MySQL TLS Support
PROD-14215
Change-Id: Id5c83b02dbdd49b09515c60b1a01ab1843dbff77
diff --git a/neutron/files/mitaka/neutron-server.conf.Debian b/neutron/files/mitaka/neutron-server.conf.Debian
index ad90ee9..a3dcdc1 100644
--- a/neutron/files/mitaka/neutron-server.conf.Debian
+++ b/neutron/files/mitaka/neutron-server.conf.Debian
@@ -750,7 +750,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
{% if server.backend.engine == "ml2" %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{% else %}
connection = sqlite:////var/lib/neutron/neutron.sqlite
{% endif %}
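Review bot: The new `ssl_ca` query argument on the `connection =` line pins a CA for the pymysql client, but nothing on the line documents whether that client refuses a server that does not offer TLS (rather than silently continuing in plaintext, password included) or whether the server hostname is checked against the presented certificate; both behaviours depend on the PyMySQL and SQLAlchemy versions shipped for this release, so they are worth confirming in the deployed packages and recording in a comment above the line, e.g. `# ssl_ca enables TLS to MySQL and pins the CA; confirm the deployed PyMySQL rejects a non-TLS server and verifies the hostname`. The CA path is also interpolated into the URL unescaped, so a `cacert_file` containing `&`, `?`, `#` or a space would corrupt the connection string; passing it through Jinja's `urlencode` filter (`{{ server.database.ssl.get('cacert_file', system_cacerts_file) | urlencode }}`) avoids that. The same two points apply to the newton and ocata hunks below, which differ only in joining with `&` after `charset=utf8`.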
diff --git a/neutron/files/newton/neutron-server.conf.Debian b/neutron/files/newton/neutron-server.conf.Debian
index 76768ae..fc763eb 100644
--- a/neutron/files/newton/neutron-server.conf.Debian
+++ b/neutron/files/newton/neutron-server.conf.Debian
@@ -760,7 +760,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
{% if server.backend.engine == "ml2" %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{% else %}
connection = sqlite:////var/lib/neutron/neutron.sqlite
{% endif %}
diff --git a/neutron/files/ocata/neutron-server.conf.Debian b/neutron/files/ocata/neutron-server.conf.Debian
index fd15e1f..79376a2 100644
--- a/neutron/files/ocata/neutron-server.conf.Debian
+++ b/neutron/files/ocata/neutron-server.conf.Debian
@@ -848,8 +848,9 @@
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
+
{% if server.backend.engine in ["ml2", "ovn"] %}
-connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8
+connection = {{ server.database.engine }}+pymysql://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{%- if server.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ server.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
{% else %}
connection = sqlite:////var/lib/neutron/neutron.sqlite
{% endif %}
diff --git a/neutron/server.sls b/neutron/server.sls
index 6de0f4a..ab624f5 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -69,6 +69,9 @@
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_neutron_server
{%- endif %}
+ {%- if server.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_neutron_server
+ {%- endif %}
{%- endif %}
@@ -109,6 +112,9 @@
- template: jinja
- require:
- pkg: neutron_server_packages
+ {%- if server.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_neutron_server
+ {%- endif %}
/etc/neutron/api-paste.ini:
file.managed:
@@ -257,6 +263,9 @@
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_neutron_server
{%- endif %}
+ {%- if server.database.get('ssl',{}).get('enabled', False) %}
+ - file: mysql_ca_neutron_server
+ {%- endif %}
{%- if grains.get('virtual_subtype', None) == "Docker" %}
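Review bot: The added `- file: mysql_ca_neutron_server` entry mirrors the rabbitmq CA entry above it, but if this list is a service's `require` rather than its `watch` (the enclosing state starts and ends outside the hunk, so I cannot tell from here), a rotated CA written by `mysql_ca_neutron_server` will not restart neutron-server and the running process keeps trusting the old CA until its next restart. If that is the case, the same `- file: mysql_ca_neutron_server` line belongs under `watch` as well, guarded by the same `{%- if server.database.get('ssl',{}).get('enabled', False) %}` condition.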
@@ -284,4 +293,18 @@
{%- endif %}
{%- endif %}
+{%- if server.database.get('ssl',{}).get('enabled', False) %}
+mysql_ca_neutron_server:
+{%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: neutron:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
{%- endif %}
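Review bot: In the pillar-provided branch of `mysql_ca_neutron_server`, `- name: {{ server.database.ssl.cacert_file }}` has no default, whereas the `file.exists` branch and the three conf templates fall back to `system_cacerts_file`; a pillar that sets `cacert` but omits `cacert_file` therefore renders an empty or undefined `name` here while the connection string points the client at the system bundle, so the certificate being written is never the one the client trusts. Either document the contract with a comment above the `{%- if server.database.ssl.cacert is defined %}` line, e.g. `# cacert_file is mandatory when cacert is supplied via pillar; the conf templates read the same key`, or make the render fail explicitly when `cacert_file` is missing. Separately, `- mode: 0444` is an unquoted YAML 1.1 octal literal (decimal 292 to a generic parser); `- mode: '0444'` is the quoted form Salt's documentation recommends for file modes. The outer `{%- if %}` whose `{%- endif %}` closes the hunk starts outside it.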
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index 3e79d83..4eb9fa9 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -3,6 +3,9 @@
neutron:
server:
+ database:
+ ssl:
+ enabled: True
message_queue:
port: 5671
ssl: