--- /dev/null
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::etcd
+#
+# Request a certificate for the etcd service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for etcd in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::etcd (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+ include ::certmonger
+
+ $postsave_cmd = 'systemctl reload etcd'
+ certmonger_certificate { 'etcd' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ file { $service_certificate :
+ owner => 'etcd',
+ group => 'etcd',
+ require => Certmonger_certificate['etcd'],
+ }
+ file { $service_key :
+ owner => 'etcd',
+ group => 'etcd',
+ require => Certmonger_certificate['etcd'],
+ }
+
+ File[$service_certificate] ~> Service<| title == 'etcd' |>
+ File[$service_key] ~> Service<| title == 'etcd' |>
+}
ip_addresses => hiera('etcd_node_ips', $controller_hosts_real),
server_names => hiera('etcd_node_names', $controller_hosts_names_real),
service_network => $etcd_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
listen_options => {
'balance' => 'source',
}
# it will create.
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
#
+# [*etcd_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('tripleo::profile::base::etcd::certificate_specs', {}).
+#
class tripleo::profile::base::certmonger_user (
$apache_certificates_specs = hiera('apache_certificates_specs', {}),
$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+ $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
) {
include ::tripleo::certmonger::ca::libvirt
unless empty($rabbitmq_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
}
+ unless empty($etcd_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
+ }
}
# (Optional) Array of host(s) for etcd nodes.
# Defaults to hiera('etcd_node_ips', []).
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'etcd' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::etcd::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "etcd/<overcloud controller fqdn>"
+# Defaults to {}.
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::etcd (
- $bind_ip = '127.0.0.1',
- $client_port = '2379',
- $peer_port = '2380',
- $nodes = hiera('etcd_node_names', []),
- $step = hiera('step'),
+ $bind_ip = '127.0.0.1',
+ $client_port = '2379',
+ $peer_port = '2380',
+ $nodes = hiera('etcd_node_names', []),
+ $certificate_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $step = hiera('step'),
) {
+
+ validate_hash($certificate_specs)
+
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ $protocol = 'https'
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ $protocol = 'http'
+ }
+
if $step >= 2 {
class {'::etcd':
- listen_client_urls => "http://${bind_ip}:${client_port}",
- advertise_client_urls => "http://${bind_ip}:${client_port}",
- listen_peer_urls => "http://${bind_ip}:${peer_port}",
- initial_advertise_peer_urls => "http://${bind_ip}:${peer_port}",
- initial_cluster => regsubst($nodes, '.+', "\\0=http://\\0:${peer_port}"),
+ listen_client_urls => "${protocol}://${bind_ip}:${client_port}",
+ advertise_client_urls => "${protocol}://${bind_ip}:${client_port}",
+ listen_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+ initial_advertise_peer_urls => "${protocol}://${bind_ip}:${peer_port}",
+ initial_cluster => regsubst($nodes, '.+', "\\0=${protocol}://\\0:${peer_port}"),
proxy => 'off',
+ cert_file => $tls_certfile,
+ key_file => $tls_keyfile,
+ client_cert_auth => $enable_internal_tls,
+ peer_cert_file => $tls_certfile,
+ peer_key_file => $tls_keyfile,
+ peer_client_cert_auth => $enable_internal_tls,
}
}
}
--- /dev/null
+---
+features:
+ - Enable internal network TLS for etcd
--- /dev/null
+#
+# Copyright (C) 2017 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::etcd' do
+
+ shared_examples_for 'tripleo::certmonger::etcd' do
+ let :params do
+ {
+ :hostname => 'localhost',
+ :service_certificate => '/etc/pki/cert.crt',
+ :service_key => '/etc/pki/key.pem',
+ }
+ end
+
+ it 'should include the base for using certmonger' do
+ is_expected.to contain_class('certmonger')
+ end
+
+ it 'should request a certificate' do
+ is_expected.to contain_certmonger_certificate('etcd').with(
+ :ensure => 'present',
+ :certfile => '/etc/pki/cert.crt',
+ :keyfile => '/etc/pki/key.pem',
+ :hostname => 'localhost',
+ :dnsname => 'localhost',
+ :ca => 'local',
+ :wait => true,
+ )
+ is_expected.to contain_file('/etc/pki/cert.crt')
+ is_expected.to contain_file('/etc/pki/key.pem')
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::certmonger::etcd'
+ end
+ end
+end
Code Review / apex-puppet-tripleo.git / commitdiff