Merge "TLS everywhere: configure mongodb's TLS settings"

2017-05-22 07:56:00 +00:00 · 2017-05-22 07:56:00 +00:00 · 14276d79af
parent 0900c88428 b743b82815
commit 14276d79af
1 changed files with 37 additions and 0 deletions
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@ -40,6 +40,13 @@ parameters:
      format: >-
        /(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+\+\d{4})
        (?<message>.*)$/
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 resources:
  MongoDbBase:
@ -79,6 +86,28 @@ outputs:
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]}
+          -
+            if:
+              - internal_tls_enabled
+              -
+                generate_service_certificates: true
+                mongodb::server::ssl: true
+                mongodb::server::ssl_key: '/etc/pki/tls/certs/mongodb.pem'
+                mongodb_certificate_specs:
+                  service_pem: '/etc/pki/tls/certs/mongodb.pem'
+                  service_certificate: '/etc/pki/tls/certs/mongodb.crt'
+                  service_key: '/etc/pki/tls/private/mongodb.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+                  principal:
+                    str_replace:
+                      template: "mongodb/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, MongodbNetwork]}
+              - {}
      step_config: |
        include ::tripleo::profile::base::database::mongodb
      upgrade_tasks:
@ -88,3 +117,11 @@ outputs:
        - name: Start mongodb service
          tags: step4
          service: name=mongod state=started
+      metadata_settings:
+        if:
+          - internal_tls_enabled
+          -
+            - service: mongodb
+              network: {get_param: [ServiceNetMap, MongodbNetwork]}
+              type: node
+          - null