MySQL TLS Support

PROD-14218

Change-Id: I455cade6845695ea180701cfeea35086bf8edc24
diff --git a/designate/files/liberty/designate.conf.Debian b/designate/files/liberty/designate.conf.Debian
index 9419a83..2f4218c 100644
--- a/designate/files/liberty/designate.conf.Debian
+++ b/designate/files/liberty/designate.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server with context %}
+{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 # Where an option is commented out, but filled in this shows the default
 # value of that option
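Review bot: Only this liberty template gains the `system_cacerts_file` import, yet the mitaka and ocata hunks below reference `system_cacerts_file` on their new connection lines without a matching import change. If those templates do not already import it from `designate/map.jinja` (their top-of-file lines are outside this diff), rendering will fail or produce an empty `ssl_ca=` value, which would be a silent loss of CA pinning rather than a visible error. Please confirm each template's import line, e.g. `{%- from "designate/map.jinja" import server, system_cacerts_file with context %}`.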
@@ -319,7 +319,8 @@
 # SQLAlchemy Pool Manager Cache
 #-----------------------
 [pool_manager_cache:sqlalchemy]
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+
 #connection_debug = 100
 #connection_trace = False
 #sqlite_synchronous = True
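Review bot: The new connection line passes only `ssl_ca`, which on the common SQLAlchemy MySQL dialects is translated into the driver's `ssl` options and may verify the certificate chain without verifying the server hostname; whether the drivers behind `server.database.engine` also enforce identity checking should be confirmed, since a chain-only check still allows any certificate issued by that CA to impersonate the server. Within this diff only the `[pool_manager_cache:sqlalchemy]` connection gets the TLS suffix; if the `[storage:sqlalchemy]` connection for `server.database.name.main_database` is built the same way further up this file (outside the hunk), it remains unencrypted in at least the liberty template, which only now imports `system_cacerts_file`. The same suffix is added in the mitaka and ocata hunks below, so any fix applies to all three.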
diff --git a/designate/files/mitaka/designate.conf.Debian b/designate/files/mitaka/designate.conf.Debian
index 5c63b5e..a913fd9 100644
--- a/designate/files/mitaka/designate.conf.Debian
+++ b/designate/files/mitaka/designate.conf.Debian
@@ -421,7 +421,7 @@
 #-----------------------
 [pool_manager_cache:sqlalchemy]
 #connection = sqlite:///$state_path/designate_pool_manager.sqlite
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 #connection_debug = 100
 #connection_trace = False
diff --git a/designate/files/ocata/designate.conf.Debian b/designate/files/ocata/designate.conf.Debian
index 28534b7..35680d3 100644
--- a/designate/files/ocata/designate.conf.Debian
+++ b/designate/files/ocata/designate.conf.Debian
@@ -469,7 +469,7 @@
 #-----------------------
 [pool_manager_cache:sqlalchemy]
 #connection = sqlite:///$state_path/designate_pool_manager.sqlite
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 #connection_debug = 100
 #connection_trace = False
diff --git a/designate/server.sls b/designate/server.sls
index 1228817..ee20f54 100644
--- a/designate/server.sls
+++ b/designate/server.sls
@@ -68,6 +68,9 @@
       {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
       - file: rabbitmq_ca
       {%- endif %}
+      {%- if server.database.get('ssl',{}).get('enabled', False) %}
+      - file: mysql_ca_designate_server
+      {%- endif %}
 {%- endif %}
 
 {%- if server.version not in ['liberty', 'juno', 'kilo'] and server.pools is defined %}
@@ -98,9 +101,32 @@
     - contents_pillar: designate:server:message_queue:ssl:cacert
     - mode: 0444
     - makedirs: true
+    - require_in:
+      - file: /etc/designate/designate.conf
 {%- else %}
   file.exists:
    - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+   - require_in:
+     - file: /etc/designate/designate.conf
+{%- endif %}
+{%- endif %}
+
+
+{%- if server.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_designate_server:
+{%- if server.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.database.ssl.cacert_file }}
+    - contents_pillar: designate:server:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - file: /etc/designate/designate.conf
+{%- else %}
+  file.exists:
+   - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - require_in:
+     - file: /etc/designate/designate.conf
 {%- endif %}
 {%- endif %}
 
diff --git a/tests/pillar/designate_liberty.sls b/tests/pillar/designate_liberty.sls
index 3ed12f5..8022e0c 100644
--- a/tests/pillar/designate_liberty.sls
+++ b/tests/pillar/designate_liberty.sls
@@ -9,6 +9,15 @@
     mdns:
       address: 0.0.0.0
       port: 5354
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      port: 3306
+      name:
+        main_database: designate
+        pool_manager: designate_pool_manager
+      user: designate
+      password: passw0rd
     message_queue:
       members:
         - host: 127.0.0.1
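Review bot: The test pillar declares `port: 3306` under `database`, but the connection strings changed in this commit interpolate only `server.database.host` with no port, so the key appears to be unused by the templates shown here; if no other template consumes it, either drop it from the fixture or note that the port is not configurable. Inferred from the visible hunks only — a template outside this diff may read it.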
diff --git a/tests/pillar/designate_mitaka.sls b/tests/pillar/designate_mitaka.sls
index 90775a5..caffa4f 100644
--- a/tests/pillar/designate_mitaka.sls
+++ b/tests/pillar/designate_mitaka.sls
@@ -9,6 +9,15 @@
     mdns:
       address: 0.0.0.0
       port: 5354
+    database:
+        engine: mysql
+        host: 127.0.0.1
+        port: 3306
+        name:
+          main_database: designate
+          pool_manager: designate_pool_manager
+        user: designate
+        password: passw0rd
     message_queue:
       members:
         - host: 127.0.0.1
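Review bot: The `database` block added here indents its children by four spaces (`engine` at column 8 under `database:` at column 4) while the rest of this pillar, and the equivalent liberty fixture in this commit, use two; YAML accepts it, but the two fixtures should match. Suggested form: `    database:` followed by `      engine: mysql` and the remaining keys at the same six-space indent.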
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index bc033e8..7168c35 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -3,6 +3,9 @@
 
 designate:
   server:
+    database:
+      ssl:
+        enabled: True
     message_queue:
       port: 5671
       ssl:
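Review bot: The SSL test pillar enables database TLS but supplies neither `cacert` nor `cacert_file`, so it exercises only the `file.exists` branch against `system_cacerts_file`; the `file.managed` path that writes a pillar-provided CA (`designate:server:database:ssl:cacert`) has no test coverage in this commit. Consider adding a fixture with `cacert_file` and a `cacert` value so both branches render. Stylistically, `enabled: True` would be better as `enabled: true` to avoid YAML 1.1/1.2 boolean-spelling differences, unless the surrounding file already uses the capitalised form.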