[REFACTOR] Implement X.509 auth for MySQL and Nova
Some cosmetic edits.
Change-Id: I46cf70f1e138b7117e9343ef8168124eb0b243b5
Related-PROD: PROD-19981
diff --git a/nova/_ssl/mysql.sls b/nova/_ssl/mysql.sls
index 9d1acdb..3d715e9 100644
--- a/nova/_ssl/mysql.sls
+++ b/nova/_ssl/mysql.sls
@@ -1,5 +1,9 @@
{% from "nova/map.jinja" import controller with context %}
+nova_ssl_mysql:
+ test.show_notification:
+ - text: "Running nova._ssl.mysql"
+
{%- if controller.database.get('x509',{}).get('enabled',False) %}
{%- set ca_file=controller.database.x509.ca_file %}
@@ -12,6 +16,8 @@
- name: {{ ca_file }}
- contents_pillar: nova:controller:database:x509:cacert
- mode: 444
+ - user: nova
+ - group: nova
- makedirs: true
{%- else %}
file.exists:
@@ -24,6 +30,8 @@
- name: {{ cert_file }}
- contents_pillar: nova:controller:database:x509:cert
- mode: 440
+ - user: nova
+ - group: nova
- makedirs: true
{%- else %}
file.exists:
@@ -36,13 +44,24 @@
- name: {{ key_file }}
- contents_pillar: nova:controller:database:x509:key
- mode: 400
+ - user: nova
+ - group: nova
- makedirs: true
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
-{% elif controller.database.get('ssl',{}).get('enabled',False) %}
+mysql_nova_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: nova
+ - group: nova
+
+ {% elif controller.database.get('ssl',{}).get('enabled',False) %}
mysql_ca_nova_controller:
{%- if controller.database.ssl.cacert is defined %}
file.managed:
diff --git a/nova/controller.sls b/nova/controller.sls
index cc6c2fc..0251163 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -1,7 +1,5 @@
{% from "nova/map.jinja" import controller with context %}
-{%- set mysql_x509_ssl_enabled = controller.database.get('x509',{}).get('enabled',False) or controller.database.get('ssl',{}).get('enabled',False) %}
-
{%- if controller.get('enabled') %}
include:
@@ -12,9 +10,7 @@
# TODO(vsaienko) we need to run online dbsync only once after upgrade
# Move to appropriate upgrade phase
- nova.db.online_sync
- {%- if mysql_x509_ssl_enabled %}
- nova._ssl.mysql
- {%- endif %}
{%- if grains.os_family == 'Debian' %}
debconf-set-prerequisite:
@@ -173,6 +169,7 @@
- template: jinja
- require:
- pkg: nova_controller_packages
+ - sls: nova._ssl.mysql
- require_in:
- sls: nova.db.offline_sync
- sls: nova.db.online_sync
@@ -434,9 +431,7 @@
{%- endif %}
- require:
- sls: nova.db.offline_sync
- {%- if mysql_x509_ssl_enabled %}
- sls: nova._ssl.mysql
- {%- endif %}
- watch:
- file: /etc/nova/nova.conf
- file: /etc/nova/api-paste.ini
@@ -453,9 +448,7 @@
{%- endif %}
- require:
- sls: nova.db.offline_sync
- {%- if mysql_x509_ssl_enabled %}
- sls: nova._ssl.mysql
- {%- endif %}
- require_in:
- sls: nova.db.online_sync
- watch: