author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-09-28 09:51:13 +0000 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-11-25 08:45:36 +0200 |
commit | 22003fbcba00c31a6044fe4599b38060dbfe1c35 (patch) | |
tree | 5155fc9c81954dbfe652a3737345ba7543337a35 | |
parent | 56c98446e7def74d898a2e38427ab93e625ab89b (diff) |
Enable TLS in the internal network for Mysql
This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.
Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there are some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).
Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
-rw-r--r-- | environments/enable-internal-tls.yaml | 1 | ||||
-rw-r--r-- | overcloud-resource-registry-puppet.j2.yaml | 1 | ||||
-rw-r--r-- | puppet/services/database/mysql-internal-tls-certmonger.yaml | 43 | ||||
-rw-r--r-- | puppet/services/database/mysql.yaml | 88 |
4 files changed, 94 insertions, 39 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 7116da37..c01b4888 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -4,3 +4,4 @@ parameter_defaults:
   EnableInternalTLS: true
 resource_registry:
   OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
+  OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 19766ad8..aaf9ac0f 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -125,6 +125,7 @@ resource_registry:
   OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
   OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
   OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
+  OS::TripleO::Services::MySQLTLS: OS::Heat::None
   OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
   OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
   OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..3ba51fb6
--- /dev/null
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@@ -0,0 +1,43 @@
+heat_template_version: 2016-10-14
+
+description: >
+  MySQL configurations for using TLS via certmonger.
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry. This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  # The following parameters are not needed by the template but are
+  # required to pass the pep8 tests
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: MySQL configurations for using TLS via certmonger.
+    value:
+      service_name: mysql_internal_tls_certmonger
+      config_settings:
+        generate_service_certificates: true
+        tripleo::profile::base::database::mysql::certificate_specs:
+          service_certificate: '/etc/pki/tls/certs/mysql.crt'
+          service_key: '/etc/pki/tls/private/mysql.key'
+          hostname:
+            str_replace:
+              template: "%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+          principal:
+            str_replace:
+              template: "mysql/%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 094a7c9f..651bf4b1 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
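Review bot: The template's description says it is "for using TLS", but as the commit message itself spells out, what it does is request a certificate and key through certmonger; nothing here makes the server or its database users require SSL, so plaintext connections on the internal network are still accepted until the follow-up change lands. I would state that limitation in the file rather than only in the commit message, e.g. extend `description:` with `This only provisions the certificate/key pair; requiring TLS on connections is configured separately.` Separately, the key is written to `/etc/pki/tls/private/mysql.key` with no statement of which principal must be able to read it; presumably the puppet-tripleo consumer of `certificate_specs` sets ownership for the mysql daemon, but a one-line comment next to `service_key:` naming that expectation would help whoever later changes the path or the service user.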
@@ -35,50 +35,60 @@ parameters:
     description: Whether to use Galera instead of regular MariaDB.
     type: boolean
+resources:
+
+  MySQLTLS:
+    type: OS::TripleO::Services::MySQLTLS
+    properties:
+      ServiceNetMap: {get_param: ServiceNetMap}
+
 outputs:
   role_data:
     description: Service MySQL using composable services.
     value:
       service_name: mysql
       config_settings:
-        # The Galera package should work in cluster and
-        # non-cluster modes based on the config file.
-        # We set the package name here explicitly so
-        # that it matches what we pre-install
-        # in tripleo-puppet-elements.
-        mysql::server::package_name: 'mariadb-galera-server'
-        mysql::server::manage_config_file: true
-        tripleo.mysql.firewall_rules:
-          '104 mysql galera':
-            dport:
-              - 873
-              - 3306
-              - 4444
-              - 4567
-              - 4568
-              - 9200
-        mysql_max_connections: {get_param: MysqlMaxConnections}
-        mysql::server::root_password:
-          yaql:
-            expression: $.data.passwords.where($ != '').first()
-            data:
-              passwords:
-                - {get_param: MysqlRootPassword}
-                - {get_param: [DefaultPasswords, mysql_root_password]}
-        mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
-        enable_galera: {get_param: EnableGalera}
-        # NOTE: bind IP is found in Heat replacing the network name with the
-        # local node IP for the given network; replacement examples
-        # (eg. for internal_api):
-        # internal_api -> IP
-        # internal_api_uri -> [IP]
-        # internal_api_subnet - > IP/CIDR
-        mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
-        tripleo::profile::base::database::mysql::bind_address:
-          str_replace:
-            template:
-              '"%{::fqdn_$NETWORK}"'
-            params:
-              $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+        map_merge:
+          - get_attr: [MySQLTLS, role_data, config_settings]
+          -
+            # The Galera package should work in cluster and
+            # non-cluster modes based on the config file.
+            # We set the package name here explicitly so
+            # that it matches what we pre-install
+            # in tripleo-puppet-elements.
+            mysql::server::package_name: 'mariadb-galera-server'
+            mysql::server::manage_config_file: true
+            tripleo.mysql.firewall_rules:
+              '104 mysql galera':
+                dport:
+                  - 873
+                  - 3306
+                  - 4444
+                  - 4567
+                  - 4568
+                  - 9200
+            mysql_max_connections: {get_param: MysqlMaxConnections}
+            mysql::server::root_password:
+              yaql:
+                expression: $.data.passwords.where($ != '').first()
+                data:
+                  passwords:
+                    - {get_param: MysqlRootPassword}
+                    - {get_param: [DefaultPasswords, mysql_root_password]}
+            mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
+            enable_galera: {get_param: EnableGalera}
+            # NOTE: bind IP is found in Heat replacing the network name with the
+            # local node IP for the given network; replacement examples
+            # (eg. for internal_api):
+            # internal_api -> IP
+            # internal_api_uri -> [IP]
+            # internal_api_subnet - > IP/CIDR
+            mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
+            tripleo::profile::base::database::mysql::bind_address:
+              str_replace:
+                template:
+                  '"%{::fqdn_$NETWORK}"'
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
       step_config: |
         include ::tripleo::profile::base::database::mysql |
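Review bot: The certificate requested by the merged-in MySQLTLS settings is issued for `cloud_name_NETWORK` (the cloud/VIP name on the MySQL network), while `bind_address` here is the node's own `%{::fqdn_$NETWORK}`; a client that verifies the server certificate therefore has to address the database by the VIP name, and anything that connects to an individual node's fqdn will fail hostname verification once verification is enforced. If that is the intended model (all TLS clients go through the VIP), a comment next to `bind_address` saying so would keep a later reader from "fixing" the mismatch the wrong way. Also, the TLS settings are the first entry of `map_merge`, so if later maps take precedence (as I believe they do in Heat) any key both templates define is won by the base settings; none overlap today, but a short comment on `- get_attr: [MySQLTLS, role_data, config_settings]` recording that precedence would make it deliberate. The hunk header gives the old side as 50 lines, slightly more than is visible here, so the tail of the role_data output may be cut off in this view.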