openstack/tripleo-heat-templates
Code Issues Proposed changes
6df32707e9
tripleo-heat-templates/puppet/services/database/mysql-internal-tls-certmonger.yaml
Juan Antonio Osorio Robles 22003fbcba Enable TLS in the internal networkf or Mysql 
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.

Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there is some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).

Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-11-25 08:45:36 +02:00

44 lines
1.5 KiB
YAML
Raw Blame History

heat_template_version: 2016-10-14
description: >
MySQL configurations for using TLS via certmonger.
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
# The following parameters are not needed by the template but are
# required to pass the pep8 tests
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
outputs:
role_data:
description: MySQL configurations for using TLS via certmonger.
value:
service_name: mysql_internal_tls_certmonger
config_settings:
generate_service_certificates: true
tripleo::profile::base::database::mysql::certificate_specs:
service_certificate: '/etc/pki/tls/certs/mysql.crt'
service_key: '/etc/pki/tls/private/mysql.key'
hostname:
str_replace:
template: "%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
principal:
str_replace:
template: "mysql/%{hiera('cloud_name_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
View Git Blame Copy Permalink