Enable TLS configuration for containerized Galera

In non-containerized deployments, Galera can be configured to use TLS
for gcomm group communication when enable_internal_tls is set to true.

Fix the metadata service definition and update the Kolla configuration
to make gcomm use TLS in containers, if configured.

bp tls-via-certmonger-containers

Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Closes-Bug: #1708135
Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814

1 files changed, 35 insertions, 0 deletions

diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index f12852f8..5042b438 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -40,6 +40,14 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 resources:
 
@@ -56,6 +64,10 @@ resources:
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Containerized service MySQL using composable services.
@@ -76,6 +88,13 @@ outputs:
                   - 4567
                   - 4568
                   - 9200
+          -
+            if:
+            - internal_tls_enabled
+            -
+              tripleo::profile::pacemaker::database::mysql_bundle::ca_file:
+                get_param: InternalTLSCAFile
+            - {}
       step_config: ""
       # BEGIN DOCKER SETTINGS #
       puppet_config:
@@ -100,6 +119,20 @@ outputs:
               dest: "/"
               merge: true
               preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              optional: true
+              preserve_properties: true
+          permissions:
+            - path: /etc/pki/tls/certs/mysql.crt
+              owner: mysql:mysql
+              perm: '0600'
+              optional: true
+            - path: /etc/pki/tls/private/mysql.key
+              owner: mysql:mysql
+              perm: '0600'
+              optional: true
       docker_config:
         step_1:
           mysql_data_ownership:
@@ -174,6 +207,8 @@ outputs:
           file:
             path: /var/lib/mysql
             state: directory
+      metadata_settings:
+        get_attr: [MysqlPuppetBase, role_data, metadata_settings]
       upgrade_tasks:
         - name: get bootstrap nodeid
           tags: common