diff options
-rw-r--r-- | manifests/certmonger/mysql.pp | 84 | ||||
-rw-r--r-- | manifests/firewall/rule.pp | 11 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 53 | ||||
-rw-r--r-- | manifests/profile/base/swift/proxy.pp | 5 | ||||
-rw-r--r-- | spec/classes/tripleo_firewall_spec.rb | 4 |
5 files changed, 148 insertions, 9 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp new file mode 100644 index 0000000..62aff9a --- /dev/null +++ b/manifests/certmonger/mysql.pp @@ -0,0 +1,84 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::mysql +# +# Request a certificate for the MySQL/Mariadb service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*mysql_network*] +# (Optional) The network name where the mysql endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('mysql_network', undef) +# +# [*principal*] +# (Optional) The haproxy service principal that is set for MySQL in kerberos. +# Defaults to undef +# +class tripleo::certmonger::mysql ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $mysql_network = hiera('mysql_network', undef), + $principal = undef, +) { + include ::certmonger + include ::mysql::params + + if !$mysql_network { + fail('mysql_network is not set in the hieradata.') + } + + $postsave_cmd = "systemctl reload ${::mysql::params::service_name}" + certmonger_certificate { 'mysql' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + file { $service_certificate : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + file { $service_key : + owner => 'mysql', + group => 'mysql', + require => Certmonger_certificate['mysql'], + } + + File[$service_certificate] ~> Service<| title == $::mysql::params::service_name |> + File[$service_key] ~> Service<| title == $::mysql::params::service_name |> +} diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index c63162b..6801dc4 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -83,14 +83,21 @@ define tripleo::firewall::rule ( 'sport' => $sport, 'proto' => $proto, 'action' => $action, - 'state' => $state, 'source' => $source, 'iniface' => $iniface, 'chain' => $chain, 'destination' => $destination, } + if $proto != 'gre' { + $state_rule = { + 'state' => $state + } + } else { + $state_rule = {} + } + - $rule = merge($basic, $extras) + $rule = merge($basic, $state_rule, $extras) validate_hash($rule) create_resources('firewall', { "${title}" => $rule }) diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 8bef7c4..e5f366e 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp @@ -26,6 +26,28 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# MySQL. This could be as many as specified by the $certificates_specs +# variable. +# Defaults to hiera('generate_service_certificate', false). +# # [*manage_resources*] # (Optional) Whether or not manage root user, root my.cnf, and service. # Defaults to true @@ -45,12 +67,15 @@ # Defaults to hiera('step') # class tripleo::profile::base::database::mysql ( - $bind_address = $::hostname, - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $manage_resources = true, - $mysql_server_options = {}, - $remove_default_accounts = true, - $step = hiera('step'), + $bind_address = $::hostname, + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $manage_resources = true, + $mysql_server_options = {}, + $remove_default_accounts = true, + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { @@ -60,6 +85,18 @@ class tripleo::profile::base::database::mysql ( } validate_hash($mysql_server_options) + validate_hash($certificate_specs) + + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs) + } + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } # non-ha scenario if $manage_resources { @@ -84,6 +121,10 @@ class tripleo::profile::base::database::mysql ( 'bind-address' => $bind_address, 'max_connections' => hiera('mysql_max_connections'), 'open_files_limit' => '-1', + 'ssl' => $enable_internal_tls, + 'ssl-key' => $tls_keyfile, + 'ssl-cert' => $tls_certfile, + 'ssl-ca' => undef, } } $mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options) diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp index 15b4686..ea309db 100644 --- a/manifests/profile/base/swift/proxy.pp +++ b/manifests/profile/base/swift/proxy.pp @@ -68,5 +68,10 @@ class tripleo::profile::base::swift::proxy ( rabbit_hosts => $swift_rabbit_hosts, } include ::swift::proxy::versioned_writes + include ::swift::proxy::slo + include ::swift::proxy::dlo + include ::swift::proxy::copy + include ::swift::proxy::container_quotas + include ::swift::proxy::account_quotas } } diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb index 1270aa7..3116a51 100644 --- a/spec/classes/tripleo_firewall_spec.rb +++ b/spec/classes/tripleo_firewall_spec.rb @@ -76,7 +76,8 @@ describe 'tripleo::firewall' do '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, '302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'}, '303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'}, - '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'} + '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}, + '305 add gre rule' => {'proto' => 'gre'} } ) end @@ -109,6 +110,7 @@ describe 'tripleo::firewall' do :action => 'accept', :state => ['NEW'], ) + is_expected.to contain_firewall('305 add gre rule').without(:state) end end |