aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-02 16:17:16 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-17 07:44:47 +0000
commitb743b82815e1ed247ffc125af5761525f3c12cb0 (patch)
tree495ae719c8733cbec41667bfa05e90290a96cc1e
parente4c07e2ab055481a0e3986122eca499659aebd33 (diff)
TLS everywhere: configure mongodb's TLS settings
This configures the mongodb server to use TLS in the internal network, while also passing the necessary attributes to generate the needed cert and key. bp tls-via-certmonger Depends-On: I85dda29bcad686372a74bd7f094bfd62777a3032 Change-Id: If6c603b074cfa7e122579cec29d034fd3312868d
-rw-r--r--puppet/services/database/mongodb.yaml37
1 files changed, 37 insertions, 0 deletions
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 72a37c68..17eca134 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -40,6 +40,13 @@ parameters:
format: >-
/(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+\+\d{4})
(?<message>.*)$/
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
MongoDbBase:
@@ -79,6 +86,28 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]}
+ -
+ if:
+ - internal_tls_enabled
+ -
+ generate_service_certificates: true
+ mongodb::server::ssl: true
+ mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+ mongodb_certificate_specs:
+ service_pem: '/etc/pki/tls/certs/mongodb.pem'
+ service_certificate: '/etc/pki/tls/certs/mongodb.crt'
+ service_key: '/etc/pki/tls/private/mongodb.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+ principal:
+ str_replace:
+ template: "mongodb/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::database::mongodb
upgrade_tasks:
@@ -88,3 +117,11 @@ outputs:
- name: Start mongodb service
tags: step4
service: name=mongod state=started
+ metadata_settings:
+ if:
+ - internal_tls_enabled
+ -
+ - service: mongodb
+ network: {get_param: [ServiceNetMap, MongodbNetwork]}
+ type: node
+ - null