Options to configure MySQL for SSL and glance, keystone and nova clients.

The mysql module supports SSL but it wasn't accessible since the arguments to configure it were unused. Add options to pass in the CA, cert and private key paths to enable SSL in MySQL. The second part of the patch reconfigures the connection line in the glance, keystone and nova clients to use SSL by adding the ssl_ca option. Change-Id: I1f748fd7cfac110fc3170b235175623abfc9317b Fixes: bug #1214606
2013-09-11 17:38:28 -04:00 · 2013-09-11 17:38:28 -04:00 · 9dd6737863
parent 74f8c55726
commit 9dd6737863
9 changed files with 167 additions and 7 deletions
--- a/manifests/controller.pp
+++ b/manifests/controller.pp
@ -173,6 +173,10 @@ class openstack::controller (
  $mysql_bind_address      = '0.0.0.0',
  $sql_idle_timeout        = undef,
  $allowed_hosts           = '%',
+  $mysql_ssl               = false,
+  $mysql_ca                = undef,
+  $mysql_cert              = undef,
+  $mysql_key               = undef,
  # Keystone
  $keystone_host           = '127.0.0.1',
  $keystone_db_user        = 'keystone',
@ -310,6 +314,10 @@ class openstack::controller (
      mysql_root_password    => $mysql_root_password,
      mysql_bind_address     => $mysql_bind_address,
      mysql_account_security => $mysql_account_security,
+      mysql_ssl              => $mysql_ssl,
+      mysql_ca               => $mysql_ca,
+      mysql_cert             => $mysql_cert,
+      mysql_key              => $mysql_key,
      keystone_db_user       => $keystone_db_user,
      keystone_db_password   => $keystone_db_password,
      keystone_db_dbname     => $keystone_db_dbname,
@ -343,6 +351,8 @@ class openstack::controller (
    db_password               => $keystone_db_password,
    db_name                   => $keystone_db_dbname,
    db_user                   => $keystone_db_user,
+    db_ssl                    => $mysql_ssl,
+    db_ssl_ca                 => $mysql_ca,
    idle_timeout              => $sql_idle_timeout,
    admin_token               => $keystone_admin_token,
    admin_tenant              => $keystone_admin_tenant,
@ -385,6 +395,8 @@ class openstack::controller (
    verbose          => $verbose,
    db_type          => $db_type,
    db_host          => $db_host,
+    db_ssl           => $mysql_ssl,
+    db_ssl_ca        => $mysql_ca,
    sql_idle_timeout => $sql_idle_timeout,
    keystone_host    => $keystone_host,
    registry_host    => $glance_registry_host,
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
@ -15,6 +15,10 @@
 # [ceilometer_db_password] Password for ceilometer database. Required.
 # [mysql_bind_address] Address that mysql will bind to. Optional .Defaults to '0.0.0.0'.
 # [mysql_account_security] If a secure mysql db should be setup. Optional .Defaults to true.
+# [mysql_ssl] Enable SSL in the mysql server. Default is false.
+# [mysql_ca] The path to the CA certificate in PEM format.
+# [mysql_cert] The path to the server certificate in PEM format.
+# [mysql_key] The path to the server private key in PEM format, unencrypted.
 # [keystone_db_user] DB user for keystone. Optional. Defaults to 'keystone'.
 # [keystone_db_dbname] DB name for keystone. Optional. Defaults to 'keystone'.
 # [glance_db_user] DB user for glance. Optional. Defaults to 'glance'.
@ -63,6 +67,10 @@ class openstack::db::mysql (
    # MySQL
    $mysql_bind_address     = '0.0.0.0',
    $mysql_account_security = true,
+    $mysql_ssl              = false,
+    $mysql_ca               = undef,
+    $mysql_cert             = undef,
+    $mysql_key              = undef,
    # Keystone
    $keystone_db_user       = 'keystone',
    $keystone_db_dbname     = 'keystone',
@ -95,6 +103,10 @@ class openstack::db::mysql (
    config_hash => {
      'root_password' => $mysql_root_password,
      'bind_address'  => $mysql_bind_address,
+      'ssl'           => $mysql_ssl,
+      'ssl_ca'        => $mysql_ca,
+      'ssl_cert'      => $mysql_cert,
+      'ssl_key'       => $mysql_key,
    },
    enabled     => $enabled,
  }
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
@ -18,6 +18,8 @@
 # [registry_host] Address used by API to find the Registry service. Optional. Defaults to '0.0.0.0'
 # [bind_host] Address for binding API and Registry services. Optional. Defaults to '0.0.0.0'
 # [db_type] Type of sql databse to use. Optional. Defaults to 'mysql'
+# [db_ssl] Boolean whether to use SSL for database. Defaults to false.
+# [db_ssl_ca] If db_ssl is true, this is used in the connection to define the CA. Default undef.
 # [db_user] Name of glance DB user. Optional. Defaults to 'glance'
 # [db_name] Name of glance DB. Optional. Defaults to 'glance'
 # [backend] Backends used to store images.  Defaults to file.
@ -48,6 +50,8 @@ class openstack::glance (
  $registry_host            = '0.0.0.0',
  $bind_host                = '0.0.0.0',
  $db_type                  = 'mysql',
+  $db_ssl                   = false,
+  $db_ssl_ca                = undef,
  $db_user                  = 'glance',
  $db_name                  = 'glance',
  $backend                  = 'file',
@ -62,10 +66,17 @@ class openstack::glance (
 ) {

  # Configure the db string
-  if $db_type == 'mysql' {
-    $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
-  } else {
-    fail("Unsupported db_type ${db_type}. Only mysql is currently supported")
+  case $db_type {
+    'mysql': {
+      if $db_ssl == true {
+        $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}?ssl_ca=${db_ssl_ca}"
+      } else {
+        $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+      }
+    }
+    default: {
+      fail("db_type ${db_type} is not supported")
+    }
  }

  # Install and configure glance-api
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@ -18,6 +18,8 @@
 # [token_format] Format keystone uses for tokens. Optional. Defaults to PKI.
 #   Supports PKI and UUID.
 # [db_type] Type of DB used. Currently only supports mysql. Optional. Defaults to  'mysql'
+# [db_ssl] Boolean whether to use SSL for database. Defaults to false.
+# [db_ssl_ca] If db_ssl is true, this is used in the connection to define the CA. Default undef.
 # [db_user] Name of keystone db user. Optional. Defaults to  'keystone'
 # [db_name] Name of keystone DB. Optional. Defaults to  'keystone'
 # [admin_tenant] Name of keystone admin tenant. Optional. Defaults to  'admin'
@ -65,6 +67,8 @@ class openstack::keystone (
  $db_type                     = 'mysql',
  $db_user                     = 'keystone',
  $db_name                     = 'keystone',
+  $db_ssl                      = false,
+  $db_ssl_ca                   = undef,
  $admin_tenant                = 'admin',
  $verbose                     = false,
  $debug                       = false,
@ -127,7 +131,11 @@ class openstack::keystone (

  # Install and configure Keystone
  if $db_type == 'mysql' {
-    $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+    if $db_ssl == true {
+      $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}?ssl_ca=${db_ssl_ca}"
+    } else {
+      $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+    }
  } else {
    fail("db_type ${db_type} is not supported")
  }
--- a/manifests/nova/controller.pp
+++ b/manifests/nova/controller.pp
@ -90,6 +90,8 @@ class openstack::nova::controller (
  $rabbit_cluster_nodes      = false,
  # Database
  $db_type                   = 'mysql',
+  $db_ssl                    = false,
+  $db_ssl_ca                 = undef,
  $sql_idle_timeout          = '3600',
  # Glance
  $glance_api_servers        = undef,
@ -107,9 +109,14 @@ class openstack::nova::controller (
  # Configure the db string
  case $db_type {
    'mysql': {
-      $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}"
+      if $db_ssl == true {
+        $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}?ssl_ca=${db_ssl_ca}"
+      } else {
+        $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}"
+      }
    }
    default: {
+      fail("db_type ${db_type} is not supported")
    }
  }

--- a/spec/classes/openstack_controller_spec.rb
+++ b/spec/classes/openstack_controller_spec.rb
@ -173,6 +173,35 @@ describe 'openstack::controller' do
      it { should_not contain_class('mysql::server::account_security')}
    end

