Implement X.509 auth for MySQL and Aodh
Related-PROD: PROD-22742
Change-Id: Ic38582b18b36b23e9534b4deb67ce06264d95df2
diff --git a/aodh/server/cluster.yml b/aodh/server/cluster.yml
index fb8f747..db6b39b 100644
--- a/aodh/server/cluster.yml
+++ b/aodh/server/cluster.yml
@@ -1,5 +1,6 @@
classes:
- service.aodh.server.cluster
+- system.salt.minion.cert.mysql.clients.openstack.aodh
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.aodh
- system.keepalived.cluster.instance.openstack_telemetry_vip
@@ -8,6 +9,8 @@
openstack_event_alarm_topic: alarm.all
# Keep alarm history in database for 30 days
aodh_alarm_history_ttl: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -32,6 +35,13 @@
name: aodh
user: aodh
password: ${_param:mysql_aodh_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_aodh_ssl_ca_file}
+ key_file: ${_param:mysql_aodh_client_ssl_key_file}
+ cert_file: ${_param:mysql_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
bind:
host: ${_param:cluster_local_address}
port: 8042
diff --git a/aodh/server/single.yml b/aodh/server/single.yml
index 8442a2d..f20195f 100644
--- a/aodh/server/single.yml
+++ b/aodh/server/single.yml
@@ -1,10 +1,13 @@
classes:
- service.aodh.server.single
+- system.salt.minion.cert.mysql.clients.openstack.aodh
parameters:
_param:
openstack_event_alarm_topic: alarm.all
# Keep alarm history in database for 30 days
aodh_alarm_history_ttl: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -13,6 +16,14 @@
enabled: true
aodh:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_aodh_ssl_ca_file}
+ key_file: ${_param:mysql_aodh_client_ssl_key_file}
+ cert_file: ${_param:mysql_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
ttl: ${_param:aodh_alarm_history_ttl}
role: ${_param:openstack_node_role}
region: ${_param:openstack_region}