MySQL TLS Support
Change-Id: I46cb98d8ada7e0521e9adaabb080d8ce939c2f71
diff --git a/heat/files/liberty/heat.conf.Debian b/heat/files/liberty/heat.conf.Debian
index 697fdb0..f764987 100644
--- a/heat/files/liberty/heat.conf.Debian
+++ b/heat/files/liberty/heat.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "heat/map.jinja" import server with context %}
+{%- from "heat/map.jinja" import server, system_cacerts_file with context %}
[DEFAULT]
#
@@ -331,7 +331,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
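Review bot: The rewritten `connection` line renders `?&ssl_ca=…` when SSL is enabled and a dangling `?` when it is not, because the `?` sits outside the `{% if %}` while the `&` sits inside; the mitaka hunk has the same shape. SQLAlchemy's URL parser appears to drop the empty query pair, so it probably works today, but it is fragile and inconsistent with the newton/ocata lines where `&` correctly follows `charset=utf8`. Moving the separator inside the conditional keeps the URL clean in both cases: `{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}`.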
diff --git a/heat/files/mitaka/heat.conf.Debian b/heat/files/mitaka/heat.conf.Debian
index 3ddf3c3..88a7ffa 100644
--- a/heat/files/mitaka/heat.conf.Debian
+++ b/heat/files/mitaka/heat.conf.Debian
@@ -336,7 +336,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
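Review bot: This line references `system_cacerts_file`, but unlike the liberty file no change to this template's `{%- from "heat/map.jinja" import … %}` line is shown; the newton and ocata hunks are in the same position. If those templates do not already import it, a pillar that enables SSL without `cacert_file` would either fail to render on the undefined name or, under a permissive Undefined, emit an empty `ssl_ca=`, leaving CA verification effectively unconfigured. Worth confirming each template's import line, or extending it as the liberty hunk does: `{%- from "heat/map.jinja" import server, system_cacerts_file with context %}`. The rest of the `[database]` section is outside the hunk.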
diff --git a/heat/files/newton/heat.conf.Debian b/heat/files/newton/heat.conf.Debian
index 43fbf7c..bc05929 100644
--- a/heat/files/newton/heat.conf.Debian
+++ b/heat/files/newton/heat.conf.Debian
@@ -346,7 +346,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
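Review bot: `ssl_ca` only tells the driver which CA to trust for the server certificate; it does not configure client-certificate authentication, and whether the server certificate's hostname is checked depends on the PyMySQL version deployed, so the pillar contract for `database:ssl` should say what this option does and does not verify (the ocata hunk is identical). A short comment above the line would help the next reader, e.g. `# ssl_ca pins the CA used to verify the MySQL server certificate; client certs are not configured here`. If mutual TLS is expected elsewhere in the deployment, `ssl_cert`/`ssl_key` would need the same pillar plumbing, which is out of scope for this change but worth recording.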
diff --git a/heat/files/ocata/heat.conf.Debian b/heat/files/ocata/heat.conf.Debian
index edef658..9e7f4e4 100644
--- a/heat/files/ocata/heat.conf.Debian
+++ b/heat/files/ocata/heat.conf.Debian
@@ -1232,7 +1232,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
diff --git a/heat/server.sls b/heat/server.sls
index 2f9ebb1..f0ab5ac 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -132,6 +132,9 @@
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if server.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_heat_server
+ {%- endif %}
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbitmq_ca:
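Review bot: The `- file: mysql_ca_heat_server` entry added to this require list duplicates the `require_in: - file: /etc/heat/heat.conf` declared on the new `mysql_ca_heat_server` state in the next hunk; both express the same ordering edge, and keeping one makes the dependency graph easier to read. Since `rabbitmq_ca` is already wired through this require list, dropping the `require_in` block in the other hunk would match the existing pattern. The state these require lines belong to starts outside the hunk.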
@@ -147,4 +150,20 @@
{%- endif %}
{%- endif %}
+{%- if server.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_heat_server:
+{%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: heat:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+ - require_in:
+ - file: /etc/heat/heat.conf
+{%- endif %}
+
{%- endif %}
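Review bot: In the `file.managed` branch `name:` reads `server.database.ssl.cacert_file` directly, while the `file.exists` branch and the heat.conf templates fall back to `system_cacerts_file`; a pillar that supplies `cacert` without `cacert_file` therefore fails at render time (or gets an empty name) rather than a deliberate destination. Falling back to `system_cacerts_file` would be wrong here, as it would overwrite the system bundle with the pillar CA, so either document `cacert_file` as required whenever `cacert` is set or default to a heat-owned path, e.g. `- name: {{ server.database.ssl.get('cacert_file', '<HEAT_DB_CA_PATH placeholder>') }}`. Separately, `mode: 0444` is an unquoted octal-looking scalar that YAML 1.1 loaders read as the integer 292; Salt normalizes integer modes in many versions, but `mode: "0444"` is the unambiguous form.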
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index f11f67c..27bf62b 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -1,11 +1,15 @@
# Test of enabling SSL for the following communication paths:
# - messaging (rabbitmq)
+# - database
include:
- .server_cluster
heat:
server:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl: