Add variables and configuration to manage TLS on the mongodb server. See https://support.d4science.org/issues/12450

2018-09-11 17:12:04 +02:00 · 2018-09-11 17:12:04 +02:00 · 4a127ac136
parent 3cd806d2b6
commit 4a127ac136
4 changed files with 76 additions and 1 deletions
--- a/mongodb-org-3.2/defaults/main.yml
+++ b/mongodb-org-3.2/defaults/main.yml
@ -14,7 +14,7 @@ mongodb_install_packages: True
 mongodb_install_server: True
 mongodb_install_conf: True
 mongodb_upgrade_from_older_version: False
-mongodb_version: 3.2
+mongodb_version: 3.6
 # Set to 'latest' if you want to get the latest available package
 mongodb_pkg_state: present
 mongodb_server_pkgs:
@ -48,6 +48,15 @@ mongodb_allowed_hosts:

 mongodb_storage_engine: wiredTiger

+mongodb_ssl_enabled: False
+mongodb_ssl_letsencrypt_managed: True
+# Options: disabled, requireSSL, allowSSL, preferSSL
+mongodb_ssl_mode: requireSSL
+mongodb_ssl_certkey_file: /etc/pki/mongodb/mongodb.pem
+mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt
+mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
+mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
+
 # Do not change the default. We do not manage a logrotate configuration yet
 mongodb_systemlog_external_logrotate: False
 mongodb_systemlog_destination: file
--- a/mongodb-org-3.2/templates/mongod-3.2.conf.j2
+++ b/mongodb-org-3.2/templates/mongod-3.2.conf.j2
@ -32,6 +32,12 @@ net:
    enabled: {{ mongodb_http_interface }}
    JSONPEnabled: {{ mongodb_http_interface }}
    RESTInterfaceEnabled: {{ mongodb_http_interface }}
+{% if mongodb_ssl_enabled %}
+  ssl:
+    mode: {{ mongodb_ssl_mode }}
+    PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+    CAFile: '{{ mongodb_ssl_CA_file }}'
+{% endif %}
  
 #processManagement:

--- a/mongodb-org-3.2/templates/mongod-3.4.conf.j2
+++ b/mongodb-org-3.2/templates/mongod-3.4.conf.j2
@ -0,0 +1,52 @@
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+  dbPath: {{ mongodb_dbpath }}
+  journal:
+    enabled: true
+  directoryPerDB: {{ mongodb_directoryperdb }}
+  engine: {{ mongodb_storage_engine }}
+#  mmapv1:
+#  wiredTiger:
+
+# where to write logging data.
+systemLog:
+  destination: {{ mongodb_systemlog_destination }}
+  path: {{ mongodb_logpath }}
+{% if not mongodb_systemlog_external_logrotate %}
+  logRotate: rename
+  logAppend: false
+{% else %}
+  logRotate: reopen
+  logAppend: true
+{% endif %}
+# network information
+net:
+  port: {{ mongodb_tcp_port }}
+  bindIp: {{ mongo_bind_ip }}
+{% if mongodb_ssl_enabled %}
+  ssl:
+    mode: {{ mongodb_ssl_mode }}
+    PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+    CAFile: '{{ mongodb_ssl_CA_file }}'
+    disabledProtocols: {{ mongodb_ssl_disabled_protocols }}
+    allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}
+{% endif %}
+
+#processManagement:
+
+{%if mongodb_cluster_enabled %}
+security:
+  keyFile: /data/mongo_home/dev-d4science-keyfile
+
+replication:
+  oplogSizeMB: 2000
+  replSetName: {{ mongodb_replicaset }}
+{% endif %}
+
+#sharding:
+
--- a/mongodb-org-3.2/templates/mongod-3.6.conf.j2
+++ b/mongodb-org-3.2/templates/mongod-3.6.conf.j2
@ -28,6 +28,14 @@ systemLog:
 net:
  port: {{ mongodb_tcp_port }}
  bindIp: {{ mongo_bind_ip }}
+{% if mongodb_ssl_enabled %}
+  ssl:
+    mode: {{ mongodb_ssl_mode }}
+    PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+    CAFile: '{{ mongodb_ssl_CA_file }}'
+    disabledProtocols: {{ mongodb_ssl_disabled_protocols }}
+    allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}
+{% endif %}
  
 #processManagement: