MySQL TLS Support

Adds the ability to use a TLS-secured connection
from the OS service to the MySQL database.

Change-Id: I2e6f8b3d6ad1b99daa089ea3641c57db03aabddc
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index a526cee..e319050 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -601,7 +601,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
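Review bot: The `?ssl_ca=` argument appended on the `+connection=` line is specific to the MySQL dialects, but the guard only tests `ssl.enabled`, so a pillar with `ssl.enabled` and a non-MySQL `server.database.engine` would hand an unknown `ssl_ca` connect argument to that driver; if the engine is not fixed to mysql, tighten the guard to `{%- if server.database.engine == 'mysql' and server.database.get('ssl',{}).get('enabled',False) %}`. The same pattern appears in the newton and ocata hunks of this commit. A one-line comment above the option stating what `ssl_ca` guarantees would also help operators: depending on the driver and client-library version, supplying only a CA file may enable encryption without strict server-certificate or hostname verification, so the resulting verification mode should be confirmed rather than assumed. Whether `system_cacerts_file` is always defined depends on map.jinja, not on this file.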
diff --git a/keystone/files/newton/keystone.conf.Debian b/keystone/files/newton/keystone.conf.Debian
index db95287..95858ed 100644
--- a/keystone/files/newton/keystone.conf.Debian
+++ b/keystone/files/newton/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -703,7 +703,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
diff --git a/keystone/files/ocata/keystone.conf.Debian b/keystone/files/ocata/keystone.conf.Debian
index 375935c..fc04d71 100644
--- a/keystone/files/ocata/keystone.conf.Debian
+++ b/keystone/files/ocata/keystone.conf.Debian
@@ -1,4 +1,4 @@
-{% from "keystone/map.jinja" import server with context %}
+{% from "keystone/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -776,7 +776,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
diff --git a/keystone/map.jinja b/keystone/map.jinja
index 1a40274..35a2613 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+    'Debian': '/etc/ssl/certs/ca-certificates.crt',
+    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
 
 {% set server = salt['grains.filter_by']({
     'Debian': {
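Review bot: `grains.filter_by` returns None when `os_family` matches neither `Debian` nor `RedHat` and no `default` key is supplied, so on any other platform `system_cacerts_file` renders as the literal string `None` wherever it is used as a fallback (the keystone.conf templates would emit `?ssl_ca=None`). Either add a `default` entry to the lookup or make the consumers handle a missing bundle explicitly; at minimum a comment such as `{# system CA bundle path by os_family; None on unsupported platforms #}` above the set would make the gap visible. The `set server` statement that follows continues outside the hunk.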
diff --git a/keystone/server.sls b/keystone/server.sls
index b29e39e..a05d7d0 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,4 +1,4 @@
-{%- from "keystone/map.jinja" import server with context %}
+{%- from "keystone/map.jinja" import server, system_cacerts_file with context %}
 {%- if server.enabled %}
 
 keystone_packages:
@@ -419,4 +419,22 @@
 {%- endfor %}
 {%- endif %} {# end noservices #}
 
+{%- if server.database.get('ssl',{}).get('enabled',False)  %}
+mysql_ca:
+{%- if server.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.database.ssl.cacert_file }}
+    - contents_pillar: keystone:server:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - file: /etc/keystone/keystone.conf
+{%- else %}
+  file.exists:
+   - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - require_in:
+     - file: /etc/keystone/keystone.conf
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
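Review bot: In the `mysql_ca` state the `file.managed` branch uses `{{ server.database.ssl.cacert_file }}` with no default, while the `file.exists` branch and the keystone.conf templates use `.get('cacert_file', system_cacerts_file)`; with `cacert` set in pillar but no `cacert_file`, this state gets an undefined `name` while the connection string points at the system bundle, so the deployed CA is not the one the service actually trusts. Make `cacert_file` explicitly required in that branch rather than reusing the system-bundle fallback (writing pillar contents over the system bundle would be the wrong default), and document the two pillar keys above the state, e.g. `{# ssl.cacert: PEM contents to deploy; ssl.cacert_file: path referenced by the DB connection string #}`. The list items under `file.exists` are indented three spaces where the rest of the file uses four. The enclosing `{%- if server.enabled %}` block starts outside the hunk.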