From 57e283fdfa4954d0cfd2d2ccf5ac67d83dd461f2 Mon Sep 17 00:00:00 2001
From: Andrey
Date: Fri, 24 Feb 2017 15:53:15 -0600
Subject: [PATCH] Added MySQL connection SSL support

MySQL SSL connections allowed. When nova_galera_use_ssl is True Nova sets up encrypted connection to the database using either self-signed or user-provided CA certificate.

Partial-Bug: #1667789
Change-Id: I16e074865367e52d17baadb4703e615f89142893
---
 defaults/main.yml | 6 ++++
 .../nova_galera_ssl-24c2ca2a8ab6fec4.yaml | 9 ++++++
 tasks/nova_post_install.yml | 28 +++++++++++++++++++
 templates/nova.conf.j2 | 4 +++
 4 files changed, 47 insertions(+)
 create mode 100644 releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index d9b006b5..228b01bc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -81,6 +81,12 @@ nova_galera_database: nova
 nova_db_max_overflow: 10
 nova_db_max_pool_size: 120
 nova_db_pool_timeout: 30
+# Toggle whether nova connects via an encrypted connection
+nova_galera_use_ssl: False
+# The path to where the database server CA certificate is stored
+nova_galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.crt
+# The path to a user-provided Galera CA certificate file on the deployment host
+#galera_user_ssl_ca_cert: /etc/openstack_deploy/files/galera-ca.crt
 
 ## DB API
 nova_api_galera_user: nova_api
diff --git a/releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml b/releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml
new file mode 100644
index 00000000..07540721
--- /dev/null
+++ b/releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - Nova may now use an encrypted database connection.
+    This is enabled by setting ``nova_galera_use_ssl``
+    to ``True``.
+security:
+  - Nova may now use an encrypted database connection.
+    This is enabled by setting ``nova_galera_use_ssl``
+    to ``True``.
diff --git a/tasks/nova_post_install.yml b/tasks/nova_post_install.yml
index 9c4825ef..df4beb20 100644
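Review bot: The comment on `nova_galera_ssl_ca_cert` does not say on which host the path lives or what consumes it, and both are security-relevant because the two copy tasks write it on the nova hosts and the connection URL passes it to the driver as `ssl_ca`; suggest `# Path on the nova hosts where the Galera CA certificate is written; passed to the DB driver as ssl_ca to validate the server certificate`. The toggle comment could likewise name the property it is meant to buy, e.g. `# Encrypt the nova <-> Galera connection and validate the server against nova_galera_ssl_ca_cert`, so an operator does not read it as encryption-only. The default location `/etc/ssl/certs/` is the directory distro CA-bundle tooling manages; a role-owned file there presumably survives `update-ca-certificates`, but a role-specific directory would avoid the question entirely — confirm against where the galera role keeps its own copy.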
--- a/tasks/nova_post_install.yml
+++ b/tasks/nova_post_install.yml
@@ -25,6 +25,34 @@
     - nova-config
     - nova-post-install
 
+- name: Distribute self signed Galera ssl CA cert
+  copy:
+    dest: "{{ nova_galera_ssl_ca_cert }}"
+    content: "{{ hostvars[galera_cluster_members[0]]['galera_ssl_ca_cert_fact'] | b64decode }}"
+    owner: "root"
+    group: "{{ item.group|default(nova_system_group_name) }}"
+    mode: "0640"
+  when:
+    - nova_galera_use_ssl | bool
+    - galera_user_ssl_ca_cert is undefined
+  tags:
+    - nova-config
+    - nova-post-install
+
+- name: Distribute user provided Galera ssl CA cert
+  copy:
+    dest: "{{ nova_galera_ssl_ca_cert }}"
+    src: "{{ galera_user_ssl_ca_cert }}"
+    owner: "root"
+    group: "{{ item.group|default(nova_system_group_name) }}"
+    mode: "0640"
+  when:
+    - nova_galera_use_ssl | bool
+    - galera_user_ssl_ca_cert is defined
+  tags:
+    - nova-config
+    - nova-post-install
+
 - name: Generate nova config
   config_template:
     src: "{{ item.src }}"
diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2
index 7016a3e5..42b03e09 100644
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@@ -212,7 +212,11 @@ memcache_secret_key = {{ memcached_encryption_key }}
 
 {% if inventory_hostname in (groups['nova_conductor'] + groups['nova_scheduler'] + groups['nova_api_os_compute'] + groups['nova_api_metadata'] + groups['nova_console'] + groups['nova_api_placement'])%}
 [database]
+{% if nova_galera_use_ssl | bool %}
+connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8&ssl_ca={{ nova_galera_ssl_ca_cert }}
+{% else %}
 connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8
+{% endif %}
 max_overflow = {{ nova_db_max_overflow }}
 max_pool_size = {{ nova_db_max_pool_size }}
 pool_timeout = {{ nova_db_pool_timeout }}
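Review bot: Both new `copy` tasks set `group: "{{ item.group|default(nova_system_group_name) }}"` but neither has a loop, so `item` is never defined and the expression appears to always fall through to the default (Ansible's undefined wrapper tolerates the attribute access); this looks copied from the looped `Generate nova config` task below, so write `group: "{{ nova_system_group_name }}"` and drop the misleading `item` reference. The self-signed branch reads `hostvars[galera_cluster_members[0]]['galera_ssl_ca_cert_fact']`, which presumably only exists when the galera play set that fact in the same run or it is in the fact cache; a run limited to the nova hosts would fail with a generic undefined-variable error, so a preceding `assert`/`fail` naming the missing fact and the expected galera host would help operators. Neither task carries a `notify`, so a rotated or replaced CA file changes on disk without the nova services reconnecting unless the config_template task's handler happens to fire in the same run — worth confirming or adding a handler here. The task list continues outside the hunk.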
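Review bot: Server authentication with `ssl_ca=` in the new `connection` URL depends on the driver version, and nothing here pins it: SQLAlchemy's MySQL dialect maps `ssl_ca` to PyMySQL's `ssl={'ca': ...}`, and as far as I recall only the more recent PyMySQL releases then set `CERT_REQUIRED` plus hostname checking, so with an older driver this is encryption without authentication and an on-path attacker still obtains the password embedded in this URL — confirm the deployed PyMySQL behaviour and state the guarantee in the release note. Hostname verification also requires the Galera certificate to carry `nova_galera_address` as a SAN, which is worth noting for the self-signed case where that name may be a VIP or IP. The `[api_database]` connection implied by `nova_api_galera_user` in defaults is outside this hunk and, as far as is visible, still renders a plaintext URL when `nova_galera_use_ssl` is true. Style: the two `connection` lines differ only in the query suffix, so a single line with `{% if nova_galera_use_ssl | bool %}&ssl_ca={{ nova_galera_ssl_ca_cert }}{% endif %}` appended avoids maintaining the credential-bearing URL twice. The enclosing `{% if inventory_hostname in ... %}` block closes outside the hunk.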