From 60d187ee0bc87c33e4b6e4d79983089157ce7565 Mon Sep 17 00:00:00 2001 From: Feng Pan Date: Fri, 7 Apr 2017 16:24:10 -0400 Subject: Enable internal network TLS for etcd bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan --- manifests/certmonger/etcd.pp | 73 +++++++++++++++++++++++++++++++ manifests/haproxy.pp | 1 + manifests/profile/base/certmonger_user.pp | 9 ++++ manifests/profile/base/etcd.pp | 57 +++++++++++++++++++----- 4 files changed, 130 insertions(+), 10 deletions(-) create mode 100644 manifests/certmonger/etcd.pp (limited to 'manifests') diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp new file mode 100644 index 0000000..0bddfb4 --- /dev/null +++ b/manifests/certmonger/etcd.pp @@ -0,0 +1,73 @@ +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::certmonger::etcd +# +# Request a certificate for the etcd service and do the necessary setup. +# +# === Parameters +# +# [*hostname*] +# The hostname of the node. this will be set in the CN of the certificate. +# +# [*service_certificate*] +# The path to the certificate that will be used for TLS in this service. +# +# [*service_key*] +# The path to the key that will be used for TLS in this service. +# +# [*certmonger_ca*] +# (Optional) The CA that certmonger will use to generate the certificates. +# Defaults to hiera('certmonger_ca', 'local'). +# +# [*principal*] +# (Optional) The haproxy service principal that is set for etcd in kerberos. +# Defaults to undef +# +class tripleo::certmonger::etcd ( + $hostname, + $service_certificate, + $service_key, + $certmonger_ca = hiera('certmonger_ca', 'local'), + $principal = undef, +) { + include ::certmonger + + $postsave_cmd = 'systemctl reload etcd' + certmonger_certificate { 'etcd' : + ensure => 'present', + certfile => $service_certificate, + keyfile => $service_key, + hostname => $hostname, + dnsname => $hostname, + principal => $principal, + postsave_cmd => $postsave_cmd, + ca => $certmonger_ca, + wait => true, + require => Class['::certmonger'], + } + file { $service_certificate : + owner => 'etcd', + group => 'etcd', + require => Certmonger_certificate['etcd'], + } + file { $service_key : + owner => 'etcd', + group => 'etcd', + require => Certmonger_certificate['etcd'], + } + + File[$service_certificate] ~> Service<| title == 'etcd' |> + File[$service_key] ~> Service<| title == 'etcd' |> +} diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a32c8d9..5021af6 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -1353,6 +1353,7 @@ class tripleo::haproxy ( ip_addresses => hiera('etcd_node_ips', $controller_hosts_real), server_names => hiera('etcd_node_names', $controller_hosts_names_real), service_network => $etcd_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), listen_options => { 'balance' => 'source', } diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 424ef09..ab632e5 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -58,12 +58,18 @@ # it will create. # Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}). # +# [*etcd_certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}). +# class tripleo::profile::base::certmonger_user ( $apache_certificates_specs = hiera('apache_certificates_specs', {}), $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}), $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}), $mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), + $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), ) { include ::tripleo::certmonger::ca::libvirt @@ -86,4 +92,7 @@ class tripleo::profile::base::certmonger_user ( unless empty($rabbitmq_certificate_specs) { ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs) } + unless empty($etcd_certificate_specs) { + ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs) + } } diff --git a/manifests/profile/base/etcd.pp b/manifests/profile/base/etcd.pp index c29c937..9f5d180 100644 --- a/manifests/profile/base/etcd.pp +++ b/manifests/profile/base/etcd.pp @@ -34,26 +34,63 @@ # (Optional) Array of host(s) for etcd nodes. # Defaults to hiera('etcd_node_ips', []). # +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'etcd' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::etcd::certificate_specs: +# hostname: +# service_certificate: +# service_key: +# principal: "etcd/" +# Defaults to {}. +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::etcd ( - $bind_ip = '127.0.0.1', - $client_port = '2379', - $peer_port = '2380', - $nodes = hiera('etcd_node_names', []), - $step = hiera('step'), + $bind_ip = '127.0.0.1', + $client_port = '2379', + $peer_port = '2380', + $nodes = hiera('etcd_node_names', []), + $certificate_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $step = hiera('step'), ) { + + validate_hash($certificate_specs) + + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + $protocol = 'https' + } else { + $tls_certfile = undef + $tls_keyfile = undef + $protocol = 'http' + } + if $step >= 2 { class {'::etcd': - listen_client_urls => "http://${bind_ip}:${client_port}", - advertise_client_urls => "http://${bind_ip}:${client_port}", - listen_peer_urls => "http://${bind_ip}:${peer_port}", - initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}", - initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"), + listen_client_urls => "${protocol}://${bind_ip}:${client_port}", + advertise_client_urls => "${protocol}://${bind_ip}:${client_port}", + listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}", + initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"), proxy => 'off', + cert_file => $tls_certfile, + key_file => $tls_keyfile, + client_cert_auth => $enable_internal_tls, + peer_cert_file => $tls_certfile, + peer_key_file => $tls_keyfile, + peer_client_cert_auth => $enable_internal_tls, } } } -- cgit 1.2.3-korg