From 9e46d0abd79a564543e7afeab847cf3ae2c47e74 Mon Sep 17 00:00:00 2001
From: Proskurin Kirill
Date: Thu, 9 Feb 2017 11:27:57 +0000
Subject: [PATCH] Add DB SSL support

Change-Id: I5927663040a52e664e40cd13bee931b771adabb0
Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
---
 service/files/heat.conf.j2 | 2 +-
 service/heat-api.yaml | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/service/files/heat.conf.j2 b/service/files/heat.conf.j2
index e3422f8..e55b317 100644
--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@@ -16,7 +16,7 @@ reauthentication_auth_method = trusts
 endpoint_type = internalURL
 [database]
-connection = mysql+pymysql://{{ heat.db.username }}:{{ heat.db.password }}@{{ address(service.database) }}/{{ heat.db.name }}
+connection = mysql+pymysql://{{ heat.db.username }}:{{ heat.db.password }}@{{ address(service.database) }}/{{ heat.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 [keystone_authtoken]
 auth_version = v3
diff --git a/service/heat-api.yaml b/service/heat-api.yaml
index d866f42..0ac7e2f 100644
--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@@ -13,7 +13,10 @@ service:
 type: single
 command:
 mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ heat.db.name }};
- grant all privileges on {{ heat.db.name }}.* to '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}';"
+ create user '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on {{ heat.db.name }}.* to '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};"
 - name: heat-db-sync
 files:
 - heat-conf
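Review bot: The CA path `/opt/ccp/etc/tls/ca.pem` is hard-coded into the `connection` URL in heat.conf.j2, and nothing in this commit shows that file being placed in the containers that render heat.conf. Presumably the Depends-On change provides it, but that is worth confirming, because a missing CA file would make every database connection fail once `percona.tls.enabled` is set. With only `ssl_ca` given, whether the driver also checks the server certificate's name against `address(service.database)` depends on the PyMySQL version in the image, so the certificate's names should cover that address. I would add a comment above the line, `# DB TLS: server cert is verified against the CCP CA; ca.pem must exist in every container that uses this file`. The [database] section continues outside the hunk.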
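Review bot: The bootstrap `mysql` command of the heat-db-create job in heat-api.yaml still connects without any TLS option, so with `percona.tls.enabled` set the root password and the heat password inside the `create user` statement travel over a connection whose encryption and server identity are not enforced (whether the client negotiates TLS on its own depends on the client version in the image). I would pass the CA under the same condition, `mysql {% if percona.tls.enabled %}--ssl-ca=/opt/ccp/etc/tls/ca.pem {% endif %}-u root ...`, assuming the CA file is available in this job's container. The `identified by '{{ heat.db.password }}'` on the `grant` is now redundant, since `create user` already sets the password, and could be dropped so the secret appears once. The job definition starts and ends outside the hunk.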