Add node's FQDN to mysql certificate request and CA file
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 19 Jun 2017 12:36:12 +0000 (12:36 +0000)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 19 Jun 2017 12:45:37 +0000 (12:45 +0000)
This adds the node's own FQDN to the mysql certificate request, in
addition to the VIP's FQDN which we already use. It is needed so
that TLS can be enabled on the replication traffic. The CA file path
was also added as hieradata, since the TLS configuration will need
it.

bp tls-via-certmonger

Change-Id: I9252303b92a2805ba83f86a85770db2551a014d3

puppet/services/database/mysql.yaml
puppet/services/pacemaker/database/mysql.yaml

index 2bde903..882ba29 100644 (file)
@@ -118,6 +118,16 @@ outputs:
                   template: "%{hiera('cloud_name_NETWORK')}"
                   params:
                     NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+              dnsnames:
+                - str_replace:
+                    template: "%{hiera('cloud_name_NETWORK')}"
+                    params:
+                      NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+                - str_replace:
+                    template:
+                      "%{hiera('fqdn_$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
               principal:
                 str_replace:
                   template: "mysql/%{hiera('cloud_name_NETWORK')}"
@@ -132,6 +142,9 @@ outputs:
             - service: mysql
               network: {get_param: [ServiceNetMap, MysqlNetwork]}
               type: vip
+            - service: mysql
+              network: {get_param: [ServiceNetMap, MysqlNetwork]}
+              type: node
           - null
       upgrade_tasks:
         - name: Check for galera root password
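Review bot: The new `type: node` entry is not explained, and its pairing with the extra SAN in the certificate request is only visible to someone who already knows the other hunk. A comment above it, `# Also register this node's own FQDN on the MySQL network; the certificate request now carries it as a SAN next to the VIP name.`, would make that explicit. Whether the node entry is what lets the CA accept the additional SAN cannot be confirmed from these lines, so I would not word the comment more strongly than that. The `metadata_settings` list starts above the hunk.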
index d8e942d..0a7659e 100644 (file)
@@ -27,6 +27,11 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 resources:
 
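Review bot: `InternalTLSCAFile` is presumably the trust anchor a peer certificate must chain to on the replication link, and the description does not say so; an operator reading "default CA cert to use" could point it at a general bundle such as the system CA store, after which any certificate issued by a public CA would be accepted from a peer. I would sharpen the description: `Path to the CA certificate used to verify peer certificates when TLS is enabled for services on the internal network. Point it at the issuing CA only (the IPA CA by default), not a general-purpose bundle.` How the profile actually uses the path is outside this file, so that reading is inferred from the parameter name and the commit message.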
@@ -61,6 +66,8 @@ outputs:
             # internal_api_subnet - > IP/CIDR
             tripleo::profile::pacemaker::database::mysql::gmcast_listen_addr:
               get_param: [ServiceNetMap, MysqlNetwork]
+            tripleo::profile::pacemaker::database::mysql::ca_file:
+              get_param: InternalTLSCAFile
       step_config: |
         include ::tripleo::profile::pacemaker::database::mysql
       metadata_settings:
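Review bot: `ca_file` is handed to the pacemaker MySQL profile unconditionally, even though the parameter's own description says the CA is only used "if TLS is used" for internal services; if the profile treats a present `ca_file` as the switch for TLS on the replication link, this would turn it on for every deployment, and if it does not, the key is just noise for non-TLS deployments. Either gate it on the same condition that enables internal TLS, or add a line above it documenting the contract, e.g. `# Only consulted by the profile when TLS for the replication link is enabled.` I cannot see the puppet-tripleo profile from here, so confirm its behaviour before choosing. The `config_settings` mapping this hunk extends starts above the hunk.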