[certificates] Introduce cluster certs, and useSystemCa switch

lib/puppet/provider/mongodb.rb

@@ -31,7 +31,7 @@ def self.mongo_conf
  config = YAML.load_file(mongod_conf_file) || {}
  mongosh_config = {}
  mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml")
- # determine if we need the tls for connecion or client
+ # determine if we need tls for the admin user
  if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile']
  tlscert = mongosh_config['admin']['tlsCertificateKeyFile']
  auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism']

manifests/server.pp

@@ -293,6 +293,21 @@
 #
 # @param tls_mode
 # Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'.
+#
+# @param tls_use_system_ca
+# Use the system-wide CA certificate store when connecting to a TLS-enabled server.
+#
+# @param tls_cluster_key
+# File that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.
+#
+# @param tls_cluster_ca
+# file that contains the root certificate chain from the Certificate Authority used to validate the certificate
+# presented by a client establishing a connection.
+#
+# @param tls_invalid_certificates
+# Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows
+# the use of invalid certificates.
+#
 # @param admin_password_hash
 # Hashed password. Hex encoded md5 hash of mongodb password.
 #
@@ -316,7 +331,8 @@
 # Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported.
 #
 # @param supported_auth_mechanisms
-# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included.
+# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the
+# $admin_auth_mechanism is also included.
 #
 # @param admin_tls_key
 # Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate.
@@ -399,18 +415,24 @@
  $config_content = undef,
  Optional[String] $config_template = undef,
  Optional[Hash] $config_data = undef,
- Optional[Boolean] $ssl = undef,
+ Boolean $ssl  = false,
  Optional[Stdlib::Absolutepath] $ssl_key = undef,
  Optional[Stdlib::Absolutepath] $ssl_ca = undef,
  Boolean $ssl_weak_cert = false,
  Boolean $ssl_invalid_hostnames = false,
- Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
- Boolean $tls = false,
+ Enum['disabled', 'requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'disabled',
+ Boolean $tls = true,
+ Enum['disabled', 'requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
+ # cluster tls settings
+ Optional[Boolean] $tls_use_system_ca = undef,
+ Optional[Stdlib::Absolutepath] $tls_cluster_key = undef,
+ Optional[Stdlib::Absolutepath] $tls_cluster_ca = undef,
+ #client tls settings
  Optional[Stdlib::Absolutepath] $tls_key = undef,
  Optional[Stdlib::Absolutepath] $tls_ca = undef,
  Boolean $tls_conn_without_cert = false,
  Boolean $tls_invalid_hostnames = false,
- Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
+ Boolean $tls_invalid_certificates   = false,
  Boolean $restart = $mongodb::params::restart,
  Optional[String] $storage_engine = undef,
  Boolean $create_admin = $mongodb::params::create_admin,
@@ -449,11 +471,11 @@
  $admin_password
  }
 
- # using x509, we need the admin clent certificate in the parameter --tlsCertificateKeyFile
+ # Using x509, we need the admin client certificate in the parameter --tlsCertificateKeyFile
  # there is no way where we can set this in neither the /etc/momgosh.yaml or the /etc/mongod.conf
  # The mongodb provider reads in /etc/mongod.conf setParameters.authenticationMechanisms: MONGODB-X509 settings
  # to determine that a client cert authentication is used. There is no setting to set the client cert to be used.
- # so we store it in a file in roots home directory. (this is done in mongodb::server::config
+ # so we store it in a file in roots home directory. (this is done in mongodb::server::config)
 
  if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
  mongodb::db { 'admin':

templates/mongodb.conf.erb

@@ -121,10 +121,22 @@ net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
 <% end -%>
 <% if @tls -%>
 net.tls.mode: <%= @tls_mode %>
+<% if @tls_key -%>
 net.tls.certificateKeyFile: <%= @tls_key %>
+<% end -%>
+<% if @tls_cluster_key -%>
+net.tls.ClusterFile = <%= @tls_cluster_key %>
+<% end -%>
+<% if ! @tls_use_system_ca -%>
+<%# its this parameter or the explicit ca file location %>
+<%# This options will be set in the setparameter section below %>
 <% if @tls_ca -%>
 net.tls.CAFile: <%= @tls_ca %>
 <% end -%>
+<% if @tls_cluster_ca -%>
+net.tls.clusterCAFile: <%= @tls_ca %>
+<% end -%>
+<% end -%>
 <% if @tls_conn_without_cert -%>
 net.tls.allowConnectionsWithoutCertificates: <%= @tls_conn_without_cert %>
 <% end -%>
@@ -167,13 +179,18 @@ setParameter:
  <%= v %>
 <% end -%>
 <% end -%>
-<% if @supported_auth_mechanisms -%>
-<%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
+<% if @supported_auth_mechanisms || @tls_use_system_ca -%>
 <% if !@set_parameter -%>
 setParameter:
 <% end -%>
+<% if @supported_auth_mechanisms -%>
+ <%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
  authenticationMechanisms: <%= @supported_auth_mechanisms.join(',') %>
 <% end -%>
+<% if @tls_use_system_ca -%>
+ tlsUseSystemCA: true
+<% end -%>
+<% end -%>
 
 <% if @config_data -%>
 <% @config_data.each do |k,v| -%>