Enable TLS configuration for containerized Galera

In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the metadata service definition and update the Kolla configuration to make gcomm use TLS in containers, if configured. bp tls-via-certmonger-containers Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Closes-Bug: #1708135 Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
2017-08-02 06:13:48 -04:00 · 2017-08-02 06:13:48 -04:00 · ac79bf92d0
parent 0adf7553f4
commit ac79bf92d0
1 changed files with 35 additions and 0 deletions
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@ -40,6 +40,14 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.

 resources:

@ -56,6 +64,10 @@ resources:
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
  role_data:
    description: Containerized service MySQL using composable services.
@ -76,6 +88,13 @@ outputs:
                  - 4567
                  - 4568
                  - 9200
+          -
+            if:
+            - internal_tls_enabled
+            -
+              tripleo::profile::pacemaker::database::mysql_bundle::ca_file:
+                get_param: InternalTLSCAFile
+            - {}
      step_config: ""
      # BEGIN DOCKER SETTINGS #
      puppet_config:
@ -100,6 +119,20 @@ outputs:
              dest: "/"
              merge: true
              preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              optional: true
+              preserve_properties: true
+          permissions:
+            - path: /etc/pki/tls/certs/mysql.crt
+              owner: mysql:mysql
+              perm: '0600'
+              optional: true
+            - path: /etc/pki/tls/private/mysql.key
+              owner: mysql:mysql
+              perm: '0600'
+              optional: true
      docker_config:
        step_1:
          mysql_data_ownership:
@ -174,6 +207,8 @@ outputs:
          file:
            path: /var/lib/mysql
            state: directory
+      metadata_settings:
+        get_attr: [MysqlPuppetBase, role_data, metadata_settings]
      upgrade_tasks:
        - name: get bootstrap nodeid
          tags: common