diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/certmonger/mysql.pp | 9 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 40 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 49 |
3 files changed, 78 insertions, 20 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index dd9b184..0988c55 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -31,6 +31,12 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# This parameter can take both a string or an array of strings. +# Defaults to $hostname +# # [*principal*] # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef @@ -40,6 +46,7 @@ class tripleo::certmonger::mysql ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = $hostname, $principal = undef, ) { include ::certmonger @@ -51,7 +58,7 @@ class tripleo::certmonger::mysql ( certfile => $service_certificate, keyfile => $service_key, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames, principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 6da6dcf..2f29674 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -155,6 +155,10 @@ # When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # +# [*haproxy_stats*] +# (optional) Enable or not the haproxy stats interface +# Defaults to true +# # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to hiera('keystone_enabled', false) @@ -279,6 +283,10 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_max_conn*] +# (optional) Set the maxconn parameter for mysql +# Defaults to undef +# # [*mysql_member_options*] # The options to use for the mysql HAProxy balancer members. # If this parameter is undefined, the actual value configured will depend @@ -571,6 +579,7 @@ class tripleo::haproxy ( $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $crl_file = undef, $haproxy_stats_certificate = undef, + $haproxy_stats = true, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), $neutron = hiera('neutron_api_enabled', false), @@ -602,6 +611,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_max_conn = undef, $mysql_member_options = undef, $rabbitmq = false, $etcd = hiera('etcd_enabled', false), @@ -871,19 +881,21 @@ class tripleo::haproxy ( listen_options => $default_listen_options, } - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) - } else { - $stats_config = $stats_base - } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + if $haproxy_stats { + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } } if $keystone_admin { @@ -1314,6 +1326,7 @@ class tripleo::haproxy ( 'timeout server' => '90m', 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1324,6 +1337,7 @@ class tripleo::haproxy ( $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index 3aff62f..22adbe9 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -26,6 +26,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. @@ -41,11 +62,14 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::database::mysql ( - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql ( $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') } $cluster_host_map = join($processed_galera_name_pairs, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { 'skip-name-resolve' => '1', @@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", } } |