Added configuration for MYSQL SSL connection

added config params to set up client certs for PDO SSL connections ( mysql ) Change-Id: Idb04a5a97e5e461bc91508567ad27c1ded60049a
2018-08-23 14:21:44 -03:00 · 2018-08-23 14:21:44 -03:00 · 9a044f8e00
parent 3a1fd8b9be
commit 9a044f8e00
2 changed files with 50 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -85,6 +85,14 @@ class openstackid (
  $session_cookie_domain = $::fqdn,
  $session_cookie_secure = true,
  $session_cookie_http_only = true,
+  $mysql_ssl_enabled = false,
+  $mysql_ssl_ca_file = '/etc/mysql-client-ssl/ca-cert.pem',
+  $mysql_ssl_ca_file_contents = '',
+  $mysql_ssl_client_key_file = '/etc/mysql-client-ssl/client-key.pem',
+  $mysql_ssl_client_key_file_contents = '',
+  $mysql_ssl_client_cert_file = '/etc/mysql-client-ssl/client-cert.pem',
+  $mysql_ssl_client_cert_file_contents = '',
+  $mysql_ssl_cypher = 'DHE-RSA-AES256-SHA',
 ) {

  # php packages needed for openid server
@ -292,6 +300,42 @@ class openstackid (
    }
  }

+  # mysql ssl connection configuration
+  if($mysql_ssl_enabled) {
+
+    if $mysql_ssl_ca_file_contents != '' {
+      file { $mysql_ssl_ca_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_ca_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+
+    if $mysql_ssl_client_key_file_contents != '' {
+      file { $mysql_ssl_client_key_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_client_key_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+    if $mysql_ssl_client_cert_file_contents != '' {
+      file { $mysql_ssl_client_cert_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_client_cert_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+  }
+
  $docroot_dirs = [ '/srv/openstackid' ]

  file { $docroot_dirs:
--- a/templates/lv5/.env.erb
+++ b/templates/lv5/.env.erb
@ -18,6 +18,12 @@ SS_DATABASE="<%= @ss_db_name %>"
 SS_DB_USERNAME="<%= @ss_mysql_user %>"
 SS_DB_PASSWORD="<%= @ss_mysql_password %>"

+DB_USE_SSL=<%= @mysql_ssl_enabled %>
+DB_MYSQL_ATTR_SSL_CA="<%= @mysql_ssl_ca_file %>"
+DB_MYSQL_ATTR_SSL_KEY="<%= @mysql_ssl_client_key_file %>"
+DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert %>"
+DB_MYSQL_ATTR_SSL_CIPHER="<%= @mysql_ssl_cypher %>"
+
 REDIS_HOST="<%= @redis_host %>"
 REDIS_PORT=<%= @redis_port %>
 REDIS_DB=<%= @redis_db %>