From 4a127ac136f4f598ec7534e4a22f0fc8627fb3fd Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 11 Sep 2018 17:12:04 +0200
Subject: [PATCH] Add variables and configuration to manage TLS on the mongodb server. See https://support.d4science.org/issues/12450
---
 mongodb-org-3.2/defaults/main.yml | 11 ++++-
 mongodb-org-3.2/templates/mongod-3.2.conf.j2 | 6 +++
 mongodb-org-3.2/templates/mongod-3.4.conf.j2 | 52 ++++++++++++++++++++
 mongodb-org-3.2/templates/mongod-3.6.conf.j2 | 8 +++
 4 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 mongodb-org-3.2/templates/mongod-3.4.conf.j2
diff --git a/mongodb-org-3.2/defaults/main.yml b/mongodb-org-3.2/defaults/main.yml
index e4a0363a..f9133091 100644
--- a/mongodb-org-3.2/defaults/main.yml
+++ b/mongodb-org-3.2/defaults/main.yml
@@ -14,7 +14,7 @@ mongodb_install_packages: True
 mongodb_install_server: True
 mongodb_install_conf: True
 mongodb_upgrade_from_older_version: False
-mongodb_version: 3.2
+mongodb_version: 3.6
 # Set to 'latest' if you want to get the latest available package
 mongodb_pkg_state: present
 mongodb_server_pkgs:
@@ -48,6 +48,15 @@ mongodb_allowed_hosts:
 mongodb_storage_engine: wiredTiger
+mongodb_ssl_enabled: False
+mongodb_ssl_letsencrypt_managed: True
+# Options: disabled, requireSSL, allowSSL, preferSSL
+mongodb_ssl_mode: requireSSL
+mongodb_ssl_certkey_file: /etc/pki/mongodb/mongodb.pem
+mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt
+mongodb_ssl_allowConnectionsWithoutCertificates: 'true'
+mongodb_ssl_disabled_protocols: 'TLS1_0,TLS1_1'
+
 # Do not change the default. We do not manage a logrotate configuration yet
 mongodb_systemlog_external_logrotate: False
 mongodb_systemlog_destination: file
diff --git a/mongodb-org-3.2/templates/mongod-3.2.conf.j2 b/mongodb-org-3.2/templates/mongod-3.2.conf.j2
index a197f6b7..8b2ac20e 100644
--- a/mongodb-org-3.2/templates/mongod-3.2.conf.j2
+++ b/mongodb-org-3.2/templates/mongod-3.2.conf.j2
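Review bot: The TLS defaults in the second hunk of defaults/main.yml pair `mongodb_ssl_CA_file: /etc/ssl/certs/ca-certificates.crt` with `mongodb_ssl_allowConnectionsWithoutCertificates: 'true'`, so a client certificate chaining to any public CA in the system bundle validates, while clients presenting no certificate are accepted anyway; if CAFile is meant to pin the issuer of the server and replica-set certificates, a dedicated CA file is the safer default, and the intent deserves a comment either way. `mongodb_ssl_letsencrypt_managed` is defined here but referenced by none of the templates in this patch; presumably it is consumed by tasks outside the diff, so a comment saying what it controls would help the next reader. Suggested comment above the block: `# TLS: CAFile defaults to the system bundle (any publicly-issued client cert validates); allowConnectionsWithoutCertificates keeps certificate-less clients working`.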
@@ -32,6 +32,12 @@ net:
 enabled: {{ mongodb_http_interface }}
 JSONPEnabled: {{ mongodb_http_interface }}
 RESTInterfaceEnabled: {{ mongodb_http_interface }}
+{% if mongodb_ssl_enabled %}
+ ssl:
+ mode: {{ mongodb_ssl_mode }}
+ PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+ CAFile: '{{ mongodb_ssl_CA_file }}'
+{% endif %}
 #processManagement:
diff --git a/mongodb-org-3.2/templates/mongod-3.4.conf.j2 b/mongodb-org-3.2/templates/mongod-3.4.conf.j2
new file mode 100644
index 00000000..57bde409
--- /dev/null
+++ b/mongodb-org-3.2/templates/mongod-3.4.conf.j2
@@ -0,0 +1,52 @@
+# mongod.conf
+
+# for documentation of all options, see:
+# http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+ dbPath: {{ mongodb_dbpath }}
+ journal:
+ enabled: true
+ directoryPerDB: {{ mongodb_directoryperdb }}
+ engine: {{ mongodb_storage_engine }}
+# mmapv1:
+# wiredTiger:
+
+# where to write logging data.
+systemLog:
+ destination: {{ mongodb_systemlog_destination }}
+ path: {{ mongodb_logpath }}
+{% if not mongodb_systemlog_external_logrotate %}
+ logRotate: rename
+ logAppend: false
+{% else %}
+ logRotate: reopen
+ logAppend: true
+{% endif %}
+# network information
+net:
+ port: {{ mongodb_tcp_port }}
+ bindIp: {{ mongo_bind_ip }}
+{% if mongodb_ssl_enabled %}
+ ssl:
+ mode: {{ mongodb_ssl_mode }}
+ PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+ CAFile: '{{ mongodb_ssl_CA_file }}'
+ disabledProtocols: {{ mongodb_ssl_disabled_protocols }}
+ allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}
+{% endif %}
+
+#processManagement:
+
+{%if mongodb_cluster_enabled %}
+security:
+ keyFile: /data/mongo_home/dev-d4science-keyfile
+
+replication:
+ oplogSizeMB: 2000
+ replSetName: {{ mongodb_replicaset }}
+{% endif %}
+
+#sharding:
+
diff --git a/mongodb-org-3.2/templates/mongod-3.6.conf.j2 b/mongodb-org-3.2/templates/mongod-3.6.conf.j2
index b709965c..40dd3fe3 100644
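Review bot: The ssl block added to mongod-3.2.conf.j2 omits `disabledProtocols` and `allowConnectionsWithoutCertificates`, which the 3.4 and 3.6 templates in this patch render from the same variables, so a host rendered with this template keeps TLS 1.0/1.1 enabled and silently ignores `mongodb_ssl_disabled_protocols`. I believe net.ssl.disabledProtocols is accepted by the 3.x server line, but that should be confirmed against the packaged 3.2 build; if it is, add `disabledProtocols: {{ mongodb_ssl_disabled_protocols }}` and `allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}` under `CAFile:`, otherwise a comment stating why the two options are left out would prevent the templates drifting further. The enclosing `net:` block starts outside the hunk.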
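Review bot: The new mongod-3.4.conf.j2 hard-codes `keyFile: /data/mongo_home/dev-d4science-keyfile` in the cluster `security:` stanza while every other path in the file comes from a role variable; a `dev-` keyfile path baked into the template is easy to ship to non-dev hosts and cannot be overridden per inventory. Presumably this mirrors the existing 3.2/3.6 templates, but since this file is new it is the natural place to move the path to a role default (a variable such as `mongodb_cluster_keyfile`, name to be chosen) and render `keyFile: {{ mongodb_cluster_keyfile }}`. The `{%if mongodb_cluster_enabled %}` tag also lacks the space after `{%` that the other tags in the file use.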
--- a/mongodb-org-3.2/templates/mongod-3.6.conf.j2
+++ b/mongodb-org-3.2/templates/mongod-3.6.conf.j2
@@ -28,6 +28,14 @@ systemLog:
 net:
 port: {{ mongodb_tcp_port }}
 bindIp: {{ mongo_bind_ip }}
+{% if mongodb_ssl_enabled %}
+ ssl:
+ mode: {{ mongodb_ssl_mode }}
+ PEMKeyFile: '{{ mongodb_ssl_certkey_file }}'
+ CAFile: '{{ mongodb_ssl_CA_file }}'
+ disabledProtocols: {{ mongodb_ssl_disabled_protocols }}
+ allowConnectionsWithoutCertificates: {{ mongodb_ssl_allowConnectionsWithoutCertificates }}
+{% endif %}
 #processManagement: