Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / ironic / 258bf7c2c403621b17151ab84dc9a551e3dc4f98^! / .
commit258bf7c2c403621b17151ab84dc9a551e3dc4f98[log] [tgz]
authorOleksandr Shyshko <oshyshko@mirantis.com>Thu Sep 13 14:23:29 2018 +0300
committerOleksandr Shyshko <oshyshko@mirantis.com>Mon Sep 17 12:31:25 2018 +0300
tree288ff17cd122323164554ec92b03e65859bdc627
parent1a33d962bc34907b316cde3c84ad4ffb9fef8957 [diff]
Implement X.509 auth for MySQL and Ironic

Related-PROD: PROD-22747

Change-Id: I5fc208d97c09bace1543c88614d8141af70bc02f

diff --git a/.gitreview b/.gitreview
index 1ab9f24..b22bed5 100644
--- a/.gitreview
+++ b/.gitreview

@@ -1,4 +1,4 @@
 [gerrit]
-host=mcp-ci-gerrit
+host=gerrit.mcp.mirantis.net
 port=29418
 project=salt-formulas/ironic.git

diff --git a/README.rst b/README.rst
index 1beb5ac..0efe785 100644
--- a/README.rst
+++ b/README.rst

@@ -103,3 +103,37 @@
         user: openstack
         password: password
         virtual_host: '/openstack'
+
+Enable x509 and ssl communication between Ironic and Galera cluster.
+---------------------
+By default communication between Ironic and Galera is unsecure.
+
+ironic:
+  api:
+    database:
+      x509:
+        enabled: True
+  conductor:
+    database:
+      x509:
+        enabled: True
+
+You able to set custom certificates in pillar:
+
+ironic:
+  api:
+    database:
+      x509:
+        cacert: (certificate content)
+        cert: (certificate content)
+        key: (certificate content)
+  conductor:
+    database:
+      x509:
+        cacert: (certificate content)
+        cert: (certificate content)
+        key: (certificate content)
+
+You can read more about it here:
+    https://docs.openstack.org/security-guide/databases/database-access-control.html
+

diff --git a/ironic/_common.sls b/ironic/_common.sls
index a60f0a6..1cf72ef 100644
--- a/ironic/_common.sls
+++ b/ironic/_common.sls

@@ -5,10 +5,15 @@
   {%- set ironic, service_name = conductor, 'conductor' %}
 {%- endif %}
 
+include:
+  - ironic._ssl.mysql
+
 ironic_common_pkgs:
   pkg.installed:
     - name: 'ironic-common'
     - install_recommends: False
+    - require_in:
+      - sls: ironic._ssl.mysql
 
 /etc/ironic/ironic.conf:
   file.managed:
@@ -16,6 +21,7 @@
   - template: jinja
   - require:
     - pkg: ironic_common_pkgs
+    - sls: ironic._ssl.mysql
 
 {%- if ironic.message_queue.get('ssl',{}).get('enabled', False) %}
 rabbitmq_ca_ironic_file:
@@ -30,17 +36,3 @@
    - name: {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
 {%- endif %}
 {%- endif %}
-
-{%- if ironic.database.get('ssl',{}).get('enabled', False) %}
-mysql_ca_ironic_file:
-{%- if ironic.database.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ ironic.databse.ssl.cacert_file }}
-    - contents_pillar: ironic:{{ service_name }}:database:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-{%- else %}
-  file.exists:
-   - name: {{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}
-{%- endif %}
-{%- endif %}

diff --git a/ironic/_ssl/mysql.sls b/ironic/_ssl/mysql.sls
new file mode 100644
index 0000000..9f13be7
--- /dev/null
+++ b/ironic/_ssl/mysql.sls

