diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb index 9cae1ea63..b9a62e94a 100644 --- a/lib/puppet/provider/mongodb.rb +++ b/lib/puppet/provider/mongodb.rb @@ -31,7 +31,7 @@ def self.mongo_conf config = YAML.load_file(mongod_conf_file) || {} mongosh_config = {} mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml") - # determine if we need the tls for connecion or client + # determine if we need tls for the admin user if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile'] tlscert = mongosh_config['admin']['tlsCertificateKeyFile'] auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism'] diff --git a/manifests/server.pp b/manifests/server.pp index d9209adb4..71514289f 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -293,6 +293,21 @@ # # @param tls_mode # Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'. +# +# @param tls_use_system_ca +# Use the system-wide CA certificate store when connecting to a TLS-enabled server. +# +# @param tls_cluster_key +# File that contains the x.509 certificate-key file for membership authentication for the cluster or replica set. +# +# @param tls_cluster_ca +# file that contains the root certificate chain from the Certificate Authority used to validate the certificate +# presented by a client establishing a connection. +# +# @param tls_invalid_certificates +# Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows +# the use of invalid certificates. +# # @param admin_password_hash # Hashed password. Hex encoded md5 hash of mongodb password. # @@ -316,7 +331,8 @@ # Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported. # # @param supported_auth_mechanisms -# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included. +# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the +# $admin_auth_mechanism is also included. # # @param admin_tls_key # Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate. @@ -399,18 +415,24 @@ $config_content = undef, Optional[String] $config_template = undef, Optional[Hash] $config_data = undef, - Optional[Boolean] $ssl = undef, + Boolean $ssl = false, Optional[Stdlib::Absolutepath] $ssl_key = undef, Optional[Stdlib::Absolutepath] $ssl_ca = undef, Boolean $ssl_weak_cert = false, Boolean $ssl_invalid_hostnames = false, - Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL', - Boolean $tls = false, + Enum['disabled', 'requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'disabled', + Boolean $tls = true, + Enum['disabled', 'requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS', + # cluster tls settings + Optional[Boolean] $tls_use_system_ca = undef, + Optional[Stdlib::Absolutepath] $tls_cluster_key = undef, + Optional[Stdlib::Absolutepath] $tls_cluster_ca = undef, + #client tls settings Optional[Stdlib::Absolutepath] $tls_key = undef, Optional[Stdlib::Absolutepath] $tls_ca = undef, Boolean $tls_conn_without_cert = false, Boolean $tls_invalid_hostnames = false, - Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS', + Boolean $tls_invalid_certificates = false, Boolean $restart = $mongodb::params::restart, Optional[String] $storage_engine = undef, Boolean $create_admin = $mongodb::params::create_admin, @@ -449,11 +471,11 @@ $admin_password } - # using x509, we need the admin clent certificate in the parameter --tlsCertificateKeyFile + # Using x509, we need the admin client certificate in the parameter --tlsCertificateKeyFile # there is no way where we can set this in neither the /etc/momgosh.yaml or the /etc/mongod.conf # The mongodb provider reads in /etc/mongod.conf setParameters.authenticationMechanisms: MONGODB-X509 settings # to determine that a client cert authentication is used. There is no setting to set the client cert to be used. - # so we store it in a file in roots home directory. (this is done in mongodb::server::config + # so we store it in a file in roots home directory. (this is done in mongodb::server::config) if $create_admin and ($service_ensure == 'running' or $service_ensure == true) { mongodb::db { 'admin': diff --git a/templates/mongodb.conf.erb b/templates/mongodb.conf.erb index 10e0e600b..709e688bb 100644 --- a/templates/mongodb.conf.erb +++ b/templates/mongodb.conf.erb @@ -121,10 +121,22 @@ net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %> <% end -%> <% if @tls -%> net.tls.mode: <%= @tls_mode %> +<% if @tls_key -%> net.tls.certificateKeyFile: <%= @tls_key %> +<% end -%> +<% if @tls_cluster_key -%> +net.tls.ClusterFile = <%= @tls_cluster_key %> +<% end -%> +<% if ! @tls_use_system_ca -%> +<%# its this parameter or the explicit ca file location %> +<%# This options will be set in the setparameter section below %> <% if @tls_ca -%> net.tls.CAFile: <%= @tls_ca %> <% end -%> +<% if @tls_cluster_ca -%> +net.tls.clusterCAFile: <%= @tls_ca %> +<% end -%> +<% end -%> <% if @tls_conn_without_cert -%> net.tls.allowConnectionsWithoutCertificates: <%= @tls_conn_without_cert %> <% end -%> @@ -167,13 +179,18 @@ setParameter: <%= v %> <% end -%> <% end -%> -<% if @supported_auth_mechanisms -%> -<%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%> +<% if @supported_auth_mechanisms || @tls_use_system_ca -%> <% if !@set_parameter -%> setParameter: <% end -%> +<% if @supported_auth_mechanisms -%> + <%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%> authenticationMechanisms: <%= @supported_auth_mechanisms.join(',') %> <% end -%> +<% if @tls_use_system_ca -%> + tlsUseSystemCA: true +<% end -%> +<% end -%> <% if @config_data -%> <% @config_data.each do |k,v| -%>