Merge "Upload os_client_config to mine during upgrade"
diff --git a/README.rst b/README.rst
index a171ab2..7603911 100644
--- a/README.rst
+++ b/README.rst
@@ -845,6 +845,27 @@
 
 Currently the default fernet rotation driver is a shared filesystem
 
+Enable x509 and ssl communication between Keystone and Galera cluster.
+---------------------
+By default communication between Keystone and Galera is unsecure.
+
+You able to set custom certificates in pillar:
+server:
+  database:
+    x509:
+      enabled: True
+
+keystone:
+  server:
+    database:
+      x509:
+        cacert (certificate content)
+        cert (certificate content)
+        key (certificate content)
+
+You can read more about it here:
+    https://docs.openstack.org/security-guide/databases/database-access-control.html
+
 Documentation and Bugs
 ======================
 
diff --git a/keystone/_ssl/mysql.sls b/keystone/_ssl/mysql.sls
new file mode 100644
index 0000000..a2b93a9
--- /dev/null
+++ b/keystone/_ssl/mysql.sls
@@ -0,0 +1,58 @@
+{%- from "keystone/map.jinja" import server with context %}
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+  {%- set ca_file=server.database.x509.ca_file %}
+  {%- set key_file=server.database.x509.key_file %}
+  {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_keystone_ssl_x509_ca:
+  {%- if server.database.x509.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: keystone:server:database:x509:cacert
+    - mode: 444
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ ca_file }}
+  {%- endif %}
+
+mysql_keystone_client_ssl_cert:
+  {%- if server.database.x509.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: keystone:server:database:x509:cert
+    - mode: 440
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ cert_file }}
+  {%- endif %}
+
+mysql_keystone_client_ssl_private_key:
+  {%- if server.database.x509.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: keystone:server:database:x509:key
+    - mode: 400
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ key_file }}
+  {%- endif %}
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_keystone:
+  {%- if server.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.database.ssl.cacert_file }}
+    - contents_pillar: keystone:server:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+  {%- endif %}
+
+{%- endif %}
\ No newline at end of file
diff --git a/keystone/client/os_client_config.sls b/keystone/client/os_client_config.sls
index bffed11..1b87982 100644
--- a/keystone/client/os_client_config.sls
+++ b/keystone/client/os_client_config.sls
@@ -12,7 +12,7 @@
     - name: {{ config.get('file', '/root/.config/openstack/clouds.yml') }}
     - contents: |
         {{ client.os_client_config.cfgs.get(conf_name).content |yaml(False)|indent(8) }}
-    - owner: {{ config.get('owner', 'root') }}
+    - user: {{ config.get('user', 'root') }}
     - group: {{ config.get('group', 'root') }}
     - makedirs: True
 
diff --git a/keystone/files/pike/keystone.conf.Debian b/keystone/files/pike/keystone.conf.Debian
index c0447e4..29f69d9 100644
--- a/keystone/files/pike/keystone.conf.Debian
+++ b/keystone/files/pike/keystone.conf.Debian
@@ -1,6 +1,13 @@
 {% from "keystone/map.jinja" import server with context %}
-[DEFAULT]
 
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+  {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
+[DEFAULT]
 #
 # From keystone
 #
@@ -779,7 +786,7 @@
 # Deprecated group/name - [DATABASE]/sql_connection
 # Deprecated group/name - [sql]/connection
 #connection = <None>
-connection={{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
 
 # The SQLAlchemy connection string to use to connect to the slave database.
 # (string value)
diff --git a/keystone/server.sls b/keystone/server.sls
index 4c3e17c..96adc87 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -1,11 +1,17 @@
 {%- from "keystone/map.jinja" import server with context %}
+
 {%- if server.enabled %}
 
+{%- set mysql_x509_ssl_enabled = server.database.get('x509',{}).get('enabled',False) or server.database.get('ssl',{}).get('enabled',False) %}
+
 include:
-{%- if server.service_name in ['apache2', 'httpd'] %}
-- apache
-{%- endif %}
-- keystone.db.offline_sync
+  {%- if server.service_name in ['apache2', 'httpd'] %}
+  - apache
+  {%- endif %}
+  - keystone.db.offline_sync
+  {%- if mysql_x509_ssl_enabled %}
+  - keystone._ssl.mysql
+  {%- endif %}
 
 keystone_packages:
   pkg.installed:
@@ -94,8 +100,13 @@
   file.managed:
   - source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
   - template: jinja
+  - mode: 0640
+  - group: keystone
   - require:
     - pkg: keystone_packages
+    {%- if mysql_x509_ssl_enabled %}
+    - sls: keystone._ssl.mysql
+    {%- endif %}
   - watch_in:
     - service: {{ keystone_service }}
 
@@ -104,6 +115,8 @@
 /etc/keystone/sso_callback_template.html:
   file.managed:
   - source: salt://keystone/files/sso_callback_template.html
+  - mode: 0640
+  - group: keystone
   - require:
     - pkg: keystone_packages
   - watch_in:
@@ -114,7 +127,8 @@
 /etc/keystone/keystone-paste.ini:
   file.managed:
   - source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
-  - user: keystone
+  - mode: 0640
+  - user: root
   - group: keystone
   - template: jinja
   - require:
@@ -132,13 +146,16 @@
 
 /etc/keystone/logging.conf:
   file.managed:
-    - user: keystone
+    - mode: 0640
+    - user: root
     - group: keystone
     - source: salt://oslo_templates/files/logging/_logging.conf
     - template: jinja
     - defaults:
         service_name: keystone
         _data: {{ server.logging }}
+    - require_in:
+      - sls: keystone.db.offline_sync
     - require:
       - pkg: keystone_packages
 {%- if server.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -158,7 +175,8 @@
 
 /etc/keystone/policy.json:
   file.managed:
-  - user: keystone
+  - mode: 0640
+  - user: root
   - group: keystone
   - require:
     - pkg: keystone_packages
@@ -208,6 +226,8 @@
   file.managed:
     - source: salt://keystone/files/keystone.domain.conf
     - template: jinja
+    - mode: 0640
+    - group: keystone
     - require:
       - file: /etc/keystone/domains
     - watch_in:
@@ -298,6 +318,9 @@
   file.managed:
   - source: salt://keystone/files/keystonerc
   - template: jinja
+  - mode: 0640
+  - user: root
+  - group: root
   - require:
     - pkg: keystone_packages
 
@@ -305,6 +328,9 @@
   file.managed:
   - source: salt://keystone/files/keystonercv3
   - template: jinja
+  - mode: 0640
+  - user: root
+  - group: root
   - require:
     - pkg: keystone_packages
 
@@ -539,25 +565,6 @@
 {%- endfor %}
 {%- endif %} {# end noservices #}
 
-{%- if server.database.get('ssl',{}).get('enabled',False)  %}
-mysql_ca_keystone_server:
-{%- if server.database.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ server.database.ssl.cacert_file }}
-    - contents_pillar: keystone:server:database:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-    - require_in:
-      - file: /etc/keystone/keystone.conf
-{%- else %}
-  file.exists:
-   - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
-   - require_in:
-     - file: /etc/keystone/keystone.conf
-{% endif %}
-{% endif %}
-
-
 {%- if server.notification and server.message_queue.get('ssl',{}).get('enabled', False) %}
 rabbitmq_ca_keystone_server:
 {%- if server.message_queue.ssl.cacert is defined %}