Implement X.509 auth for MySQL and Nova
cluster:control:
- system.salt.minion.cert.mysql.clients.openstack.nova
nova:
  controller:
    database:
      x509:
        enabled: True
        ca_file: ${_param:mysql_nova_ssl_ca_file}
        cert_file: ${_param:mysql_nova_client_ssl_cert_file}
        key_file: ${_param:mysql_nova_client_ssl_key_file}
cluster:db
- system.galera.server.database.x509.nova
Related-PROD: PROD-19981
Change-Id: I5402a4f4f34ca7472dd537fbceda70a2ca3b6c9a
diff --git a/README.rst b/README.rst
index 1e367dc..b93b061 100644
--- a/README.rst
+++ b/README.rst
@@ -1059,6 +1059,27 @@
You can read more about it here:
https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html
+Enable x509 and ssl communication between Nova and Galera cluster.
+---------------------
+By default communication between Nova and Galera is unsecure.
+
+You able to set custom certificates in pillar:
+controller:
+ database:
+ x509:
+ enabled: True
+
+nova:
+ controller:
+ database:
+ x509:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
+
Documentation and Bugs
======================
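Review bot: The pillar keys documented in the second sample (`cacert`, `cert`, `key`, each described as "certificate content") do not match the `ca_file`, `cert_file` and `key_file` keys used in the commit message, so a reader cannot tell which set the formula reads or whether a value is a file path or inline PEM content; document both forms explicitly, or only the one the templates consume. The first sample starts at `controller:` without its `nova:` parent, and neither sample is introduced with `::` and indented as a literal block, so the YAML will render as run-together text with its nesting lost. The underline `---------------------` is shorter than the title above it, which docutils reports as "Title underline too short"; extend it to the full title length. Since private key material ends up in pillar under `key`, a sentence on restricting that pillar to the targeted minions would help. Wording: "unsecure" would read better as "not encrypted", and "You able to" should be "You are able to".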