authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-02 16:17:16 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-17 07:44:47 +0000
commitb743b82815e1ed247ffc125af5761525f3c12cb0 (patch)
tree495ae719c8733cbec41667bfa05e90290a96cc1e /puppet
parente4c07e2ab055481a0e3986122eca499659aebd33 (diff)
TLS everywhere: configure mongodb's TLS settings
This configures the MongoDB server to use TLS on the internal network, and also passes the attributes needed to generate the required certificate and key.

bp tls-via-certmonger
Depends-On: I85dda29bcad686372a74bd7f094bfd62777a3032
Change-Id: If6c603b074cfa7e122579cec29d034fd3312868d
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/database/mongodb.yaml37
1 files changed, 37 insertions, 0 deletions
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index 72a37c68..17eca134 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -40,6 +40,13 @@ parameters:
format: >-
/(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+\+\d{4})
(?<message>.*)$/
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
MongoDbBase:
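Review bot: The new `EnableInternalTLS` parameter is declared with only `type` and `default` and carries no `description`, unlike the other parameters in this template's `parameters:` section, so operators reading the generated parameter listing get no hint of what it switches on. I would add `description: Whether to enable TLS on the internal network for the MongoDB service.` between the `type` and `default` lines. The `parameters:` mapping starts above this hunk.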
@@ -79,6 +86,28 @@ outputs:
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]}
+ -
+ if:
+ - internal_tls_enabled
+ -
+ generate_service_certificates: true
+ mongodb::server::ssl: true
+ mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+ mongodb_certificate_specs:
+ service_pem: '/etc/pki/tls/certs/mongodb.pem'
+ service_certificate: '/etc/pki/tls/certs/mongodb.crt'
+ service_key: '/etc/pki/tls/private/mongodb.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+ principal:
+ str_replace:
+ template: "mongodb/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::database::mongodb
upgrade_tasks:
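Review bot: `mongodb::server::ssl_key` points mongod at `/etc/pki/tls/certs/mongodb.pem`, and because mongod's PEM key file bundles the private key with the certificate, that path holds private key material under a directory that is conventionally world-readable; the hunk does not show who writes that file or with what mode, so confirm the profile creates it `0600` and owned by the mongod user (the separate `service_key` entry correctly lives under `/etc/pki/tls/private/`). The hunk also leaves the module's TLS mode at its default instead of pinning it, e.g. `mongodb::server::ssl_mode: 'requireSSL'`, so whether plaintext client connections are still accepted after this change depends on the puppet module's default rather than on this template — if the intent is "TLS everywhere", that should be explicit here. The `if` block is complete within the hunk, but the enclosing `config_settings` list starts above it.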
@@ -88,3 +117,11 @@ outputs:
- name: Start mongodb service
tags: step4
service: name=mongod state=started
+ metadata_settings:
+ if:
+ - internal_tls_enabled
+ -
+ - service: mongodb
+ network: {get_param: [ServiceNetMap, MongodbNetwork]}
+ type: node
+ - null