From 11e00a8c2ce6938fcc2d2af4091a9d9df3f278de Mon Sep 17 00:00:00 2001
From: Proskurin Kirill
Date: Thu, 9 Feb 2017 11:33:20 +0000
Subject: [PATCH] Add DB SSL support

Change-Id: I4af5f0aaf6dc65c2e2bd5159823d39dbe4bb0f62
Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
---
 service/files/backup.sh.j2 | 2 +-
 service/files/neutron.conf.j2 | 2 +-
 service/neutron-server.yaml | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/service/files/backup.sh.j2 b/service/files/backup.sh.j2
index 41213e3..d87c651 100644
--- a/service/files/backup.sh.j2
+++ b/service/files/backup.sh.j2
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 set -o pipefail
 BACKUP_FILE="/var/ccp/backup/neutron/backup-$(date "+%Y%m%d%H%M%S").sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
 -u {{ neutron.db.username }} -p{{ neutron.db.password }} \
 --single-transaction {{ neutron.db.name }} > "${BACKUP_FILE}"
diff --git a/service/files/neutron.conf.j2 b/service/files/neutron.conf.j2
index bcea232..7e379e2 100644
--- a/service/files/neutron.conf.j2
+++ b/service/files/neutron.conf.j2
@@ -56,7 +56,7 @@ root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
 root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
 [database]
-connection = mysql+pymysql://{{ neutron.db.username }}:{{ neutron.db.password }}@{{ address(service.database) }}/{{ neutron.db.name }}
+connection = mysql+pymysql://{{ neutron.db.username }}:{{ neutron.db.password }}@{{ address(service.database) }}/{{ neutron.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1
 max_pool_size = {{ neutron.db.max_pool_size }}
 max_overflow = {{ neutron.db.max_overflow }}
diff --git a/service/neutron-server.yaml b/service/neutron-server.yaml
index d3a37eb..90e96db 100644
--- a/service/neutron-server.yaml
+++ b/service/neutron-server.yaml
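Review bot: `--ssl-mode REQUIRED` on the new mysqldump line only forces the session to be encrypted; it does not authenticate the server, so the backup credentials and the dump itself are still handed to whatever answers at `{{ address(service.database) }}`. The CA that the neutron.conf.j2 hunk in this same patch points at could be used here too, e.g. `--ssl-mode VERIFY_CA --ssl-ca /opt/ccp/etc/tls/ca.pem`, provided that file is mounted into the backup container as well, which this patch does not show. `--ssl-mode` also assumes a 5.7-era mysqldump client, older clients only understand `--ssl`, so the client version in the image is worth confirming. backup.sh.j2 is a flat script and the hunk covers the whole file.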
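Review bot: The `?ssl_ca=/opt/ccp/etc/tls/ca.pem` appended to `connection` makes PyMySQL verify the server certificate chain against that CA, but with only a CA supplied PyMySQL does not, as far as I know, check that the certificate name matches the host it connected to; confirm that against the PyMySQL version in the image and record the outcome in the template, e.g. `{# TLS: server chain is verified against ca.pem; hostname binding is not checked by pymysql with a CA alone #}` on the line above. The CA path is a literal while every other value on the line is templated; a single variable shared with the backup script and the volume definition would keep the three in step. The `[database]` section continues outside the hunk.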
@@ -15,7 +15,10 @@ service:
 - {{ service.database }}
 type: single
 command: mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e 'create database `{{ neutron.db.name }}`;
- grant all privileges on `{{ neutron.db.name }}`.* to "{{ neutron.db.username }}"@"%" identified by "{{ neutron.db.password }}"'
+ create user "{{ neutron.db.username }}"@"%" identified by "{{ neutron.db.password }}"
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on `{{ neutron.db.name }}`.* to "{{ neutron.db.username }}"@"%" identified by "{{ neutron.db.password }}"
+ {% if percona.tls.enabled %} require ssl {% endif %};'
 - name: neutron-db-sync
 type: single
 command: neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
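Review bot: The new `create user "{{ neutron.db.username }}"@"%" ...` has no `if not exists`, so a second run of this job will fail as soon as the user exists, whereas the `grant ... identified by` form it replaces was re-runnable; `create user if not exists "{{ neutron.db.username }}"@"%" identified by "{{ neutron.db.password }}"` restores that, if the deployed Percona server is 5.7 or later. The `require ssl` clause is then given twice, once on `create user` and again on `grant`; on 5.7 the `require` form of `grant` is deprecated in favour of `create user`/`alter user`, so the second occurrence can go once the first is in place. The whole statement is passed to `mysql -e` inside single quotes, so none of the Jinja-rendered values may contain a `'`; that constraint predates this change but the longer statement makes it easier to trip over. `create database` on the context line above likewise lacks `if not exists`, so the job as a whole is only re-runnable after the database is dropped.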