@@ -0,0 +1,82 @@
+{%- from "ironic/map.jinja" import api,conductor with context %}
+{%- if api.get("enabled", False) %}
+  {%- set ironic, service_name = api, 'api' %}
+{%- elif conductor.get('enabled', False) %}
+  {%- set ironic, service_name = conductor, 'conductor' %}
+{%- endif %}
+
+ironic_ssl_mysql:
+  test.show_notification:
+    - text: "Running ironic._ssl.mysql"
+
+{%- if ironic.database.get('x509',{}).get('enabled',False) %}
+
+  {%- set ca_file=ironic.database.x509.ca_file %}
+  {%- set key_file=ironic.database.x509.key_file %}
+  {%- set cert_file=ironic.database.x509.cert_file %}
+
+mysql_ironic_ssl_x509_ca:
+  {%- if ironic.database.x509.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: ironic:{{ service_name }}:database:x509:cacert
+    - mode: 444
+    - user: ironic
+    - group: ironic
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ ca_file }}
+  {%- endif %}
+
+mysql_ironic_client_ssl_cert:
+  {%- if ironic.database.x509.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: ironic:{{ service_name }}:database:x509:cert
+    - mode: 440
+    - user: ironic
+    - group: ironic
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ cert_file }}
+  {%- endif %}
+
+mysql_ironic_client_ssl_private_key:
+  {%- if ironic.database.x509.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: ironic:{{ service_name }}:database:x509:key
+    - mode: 400
+    - user: ironic
+    - group: ironic
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ key_file }}
+  {%- endif %}
+
+mysql_ironic_ssl_x509_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: ironic
+    - group: ironic
+
+{%- elif ironic.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_ironic_file:
+{%- if ironic.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ ironic.databse.ssl.cacert_file }}
+    - contents_pillar: ironic:{{ service_name }}:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}
+{%- endif %}
+
+{%- endif %}
\ No newline at end of file

diff --git a/ironic/api.sls b/ironic/api.sls
index da1c539..99550f5 100644
--- a/ironic/api.sls
+++ b/ironic/api.sls

@@ -9,6 +9,7 @@
   - names: {{ api.pkgs }}
   - install_recommends: False
   - require_in:
+    - sls: ironic._common
     - sls: ironic.db.offline_sync
 
 {{ api.service }}:
@@ -16,6 +17,7 @@
     - enable: true
     - full_restart: true
     - require:
+      - sls: ironic._common
       - sls: ironic.db.offline_sync
     - watch:
       - file: /etc/ironic/ironic.conf
@@ -23,9 +25,6 @@
     {%- if api.message_queue.get('ssl',{}).get('enabled', False) %}
       - file: rabbitmq_ca_ironic_file
     {%- endif %}
-    {%- if api.database.get('ssl',{}).get('enabled', False) %}
-      - file: mysql_ca_ironic_file
-    {%- endif %}
 
 /etc/ironic/policy.json:
   file.managed:

diff --git a/ironic/conductor.sls b/ironic/conductor.sls
index 4bd2a1e..0d109af 100644
--- a/ironic/conductor.sls
+++ b/ironic/conductor.sls

@@ -7,6 +7,8 @@
   pkg.installed:
   - names: {{ conductor.pkgs }}
   - install_recommends: False
+  - require_in:
+    - sls: ironic._common
 
 {{ conductor.service }}:
   service.running:
@@ -16,12 +18,10 @@
       - file: /etc/ironic/ironic.conf
     - require:
       - pkg: ironic_conductor_packages
+      - sls: ironic._common
     {%- if conductor.message_queue.get('ssl',{}).get('enabled', False) %}
       - file: rabbitmq_ca_ironic_file
     {%- endif %}
-    {%- if conductor.database.get('ssl',{}).get('enabled', False) %}
-      - file: mysql_ca_ironic_file
-    {%- endif %}
 
 ironic_dirs:
   file.directory:

diff --git a/ironic/files/pike/ironic.conf b/ironic/files/pike/ironic.conf
index 0509bad..1c3f16f 100644
--- a/ironic/files/pike/ironic.conf
+++ b/ironic/files/pike/ironic.conf

@@ -4,6 +4,14 @@
 {%- elif conductor.get('enabled', False) %}
   {%- set ironic = conductor %}
 {%- endif %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if ironic.database.get('x509',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ ironic.database.x509.ca_file ~ '&ssl_cert=' ~ ironic.database.x509.cert_file ~ '&ssl_key=' ~ ironic.database.x509.key_file %}
+{%- elif ironic.database.get('ssl',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ ironic.database.ssl.get('cacert_file', ironic.cacert_file) %}
+{%- endif %}
+
 [DEFAULT]
 
 #
@@ -1241,7 +1249,7 @@
 # Deprecated group/name - [DEFAULT]/sql_connection
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
-connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file', ironic.cacert_file) }}{% endif %}
+connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
 
 # The SQLAlchemy connection string to use to connect to the
 # slave database. (string value)