From f5127808a9b215440837b0eb2c23f904c0a7c929 Mon Sep 17 00:00:00 2001
From: Proskurin Kirill
Date: Wed, 8 Feb 2017 16:17:46 +0000
Subject: [PATCH] Add DB SSL support

Change-Id: Ic13c24e32b9259cba432db0b25d7145f0614c248
Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
---
 service/files/backup.sh.j2 | 2 +-
 service/files/keystone.conf.j2 | 2 +-
 service/keystone.yaml | 8 ++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/service/files/backup.sh.j2 b/service/files/backup.sh.j2
index 88f2020..e425325 100644
--- a/service/files/backup.sh.j2
+++ b/service/files/backup.sh.j2
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 set -o pipefail
 BACKUP_FILE="/var/ccp/backup/keystone/backup-$(date "+%Y%m%d%H%M%S").sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
 -u {{ keystone.db.username }} -p{{ keystone.db.password }} \
 --single-transaction {{ keystone.db.name }} > "${BACKUP_FILE}"
diff --git a/service/files/keystone.conf.j2 b/service/files/keystone.conf.j2
index afed78b..d64aaf6 100644
--- a/service/files/keystone.conf.j2
+++ b/service/files/keystone.conf.j2
@@ -8,7 +8,7 @@ notification_format = {{ keystone.notifications.format }}
 {% endif %}
 
 [database]
-connection = mysql+pymysql://{{ keystone.db.username }}:{{ keystone.db.password }}@{{ address(service.database) }}/{{ keystone.db.name }}
+connection = mysql+pymysql://{{ keystone.db.username }}:{{ keystone.db.password }}@{{ address(service.database) }}/{{ keystone.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1
 max_overflow = 60
 
diff --git a/service/keystone.yaml b/service/keystone.yaml
index e96451a..cc161a7 100644
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
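Review bot: `--ssl-mode REQUIRED` on the new mysqldump line enforces encryption but does not verify the server certificate, so the dump client accepts whatever certificate is presented for `{{ address(service.database) }}`. The keystone.conf hunk in this same patch already relies on `/opt/ccp/etc/tls/ca.pem`, so the backup could verify against the same CA: `mysqldump {% if percona.tls.enabled %} --ssl-mode VERIFY_CA --ssl-ca /opt/ccp/etc/tls/ca.pem {% endif %} -h {{ address(service.database) }} \`. `--ssl-mode` is only understood by 5.7.11-or-later mysql clients (older ones use `--ssl` and `--ssl-verify-server-cert`), so the client version shipped in the backup image is worth confirming either way. A one-line comment above the command stating which TLS mode is intended, and that the CA file must be mounted where the backup runs, would make the choice explicit.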
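Review bot: The new `?ssl_ca=/opt/ccp/etc/tls/ca.pem` suffix hard-codes the CA path in the template while the on/off switch comes from `percona.tls.enabled`; if the CA location is already a value in the percona or ccp configuration, referencing it there keeps the two in step, otherwise a comment above `[database]` should state that the path must match where the TLS material is mounted in the keystone containers. Whether the resulting PyMySQL connection also checks the server hostname against `{{ address(service.database) }}`, rather than only the CA chain, depends on the PyMySQL and SQLAlchemy versions in the image, so that is worth confirming before treating this as server authentication. Suggested comment: `# ssl_ca is only appended when percona.tls.enabled; the path must match the CA mounted into this container`.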
@@ -30,8 +30,12 @@ service:
 type: single
 command: mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ keystone.db.name }};
- grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}';
- grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}';"
+ create user '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};"
 - name: keystone-db-sync
 files:
 - keystone-conf
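Review bot: The new `create user` statement is not idempotent: re-running the db-create job against a database where the account already exists now fails on that statement, whereas the removed `grant ... identified by` form created or updated the account silently. On a 5.7-series server `create user if not exists` avoids the failure, and with an explicit create the `identified by` and `require ssl` clauses repeated on both grants become redundant (MySQL deprecates both in GRANT from 5.7.6), so the three statements could read `create user if not exists '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}' {% if percona.tls.enabled %} require ssl {% endif %};`, `grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%';`, `grant super on *.* to '{{ keystone.db.username }}'@'%';`. Note that `if not exists` leaves the password and the `require ssl` flag of a pre-existing account untouched, so accounts created before this change would need a separate upgrade step to pick up the TLS requirement. The job definition this `command:` scalar belongs to begins before the hunk.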