authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-09-28 09:32:35 +0000
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-11-25 06:44:49 +0000
commit7124ae91c7ead2b75945ff99f3322b31e0a6ac90 (patch)
tree79d02c30528a5cd9c1f62a36cc6d4987c757f6f0 /manifests/certmonger
parent7787653c89c89d14b65d1babc8f1abe8780ebedf (diff)
Enable internal TLS for MySQL
This adds the necessary code in the manifest to configure TLS if internal TLS is enabled. This also adds the capability of auto-generating the certificate via certmonger. bp tls-via-certmonger Change-Id: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
Diffstat (limited to 'manifests/certmonger')
-rw-r--r--manifests/certmonger/mysql.pp84
1 files changed, 84 insertions, 0 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
new file mode 100644
index 0000000..62aff9a
--- /dev/null
+++ b/manifests/certmonger/mysql.pp
@@ -0,0 +1,84 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::mysql
+#
+# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*mysql_network*]
+# (Optional) The network name where the mysql endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('mysql_network', undef)
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for MySQL in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::mysql (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $mysql_network = hiera('mysql_network', undef),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::mysql::params
+
+ if !$mysql_network {
+ fail('mysql_network is not set in the hieradata.')
+ }
+
+ $postsave_cmd = "systemctl reload ${::mysql::params::service_name}"
+ certmonger_certificate { 'mysql' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ file { $service_certificate :
+ owner => 'mysql',
+ group => 'mysql',
+ require => Certmonger_certificate['mysql'],
+ }
+ file { $service_key :
+ owner => 'mysql',
+ group => 'mysql',
+ require => Certmonger_certificate['mysql'],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::mysql::params::service_name |>
+ File[$service_key] ~> Service<| title == $::mysql::params::service_name |>
+}
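Review bot: The `file { $service_key : ... }` resource sets owner and group but no `mode`, so the private key's permissions are left to whatever certmonger wrote, and a group- or world-readable key would pass this manifest unnoticed; add `mode => '0600',` to that resource (and optionally `mode => '0644',` on the certificate resource, which is public material). Separately, `$mysql_network` is only checked for presence in `if !$mysql_network { fail(...) }` and is never used afterwards, even though the header documents it as the network the endpoint listens on — either wire it into the `dnsname`/`hostname` values or adjust the parameter documentation to say it is a presence check only. The `postsave_cmd` of `systemctl reload` is presumably expected to make the service pick up a renewed certificate; if MariaDB does not re-read its TLS files on reload, this would need a restart, which is worth confirming and noting in a comment next to `$postsave_cmd`.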