Merge "Enable TLS in the internal networkf or Mysql"

2016-11-28 10:17:03 +00:00 · 2016-11-28 10:17:03 +00:00 · d144f5e204
parent 52d9139135 22003fbcba
commit d144f5e204
4 changed files with 94 additions and 39 deletions
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@ -4,3 +4,4 @@ parameter_defaults:
  EnableInternalTLS: true
 resource_registry:
  OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
+  OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -125,6 +125,7 @@ resource_registry:
  OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
  OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
  OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
+  OS::TripleO::Services::MySQLTLS: OS::Heat::None
  OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
  OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
  OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml
--- a/puppet/services/database/mysql-internal-tls-certmonger.yaml
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@ -0,0 +1,43 @@
+heat_template_version: 2016-10-14
+
+description: >
+  MySQL configurations for using TLS via certmonger.
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  # The following parameters are not needed by the template but are
+  # required to pass the pep8 tests
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: MySQL configurations for using TLS via certmonger.
+    value:
+      service_name: mysql_internal_tls_certmonger
+      config_settings:
+        generate_service_certificates: true
+        tripleo::profile::base::database::mysql::certificate_specs:
+          service_certificate: '/etc/pki/tls/certs/mysql.crt'
+          service_key: '/etc/pki/tls/private/mysql.key'
+          hostname:
+            str_replace:
+              template: "%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+          principal:
+            str_replace:
+              template: "mysql/%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@ -35,50 +35,60 @@ parameters:
    description: Whether to use Galera instead of regular MariaDB.
    type: boolean

+resources:
+
+  MySQLTLS:
+    type: OS::TripleO::Services::MySQLTLS
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+
 outputs:
  role_data:
    description: Service MySQL using composable services.
    value:
      service_name: mysql
      config_settings:
-        # The Galera package should work in cluster and
-        # non-cluster modes based on the config file.
-        # We set the package name here explicitly so
-        # that it matches what we pre-install
-        # in tripleo-puppet-elements.
-        mysql::server::package_name: 'mariadb-galera-server'
-        mysql::server::manage_config_file: true
-        tripleo.mysql.firewall_rules:
-          '104 mysql galera':
-            dport:
-              - 873
-              - 3306
-              - 4444
-              - 4567
-              - 4568
-              - 9200
-        mysql_max_connections: {get_param: MysqlMaxConnections}
-        mysql::server::root_password:
-          yaql:
-            expression: $.data.passwords.where($ != '').first()
-            data:
-              passwords:
-                - {get_param: MysqlRootPassword}
-                - {get_param: [DefaultPasswords, mysql_root_password]}
-        mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
-        enable_galera: {get_param: EnableGalera}
-        # NOTE: bind IP is found in Heat replacing the network name with the
-        # local node IP for the given network; replacement examples
-        # (eg. for internal_api):
-        # internal_api -> IP
-        # internal_api_uri -> [IP]
-        # internal_api_subnet - > IP/CIDR
-        mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
-        tripleo::profile::base::database::mysql::bind_address:
-          str_replace:
-            template:
-              '"%{::fqdn_$NETWORK}"'
-            params:
-              $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+        map_merge:
+          - get_attr: [MySQLTLS, role_data, config_settings]
+          -
+            # The Galera package should work in cluster and
+            # non-cluster modes based on the config file.
+            # We set the package name here explicitly so
+            # that it matches what we pre-install
+            # in tripleo-puppet-elements.
+            mysql::server::package_name: 'mariadb-galera-server'
+            mysql::server::manage_config_file: true
+            tripleo.mysql.firewall_rules:
+              '104 mysql galera':
+                dport:
+                  - 873
+                  - 3306
+                  - 4444
+                  - 4567
+                  - 4568
+                  - 9200
+            mysql_max_connections: {get_param: MysqlMaxConnections}
+            mysql::server::root_password:
+              yaql:
+                expression: $.data.passwords.where($ != '').first()
+                data:
+                  passwords:
+                    - {get_param: MysqlRootPassword}
+                    - {get_param: [DefaultPasswords, mysql_root_password]}
+            mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
+            enable_galera: {get_param: EnableGalera}
+            # NOTE: bind IP is found in Heat replacing the network name with the
+            # local node IP for the given network; replacement examples
+            # (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
+            tripleo::profile::base::database::mysql::bind_address:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
      step_config: |
        include ::tripleo::profile::base::database::mysql