diff options
| author |   Jenkins <jenkins@review.openstack.org> | 2017-04-25 17:33:53 +0000 |
|---|---|---|
| committer |   Gerrit Code Review <review@openstack.org> | 2017-04-25 17:33:53 +0000 |
| commit | baecff6c3ca47400ace7fb6ef5a83cd0a206041a (patch) | |
| tree | b5f7f850ad31af7a55eb5371b849fe1acedadc45 /manifests/profile/base/etcd.pp | |
| parent | 03828da512f0260b7f94e5edb9a9916b6187fbbb (diff) | |
| parent | 60d187ee0bc87c33e4b6e4d79983089157ce7565 (diff) | |
Merge "Enable internal network TLS for etcd"
Diffstat (limited to 'manifests/profile/base/etcd.pp')
| -rw-r--r-- | manifests/profile/base/etcd.pp | 57 |
1 files changed, 47 insertions, 10 deletions
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index c29c937..9f5d180 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -34,26 +34,63 @@ # (Optional) Array of host(s) for etcd nodes. # Defaults to hiera('etcd_node_ips', []). # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'etcd' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::etcd::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "etcd/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::etcd ( - $bind_ip = '127.0.0.1', - $client_port = '2379', - $peer_port = '2380', - $nodes = hiera('etcd_node_names', []), - $step = hiera('step'), + $bind_ip = '127.0.0.1', + $client_port = '2379', + $peer_port = '2380', + $nodes = hiera('etcd_node_names', []), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $step = hiera('step'), ) { + + validate_hash($certificate_specs) + + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + $protocol = 'https' + } else { + $tls_certfile = undef + $tls_keyfile = undef + $protocol = 'http' + } + if $step >= 2 { class {'::etcd': - listen_client_urls => "http://${bind_ip}:${client_port}", - advertise_client_urls => "http://${bind_ip}:${client_port}", - listen_peer_urls => "http://${bind_ip}:${peer_port}", - initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", - initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), + listen_client_urls => "${protocol}://${bind_ip}:${client_port}", + advertise_client_urls => "${protocol}://${bind_ip}:${client_port}", + listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"), proxy => 'off', + cert_file => $tls_certfile, + key_file => $tls_keyfile, + client_cert_auth => $enable_internal_tls, + peer_cert_file => $tls_certfile, + peer_key_file => $tls_keyfile, + peer_client_cert_auth => $enable_internal_tls, } } } |