MySQL TLS Support
Adds the ability to use a secure TLS connection
from the OS service to the MySQL database.
PROD-14217
Change-Id: Ic8f7deda05d9a101ec882273211dbddc034c73dd
diff --git a/glance/files/mitaka/glance-api.conf.Debian b/glance/files/mitaka/glance-api.conf.Debian
index 7776dfe..50ebbdd 100644
--- a/glance/files/mitaka/glance-api.conf.Debian
+++ b/glance/files/mitaka/glance-api.conf.Debian
@@ -688,7 +688,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave
# database. (string value)
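Review bot: The new `connection` line references `system_cacerts_file`, but this file gets no matching `{%- from "glance/map.jinja" import server, system_cacerts_file with context %}` hunk, unlike the two glance-glare templates; the same applies to the mitaka registry, newton api/registry and ocata api/registry hunks. If these templates do not already import that name (they may, for the message-queue CA), Salt's strict Jinja renderer will fail on the undefined variable as soon as `database:ssl:enabled` is set without a `cacert_file`, so the import should be confirmed in each file. Separately, passing only `ssl_ca` makes PyMySQL verify the server certificate chain against that CA; whether the server hostname is also checked depends on the PyMySQL version in use, which is worth stating next to the setting. A one-line comment above the key would make the contract visible: `# ssl_ca enables TLS and names the CA used to verify the MySQL server certificate; hostname checking depends on the PyMySQL version`.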
diff --git a/glance/files/mitaka/glance-registry.conf.Debian b/glance/files/mitaka/glance-registry.conf.Debian
index e85c990..3a2e8fb 100644
--- a/glance/files/mitaka/glance-registry.conf.Debian
+++ b/glance/files/mitaka/glance-registry.conf.Debian
@@ -391,7 +391,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave
# database. (string value)
diff --git a/glance/files/newton/glance-api.conf.Debian b/glance/files/newton/glance-api.conf.Debian
index ea18c08..881a62f 100644
--- a/glance/files/newton/glance-api.conf.Debian
+++ b/glance/files/newton/glance-api.conf.Debian
@@ -1810,7 +1810,8 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/files/newton/glance-glare.conf.Debian b/glance/files/newton/glance-glare.conf.Debian
index 3936c0b..0076336 100644
--- a/glance/files/newton/glance-glare.conf.Debian
+++ b/glance/files/newton/glance-glare.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "glance/map.jinja" import server with context %}
+{%- from "glance/map.jinja" import server, system_cacerts_file with context %}
{% set storage_engines = server.storage.engine.split(',') %}
[DEFAULT]
@@ -567,7 +567,8 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8&read_timeout=60
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8&read_timeout=60{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/files/newton/glance-registry.conf.Debian b/glance/files/newton/glance-registry.conf.Debian
index 915ff6b..7615b05 100644
--- a/glance/files/newton/glance-registry.conf.Debian
+++ b/glance/files/newton/glance-registry.conf.Debian
@@ -1058,7 +1058,8 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
+
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/files/ocata/glance-api.conf.Debian b/glance/files/ocata/glance-api.conf.Debian
index 9175c78..96cf507 100644
--- a/glance/files/ocata/glance-api.conf.Debian
+++ b/glance/files/ocata/glance-api.conf.Debian
@@ -1876,7 +1876,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/files/ocata/glance-glare.conf.Debian b/glance/files/ocata/glance-glare.conf.Debian
index 3936c0b..e688edf 100644
--- a/glance/files/ocata/glance-glare.conf.Debian
+++ b/glance/files/ocata/glance-glare.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "glance/map.jinja" import server with context %}
+{%- from "glance/map.jinja" import server, system_cacerts_file with context %}
{% set storage_engines = server.storage.engine.split(',') %}
[DEFAULT]
@@ -567,7 +567,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8&read_timeout=60
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8&read_timeout=60{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/files/ocata/glance-registry.conf.Debian b/glance/files/ocata/glance-registry.conf.Debian
index a6a6044..f62a7e3 100644
--- a/glance/files/ocata/glance-registry.conf.Debian
+++ b/glance/files/ocata/glance-registry.conf.Debian
@@ -1058,7 +1058,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/glance/server.sls b/glance/server.sls
index dab4dc8..a8de0e1 100644
--- a/glance/server.sls
+++ b/glance/server.sls
@@ -100,6 +100,9 @@
{%- if server.message_queue.get('ssl',{}).get('enabled',False) %}
- file: rabbitmq_ca
{% endif %}
+ {%- if server.database.get('ssl',{}).get('enabled',False) %}
+ - file: mysql_ca
+ {% endif %}
{%- endif %}
{%- endif %}
@@ -128,6 +131,9 @@
{%- if server.message_queue.get('ssl',{}).get('enabled',False) %}
- file: rabbitmq_ca
{% endif %}
+ {%- if server.database.get('ssl',{}).get('enabled',False) %}
+ - file: mysql_ca
+ {% endif %}
glance_install_database:
cmd.run:
@@ -275,6 +281,20 @@
{%- else %}
file.exists:
- name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{% endif %}
+{% endif %}
+
+{%- if server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca:
+{%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: glance:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
{%- endif %}
{%- endif %}
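Review bot: In the `file.managed` branch of `mysql_ca`, `- name: {{ server.database.ssl.cacert_file }}` has no default, while the `file.exists` branch and every connection string fall back to `system_cacerts_file`; the asymmetry looks deliberate (an inline pillar CA must never be written over the system bundle) but nothing says so, and a pillar that sets `cacert` without `cacert_file` will fail at render time with an undefined-variable error rather than a clear message. A comment above the branch would document the intent, e.g. `# cacert_file is mandatory when cacert is supplied inline: the system CA bundle must not be overwritten`. The same `server.database.get('ssl',{}).get('enabled',False)` guard is now repeated in four places in this file (the two `require` hunks above and twice here); a single `{%- set database_ssl_enabled = server.database.get('ssl',{}).get('enabled',False) %}` near the top would keep the four sites from drifting.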
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index c0bb4af..47b1e71 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -3,6 +3,9 @@
glance:
server:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl:
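Review bot: The added `database: ssl: enabled: True` only exercises the fallback path, so the `file.exists` branch and the `?ssl_ca={{ system_cacerts_file }}` rendering are covered while the `file.managed` branch of `mysql_ca` (`cacert` plus `cacert_file` from pillar) never renders in tests. Adding a `cacert_file:` entry and a `cacert:` block with a placeholder PEM to this pillar would cover both branches, including the missing-`cacert_file` failure mode; the rabbitmq `message_queue: ssl:` block in this same file may already show the shape to mirror, though its contents are outside the hunk.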