diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-24 13:21:11 +0000 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-31 14:10:30 +0000 |
| commit | f130e6c8c0b4dd6b4e59ded722445a3864333057 (patch) | |
| tree | ec32580969ea11fcbc2aaf7773255ef44b3fed4a /manifests/stunnel | |
| parent | 0457aa12e65e3d1fa6125da6e609fbd547d1b9d7 (diff) | |
Add manifests to install and configure stunnel
Some services (such as Redis) can't use mod_proxy as a TLS proxy,
since they're not HTTP services. So stunnel is necessary for these.
Thus, we add manifests to configure it as such.
bp tls-via-certmonger
Change-Id: Ic4a2dac7b3831e4780105e3b05e9c5afcf15c79c
(cherry picked from commit f85199c77826017e383534051ada57ef1ea4ddcc)
Diffstat (limited to 'manifests/stunnel')
| -rw-r--r-- | manifests/stunnel/service_proxy.pp | 61 | ||||
| -rw-r--r-- | manifests/stunnel/systemd_unit.pp | 24 |
2 files changed, 85 insertions, 0 deletions
diff --git a/manifests/stunnel/service_proxy.pp b/manifests/stunnel/service_proxy.pp new file mode 100644 index 0000000..2c9519a --- /dev/null +++ b/manifests/stunnel/service_proxy.pp @@ -0,0 +1,61 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::stunnel::service_proxy +# +# Configures a TLS proxy for a service. +# +# === Parameters +# +# [*accept_host*] +# Host or IP where the tunnel will be accepting connections. +# +# [*accept_port*] +# Port where the tunnel will be accepting connections. +# +# [*connect_port*] +# Port where the tunnel will be proxying to. +# +# [*certificate*] +# Cert that the TLS proxy will be using for the TLS connection. +# +# [*key*] +# Key that the TLS proxy will be using for the TLS connection. +# +# [*client*] +# Whether this proxy is meant for client connections. +# Defaults to 'no' +# +# [*connect_host*] +# Host where the tunnel will be proxying to. +# Defaults to 'localhost' +# +define tripleo::stunnel::service_proxy ( + $accept_host, + $accept_port, + $connect_port, + $certificate, + $key, + $client = 'no', + $connect_host = 'localhost', +) { + concat::fragment { "stunnel-service-${name}": + target => '/etc/stunnel/stunnel.conf', + order => "20-${name}", + content => template('tripleo/stunnel/service.erb'), + } + + Concat::Fragment["stunnel-service-${name}"] ~> Service<| title == 'stunnel' |> +} diff --git a/manifests/stunnel/systemd_unit.pp b/manifests/stunnel/systemd_unit.pp new file mode 100644 index 0000000..c82e825 --- /dev/null +++ b/manifests/stunnel/systemd_unit.pp @@ -0,0 +1,24 @@ +# Copyright 2017 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::stunnel::systemd_unit +# +# Configures the systemd unit for stunnel +# +class tripleo::stunnel::systemd_unit { + systemd::unit_file {'stunnel.service': + source => 'puppet:///modules/tripleo/stunnel.service' + } +} |