo::stunnel::foreground: 'yes'
+          - tripleo::redis::firewall_rules:
+              '108 redis':
+                dport:
+                  - 6379
+                  - 26379
+            tripleo::profile::base::database::redis::tls_proxy_bind_ip:
+              str_replace:
+                template:
+                  "%{hiera('$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+            tripleo::profile::base::database::redis::tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+            tripleo::profile::base::database::redis::tls_proxy_port: 6379
+          - if:
+            - internal_tls_enabled
+            - tripleo::redis::service_certificate: '/etc/pki/tls/certs/redis.crt'
+              redis_certificate_specs:
+                service_certificate: '/etc/pki/tls/certs/redis.crt'
+                service_key: '/etc/pki/tls/private/redis.key'
+                hostname:
+                  str_replace:
+                    template: "%{hiera('fqdn_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+                dnsnames:
+                  - str_replace:
+                      template: "%{hiera('cloud_name_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+                  - str_replace:
+                      template:
+                        "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+                principal:
+                  str_replace:
+                    template: "redis/%{hiera('fqdn_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+                postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
+            - {}
      logging_source: {get_attr: [RedisBase, role_data, logging_source]}
      logging_groups: {get_attr: [RedisBase, role_data, logging_groups]}
      service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
@ -152,6 +198,16 @@ outputs:
                - {}
      metadata_settings:
        get_attr: [RedisBase, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            - service: redis
+              network: {get_param: [ServiceNetMap, RedisNetwork]}
+              type: vip
+            - service: redis
+              network: {get_param: [ServiceNetMap, RedisNetwork]}
+              type: node
+          - null
      host_prep_tasks:
        - name: create persistent directories
          file:
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@ -128,7 +128,7 @@ outputs:
                service_key: '/etc/pki/tls/private/mysql.key'
                hostname:
                  str_replace:
-                    template: "%{hiera('cloud_name_NETWORK')}"
+                    template: "%{hiera('fqdn_NETWORK')}"
                    params:
                      NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
                dnsnames:
@ -138,12 +138,12 @@ outputs:
                        NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
                  - str_replace:
                      template:
-                        "%{hiera('fqdn_$NETWORK')}"
+                        "%{hiera('fqdn_NETWORK')}"
                      params:
-                        $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+                        NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
                principal:
                  str_replace:
-                    template: "mysql/%{hiera('cloud_name_NETWORK')}"
+                    template: "mysql/%{hiera('fqdn_NETWORK')}"
                    params:
                      NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
            - {}
--- a/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
+++ b/puppet/services/haproxy-internal-tls-certmonger.j2.yaml
@ -86,8 +86,11 @@ outputs:
                  - ''
                  - - {get_param: HAProxyInternalTLSKeysDirectory}
                    - '/overcloud-haproxy-NETWORK.key'
-                hostname: "%{hiera('cloud_name_NETWORK')}"
-                principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
+                hostname: "%{hiera('fqdn_NETWORK')}"
+                dnsnames:
+                  - "%{hiera('cloud_name_NETWORK')}"
+                  - "%{hiera('fqdn_NETWORK')}"
+                principal: "haproxy/%{hiera('fqdn_NETWORK')}"
                postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
            for_each:
              NETWORK: {get_attr: [HAProxyNetworks, value]}
@ -97,5 +100,8 @@ outputs:
          - service: haproxy
            network: $NETWORK
            type: vip
+          - service: haproxy
+            network: $NETWORK
+            type: node
          for_each:
            $NETWORK: {get_attr: [HAProxyNetworks, value]}