Merge "MySQL TLS support"
diff --git a/README.rst b/README.rst
index cd6b88a..dd2b3d1 100644
--- a/README.rst
+++ b/README.rst
@@ -159,7 +159,14 @@
 Configuring TLS communications
 ------------------------------
 
-**RabbitMQ**
+In order to trust remote server's certificate during establishing tls
+connection the CA cert must be provided at client side. By default
+system wide installed CA certs are used. You can change this behavior
+by specifying cacert_file and cacert params (optional).
+See examples below:
+
+
+- **RabbitMQ**
 
 .. code-block:: yaml
 
@@ -173,6 +180,18 @@
           cacert_file: /etc/openstack/rabbitmq-ca.pem
 
 
+- **MySQL**
+
+.. code-block:: yaml
+
+ barbican:
+   server:
+      database:
+        ssl:
+          enabled: True
+          cacert: cert body if the cacert_file does not exists
+          cacert_file: /etc/openstack/mysql-ca.pem
+
 
 Configuring plugins
 -------------------
diff --git a/barbican/_ssl.sls b/barbican/_ssl.sls
index 685a439..bdce50f 100644
--- a/barbican/_ssl.sls
+++ b/barbican/_ssl.sls
@@ -6,6 +6,7 @@
 tls communications paths used by Barbican:
 
 - messaging (RabbitMQ Server): rabbitmq_ca_barbican_server
+- database (MySQL Server): mysql_ca_barbican_server
 
 #}
 
@@ -27,3 +28,24 @@
       - service: barbican-worker
       {% endif %}
 {% endif %}
+
+{%- if server.database.ssl.enabled %}
+mysql_ca_barbican_server:
+{% if server.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.database.ssl.cacert_file }}
+    - contents_pillar: barbican:server:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{% else %}
+  file.exists:
+    - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+{% endif %}
+    - watch_in:
+      - service: barbican_server_services
+      {% if server.get('async_queues_enable', False) %}
+      - service: barbican-worker
+      {% endif %}
+    - require_in:
+      - cmd: barbican_syncdb
+{% endif %}
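Review bot: The `file.managed` branch reads `server.database.ssl.cacert_file` directly at the `- name:` line, while the `file.exists` branch below it and the `sql_connection` template in barbican.conf.Debian fall back to `system_cacerts_file` via `.get('cacert_file', ...)`; since the README presents both params as optional, a pillar that sets `cacert` but not `cacert_file` renders the managed file's name from an undefined value (empty name or render failure, depending on Salt's Jinja undefined mode) while the connection string keeps pointing at the system bundle, so the supplied CA is never used. Either make `cacert_file` mandatory whenever `cacert` is given, and say so in the README, or give it a formula-owned default in map.jinja; do not let this branch fall back to `system_cacerts_file`, because `file.managed` would then overwrite the system CA bundle with the pillar contents. Separately, `- mode: 0444` is better written `- mode: '0444'` as Salt documents, since a YAML 1.1 loader reads the bare leading-zero literal as an octal integer. `system_cacerts_file` is not defined in this hunk and is presumably imported earlier in the file; worth confirming it is in scope for this state as well.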
diff --git a/barbican/files/ocata/barbican.conf.Debian b/barbican/files/ocata/barbican.conf.Debian
index e896d98..a3247ea 100644
--- a/barbican/files/ocata/barbican.conf.Debian
+++ b/barbican/files/ocata/barbican.conf.Debian
@@ -40,7 +40,7 @@
 #sql_connection = sqlite:///barbican.sqlite
 # Note: For absolute addresses, use '////' slashes after 'sqlite:'
 # Uncomment for a more global development environment
-sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.ssl.enabled %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 db_auto_create = False
 
 # Period in seconds after which SQLAlchemy should reestablish its connection
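Review bot: The new `ssl_ca` query parameter makes the driver validate the server certificate chain against the given bundle, but as far as I know it does not by itself turn on hostname verification for MySQL client libraries (that requires the driver's verify-identity style option), so the line deserves a comment stating what the flag does and does not give, e.g. `# ssl_ca enables CA/chain validation only; hostname verification needs the driver's ssl_mode / verify-identity option` above the `sql_connection` line. The `cacert_file` path is also interpolated into the URL query string unescaped, which is fine for the documented `/etc/openstack/...` style paths but would break for a path containing `?`, `&` or `#`. If this formula ships connection templates for releases other than ocata, they need the same change, which the commit does not show.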
diff --git a/barbican/map.jinja b/barbican/map.jinja
index 0b63501..1910c0b 100644
--- a/barbican/map.jinja
+++ b/barbican/map.jinja
@@ -9,6 +9,9 @@
   message_queue:
     ssl:
       enabled: False
+  database:
+    ssl:
+      enabled: False
 Debian:
   pkgs:
   - barbican-api
diff --git a/barbican/server.sls b/barbican/server.sls
index 3b9da03..5880053 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -82,5 +82,4 @@
     - service: barbican_server_services
 {%- endif %}
 
-
 {%- endif %}
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index 715b360..a7e6d33 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -44,3 +44,7 @@
             V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
             /86PB1o=
             -----END CERTIFICATE-----
+    database:
+      # Case #2: use defaults - system wide installed CA certs
+      ssl:
+        enabled: True
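Review bot: Only the system-bundle branch of `mysql_ca_barbican_server` (`file.exists` with neither `cacert` nor `cacert_file` set) is exercised by this pillar; the `file.managed` branch with `contents_pillar` and an explicit `cacert_file` has no test case in this change, unless the "Case #1" implied by the `# Case #2` comment lives in another pillar not shown here. A second test pillar setting `cacert` to a throwaway test certificate together with `cacert_file` would cover that path and the `require_in: cmd: barbican_syncdb` ordering, and would have caught the undefined `cacert_file` access in the managed branch.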