diff options
Diffstat (limited to 'manifests/profile/pacemaker/database/mysql.pp')
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 82 |
1 files changed, 65 insertions, 17 deletions
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index 031e80c..22adbe9 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -26,6 +26,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. @@ -41,11 +62,14 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::database::mysql ( - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $step = hiera('step'), - $pcs_tries = hiera('pcs_tries', 20), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -53,20 +77,35 @@ class tripleo::profile::pacemaker::database::mysql ( $pacemaker_master = false } - # use only mysql_node_names when we land a patch in t-h-t that - # switches to autogenerating these values from composable services - # The galera node names need to match the pacemaker node names... so if we - # want to use FQDNs for this, the cluster will not finish bootstrapping, - # since all the nodes will be marked as slaves. For now, we'll stick to the - # short name which is already registered in pacemaker until we get around - # this issue. - $galera_node_names_lookup = hiera('mysql_short_node_names', hiera('mysql_node_names', $::hostname)) + $galera_node_names_lookup = hiera('mysql_short_node_names', $::hostname) + $galera_fqdns_names_lookup = hiera('mysql_node_names', $::hostname) + if is_array($galera_node_names_lookup) { - $galera_nodes = downcase(join($galera_node_names_lookup, ',')) + $galera_nodes_count = length($galera_node_names_lookup) + $galera_nodes = downcase(join($galera_fqdns_names_lookup, ',')) + $galera_name_pairs = zip($galera_node_names_lookup, $galera_fqdns_names_lookup) } else { + $galera_nodes_count = 1 $galera_nodes = downcase($galera_node_names_lookup) + $galera_name_pairs = [[$galera_node_names_lookup, $galera_fqdns_names_lookup]] + } + + # NOTE(jaosorior): The usage of cluster_host_map requires resource-agents-3.9.5-82.el7_3.11 + $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') } + $cluster_host_map = join($processed_galera_name_pairs, ';') + + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' } - $galera_nodes_count = count(split($galera_nodes, ',')) $mysqld_options = { 'mysqld' => { @@ -96,10 +135,19 @@ class tripleo::profile::pacemaker::database::mysql ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", } } + # since we are configuring rsync for wsrep_sst_method, we ought to make sure + # it's installed. We only includ this at step 2 since puppet-rsync may be + # included later and also adds the package resource. + if $step == 2 { + if ! defined(Package['rsync']) { + package {'rsync':} + } + } + # remove_default_accounts parameter will execute some mysql commands # to remove the default accounts created by MySQL package. # We need MySQL running to run the commands successfully, so better to @@ -136,7 +184,7 @@ class tripleo::profile::pacemaker::database::mysql ( op_params => 'promote timeout=300s on-fail=block', master_params => '', meta_params => "master-max=${galera_nodes_count} ordered=true", - resource_params => "additional_parameters='--open-files-limit=16384' enable_creation=true wsrep_cluster_address='gcomm://${galera_nodes}'", + resource_params => "additional_parameters='--open-files-limit=16384' enable_creation=true wsrep_cluster_address='gcomm://${galera_nodes}' cluster_host_map='${cluster_host_map}'", tries => $pcs_tries, location_rule => { resource_discovery => 'exclusive', |