Add DB SSL support

Change-Id: I5c0dc0646018946eaa2647bd6a8691ebf664d102 Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
2017-02-09 11:37:49 +00:00 · 2017-02-09 11:37:49 +00:00 · 7e61ea00c8
parent 5139d5e26a
commit 7e61ea00c8
3 changed files with 10 additions and 6 deletions
--- a/service/files/backup.sh.j2
+++ b/service/files/backup.sh.j2
@ -1,10 +1,10 @@
 #!/bin/bash -ex
 set -o pipefail
 BACKUP_FILE="/var/ccp/backup/nova/backup-$(date "+%Y%m%d%H%M%S").sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
    -u {{ nova.db.username }} -p{{ nova.db.password }} \
    --single-transaction {{ nova.db.name }} > "${BACKUP_FILE}"
 BACKUP_FILE_API="/var/ccp/backup/nova/backup-$(date "+%Y%m%d%H%M%S")-api.sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
    -u {{ nova.db.username }} -p{{ nova.db.password }} \
    --single-transaction {{ nova.db.api_name }} > "${BACKUP_FILE_API}"
--- a/service/files/nova.conf.j2
+++ b/service/files/nova.conf.j2
@ -103,13 +103,13 @@ username = {{ neutron.db.username }}
 password = {{ neutron.db.password }}

 [database]
-connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.name }}
+connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_pool_size = 50
 max_overflow = 1000
 max_retries = -1

 [api_database]
-connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.api_name }}
+connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.api_name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1

 [cache]
--- a/service/nova-api.yaml
+++ b/service/nova-api.yaml
@ -16,8 +16,12 @@ service:
          type: single
          command: mysql -v -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e 'create database `{{ nova.db.name }}`;
                   create database `{{ nova.db.api_name }}`;
-                   grant all privileges on `{{ nova.db.name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}";
-                   grant all privileges on `{{ nova.db.api_name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"'
+                   create user "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+                   {% if percona.tls.enabled %} require ssl {% endif %};
+                   grant all privileges on `{{ nova.db.name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+                   {% if percona.tls.enabled %} require ssl {% endif %};
+                   grant all privileges on `{{ nova.db.api_name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+                   {% if percona.tls.enabled %} require ssl {% endif %};'
          dependencies:
            - {{ service.database }}
          files: