From 22003fbcba00c31a6044fe4599b38060dbfe1c35 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 28 Sep 2016 09:51:13 +0000
Subject: Enable TLS in the internal networkf or Mysql

This adds the necessary hieradata for enabling TLS for MySQL (which
happens to run on the internal network). It also adds a template so
this can be done via certmonger. As with other services, this will
fill the necessary specs for the certificate to be requested in a
hash that will be consumed in puppet-tripleo.

Note that this only enables that we can now use TLS, however, we still
need to configure the services (or limit the users the services use)
to only connect via SSL. But that will be done in another patch, as
there is some things that need to land before we can do this (changes
in puppetlabs-mysql and puppet-openstacklib).

Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118
Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
---
 .../database/mysql-internal-tls-certmonger.yaml    | 43 ++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 puppet/services/database/mysql-internal-tls-certmonger.yaml

(limited to 'puppet/services/database/mysql-internal-tls-certmonger.yaml')

diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..3ba51fb6
--- /dev/null
+++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml
@@ -0,0 +1,43 @@
+heat_template_version: 2016-10-14
+
+description: >
+  MySQL configurations for using TLS via certmonger.
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  # The following parameters are not needed by the template but are
+  # required to pass the pep8 tests
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: MySQL configurations for using TLS via certmonger.
+    value:
+      service_name: mysql_internal_tls_certmonger
+      config_settings:
+        generate_service_certificates: true
+        tripleo::profile::base::database::mysql::certificate_specs:
+          service_certificate: '/etc/pki/tls/certs/mysql.crt'
+          service_key: '/etc/pki/tls/private/mysql.key'
+          hostname:
+            str_replace:
+              template: "%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+          principal:
+            str_replace:
+              template: "mysql/%{hiera('cloud_name_NETWORK')}"
+              params:
+                NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
-- 
cgit 1.2.3-korg