MySQL TLS support
PROD-14216
Change-Id: I46cb98d8ada7e0521e9adaabb080d8ce939c2f77
diff --git a/cinder/controller.sls b/cinder/controller.sls
index ab189d9..9f9f088 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -66,6 +66,9 @@
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_cinder_controller
+ {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
- file: /etc/apache2/conf-available/cinder-wsgi.conf
@@ -83,6 +86,9 @@
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_cinder_controller
+ {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -111,6 +117,9 @@
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_cinder_controller
+ {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -217,4 +226,20 @@
{%- endif %}
{%- endif %}
+{%- if controller.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_cinder_controller:
+{%- if controller.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ controller.database.ssl.cacert_file }}
+ - contents_pillar: cinder:controller:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+
+{%- else %}
+ file.exists:
+ - name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
+
{%- endif %}
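Review bot: The `file.managed` branch reads `controller.database.ssl.cacert_file` directly while the `file.exists` branch falls back to `system_cacerts_file`, so a pillar that supplies `cacert` but not `cacert_file` renders `name:` from an undefined value and the pillar-provided CA is never written. Simply reusing the fallback in the managed branch would be worse, because `file.managed` with `contents_pillar` would then overwrite the host's system trust store with a single certificate; either document `cacert_file` as mandatory whenever `cacert` is set, or default it to a cinder-specific path, e.g. `- name: {{ controller.database.ssl.get('cacert_file', '/path/to/cinder-mysql-ca.pem') }}` (placeholder path). `- mode: 0444` is an unquoted leading-zero integer that YAML 1.1 loads as 292, so quote it as `- mode: "0444"` unless the formula deliberately relies on the unquoted form elsewhere. The same two points apply to `mysql_ca_cinder_volume` in cinder/volume.sls, and both hunks assume `system_cacerts_file` is defined in the formula's map, which is outside this diff.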
diff --git a/cinder/files/mitaka/cinder.conf.controller.Debian b/cinder/files/mitaka/cinder.conf.controller.Debian
index 2fd4277..7451507 100644
--- a/cinder/files/mitaka/cinder.conf.controller.Debian
+++ b/cinder/files/mitaka/cinder.conf.controller.Debian
@@ -174,7 +174,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if controller.backend is defined %}
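Review bot: The mitaka templates here and in cinder/files/mitaka/cinder.conf.volume.Debian gain `?charset=utf8` alongside the TLS option, which the newton and ocata templates already had; that is a behaviour change for existing mitaka deployments that the commit message (MySQL TLS support) does not mention, so it should be split out or at least called out. For the new `&ssl_ca=` fragment, the pymysql dialect forwards it as the driver's CA option, and whether that also enforces hostname verification of the server certificate depends on the installed PyMySQL version; confirm it on the target release and document the expectation next to the `ssl.enabled` pillar key, since a reader will assume "enabled" means verified TLS rather than merely encrypted. The same fragment is repeated in the newton and ocata controller and volume templates.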
@@ -235,4 +235,4 @@
{%- endif %}
[oslo_middleware]
-secure_proxy_ssl_header = X-Forwarded-Proto
\ No newline at end of file
+secure_proxy_ssl_header = X-Forwarded-Proto
diff --git a/cinder/files/mitaka/cinder.conf.volume.Debian b/cinder/files/mitaka/cinder.conf.volume.Debian
index 8e90e4d..537d8bd 100644
--- a/cinder/files/mitaka/cinder.conf.volume.Debian
+++ b/cinder/files/mitaka/cinder.conf.volume.Debian
@@ -159,7 +159,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/files/newton/cinder.conf.controller.Debian b/cinder/files/newton/cinder.conf.controller.Debian
index 9d2e42b..2badf88 100644
--- a/cinder/files/newton/cinder.conf.controller.Debian
+++ b/cinder/files/newton/cinder.conf.controller.Debian
@@ -187,7 +187,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if controller.backend is defined %}
diff --git a/cinder/files/newton/cinder.conf.volume.Debian b/cinder/files/newton/cinder.conf.volume.Debian
index 04d8cc0..d814522 100644
--- a/cinder/files/newton/cinder.conf.volume.Debian
+++ b/cinder/files/newton/cinder.conf.volume.Debian
@@ -175,7 +175,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index 7e28979..27febf4 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -191,7 +191,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if controller.backend is defined %}
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index b17a903..b7dc395 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -179,7 +179,7 @@
max_pool_size=30
max_retries=-1
max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{%- if volume.backend is defined %}
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 80addca..1fcd7a8 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -36,6 +36,20 @@
{%- endif %}
{%- endif %}
+{%- if volume.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_cinder_volume:
+{%- if volume.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ volume.database.ssl.cacert_file }}
+ - contents_pillar: cinder:volume:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
/etc/cinder/cinder.conf:
file.managed:
- source: salt://cinder/files/{{ volume.version }}/cinder.conf.volume.{{ grains.os_family }}
@@ -67,6 +81,9 @@
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if volume.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_cinder_volume
+ {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
@@ -85,6 +102,9 @@
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if volume.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_cinder_volume
+ {%- endif %}
- file: /etc/cinder/cinder.conf
- file: /etc/cinder/api-paste.ini
diff --git a/tests/pillar/netapp.sls b/tests/pillar/netapp.sls
index 1508d22..1f72880 100644
--- a/tests/pillar/netapp.sls
+++ b/tests/pillar/netapp.sls
@@ -17,6 +17,13 @@
user: cinder
password: pwd
region: regionOne
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ port: 3306
+ name: cinder
+ user: cinder
+ password: pwd
backend:
netapp:
engine: netapp
@@ -39,6 +46,13 @@
volume:
enabled: true
version: mitaka
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ port: 3306
+ name: cinder
+ user: cinder
+ password: pwd
message_queue:
engine: rabbitmq
host: 127.0.0.1
diff --git a/tests/pillar/nfs.sls b/tests/pillar/nfs.sls
index c53e486..9cec3cb 100644
--- a/tests/pillar/nfs.sls
+++ b/tests/pillar/nfs.sls
@@ -18,6 +18,13 @@
user: cinder
password: pwd
region: regionOne
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ port: 3306
+ name: cinder
+ user: cinder
+ password: pwd
backend:
nfs-driver:
engine: nfs
@@ -31,6 +38,13 @@
enabled: true
version: liberty
default_volume_type: nfs-driver
+ database:
+ engine: mysql
+ host: 127.0.0.1
+ port: 3306
+ name: cinder
+ user: cinder
+ password: pwd
message_queue:
engine: rabbitmq
host: 127.0.0.1
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index c929373..abb1ec6 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -2,11 +2,17 @@
- .ceph_single
cinder:
controller:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl:
enabled: True
volume:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl:
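Review bot: Both new `database: ssl: enabled: True` blocks omit `cacert` and `cacert_file`, so the test pillar only renders the `file.exists` fallback on `system_cacerts_file`; the `file.managed` branch that writes `contents_pillar: cinder:controller:database:ssl:cacert` is not exercised by any pillar in this change. Adding `cacert_file: /tmp/cinder-test-ca.pem` (example value) and a `cacert: |` block holding a placeholder PEM to one of the two sections would cover it. `True` matches the existing `message_queue` entries in this file; lowercase `true` is the canonical YAML boolean if the file is ever normalised.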