Update README.rst for X.509 auth for MySQL and Designate
Related-PROD: PROD-22737
Change-Id: Ibddba4f477abd10bd67c4cb253bcc57e9487261f
diff --git a/README.rst b/README.rst
index 2ba22ba..990e84d 100644
--- a/README.rst
+++ b/README.rst
@@ -198,6 +198,29 @@
dig @127.0.0.1 test.example.com.
+Enable x509 and ssl communication between Designate and Galera cluster.
+---------------------
+By default communication between Designate and Galera is unsecure.
+
+designate:
+ server:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+designate:
+ server:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Documentation and Bugs
======================
diff --git a/designate/_ssl/mysql.sls b/designate/_ssl/mysql.sls
new file mode 100644
index 0000000..4f02193
--- /dev/null
+++ b/designate/_ssl/mysql.sls
@@ -0,0 +1,77 @@
+{%- from "designate/map.jinja" import server with context %}
+
+designate_ssl_mysql:
+ test.show_notification:
+ - text: "Running designate._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_designate_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: designate:server:database:x509:cacert
+ - mode: 444
+ - user: designate
+ - group: designate
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_designate_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: designate:server:database:x509:cert
+ - mode: 440
+ - user: designate
+ - group: designate
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_designate_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: designate:server:database:x509:key
+ - mode: 400
+ - user: designate
+ - group: designate
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_designate_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: designate
+ - group: designate
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_designate:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: designate:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/designate/files/pike/designate.conf.Debian b/designate/files/pike/designate.conf.Debian
index bcf5570..08ece94 100644
--- a/designate/files/pike/designate.conf.Debian
+++ b/designate/files/pike/designate.conf.Debian
@@ -1,5 +1,12 @@
{%- from "designate/map.jinja" import server, pool_manager with context %}
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
# Where an option is commented out, but filled in this shows the default
# value of that option
@@ -480,7 +487,7 @@
#-----------------------
[pool_manager_cache:sqlalchemy]
#connection = sqlite:///$state_path/designate_pool_manager.sqlite
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.pool_manager }}?charset=utf8{{ connection_x509_ssl_option|string }}
#connection_debug = 100
#connection_trace = False
@@ -522,7 +529,7 @@
# Database connection string - to configure options for a given implementation
# like sqlalchemy or other see below
#connection = sqlite:///$state_path/designate.sqlite
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.main_database }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name.main_database }}?charset=utf8{{ connection_x509_ssl_option|string }}
#connection_debug = 0
#connection_trace = False
diff --git a/designate/server.sls b/designate/server.sls
index 1a756c1..30ebdaa 100644
--- a/designate/server.sls
+++ b/designate/server.sls
@@ -1,8 +1,10 @@
{%- from "designate/map.jinja" import server with context %}
+
{%- if server.enabled %}
include:
- - designate.db.offline_sync
+ - designate.db.offline_sync
+ - designate._ssl.mysql
{%- if server.backend is defined %}
@@ -107,6 +109,7 @@
- names: {{ server.pkgs }}
- require_in:
- sls: designate.db.offline_sync
+ - sls: designate._ssl.mysql
/etc/designate/designate.conf:
file.managed:
@@ -116,8 +119,9 @@
- group: designate
- require:
- pkg: designate_server_packages
+ - sls: designate._ssl.mysql
- require_in:
- - sls: designate.db.offline_sync
+ - sls: designate.db.offline_sync
/etc/designate/api-paste.ini:
file.managed:
@@ -127,8 +131,9 @@
- group: designate
- require:
- pkg: designate_server_packages
+ - sls: designate._ssl.mysql
- require_in:
- - sls: designate.db.offline_sync
+ - sls: designate.db.offline_sync
designate_pool_sync:
cmd.run:
@@ -149,14 +154,12 @@
- require:
- sls: designate.db.offline_sync
- cmd: designate_pool_sync
+ - sls: designate._ssl.mysql
- watch:
- file: /etc/designate/designate.conf
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_designate_server
{%- endif %}
- {%- if server.database.get('ssl',{}).get('enabled', False) %}
- - file: mysql_ca_designate_server
- {%- endif %}
{%- if server.version not in ['liberty', 'juno', 'kilo'] and server.pools is defined %}
# Since Mitaka it is recommended to use pools.yaml for pools configuration
@@ -199,23 +202,4 @@
{%- endif %}
{%- endif %}
-
-{%- if server.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_designate_server:
-{%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: designate:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- - require_in:
- - file: /etc/designate/designate.conf
-{%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - require_in:
- - file: /etc/designate/designate.conf
-{%- endif %}
-{%- endif %}
-
{%- endif %}