aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/profile')
-rw-r--r--manifests/profile/pacemaker/database/mysql_bundle.pp192
1 files changed, 118 insertions, 74 deletions
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 21d671c..e07ac2e 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -34,6 +34,27 @@
# (Optional) The address that the local mysql instance should bind to.
# Defaults to $::hostname
#
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*gmcast_listen_addr*]
# (Optional) This variable defines the address on which the node listens to
# connections from other nodes in the cluster.
@@ -50,13 +71,16 @@
#
#
class tripleo::profile::pacemaker::database::mysql_bundle (
- $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
- $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'),
- $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
- $bind_address = $::hostname,
- $gmcast_listen_addr = hiera('mysql_bind_host'),
- $pcs_tries = hiera('pcs_tries', 20),
- $step = Integer(hiera('step')),
+ $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef),
+ $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'),
+ $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+ $bind_address = $::hostname,
+ $ca_file = undef,
+ $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $gmcast_listen_addr = hiera('mysql_bind_host'),
+ $pcs_tries = hiera('pcs_tries', 20),
+ $step = Integer(hiera('step')),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@@ -64,16 +88,11 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
$pacemaker_master = false
}
- # use only mysql_node_names when we land a patch in t-h-t that
- # switches to autogenerating these values from composable services
- # The galera node names need to match the pacemaker node names... so if we
- # want to use FQDNs for this, the cluster will not finish bootstrapping,
- # since all the nodes will be marked as slaves. For now, we'll stick to the
- # short name which is already registered in pacemaker until we get around
- # this issue.
- $galera_node_names_lookup = hiera('mysql_short_node_names', hiera('mysql_node_names', $::hostname))
+ $galera_node_names_lookup = hiera('mysql_short_node_names', $::hostname)
+ $galera_fqdns_names_lookup = hiera('mysql_node_names', $::hostname)
+
if is_array($galera_node_names_lookup) {
- $galera_nodes = downcase(join($galera_node_names_lookup, ','))
+ $galera_nodes = downcase(join($galera_fqdns_names_lookup, ','))
} else {
$galera_nodes = downcase($galera_node_names_lookup)
}
@@ -87,6 +106,19 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
}
$cluster_host_map_string = join($host_map_array, ';')
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ if $ca_file {
+ $tls_ca_options = "socket.ssl_ca=${ca_file}"
+ } else {
+ $tls_ca_options = ''
+ }
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ } else {
+ $tls_options = ''
+ }
+
$mysqld_options = {
'mysqld' => {
'pid-file' => '/var/lib/mysql/mariadb.pid',
@@ -116,7 +148,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
'wsrep_drupal_282555_workaround'=> '0',
'wsrep_causal_reads' => '0',
'wsrep_sst_method' => 'rsync',
- 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+ 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
},
'mysqld_safe' => {
'pid-file' => '/var/lib/mysql/mariadb.pid',
@@ -195,6 +227,74 @@ MYSQL_HOST=localhost\n",
}
# lint:endignore
}
+
+ $storage_maps = {
+ 'mysql-cfg-files' => {
+ 'source-dir' => '/var/lib/kolla/config_files/mysql.json',
+ 'target-dir' => '/var/lib/kolla/config_files/config.json',
+ 'options' => 'ro',
+ },
+ 'mysql-cfg-data' => {
+ 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
+ 'options' => 'ro',
+ },
+ 'mysql-hosts' => {
+ 'source-dir' => '/etc/hosts',
+ 'target-dir' => '/etc/hosts',
+ 'options' => 'ro',
+ },
+ 'mysql-localtime' => {
+ 'source-dir' => '/etc/localtime',
+ 'target-dir' => '/etc/localtime',
+ 'options' => 'ro',
+ },
+ 'mysql-lib' => {
+ 'source-dir' => '/var/lib/mysql',
+ 'target-dir' => '/var/lib/mysql',
+ 'options' => 'rw',
+ },
+ 'mysql-log-mariadb' => {
+ 'source-dir' => '/var/log/mariadb',
+ 'target-dir' => '/var/log/mariadb',
+ 'options' => 'rw',
+ },
+ 'mysql-dev-log' => {
+ 'source-dir' => '/dev/log',
+ 'target-dir' => '/dev/log',
+ 'options' => 'rw',
+ },
+ }
+
+ if $enable_internal_tls {
+ $mysql_storage_maps_tls = {
+ 'mysql-pki-gcomm-key' => {
+ 'source-dir' => '/etc/pki/tls/private/mysql.key',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key',
+ 'options' => 'ro',
+ },
+ 'mysql-pki-gcomm-cert' => {
+ 'source-dir' => '/etc/pki/tls/certs/mysql.crt',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt',
+ 'options' => 'ro',
+ },
+ }
+ if $ca_file {
+ $ca_storage_maps_tls = {
+ 'mysql-pki-gcomm-ca' => {
+ 'source-dir' => $ca_file,
+ 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_file}",
+ 'options' => 'ro',
+ },
+ }
+ } else {
+ $ca_storage_maps_tls = {}
+ }
+ $storage_maps_tls = merge($mysql_storage_maps_tls, $ca_storage_maps_tls)
+ } else {
+ $storage_maps_tls = {}
+ }
+
pacemaker::resource::bundle { 'galera-bundle':
image => $mysql_docker_image,
replicas => $galera_nodes_count,
@@ -208,63 +308,7 @@ MYSQL_HOST=localhost\n",
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${control_port}",
- storage_maps => {
- 'mysql-cfg-files' => {
- 'source-dir' => '/var/lib/kolla/config_files/mysql.json',
- 'target-dir' => '/var/lib/kolla/config_files/config.json',
- 'options' => 'ro',
- },
- 'mysql-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/puppet-generated/mysql/',
- 'target-dir' => '/var/lib/kolla/config_files/src',
- 'options' => 'ro',
- },
- 'mysql-hosts' => {
- 'source-dir' => '/etc/hosts',
- 'target-dir' => '/etc/hosts',
- 'options' => 'ro',
- },
- 'mysql-localtime' => {
- 'source-dir' => '/etc/localtime',
- 'target-dir' => '/etc/localtime',
- 'options' => 'ro',
- },
- 'mysql-lib' => {
- 'source-dir' => '/var/lib/mysql',
- 'target-dir' => '/var/lib/mysql',
- 'options' => 'rw',
- },
- 'mysql-log-mariadb' => {
- 'source-dir' => '/var/log/mariadb',
- 'target-dir' => '/var/log/mariadb',
- 'options' => 'rw',
- },
- 'mysql-pki-extracted' => {
- 'source-dir' => '/etc/pki/ca-trust/extracted',
- 'target-dir' => '/etc/pki/ca-trust/extracted',
- 'options' => 'ro',
- },
- 'mysql-pki-ca-bundle-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'options' => 'ro',
- },
- 'mysql-pki-ca-bundle-trust-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'options' => 'ro',
- },
- 'mysql-pki-cert' => {
- 'source-dir' => '/etc/pki/tls/cert.pem',
- 'target-dir' => '/etc/pki/tls/cert.pem',
- 'options' => 'ro',
- },
- 'mysql-dev-log' => {
- 'source-dir' => '/dev/log',
- 'target-dir' => '/dev/log',
- 'options' => 'rw',
- },
- },
+ storage_maps => merge($storage_maps, $storage_maps_tls),
}
pacemaker::resource::ocf { 'galera':