[REFACTOR] Implement X.509 auth for MySQL and Cinder
Change-Id: I7c498c858675f265352f9bc541fbaa259c9eac70
Related-PROD: PROD-22519
diff --git a/README.rst b/README.rst
index 555ef91..7c2787f 100644
--- a/README.rst
+++ b/README.rst
@@ -766,30 +766,31 @@
---------------------
By default communication between Cinder and Galera is unsecure.
-You able to set custom certificates in pillar:
-controller:
- database:
- x509:
- enabled: True
+cinder:
+ volume:
+ database:
+ x509:
+ enabled: True
+ controller:
+ database:
+ x509:
+ enabled: True
-volume:
- database:
- x509:
- enabled: True
+You able to set custom certificates in pillar:
cinder:
controller:
database:
x509:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
volume:
database:
x509:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
diff --git a/cinder/_ssl/controller-mysql.sls b/cinder/_ssl/controller_mysql.sls
similarity index 97%
rename from cinder/_ssl/controller-mysql.sls
rename to cinder/_ssl/controller_mysql.sls
index 9a542e8..06dc0cb 100644
--- a/cinder/_ssl/controller-mysql.sls
+++ b/cinder/_ssl/controller_mysql.sls
@@ -2,7 +2,7 @@
cinder_controller_ssl_mysql:
test.show_notification:
- - text: "Running cinder._ssl.controller-mysql"
+ - text: "Running cinder._ssl.controller_mysql"
{%- if controller.database.get('x509',{}).get('enabled',False) %}
diff --git a/cinder/_ssl/volume-mysql.sls b/cinder/_ssl/volume_mysql.sls
similarity index 97%
rename from cinder/_ssl/volume-mysql.sls
rename to cinder/_ssl/volume_mysql.sls
index 3038217..5bd6e4b 100644
--- a/cinder/_ssl/volume-mysql.sls
+++ b/cinder/_ssl/volume_mysql.sls
@@ -2,7 +2,7 @@
cinder_volume_ssl_mysql:
test.show_notification:
- - text: "Running cinder._ssl.volume-mysql"
+ - text: "Running cinder._ssl.volume_mysql"
{%- if volume.database.get('x509',{}).get('enabled',False) %}
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 2492a43..8dffd36 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -7,7 +7,7 @@
- apache
{%- endif %}
- cinder.db.offline_sync
- - cinder._ssl.controller-mysql
+ - cinder._ssl.controller_mysql
{%- set user = controller %}
{%- include "cinder/user.sls" %}
@@ -20,6 +20,7 @@
pkg.installed:
- names: {{ controller.pkgs }}
- require_in:
+ - sls: cinder._ssl.controller_mysql
- sls: cinder.db.offline_sync
/etc/cinder/cinder.conf:
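Review bot: The new `- sls: cinder._ssl.controller_mysql` entry under `require_in` has no comment saying why package installation must now precede the SSL state, and the matching `require_in` added to `cinder_volume_packages` in cinder/volume.sls has the same gap. The ordering is presumably needed because the files managed by the `_ssl` state live in a location (and under an owner) that the cinder packages create, but that is not visible from this hunk and should be confirmed against cinder/_ssl/controller_mysql.sls. A one-line comment above the entry, such as `# packages first: the _ssl state writes files into paths the packages create (confirm against cinder._ssl.controller_mysql)`, would make the dependency chain packages -> _ssl -> cinder.conf (visible in the next hunk) explicit. The `cinder_controller_packages` state header starts before this hunk.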
@@ -31,7 +32,7 @@
- group: cinder
- require:
- pkg: cinder_controller_packages
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- require_in:
- sls: cinder.db.offline_sync
@@ -43,7 +44,7 @@
- group: cinder
- require:
- pkg: cinder_controller_packages
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- require_in:
- sls: cinder.db.offline_sync
@@ -99,7 +100,7 @@
_data: {{ controller.logging }}
- require:
- pkg: cinder_controller_packages
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- require_in:
- sls: cinder.db.offline_sync
{%- if controller.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -228,7 +229,7 @@
- pkg: cinder_controller_packages
- service: cinder_api_service_dead
- sls: cinder.db.offline_sync
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
@@ -250,7 +251,7 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
@@ -282,7 +283,7 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
- - sls: cinder._ssl.controller-mysql
+ - sls: cinder._ssl.controller_mysql
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
diff --git a/cinder/volume.sls b/cinder/volume.sls
index 080466f..e902832 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -3,7 +3,7 @@
{%- if volume.enabled %}
include:
- - cinder._ssl.volume-mysql
+ - cinder._ssl.volume_mysql
{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
{%- set user = volume %}
@@ -13,6 +13,8 @@
cinder_volume_packages:
pkg.installed:
- names: {{ volume.pkgs }}
+ - require_in:
+ - sls: cinder._ssl.volume_mysql
/var/lock/cinder:
file.directory:
@@ -50,7 +52,7 @@
- user: root
- group: cinder
- require:
- - sls: cinder._ssl.volume-mysql
+ - sls: cinder._ssl.volume_mysql
- pkg: cinder_volume_packages
/etc/cinder/api-paste.ini:
@@ -80,7 +82,7 @@
- onlyif: /bin/false
{%- endif %}
- require:
- - sls: cinder._ssl.volume-mysql
+ - sls: cinder._ssl.volume_mysql
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume
@@ -159,7 +161,7 @@
- onlyif: /bin/false
{%- endif %}
- require:
- - sls: cinder._ssl.volume-mysql
+ - sls: cinder._ssl.volume_mysql
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume