From 60d187ee0bc87c33e4b6e4d79983089157ce7565 Mon Sep 17 00:00:00 2001
From: Feng Pan <fpan@redhat.com>
Date: Fri, 7 Apr 2017 16:24:10 -0400
Subject: Enable internal network TLS for etcd

bp secure-etcd

Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
---
 manifests/profile/base/certmonger_user.pp |  9 +++++
 manifests/profile/base/etcd.pp            | 57 +++++++++++++++++++++++++------
 2 files changed, 56 insertions(+), 10 deletions(-)

(limited to 'manifests/profile')

diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 424ef09..ab632e5 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -58,12 +58,18 @@
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
 #
+# [*etcd_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
+#
 class tripleo::profile::base::certmonger_user (
   $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
   $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
   $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
   $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+  $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
   include ::tripleo::certmonger::ca::libvirt
 
@@ -86,4 +92,7 @@ class tripleo::profile::base::certmonger_user (
   unless empty($rabbitmq_certificate_specs) {
     ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
   }
+  unless empty($etcd_certificate_specs) {
+    ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
+  }
 }
diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp
index c29c937..9f5d180 100644
--- a/manifests/profile/base/etcd.pp
+++ b/manifests/profile/base/etcd.pp
@@ -34,26 +34,63 @@
 #   (Optional) Array of host(s) for etcd nodes.
 #   Defaults to hiera('etcd_node_ips', []).
 #
+# [*certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate
+#   it will create. Note that the certificate nickname must be 'etcd' in
+#   the case of this service.
+#   Example with hiera:
+#     tripleo::profile::base::etcd::certificate_specs:
+#       hostname: <overcloud controller fqdn>
+#       service_certificate: <service certificate path>
+#       service_key: <service key path>
+#       principal: "etcd/<overcloud controller fqdn>"
+#   Defaults to {}.
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::etcd (
-  $bind_ip     = '127.0.0.1',
-  $client_port = '2379',
-  $peer_port   = '2380',
-  $nodes       = hiera('etcd_node_names', []),
-  $step        = hiera('step'),
+  $bind_ip             = '127.0.0.1',
+  $client_port         = '2379',
+  $peer_port           = '2380',
+  $nodes               = hiera('etcd_node_names', []),
+  $certificate_specs   = {},
+  $enable_internal_tls = hiera('enable_internal_tls', false),
+  $step                = hiera('step'),
 ) {
+
+  validate_hash($certificate_specs)
+
+  if $enable_internal_tls {
+    $tls_certfile = $certificate_specs['service_certificate']
+    $tls_keyfile = $certificate_specs['service_key']
+    $protocol = 'https'
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+    $protocol = 'http'
+  }
+
   if $step >= 2 {
     class {'::etcd':
-      listen_client_urls          => "http://${bind_ip}:${client_port}",
-      advertise_client_urls       => "http://${bind_ip}:${client_port}",
-      listen_peer_urls            => "http://${bind_ip}:${peer_port}",
-      initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
-      initial_cluster             => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
+      listen_client_urls          => "${protocol}://${bind_ip}:${client_port}",
+      advertise_client_urls       => "${protocol}://${bind_ip}:${client_port}",
+      listen_peer_urls            => "${protocol}://${bind_ip}:${peer_port}",
+      initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+      initial_cluster             => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"),
       proxy                       => 'off',
+      cert_file                   => $tls_certfile,
+      key_file                    => $tls_keyfile,
+      client_cert_auth            => $enable_internal_tls,
+      peer_cert_file              => $tls_certfile,
+      peer_key_file               => $tls_keyfile,
+      peer_client_cert_auth       => $enable_internal_tls,
     }
   }
 }
-- 
cgit 1.2.3-korg