MySQL TLS support
Adds the ability for the OpenStack Ironic services (api, conductor)
to connect to the MySQL database over TLS, validating the server against a configured CA certificate.
PROD-14220
Change-Id: I1b83e10d07647f16d9bf1f566296597647c76d8c
diff --git a/ironic/_common.sls b/ironic/_common.sls
index 61c587f..cc4b4bf 100644
--- a/ironic/_common.sls
+++ b/ironic/_common.sls
@@ -1,8 +1,8 @@
{%- from "ironic/map.jinja" import api,conductor, system_cacerts_file with context %}
{%- if api.get("enabled", False) %}
- {%- set ironic = api %}
+ {%- set ironic, service_name = api, 'api' %}
{%- elif conductor.get('enabled', False) %}
- {%- set ironic = conductor %}
+ {%- set ironic, service_name = conductor, 'conductor' %}
{%- endif %}
ironic_common_pkgs:
@@ -22,7 +22,7 @@
{%- if ironic.message_queue.ssl.cacert is defined %}
file.managed:
- name: {{ ironic.message_queue.ssl.cacert_file }}
- - contents_pillar: ironic:{{ 'api' if api.get("enabled", False) else 'conductor' }}:message_queue:ssl:cacert
+ - contents_pillar: ironic:{{ service_name }}:message_queue:ssl:cacert
- mode: 0444
- makedirs: true
{%- else %}
@@ -30,3 +30,17 @@
- name: {{ ironic.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
{%- endif %}
{%- endif %}
+
+{%- if ironic.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_ironic_{{ service_name }}:
+{%- if ironic.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ ironic.databse.ssl.cacert_file }}
+ - contents_pillar: ironic:{{ service_name }}:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ ironic.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
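Review bot: The `file.managed` destination is misspelled as `ironic.databse.ssl.cacert_file`, so any deployment that ships the CA through the `cacert` pillar key will fail to render (or render an empty `name`, depending on the renderer's undefined handling) instead of writing the certificate; it should read `- name: {{ ironic.database.ssl.cacert_file }}`. Once fixed, the managed file and the `ssl_ca` value in ironic.conf resolve to the same path, since the `file.exists` branch and the connection string both use `ironic.database.ssl.get('cacert_file', system_cacerts_file)`. Note that tests/pillar/ssl.sls only sets `database.ssl.enabled` and therefore exercises the `file.exists` branch only — adding a pillar test case that sets `cacert` and `cacert_file` would have caught this and would cover the path where the formula actually writes trust material.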
diff --git a/ironic/api.sls b/ironic/api.sls
index cae9009..68df1a3 100644
--- a/ironic/api.sls
+++ b/ironic/api.sls
@@ -25,6 +25,9 @@
{%- if api.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if api.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_ironic_api
+ {%- endif %}
/etc/ironic/policy.json:
file.managed:
diff --git a/ironic/conductor.sls b/ironic/conductor.sls
index 536a634..e16fccb 100644
--- a/ironic/conductor.sls
+++ b/ironic/conductor.sls
@@ -17,6 +17,9 @@
{%- if conductor.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca
{%- endif %}
+ {%- if conductor.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_ironic_conductor
+ {%- endif %}
ironic_dirs:
file.directory:
diff --git a/ironic/files/newton/ironic.conf b/ironic/files/newton/ironic.conf
index 2b984c2..7583ef1 100644
--- a/ironic/files/newton/ironic.conf
+++ b/ironic/files/newton/ironic.conf
@@ -939,7 +939,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8
+connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the
# slave database. (string value)
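Review bot: `ssl_ca` only tells the client which CA to trust; whether the connection fails closed when the server does not advertise TLS, and whether the server hostname is checked against the certificate, depends on the PyMySQL version deployed and is not pinned by this change — worth confirming on the target release, and worth enforcing server-side with `REQUIRE SSL` on the ironic database user (or `require_secure_transport=ON`) so a plaintext downgrade cannot succeed silently. The CA path is interpolated raw into the URL query string, so a `cacert_file` containing `&`, `#` or a space would corrupt the DSN; `&ssl_ca={{ ironic.database.ssl.get('cacert_file', system_cacerts_file)|urlencode }}` or a documented constraint on the pillar value would avoid that. This assumes `system_cacerts_file` is imported at the top of the template as it is in _common.sls; that import is outside the hunk.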
diff --git a/ironic/files/ocata/ironic.conf b/ironic/files/ocata/ironic.conf
index cc45876..87c1716 100644
--- a/ironic/files/ocata/ironic.conf
+++ b/ironic/files/ocata/ironic.conf
@@ -1237,7 +1237,7 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
-connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8
+connection = {{ ironic.database.engine }}+pymysql://{{ ironic.database.user }}:{{ ironic.database.password }}@{{ ironic.database.host }}/{{ ironic.database.name }}?charset=utf8{%- if ironic.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ ironic.database.ssl.get('cacert_file',system_cacerts_file) }}{% endif %}
# The SQLAlchemy connection string to use to connect to the
# slave database. (string value)
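Review bot: Only the CA bundle is exposed to the pillar here; there is no knob for `ssl_cert`/`ssl_key` (client certificate for mutual TLS) or `ssl_check_hostname`, so operators who need the database to enforce `REQUIRE X509` on the ironic user would have to patch this template rather than configure it. If that is intended scope, a short comment above the `connection` line saying so would save the next reader a search, e.g. `# TLS to MySQL: only server-certificate verification via ssl_ca is configurable from pillar`. The newton template carries the identical conditional, so any such extension should land in both. `system_cacerts_file` is assumed to be imported at the top of this template, outside the hunk.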
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index 9855e0a..0930aa0 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -1,6 +1,7 @@
# Description:
# test of SSL enabling for the following communication paths:
# - messaging (rabbitmq)
+# - database
include:
- .api_single
@@ -8,11 +9,17 @@
ironic:
api:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl:
enabled: True
conductor:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl: