MySQL TLS support

PROD-14216

Change-Id: I46cb98d8ada7e0521e9adaabb080d8ce939c2f77
diff --git a/cinder/controller.sls b/cinder/controller.sls
index ab189d9..9f9f088 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -66,6 +66,9 @@
     {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+    - file: mysql_ca_cinder_controller
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
     - file: /etc/apache2/conf-available/cinder-wsgi.conf
@@ -83,6 +86,9 @@
     {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+    - file: mysql_ca_cinder_controller
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -111,6 +117,9 @@
     {%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if controller.database.get('ssl',{}).get('enabled', False) %}
+    - file: mysql_ca_cinder_controller
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -217,4 +226,20 @@
 {%- endif %}
 {%- endif %}
 
+{%- if controller.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_cinder_controller:
+{%- if controller.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ controller.database.ssl.cacert_file }}
+    - contents_pillar: cinder:controller:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+
+{%- else %}
+  file.exists:
+   - name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
+
 {%- endif %}
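Review bot: The `file.managed` branch reads `controller.database.ssl.cacert_file` directly on its `- name:` line, while the `file.exists` branch and every cinder.conf template in this change fall back to `.get('cacert_file', system_cacerts_file)`, so a pillar that supplies `cacert` without `cacert_file` is expected to fail rendering here (Salt's Jinja treats undefined attributes strictly by default) even though the templates would have coped; the managed branch should use the same lookup, `- name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}`. `- mode: 0444` is unquoted, which the YAML loader reads as the octal integer 292; quoting it as `- mode: '0444'` is what the Salt file-state documentation recommends and avoids relying on Salt's mode normalisation. The `file.exists` branch indents `- name:` by three spaces where the rest of the state uses four, and there is a stray blank line inside the managed block. All three points apply equally to `mysql_ca_cinder_volume` in cinder/volume.sls. `system_cacerts_file` is not defined anywhere in this diff; presumably it comes from the state's map import, which is worth confirming.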
diff --git a/cinder/files/mitaka/cinder.conf.controller.Debian b/cinder/files/mitaka/cinder.conf.controller.Debian
index 2fd4277..7451507 100644
--- a/cinder/files/mitaka/cinder.conf.controller.Debian
+++ b/cinder/files/mitaka/cinder.conf.controller.Debian
@@ -174,7 +174,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if controller.backend is defined %}
 
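Review bot: The new `ssl_ca=` fragment on the `connection =` line introduces the `database.ssl.enabled`, `cacert` and `cacert_file` pillar keys without any README or metadata example in this diff, and the resulting contract deserves stating somewhere: passing `ssl_ca` makes the PyMySQL client require a server certificate that chains to that CA file and, depending on the PyMySQL version, also match `controller.database.host`, so a host given as an IP address (as in the test pillars, `127.0.0.1`) would need a certificate carrying an IP SAN. A short comment above the line, such as `# ssl_ca: CA bundle the MySQL server certificate must chain to; defaults to the system bundle`, would make this visible to operators. The mitaka templates here and in cinder.conf.volume.Debian also gain `?charset=utf8`, which they previously lacked; that is a behaviour change unrelated to TLS and should be called out in the commit message. The same DSN change appears in the newton and ocata controller and volume templates.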
@@ -235,4 +235,4 @@
 {%- endif %}
 
 [oslo_middleware]
-secure_proxy_ssl_header = X-Forwarded-Proto
\ No newline at end of file
+secure_proxy_ssl_header = X-Forwarded-Proto
diff --git a/cinder/files/mitaka/cinder.conf.volume.Debian b/cinder/files/mitaka/cinder.conf.volume.Debian
index 8e90e4d..537d8bd 100644
--- a/cinder/files/mitaka/cinder.conf.volume.Debian
+++ b/cinder/files/mitaka/cinder.conf.volume.Debian
@@ -159,7 +159,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if volume.backend is defined %}
 
diff --git a/cinder/files/newton/cinder.conf.controller.Debian b/cinder/files/newton/cinder.conf.controller.Debian
index 9d2e42b..2badf88 100644
--- a/cinder/files/newton/cinder.conf.controller.Debian
+++ b/cinder/files/newton/cinder.conf.controller.Debian
@@ -187,7 +187,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if controller.backend is defined %}
 
diff --git a/cinder/files/newton/cinder.conf.volume.Debian b/cinder/files/newton/cinder.conf.volume.Debian
index 04d8cc0..d814522 100644
--- a/cinder/files/newton/cinder.conf.volume.Debian
+++ b/cinder/files/newton/cinder.conf.volume.Debian
@@ -175,7 +175,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if volume.backend is defined %}
 
diff --git a/cinder/files/ocata/cinder.conf.controller.Debian b/cinder/files/ocata/cinder.conf.controller.Debian
index 7e28979..27febf4 100644
--- a/cinder/files/ocata/cinder.conf.controller.Debian
+++ b/cinder/files/ocata/cinder.conf.controller.Debian
@@ -191,7 +191,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if controller.backend is defined %}
 
diff --git a/cinder/files/ocata/cinder.conf.volume.Debian b/cinder/files/ocata/cinder.conf.volume.Debian
index b17a903..b7dc395 100644
--- a/cinder/files/ocata/cinder.conf.volume.Debian
+++ b/cinder/files/ocata/cinder.conf.volume.Debian
@@ -179,7 +179,7 @@
 max_pool_size=30
 max_retries=-1
 max_overflow=40
-connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8
+connection = {{ volume.database.engine }}+pymysql://{{ volume.database.user }}:{{ volume.database.password }}@{{ volume.database.host }}/{{ volume.database.name }}?charset=utf8{%- if volume.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 {%- if volume.backend is defined %}
 
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 80addca..1fcd7a8 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -36,6 +36,20 @@
 {%- endif %}
 {%- endif %}
 
+{%- if volume.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_cinder_volume:
+{%- if volume.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ volume.database.ssl.cacert_file }}
+    - contents_pillar: cinder:volume:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ volume.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 /etc/cinder/cinder.conf:
   file.managed:
   - source: salt://cinder/files/{{ volume.version }}/cinder.conf.volume.{{ grains.os_family }}
@@ -67,6 +81,9 @@
     {%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if volume.database.get('ssl',{}).get('enabled', False) %}
+    - file: mysql_ca_cinder_volume
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
@@ -85,6 +102,9 @@
     {%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if volume.database.get('ssl',{}).get('enabled', False) %}
+    - file: mysql_ca_cinder_volume
+    {%- endif %}
     - file: /etc/cinder/cinder.conf
     - file: /etc/cinder/api-paste.ini
 
diff --git a/tests/pillar/netapp.sls b/tests/pillar/netapp.sls
index 1508d22..1f72880 100644
--- a/tests/pillar/netapp.sls
+++ b/tests/pillar/netapp.sls
@@ -17,6 +17,13 @@
       user: cinder
       password: pwd
       region: regionOne
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      port: 3306
+      name: cinder
+      user: cinder
+      password: pwd
     backend:
       netapp:
         engine: netapp
@@ -39,6 +46,13 @@
   volume:
     enabled: true
     version: mitaka
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      port: 3306
+      name: cinder
+      user: cinder
+      password: pwd
     message_queue:
       engine: rabbitmq
       host: 127.0.0.1
diff --git a/tests/pillar/nfs.sls b/tests/pillar/nfs.sls
index c53e486..9cec3cb 100644
--- a/tests/pillar/nfs.sls
+++ b/tests/pillar/nfs.sls
@@ -18,6 +18,13 @@
       user: cinder
       password: pwd
       region: regionOne
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      port: 3306
+      name: cinder
+      user: cinder
+      password: pwd
     backend:
       nfs-driver:
         engine: nfs
@@ -31,6 +38,13 @@
     enabled: true
     version: liberty
     default_volume_type: nfs-driver
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      port: 3306
+      name: cinder
+      user: cinder
+      password: pwd
     message_queue:
       engine: rabbitmq
       host: 127.0.0.1
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index c929373..abb1ec6 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -2,11 +2,17 @@
   - .ceph_single
 cinder:
   controller:
+    database:
+      ssl:
+        enabled: True
     message_queue:
       port: 5671
       ssl:
         enabled: True
   volume:
+    database:
+      ssl:
+        enabled: True
     message_queue:
       port: 5671
       ssl: