Added MySQL connection SSL support

MySQL SSL connections allowed. When nova_galera_use_ssl is True Nova sets up encrypted connection to the database using either self-signed or user-provided CA certificate. Partial-Bug: #1667789 Change-Id: I16e074865367e52d17baadb4703e615f89142893
2017-02-24 15:53:15 -06:00 · 2017-02-24 15:53:15 -06:00 · 57e283fdfa
parent 410cbed571
commit 57e283fdfa
4 changed files with 47 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -81,6 +81,12 @@ nova_galera_database: nova
 nova_db_max_overflow: 10
 nova_db_max_pool_size: 120
 nova_db_pool_timeout: 30
+# Toggle whether nova connects via an encrypted connection
+nova_galera_use_ssl: False
+# The path to where the database server CA certificate is stored
+nova_galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.crt
+# The path to a user-provided Galera CA certificate file on the deployment host
+#galera_user_ssl_ca_cert: /etc/openstack_deploy/files/galera-ca.crt

 ## DB API
 nova_api_galera_user: nova_api
--- a/releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml
+++ b/releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - Nova may now use an encrypted database connection.
+    This is enabled by setting ``nova_galera_use_ssl``
+    to ``True``.
+security:
+  - Nova may now use an encrypted database connection.
+    This is enabled by setting ``nova_galera_use_ssl``
+    to ``True``.
--- a/tasks/nova_post_install.yml
+++ b/tasks/nova_post_install.yml
@ -25,6 +25,34 @@
    - nova-config
    - nova-post-install

+- name: Distribute self signed Galera ssl CA cert
+  copy:
+    dest: "{{ nova_galera_ssl_ca_cert }}"
+    content: "{{ hostvars[galera_cluster_members[0]]['galera_ssl_ca_cert_fact'] | b64decode }}"
+    owner: "root"
+    group: "{{ item.group|default(nova_system_group_name) }}"
+    mode: "0640"
+  when:
+    - nova_galera_use_ssl | bool
+    - galera_user_ssl_ca_cert is undefined
+  tags:
+    - nova-config
+    - nova-post-install
+
+- name: Distribute user provided Galera ssl CA cert
+  copy:
+    dest: "{{ nova_galera_ssl_ca_cert }}"
+    src: "{{ galera_user_ssl_ca_cert }}"
+    owner: "root"
+    group: "{{ item.group|default(nova_system_group_name) }}"
+    mode: "0640"
+  when:
+    - nova_galera_use_ssl | bool
+    - galera_user_ssl_ca_cert is defined
+  tags:
+    - nova-config
+    - nova-post-install
+
 - name: Generate nova config
  config_template:
    src: "{{ item.src }}"
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@ -212,7 +212,11 @@ memcache_secret_key = {{ memcached_encryption_key }}

 {% if inventory_hostname in (groups['nova_conductor'] + groups['nova_scheduler'] + groups['nova_api_os_compute'] + groups['nova_api_metadata'] + groups['nova_console'] + groups['nova_api_placement'])%}
 [database]
+{% if nova_galera_use_ssl | bool %}
+connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8&ssl_ca={{ nova_galera_ssl_ca_cert }}
+{% else %}
 connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8
+{% endif %}
 max_overflow = {{ nova_db_max_overflow }}
 max_pool_size = {{ nova_db_max_pool_size }}
 pool_timeout = {{ nova_db_pool_timeout }}