+    context 'with default SSL params, disabled' do
+
+      it 'SSL in mysql should be disabled' do
+        config_hash = param_value(subject, 'class', 'mysql::server', 'config_hash')
+        config_hash['ssl'].should == false
+      end
+
+    end
+
+    context 'SSL is enabled' do
+      let :params do
+        default_params.merge(
+          :mysql_ssl => true,
+          :mysql_ca => '/etc/mysql/ca.pem',
+          :mysql_cert => '/etc/mysql/server.pem',
+          :mysql_key => '/etc/mysql/server.key'
+        )
+      end
+
+      it 'should configure mysql server' do
+        config_hash = param_value(subject, 'class', 'mysql::server', 'config_hash')
+        config_hash['ssl'].should == true
+        config_hash['ssl_ca'].should == '/etc/mysql/ca.pem'
+        config_hash['ssl_cert'].should == '/etc/mysql/server.pem'
+        config_hash['ssl_key'].should == '/etc/mysql/server.key'
+      end
+
+    end
+
  end

  context 'keystone' do
@ -307,6 +336,24 @@ describe 'openstack::controller' do
        end
      end
    end
+
+    context 'with mysql SSL enabled' do
+
+      let :params do
+        default_params.merge(
+          :mysql_ssl => true,
+          :mysql_ca => '/etc/mysql/ca.pem',
+          :mysql_cert => '/etc/mysql/server.pem',
+          :mysql_key => '/etc/mysql/server.key'
+        )
+      end
+
+      it 'should configure keystone with SSL mysql connection' do
+        should contain_class('keystone').with(
+          :sql_connection => "mysql://keystone:keystone_pass@127.0.0.1/keystone?ssl_ca=/etc/mysql/ca.pem"
+        )
+      end
+    end
  end

  it do
@ -431,6 +478,25 @@ describe 'openstack::controller' do
        )
      end
    end
+
+    context 'with mysql SSL enabled' do
+
+      let :params do
+        default_params.merge(
+          :mysql_ssl => true,
+          :mysql_ca => '/etc/mysql/ca.pem',
+          :mysql_cert => '/etc/mysql/server.pem',
+          :mysql_key => '/etc/mysql/server.key'
+        )
+      end
+
+      it 'should configure glance with SSL mysql connection' do
+        should contain_class('glance::api').with(
+          :sql_connection    => "mysql://glance:glance_pass@127.0.0.1/glance?ssl_ca=/etc/mysql/ca.pem"
+        )
+      end
+    end
+
  end

  context 'config for nova' do
--- a/spec/classes/openstack_glance_spec.rb
+++ b/spec/classes/openstack_glance_spec.rb
@ -57,7 +57,7 @@ describe 'openstack::glance' do
      params.merge!(:db_type => 'sqlite' )
    end
    it 'should fail' do
-      expect { subject }.to raise_error(Puppet::Error, /Unsupported db_type sqlite/)
+      expect { subject }.to raise_error(Puppet::Error, /db_type sqlite is not supported/)
    end
  end

@ -135,4 +135,19 @@ describe 'openstack::glance' do
    end
  end

+  describe 'when configuring mysql with SSL' do
+    before do
+      params.merge!({
+        :db_ssl    => true,
+        :db_ssl_ca => '/etc/mysql/ca.pem'
+      })
+    end
+
+    it 'should configure mysql properly' do
+      should contain_class('glance::registry').with(
+        :sql_connection    => 'mysql://glance:glance_db_pass@127.0.0.1/glance?ssl_ca=/etc/mysql/ca.pem'
+      )
+    end
+  end
+
 end
--- a/spec/classes/openstack_keystone_spec.rb
+++ b/spec/classes/openstack_keystone_spec.rb
@ -158,4 +158,19 @@ describe 'openstack::keystone' do
    end
  end

+  describe 'when configuring mysql with SSL' do
+    let :params do
+      required_params.merge(
+        :db_ssl    => true,
+        :db_ssl_ca => '/etc/mysql/ca.pem'
+      )
+    end
+
+    it 'should configure mysql properly' do
+      should contain_class('keystone').with(
+        :sql_connection => 'mysql://keystone:pass@127.0.0.1/keystone?ssl_ca=/etc/mysql/ca.pem'
+      )
+    end
+  end
+
 end
--- a/spec/classes/openstack_nova_controller_spec.rb
+++ b/spec/classes/openstack_nova_controller_spec.rb
@ -96,4 +96,18 @@ describe 'openstack::nova::controller' do
      )
    end
  end
+
+  context 'when configuring SSL' do
+    let :params do
+      default_params.merge(
+        :db_ssl => true,
+        :db_ssl_ca => '/etc/mysql/ca.pem'
+      )
+    end
+    it 'should configure SSL' do
+      should contain_class('nova').with(
+        :sql_connection       => 'mysql://nova:nova_db_pass@127.0.0.1/nova?ssl_ca=/etc/mysql/ca.pem'
+      )
+    end
+  end
 end