diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-02 16:17:16 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-17 07:44:47 +0000 |
commit | b743b82815e1ed247ffc125af5761525f3c12cb0 (patch) | |
tree | 495ae719c8733cbec41667bfa05e90290a96cc1e /puppet/services | |
parent | e4c07e2ab055481a0e3986122eca499659aebd33 (diff) |
TLS everywhere: configure mongodb's TLS settings
This configures the mongodb server to use TLS in the internal network,
while also passing the necessary attributes to generate the needed cert
and key.
bp tls-via-certmonger
Depends-On: I85dda29bcad686372a74bd7f094bfd62777a3032
Change-Id: If6c603b074cfa7e122579cec29d034fd3312868d
Diffstat (limited to 'puppet/services')
-rw-r--r-- | puppet/services/database/mongodb.yaml | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 72a37c68..17eca134 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -40,6 +40,13 @@ parameters: format: >- /(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+\+\d{4}) (?<message>.*)$/ + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: MongoDbBase: @@ -79,6 +86,28 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} + - + if: + - internal_tls_enabled + - + generate_service_certificates: true + mongodb::server::ssl: true + mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem' + mongodb_certificate_specs: + service_pem: '/etc/pki/tls/certs/mongodb.pem' + service_certificate: '/etc/pki/tls/certs/mongodb.crt' + service_key: '/etc/pki/tls/private/mongodb.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]} + principal: + str_replace: + template: "mongodb/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]} + - {} step_config: | include ::tripleo::profile::base::database::mongodb upgrade_tasks: @@ -88,3 +117,11 @@ outputs: - name: Start mongodb service tags: step4 service: name=mongod state=started + metadata_settings: + if: + - internal_tls_enabled + - + - service: mongodb + network: {get_param: [ServiceNetMap, MongodbNetwork]} + type: node + - null |