Merge "Enable TLS in the internal networkf or Mysql"
This commit is contained in:
commit
d144f5e204
|
@ -4,3 +4,4 @@ parameter_defaults:
|
|||
EnableInternalTLS: true
|
||||
resource_registry:
|
||||
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
|
||||
OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
|
||||
|
|
|
@ -125,6 +125,7 @@ resource_registry:
|
|||
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
|
||||
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
|
||||
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
|
||||
OS::TripleO::Services::MySQLTLS: OS::Heat::None
|
||||
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
|
||||
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
|
||||
OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
heat_template_version: 2016-10-14
|
||||
|
||||
description: >
|
||||
MySQL configurations for using TLS via certmonger.
|
||||
|
||||
parameters:
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
# The following parameters are not needed by the template but are
|
||||
# required to pass the pep8 tests
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: MySQL configurations for using TLS via certmonger.
|
||||
value:
|
||||
service_name: mysql_internal_tls_certmonger
|
||||
config_settings:
|
||||
generate_service_certificates: true
|
||||
tripleo::profile::base::database::mysql::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/mysql.crt'
|
||||
service_key: '/etc/pki/tls/private/mysql.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "mysql/%{hiera('cloud_name_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
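Review bot: The certificate this template requests is named after the cloud name of the MySQL network (`template: "%{hiera('cloud_name_NETWORK')}"` in both the `hostname` and `principal` entries), whereas the mysql.yaml hunk in this same commit binds the server on the node FQDN (`'"%{::fqdn_$NETWORK}"'`); a client or Galera peer that validates the presented name against the address it actually connected to will only match when it reaches the server through that cloud (VIP) name. That is presumably intended for the VIP-fronted endpoint, but the template's `description` should say so, e.g. `Requests a certmonger certificate for the MySQL service under the cloud name of the MysqlNetwork; node-to-node (Galera) traffic is not covered by this certificate`, so operators do not assume replication traffic is protected by enabling this file. The owner and mode of `/etc/pki/tls/private/mysql.key` are also left to whatever certmonger produces; a one-line comment naming the account that must be able to read it (the MySQL service account) would help whoever wires up the puppet side. Indentation is not recoverable from the rendered page, so the nesting of `certificate_specs` is inferred.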
|
|
@ -35,50 +35,60 @@ parameters:
|
|||
description: Whether to use Galera instead of regular MariaDB.
|
||||
type: boolean
|
||||
|
||||
resources:
|
||||
|
||||
MySQLTLS:
|
||||
type: OS::TripleO::Services::MySQLTLS
|
||||
properties:
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Service MySQL using composable services.
|
||||
value:
|
||||
service_name: mysql
|
||||
config_settings:
|
||||
# The Galera package should work in cluster and
|
||||
# non-cluster modes based on the config file.
|
||||
# We set the package name here explicitly so
|
||||
# that it matches what we pre-install
|
||||
# in tripleo-puppet-elements.
|
||||
mysql::server::package_name: 'mariadb-galera-server'
|
||||
mysql::server::manage_config_file: true
|
||||
tripleo.mysql.firewall_rules:
|
||||
'104 mysql galera':
|
||||
dport:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
mysql_max_connections: {get_param: MysqlMaxConnections}
|
||||
mysql::server::root_password:
|
||||
yaql:
|
||||
expression: $.data.passwords.where($ != '').first()
|
||||
data:
|
||||
passwords:
|
||||
- {get_param: MysqlRootPassword}
|
||||
- {get_param: [DefaultPasswords, mysql_root_password]}
|
||||
mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
|
||||
enable_galera: {get_param: EnableGalera}
|
||||
# NOTE: bind IP is found in Heat replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
tripleo::profile::base::database::mysql::bind_address:
|
||||
str_replace:
|
||||
template:
|
||||
'"%{::fqdn_$NETWORK}"'
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
map_merge:
|
||||
- get_attr: [MySQLTLS, role_data, config_settings]
|
||||
-
|
||||
# The Galera package should work in cluster and
|
||||
# non-cluster modes based on the config file.
|
||||
# We set the package name here explicitly so
|
||||
# that it matches what we pre-install
|
||||
# in tripleo-puppet-elements.
|
||||
mysql::server::package_name: 'mariadb-galera-server'
|
||||
mysql::server::manage_config_file: true
|
||||
tripleo.mysql.firewall_rules:
|
||||
'104 mysql galera':
|
||||
dport:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
mysql_max_connections: {get_param: MysqlMaxConnections}
|
||||
mysql::server::root_password:
|
||||
yaql:
|
||||
expression: $.data.passwords.where($ != '').first()
|
||||
data:
|
||||
passwords:
|
||||
- {get_param: MysqlRootPassword}
|
||||
- {get_param: [DefaultPasswords, mysql_root_password]}
|
||||
mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
|
||||
enable_galera: {get_param: EnableGalera}
|
||||
# NOTE: bind IP is found in Heat replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
tripleo::profile::base::database::mysql::bind_address:
|
||||
str_replace:
|
||||
template:
|
||||
'"%{::fqdn_$NETWORK}"'
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::database::mysql
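Review bot: The order of the two `map_merge` entries is significant but undocumented: the TLS attributes (`get_attr: [MySQLTLS, role_data, config_settings]`) come first, so any key the base settings below also define silently wins over the TLS value, and nothing in the hunk states that this is intended. Add a comment above `map_merge`, e.g. `# TLS settings are merged first so the base settings below take precedence on a key clash; MySQLTLS resolves to OS::Heat::None unless an internal-TLS environment maps it` (the default mapping to `OS::Heat::None` is in this commit's resource_registry hunk). Whether `get_attr` on an `OS::Heat::None` resource yields something `map_merge` accepts is not visible on the page and should be confirmed. Note that the firewall rule `'104 mysql galera'` (873, 3306, 4444, 4567, 4568, 9200) is unchanged, so enabling MySQLTLS changes which certificate is issued but not which ports are reachable; the commit message could state that explicitly. The hunk starts inside `parameters:` (mid-way through the EnableGalera description), so that block begins outside the hunk.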
|
||||
|
|