From 7e61ea00c8bd2bb31f94bda5b307bd490a77bf04 Mon Sep 17 00:00:00 2001
From: Proskurin Kirill
Date: Thu, 9 Feb 2017 11:37:49 +0000
Subject: [PATCH] Add DB SSL support
Change-Id: I5c0dc0646018946eaa2647bd6a8691ebf664d102
Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
---
 service/files/backup.sh.j2 | 4 ++--
 service/files/nova.conf.j2 | 4 ++--
 service/nova-api.yaml | 8 ++++++--
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/service/files/backup.sh.j2 b/service/files/backup.sh.j2
index 0a05104..34e2b46 100644
--- a/service/files/backup.sh.j2
+++ b/service/files/backup.sh.j2
@@ -1,10 +1,10 @@
 #!/bin/bash -ex
 set -o pipefail
 BACKUP_FILE="/var/ccp/backup/nova/backup-$(date "+%Y%m%d%H%M%S").sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
 -u {{ nova.db.username }} -p{{ nova.db.password }} \
 --single-transaction {{ nova.db.name }} > "${BACKUP_FILE}"
 BACKUP_FILE_API="/var/ccp/backup/nova/backup-$(date "+%Y%m%d%H%M%S")-api.sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
 -u {{ nova.db.username }} -p{{ nova.db.password }} \
 --single-transaction {{ nova.db.api_name }} > "${BACKUP_FILE_API}"
diff --git a/service/files/nova.conf.j2 b/service/files/nova.conf.j2
index 1b540b7..48ab612 100644
--- a/service/files/nova.conf.j2
+++ b/service/files/nova.conf.j2
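Review bot: `--ssl-mode REQUIRED` on both mysqldump lines only forces encryption; it performs no check of the server certificate against a CA, so anything that can answer for the database address can present its own certificate and read the dump in transit. The nova.conf.j2 hunk in this same change already trusts `/opt/ccp/etc/tls/ca.pem`, so the backup should pin the same anchor on both invocations: `mysqldump {% if percona.tls.enabled %} --ssl-mode=VERIFY_CA --ssl-ca=/opt/ccp/etc/tls/ca.pem {% endif %} -h {{ address(service.database) }} \`. `VERIFY_IDENTITY` would be stricter still, but whether the server certificate names the value of `address(service.database)` is not visible here. Both mysqldump invocations are complete within the hunk.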
@@ -103,13 +103,13 @@ username = {{ neutron.db.username }}
 password = {{ neutron.db.password }}
 [database]
-connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.name }}
+connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_pool_size = 50
 max_overflow = 1000
 max_retries = -1
 [api_database]
-connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.api_name }}
+connection = mysql+pymysql://{{ nova.db.username }}:{{ nova.db.password }}@{{ address(service.database) }}/{{ nova.db.api_name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1
 [cache]
diff --git a/service/nova-api.yaml b/service/nova-api.yaml
index 3ac1132..7ff37df 100644
--- a/service/nova-api.yaml
+++ b/service/nova-api.yaml
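Review bot: The `?ssl_ca=/opt/ccp/etc/tls/ca.pem` suffix on both `connection` lines is presumably what switches these connections to TLS, yet nothing in the template records that intent or its coupling to the `require ssl` user created in nova-api.yaml, so a later reader may treat it as optional tuning; a comment above `[database]` such as `# ssl_ca turns on TLS to the database and trusts the cluster CA; keep in step with the 'require ssl' user in nova-api.yaml` would prevent that. Whether the driver also verifies the server chain and hostname when only a CA is passed through the URL depends on the pymysql/SQLAlchemy versions in the image, which this diff does not show; it is worth confirming once on a deployed node, for example with `SHOW SESSION STATUS LIKE 'Ssl_cipher'` on a nova session. The `[database]` and `[api_database]` sections are fully inside the hunk; the file continues on both sides.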
@@ -16,8 +16,12 @@ service:
 type: single
 command: mysql -v -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e 'create database `{{ nova.db.name }}`; create database `{{ nova.db.api_name }}`;
- grant all privileges on `{{ nova.db.name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}";
- grant all privileges on `{{ nova.db.api_name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"'
+ create user "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on `{{ nova.db.name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on `{{ nova.db.api_name }}`.* to "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"
+ {% if percona.tls.enabled %} require ssl {% endif %};'
 dependencies:
 - {{ service.database }}
 files:
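Review bot: The new `create user` statement breaks reruns of this job: on a second run the user already exists, the statement fails, and since `mysql -e` normally stops at the first error the two `grant` statements after it are skipped, whereas the previous grant-only form tolerated reruns. Writing it as `create user if not exists "{{ nova.db.username }}"@"%" identified by "{{ nova.db.password }}"` (MySQL 5.7.6+ / MariaDB 10.1+; confirm the Percona version in the image supports it) keeps the job re-runnable, and the following `grant ... identified by ... require ssl` statements still refresh the password and the TLS requirement for a user that predates this change. Note that `require ssl` enforces encryption only; `require x509` would additionally demand a client certificate, which nothing on the nova side presents in this change, so it is not a drop-in replacement. The `command:` scalar and the `create database` statements begin before the new lines but inside the hunk.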