aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/certmonger/mysql.pp84
-rw-r--r--manifests/firewall/rule.pp11
-rw-r--r--manifests/profile/base/database/mysql.pp53
-rw-r--r--manifests/profile/base/swift/proxy.pp5
-rw-r--r--spec/classes/tripleo_firewall_spec.rb4
5 files changed, 148 insertions, 9 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
new file mode 100644
index 0000000..62aff9a
--- /dev/null
+++ b/manifests/certmonger/mysql.pp
@@ -0,0 +1,84 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::mysql
+#
+# Request a certificate for the MySQL/Mariadb service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*mysql_network*]
+# (Optional) The network name where the mysql endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('mysql_network', undef)
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for MySQL in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::mysql (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $mysql_network = hiera('mysql_network', undef),
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::mysql::params
+
+ if !$mysql_network {
+ fail('mysql_network is not set in the hieradata.')
+ }
+
+ $postsave_cmd = "systemctl reload ${::mysql::params::service_name}"
+ certmonger_certificate { 'mysql' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ file { $service_certificate :
+ owner => 'mysql',
+ group => 'mysql',
+ require => Certmonger_certificate['mysql'],
+ }
+ file { $service_key :
+ owner => 'mysql',
+ group => 'mysql',
+ require => Certmonger_certificate['mysql'],
+ }
+
+ File[$service_certificate] ~> Service<| title == $::mysql::params::service_name |>
+ File[$service_key] ~> Service<| title == $::mysql::params::service_name |>
+}
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index c63162b..6801dc4 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -83,14 +83,21 @@ define tripleo::firewall::rule (
'sport' => $sport,
'proto' => $proto,
'action' => $action,
- 'state' => $state,
'source' => $source,
'iniface' => $iniface,
'chain' => $chain,
'destination' => $destination,
}
+ if $proto != 'gre' {
+ $state_rule = {
+ 'state' => $state
+ }
+ } else {
+ $state_rule = {}
+ }
+
- $rule = merge($basic, $extras)
+ $rule = merge($basic, $state_rule, $extras)
validate_hash($rule)
create_resources('firewall', { "${title}" => $rule })
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 8bef7c4..e5f366e 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -26,6 +26,28 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('bootstrap_nodeid')
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to {}.
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# MySQL. This could be as many as specified by the $certificates_specs
+# variable.
+# Defaults to hiera('generate_service_certificate', false).
+#
# [*manage_resources*]
# (Optional) Whether or not manage root user, root my.cnf, and service.
# Defaults to true
@@ -45,12 +67,15 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::database::mysql (
- $bind_address = $::hostname,
- $bootstrap_node = hiera('bootstrap_nodeid', undef),
- $manage_resources = true,
- $mysql_server_options = {},
- $remove_default_accounts = true,
- $step = hiera('step'),
+ $bind_address = $::hostname,
+ $bootstrap_node = hiera('bootstrap_nodeid', undef),
+ $certificate_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $manage_resources = true,
+ $mysql_server_options = {},
+ $remove_default_accounts = true,
+ $step = hiera('step'),
) {
if $::hostname == downcase($bootstrap_node) {
@@ -60,6 +85,18 @@ class tripleo::profile::base::database::mysql (
}
validate_hash($mysql_server_options)
+ validate_hash($certificate_specs)
+
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resource('class', 'tripleo::certmonger::mysql', $certificate_specs)
+ }
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
# non-ha scenario
if $manage_resources {
@@ -84,6 +121,10 @@ class tripleo::profile::base::database::mysql (
'bind-address' => $bind_address,
'max_connections' => hiera('mysql_max_connections'),
'open_files_limit' => '-1',
+ 'ssl' => $enable_internal_tls,
+ 'ssl-key' => $tls_keyfile,
+ 'ssl-cert' => $tls_certfile,
+ 'ssl-ca' => undef,
}
}
$mysql_server_options_real = deep_merge($mysql_server_default, $mysql_server_options)
diff --git a/manifests/profile/base/swift/proxy.pp b/manifests/profile/base/swift/proxy.pp
index 15b4686..ea309db 100644
--- a/manifests/profile/base/swift/proxy.pp
+++ b/manifests/profile/base/swift/proxy.pp
@@ -68,5 +68,10 @@ class tripleo::profile::base::swift::proxy (
rabbit_hosts => $swift_rabbit_hosts,
}
include ::swift::proxy::versioned_writes
+ include ::swift::proxy::slo
+ include ::swift::proxy::dlo
+ include ::swift::proxy::copy
+ include ::swift::proxy::container_quotas
+ include ::swift::proxy::account_quotas
}
}
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 1270aa7..3116a51 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -76,7 +76,8 @@ describe 'tripleo::firewall' do
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
'302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
- '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}
+ '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
+ '305 add gre rule' => {'proto' => 'gre'}
}
)
end
@@ -109,6 +110,7 @@ describe 'tripleo::firewall' do
:action => 'accept',
:state => ['NEW'],
)
+ is_expected.to contain_firewall('305 add gre rule').without(:state)
end
end