[certificates] Introduce cluster certs, and useSystemCa switch

Johan De Wit · Johan De Wit · commit 8b615a70af45 · 2024-02-20T10:43:19.000+01:00
diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb
@@ -31,7 +31,7 @@ def self.mongo_conf
     config = YAML.load_file(mongod_conf_file) || {}
     mongosh_config = {}
     mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml")
-    # determine if we need the tls for connecion or client
+    # determine if we need tls for the admin user
     if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile']
       tlscert = mongosh_config['admin']['tlsCertificateKeyFile']
       auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism']
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -293,6 +293,21 @@
 #
 # @param tls_mode
 #   Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'.
+#
+# @param tls_use_system_ca
+#   Use the system-wide CA certificate store when connecting to a TLS-enabled server.
+#
+# @param tls_cluster_key
+#   File that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.
+#
+# @param tls_cluster_ca
+#   file that contains the root certificate chain from the Certificate Authority used to validate the certificate
+#   presented by a client establishing a connection.
+#
+# @param tls_invalid_certificates
+#   Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows
+#   the use of invalid certificates.
+#
 # @param admin_password_hash
 #   Hashed password. Hex encoded md5 hash of mongodb password.
 #
@@ -316,7 +331,8 @@
 #   Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported.
 #
 # @param supported_auth_mechanisms
-#   Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included.
+#   Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the
+#   $admin_auth_mechanism is also included.
 #
 # @param admin_tls_key
 #   Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate.
@@ -399,18 +415,24 @@
   $config_content                                                    = undef,
   Optional[String] $config_template                                  = undef,
   Optional[Hash] $config_data                                        = undef,
-  Optional[Boolean] $ssl                                             = undef,
+  Boolean $ssl                                                       = false,
   Optional[Stdlib::Absolutepath] $ssl_key                            = undef,
   Optional[Stdlib::Absolutepath] $ssl_ca                             = undef,
   Boolean $ssl_weak_cert                                             = false,
   Boolean $ssl_invalid_hostnames                                     = false,
-  Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode              = 'requireSSL',
-  Boolean $tls                                                       = false,
+  Enum['disabled', 'requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode  = 'disabled',
+  Boolean $tls                                                       = true,
+  Enum['disabled', 'requireTLS', 'preferTLS', 'allowTLS'] $tls_mode  = 'requireTLS',
+  # cluster tls settings
+  Optional[Boolean] $tls_use_system_ca                               = undef,
+  Optional[Stdlib::Absolutepath] $tls_cluster_key                    = undef,
+  Optional[Stdlib::Absolutepath] $tls_cluster_ca                     = undef,
+  #client tls settings
   Optional[Stdlib::Absolutepath] $tls_key                            = undef,
   Optional[Stdlib::Absolutepath] $tls_ca                             = undef,
   Boolean $tls_conn_without_cert                                     = false,
   Boolean $tls_invalid_hostnames                                     = false,
-  Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode              = 'requireTLS',
+  Boolean $tls_invalid_certificates                                  = false,
   Boolean $restart                                                   = $mongodb::params::restart,
   Optional[String] $storage_engine                                   = undef,
   Boolean $create_admin                                              = $mongodb::params::create_admin,
@@ -449,11 +471,11 @@
     $admin_password
   }
 
-  # using x509, we need the admin clent certificate in the parameter --tlsCertificateKeyFile
+  # Using x509, we need the admin client certificate in the parameter --tlsCertificateKeyFile
   # there is no way where we can set this in neither the /etc/momgosh.yaml or the /etc/mongod.conf
   # The mongodb provider reads in /etc/mongod.conf  setParameters.authenticationMechanisms: MONGODB-X509 settings
   # to determine that a client cert authentication is used. There is no setting to set the client cert to be used.
-  # so we store it in a file in roots home directory. (this is done in mongodb::server::config
+  # so we store it in a file in roots home directory. (this is done in mongodb::server::config)
 
   if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
     mongodb::db { 'admin':
diff --git a/templates/mongodb.conf.erb b/templates/mongodb.conf.erb
@@ -121,10 +121,22 @@ net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
 <% end -%>
 <% if @tls -%>
 net.tls.mode: <%= @tls_mode %>
+<% if @tls_key -%>
 net.tls.certificateKeyFile: <%= @tls_key %>
+<% end -%>
+<% if @tls_cluster_key -%>
+net.tls.ClusterFile = <%= @tls_cluster_key %>
+<% end -%>
+<% if ! @tls_use_system_ca -%>
+<%# its this parameter or the explicit ca file location %>
+<%# This options will be set in the setparameter section below %>
 <% if @tls_ca -%>
 net.tls.CAFile: <%= @tls_ca %>
 <% end -%>
+<% if @tls_cluster_ca -%>
+net.tls.clusterCAFile: <%= @tls_ca %>
+<% end -%>
+<% end -%>
 <% if @tls_conn_without_cert -%>
 net.tls.allowConnectionsWithoutCertificates: <%= @tls_conn_without_cert %>
 <% end -%>
@@ -167,13 +179,18 @@ setParameter:
   <%= v %>
 <% end -%>
 <% end -%>
-<% if @supported_auth_mechanisms -%>
-<%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
+<% if @supported_auth_mechanisms || @tls_use_system_ca -%>
 <% if !@set_parameter -%>
 setParameter:
 <% end -%>
+<% if @supported_auth_mechanisms -%>
+  <%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
   authenticationMechanisms: <%= @supported_auth_mechanisms.join(',') %>
 <% end -%>
+<% if @tls_use_system_ca -%>
+  tlsUseSystemCA: true
+<% end -%>
+<% end -%>
 
 <% if @config_data -%>
 <% @config_data.each do |k,v| -%>
