[REFACTOR] Implement X.509 auth for MySQL and Nova
Some cosmetic edits.
Moved 'nova._ssl.mysql' to 'require' construction.
Related-PROD: PROD-19981
Change-Id: I3124c09c89b26807b3d9cc50e415d7a6c2c65049
diff --git a/nova/_ssl/mysql.sls b/nova/_ssl/mysql.sls
index 3f44e2a..9d1acdb 100644
--- a/nova/_ssl/mysql.sls
+++ b/nova/_ssl/mysql.sls
@@ -2,9 +2,9 @@
{%- if controller.database.get('x509',{}).get('enabled',False) %}
- {%- set ca_file=controller.database.x509.get('ca_file') %}
- {%- set key_file=controller.database.x509.get('key_file') %}
- {%- set cert_file=controller.database.x509.get('cert_file') %}
+ {%- set ca_file=controller.database.x509.ca_file %}
+ {%- set key_file=controller.database.x509.key_file %}
+ {%- set cert_file=controller.database.x509.cert_file %}
mysql_nova_ssl_x509_ca:
{%- if controller.database.x509.cacert is defined %}
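Review bot: After the switch from `.get('ca_file')` to attribute access on the three `set` lines, a pillar that enables x509 but omits one of the paths is still not rejected. As far as I know, Jinja's default undefined renders as an empty string, so the states that follow (outside this hunk) would presumably receive an empty file name instead of failing. The same holds for the `connection_x509_ssl_option` line in nova-controller.conf.Debian, which would render `&ssl_ca=&ssl_cert=&ssl_key=`. If the keys are mandatory, say so where they are read, e.g. `{#- ca_file, key_file and cert_file are required when x509.enabled is true #}`, and consider failing the render when any of them is undefined.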
diff --git a/nova/controller.sls b/nova/controller.sls
index 5b814df..cc6c2fc 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -453,11 +453,11 @@
{%- endif %}
- require:
- sls: nova.db.offline_sync
- - require_in:
- - sls: nova.db.online_sync
{%- if mysql_x509_ssl_enabled %}
- sls: nova._ssl.mysql
{%- endif %}
+ - require_in:
+ - sls: nova.db.online_sync
- watch:
- file: /etc/nova/nova.conf
- file: /etc/nova/api-paste.ini
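Review bot: The conditional `- sls: nova._ssl.mysql` now falls under `require`, but `nova.db.offline_sync` just above it presumably also connects to the database. Whether that state is ordered after the certificate files is not visible here; if it is not, the sync could run before the client key and certificate are on disk. It is worth confirming this or adding the same conditional require there. A short comment above the conditional, such as `# client cert/key must exist before the service (re)starts`, would also record why the entry belongs under `require`. The state that owns this requisite list begins outside the hunk.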
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index e2036b1..9b8a545 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -2,7 +2,7 @@
{%- set connection_x509_ssl_option = '' %}
{%- if controller.database.get('x509',{}).get('enabled',False) %}
- {%- set connection_x509_ssl_option = '&ssl_ca=' ~ controller.database.x509.get('ca_file') ~ '&ssl_cert=' ~ controller.database.x509.get('cert_file') ~ '&ssl_key=' ~ controller.database.x509.get('key_file') %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ controller.database.x509.ca_file ~ '&ssl_cert=' ~ controller.database.x509.cert_file ~ '&ssl_key=' ~ controller.database.x509.key_file %}
{%- elif controller.database.get('ssl',{}).get('enabled',False) %}
{%- set connection_x509_ssl_option = '&ssl_ca=' ~ controller.database.ssl.get('cacert_file', controller.cacert_file) %}
{%- endif %}
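Review bot: The three paths are concatenated into the URL query string unescaped on the new `set` line, so a path containing `&`, `#` or `%` would change how the connection URL is parsed. Applying Jinja's `urlencode` filter to each value keeps them literal, e.g. `'&ssl_ca=' ~ controller.database.x509.ca_file|urlencode`. Separately, this template does not settle whether the client verifies the server's hostname when it is handed only `ssl_ca`, `ssl_cert` and `ssl_key`. That depends on the driver version, so it should be confirmed for both the x509 and the `ssl` branch.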
@@ -3447,7 +3447,7 @@
db_retry_interval = 1
connection_debug = 10
pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{{ connection_x509_ssl_option }}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}_api?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the database. (string
# value)
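Review bot: `controller.database.user` and `controller.database.password` go into the URL authority unescaped on the changed `connection` line, and on the identical line in the `-4496` hunk. A password containing `@`, `:`, `/` or `#` would therefore make the URL parse to a different host or to truncated credentials. Percent-encoding both values closes this, e.g. `{{ controller.database.password|urlencode }}`, though I believe that filter leaves `/` unescaped, so check that case. The added `|string` looks like a no-op, since `connection_x509_ssl_option` is always set to a string at the top of the template.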
@@ -4496,7 +4496,7 @@
db_retry_interval = 1
connection_debug = 10
pool_timeout = 120
-connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{{ connection_x509_ssl_option }}
+connection = {{ controller.database.engine }}+pymysql://{{ controller.database.user }}:{{ controller.database.password }}@{{ controller.database.host }}/{{ controller.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# If True, SQLite uses synchronous mode. (boolean value)
# Deprecated group/name - [DEFAULT]/sqlite_synchronous