authorJenkins <jenkins@review.openstack.org>2016-11-28 10:17:03 +0000
committerGerrit Code Review <review@openstack.org>2016-11-28 10:17:03 +0000
commitd144f5e2041d2631d4de4898986ce3c733813043 (patch)
treeff737d07afb48715636b213df00abe0ea25e6696
parent52d9139135061fc847823f6c7d9d9b51a319760c (diff)
parent22003fbcba00c31a6044fe4599b38060dbfe1c35 (diff)
Merge "Enable TLS in the internal networkf or Mysql"
-rw-r--r--environments/enable-internal-tls.yaml1
-rw-r--r--overcloud-resource-registry-puppet.j2.yaml1
-rw-r--r--puppet/services/database/mysql-internal-tls-certmonger.yaml43
-rw-r--r--puppet/services/database/mysql.yaml88
4 files changed, 94 insertions, 39 deletions
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index 7116da37..c01b4888 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -4,3 +4,4 @@ parameter_defaults:
EnableInternalTLS: true
resource_registry:
OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
+ OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 19766ad8..aaf9ac0f 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -125,6 +125,7 @@ resource_registry:
OS::TripleO::Services::HeatEngine: puppet/services/heat-engine.yaml
OS::TripleO::Services::Kernel: puppet/services/kernel.yaml
OS::TripleO::Services::MySQL: puppet/services/database/mysql.yaml
+ OS::TripleO::Services::MySQLTLS: OS::Heat::None
OS::TripleO::Services::NeutronDhcpAgent: puppet/services/neutron-dhcp.yaml
OS::TripleO::Services::NeutronL3Agent: puppet/services/neutron-l3.yaml
OS::TripleO::Services::NeutronMetadataAgent: puppet/services/neutron-metadata.yaml
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..3ba51fb6
--- /dev/null
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@@ -0,0 +1,43 @@
+heat_template_version: 2016-10-14
+
+description: >
+ MySQL configurations for using TLS via certmonger.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ # The following parameters are not needed by the template but are
+ # required to pass the pep8 tests
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: MySQL configurations for using TLS via certmonger.
+ value:
+ service_name: mysql_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::profile::base::database::mysql::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/mysql.crt'
+ service_key: '/etc/pki/tls/private/mysql.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ principal:
+ str_replace:
+ template: "mysql/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
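Review bot: The `hostname` and `principal` values in `certificate_specs` (the `template: "%{hiera('cloud_name_NETWORK')}"` lines) are hiera interpolations resolved on the node at puppet time, not by Heat, which is worth stating because the neighbouring `get_param` lookups in the same stanza are resolved by Heat. I would add above `hostname:` the comment `# Resolved from hiera at puppet time: the cert is issued for the cloud name of the MySQL network (NETWORK comes from ServiceNetMap/MysqlNetwork), not the per-node fqdn that mysql.yaml uses for bind_address.` This also means the template depends on a `cloud_name_<network>` hiera key existing for whatever network `MysqlNetwork` maps to, and nothing in the file checks that. The private key at `/etc/pki/tls/private/mysql.key` must end up readable by the MySQL service account; presumably the puppet profile that consumes `certificate_specs` handles ownership, but the template does not document it.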
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 094a7c9f..651bf4b1 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -35,50 +35,60 @@ parameters:
description: Whether to use Galera instead of regular MariaDB.
type: boolean
+resources:
+
+ MySQLTLS:
+ type: OS::TripleO::Services::MySQLTLS
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+
outputs:
role_data:
description: Service MySQL using composable services.
value:
service_name: mysql
config_settings:
- # The Galera package should work in cluster and
- # non-cluster modes based on the config file.
- # We set the package name here explicitly so
- # that it matches what we pre-install
- # in tripleo-puppet-elements.
- mysql::server::package_name: 'mariadb-galera-server'
- mysql::server::manage_config_file: true
- tripleo.mysql.firewall_rules:
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
- mysql_max_connections: {get_param: MysqlMaxConnections}
- mysql::server::root_password:
- yaql:
- expression: $.data.passwords.where($ != '').first()
- data:
- passwords:
- - {get_param: MysqlRootPassword}
- - {get_param: [DefaultPasswords, mysql_root_password]}
- mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
- enable_galera: {get_param: EnableGalera}
- # NOTE: bind IP is found in Heat replacing the network name with the
- # local node IP for the given network; replacement examples
- # (eg. for internal_api):
- # internal_api -> IP
- # internal_api_uri -> [IP]
- # internal_api_subnet - > IP/CIDR
- mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
- tripleo::profile::base::database::mysql::bind_address:
- str_replace:
- template:
- '"%{::fqdn_$NETWORK}"'
- params:
- $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+ map_merge:
+ - get_attr: [MySQLTLS, role_data, config_settings]
+ -
+ # The Galera package should work in cluster and
+ # non-cluster modes based on the config file.
+ # We set the package name here explicitly so
+ # that it matches what we pre-install
+ # in tripleo-puppet-elements.
+ mysql::server::package_name: 'mariadb-galera-server'
+ mysql::server::manage_config_file: true
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
+ mysql_max_connections: {get_param: MysqlMaxConnections}
+ mysql::server::root_password:
+ yaql:
+ expression: $.data.passwords.where($ != '').first()
+ data:
+ passwords:
+ - {get_param: MysqlRootPassword}
+ - {get_param: [DefaultPasswords, mysql_root_password]}
+ mysql_clustercheck_password: {get_param: MysqlClustercheckPassword}
+ enable_galera: {get_param: EnableGalera}
+ # NOTE: bind IP is found in Heat replacing the network name with the
+ # local node IP for the given network; replacement examples
+ # (eg. for internal_api):
+ # internal_api -> IP
+ # internal_api_uri -> [IP]
+ # internal_api_subnet - > IP/CIDR
+ mysql_bind_host: {get_param: [ServiceNetMap, MysqlNetwork]}
+ tripleo::profile::base::database::mysql::bind_address:
+ str_replace:
+ template:
+ '"%{::fqdn_$NETWORK}"'
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
step_config: |
include ::tripleo::profile::base::database::mysql
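Review bot: The order of the two `map_merge` entries matters and is not documented: the `MySQLTLS` settings come first and the base settings second, so any key both emit resolves to the base value, and with `OS::TripleO::Services::MySQLTLS` mapped to `OS::Heat::None` (as the registry default does) the first entry is empty and Heat's map_merge treats it as an empty map. I would add above `- get_attr: [MySQLTLS, role_data, config_settings]` the comment `# TLS settings first, base settings last: on key collision the base values below win.` The new `MySQLTLS` resource passes only `ServiceNetMap`, so the certmonger template's `DefaultPasswords` and `EndpointMap` parameters fall back to their `{}` defaults; a one-line comment on the resource saying so would save the next reader a lookup. The `outputs` block may continue past the end of the hunk.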