MySQL TLS Support

Adds the ability to use a TLS-secured connection
from the OS service to the MySQL database.

PROD-14213
Change-Id: I47431e1ad4d9445f70f1e330c33cb96b5e390c42
diff --git a/nova/controller.sls b/nova/controller.sls
index f898295..94dda8b 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -277,6 +277,9 @@
     - file: /etc/nova/nova.conf
     - file: /etc/nova/api-paste.ini
     - file: /etc/apache2/sites-available/nova-placement-api.conf
+    {%- if controller.database.get('ssl',{}).get('enabled',False)  %}
+    - file: mysql_ca
+    {% endif %}
 
 {%- endif %}
 
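Review bot: The added Jinja guard on the `mysql_ca` requirement is written differently from the `rabbitmq_ca` guard it sits next to: it has a stray double space before `%}` and closes with `{% endif %}` rather than the `{%- endif %}` used for the RabbitMQ case, so the rendered state picks up an extra blank line; the same applies to the hunk at the next `@@` (`- file: mysql_ca` under the message-queue requirement). Suggest `{%- if controller.database.get('ssl', {}).get('enabled', False) %}` / `{%- endif %}` in both places. The enclosing state definition starts outside this hunk.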
@@ -295,6 +298,9 @@
     {%- if controller.message_queue.get('ssl',{}).get('enabled',False) %}
     - file: rabbitmq_ca
     {%- endif %}
+    {%- if controller.database.get('ssl',{}).get('enabled',False)  %}
+    - file: mysql_ca
+    {% endif %}
 
 {%- if grains.get('virtual_subtype', None) == "Docker" %}
 
@@ -307,4 +313,22 @@
 
 {%- endif %}
 
+{%- if controller.database.get('ssl',{}).get('enabled',False)  %}
+mysql_ca:
+{%- if controller.database.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ controller.database.ssl.cacert_file }}
+    - contents_pillar: nova:controller:database:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - file: /etc/nova/nova.conf
+{%- else %}
+  file.exists:
+   - name: {{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}
+   - require_in:
+     - file: /etc/nova/nova.conf
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
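Review bot: The `file.managed` branch reads `controller.database.ssl.cacert_file` directly while the `file.exists` branch and the conf templates fall back to `system_cacerts_file`, so a pillar that sets `cacert` without `cacert_file` would render an undefined value here (or fail under strict undefined) while `nova.conf` points `ssl_ca` at the system bundle, and the CA that is written and the CA that is trusted would diverge. Either make `cacert_file` mandatory when `cacert` is given and document that in the pillar schema, or resolve the path once and reuse it in both branches; the fallback to the system bundle should not be used as the `file.managed` target, since that would overwrite the system CA store with the pillar contents. Two smaller points: the `file.exists` list items are indented three spaces where the rest of the file uses four, and `mode: 0444` is an unquoted octal literal to a YAML 1.1 parser, so `mode: '0444'` is safer. `system_cacerts_file` appears to be defined outside this hunk; worth confirming it is in scope for this SLS.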
diff --git a/nova/files/mitaka/nova-controller.conf.Debian b/nova/files/mitaka/nova-controller.conf.Debian
index 5c6f7ef..d6f6c23 100644
--- a/nova/files/mitaka/nova-controller.conf.Debian
+++ b/nova/files/mitaka/nova-controller.conf.Debian
@@ -180,7 +180,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 [api_database]
 idle_timeout = 180
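Review bot: Appending `?ssl_ca=...` to the SQLAlchemy URL turns on TLS, but whether the server certificate is actually verified (and its name checked against `controller.database.host`) depends on how the driver interprets the `ssl_ca` option SQLAlchemy forwards to PyMySQL, which has changed across driver versions; the commit should state the expected verification behaviour and ideally test it, since TLS without certificate verification is the usual failure mode of this kind of change. If `controller.database.host` is an IP address rather than a name, any hostname check the driver performs will need that IP in the certificate's SAN. The same condition and `ssl_ca` suffix are repeated verbatim in the hunks ending at `[glance]` below and in the newton and ocata `nova-controller.conf.Debian` hunks; a single `{%- set db_ssl_ca = ... %}` near the top of each template would keep the six copies from drifting. Note that the URL already varies between `?ssl_ca=` (mitaka, no existing query string) and `&ssl_ca=` (newton/ocata, after `charset=utf8`), which is correct but easy to get wrong on the next edit.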
@@ -193,7 +193,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api{%- if controller.database.get('ssl',{}).get('enabled',False) %}?ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 [glance]
 
diff --git a/nova/files/newton/nova-controller.conf.Debian b/nova/files/newton/nova-controller.conf.Debian
index 0505bb6..daa8334 100644
--- a/nova/files/newton/nova-controller.conf.Debian
+++ b/nova/files/newton/nova-controller.conf.Debian
@@ -185,7 +185,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 [oslo_middleware]
 enable_proxy_headers_parsing=True
@@ -201,7 +201,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 [glance]
 
diff --git a/nova/files/ocata/nova-controller.conf.Debian b/nova/files/ocata/nova-controller.conf.Debian
index e70bf4f..ee7bcc3 100644
--- a/nova/files/ocata/nova-controller.conf.Debian
+++ b/nova/files/ocata/nova-controller.conf.Debian
@@ -3416,7 +3416,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # The SQLAlchemy connection string to use to connect to the database. (string
 # value)
@@ -4458,7 +4458,7 @@
 db_retry_interval = 1
 connection_debug = 10
 pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{%- if controller.database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ controller.database.ssl.get('cacert_file', system_cacerts_file) }}{% endif %}
 
 # If True, SQLite uses synchronous mode. (boolean value)
 # Deprecated group/name - [DEFAULT]/sqlite_synchronous
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index d42f6bf..07f4ad6 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -4,11 +4,17 @@
 
 nova:
   controller:
+    database:
+      ssl:
+        enabled: True
     message_queue:
       port: 5671
       ssl:
         enabled: True
   compute:
+    database:
+      ssl:
+        enabled: True
     message_queue:
       port: 5671
       ssl: