openstack/openstack-ansible-os_nova
Code Issues Proposed changes

Merge "Added MySQL connection SSL support"

Browse Source
This commit is contained in:
Jenkins 2017-03-04 16:22:58 +00:00 committed by Gerrit Code Review
commit 659e0e6a8e
4 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
defaults/main.yml
View File

@ -81,6 +81,12 @@ nova_galera_database: nova
nova_db_max_overflow: 10 nova_db_max_overflow: 10
nova_db_max_pool_size: 120 nova_db_max_pool_size: 120
nova_db_pool_timeout: 30 nova_db_pool_timeout: 30
# Toggle whether nova connects via an encrypted connection
nova_galera_use_ssl: False
# The path to where the database server CA certificate is stored
nova_galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.crt
# The path to a user-provided Galera CA certificate file on the deployment host
#galera_user_ssl_ca_cert: /etc/openstack_deploy/files/galera-ca.crt
## DB API ## DB API
nova_api_galera_user: nova_api nova_api_galera_user: nova_api

9
releasenotes/notes/nova_galera_ssl-24c2ca2a8ab6fec4.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- Nova may now use an encrypted database connection.
This is enabled by setting ``nova_galera_use_ssl``
to ``True``.
security:
- Nova may now use an encrypted database connection.
This is enabled by setting ``nova_galera_use_ssl``
to ``True``.

28
tasks/nova_post_install.yml
View File

@ -25,6 +25,34 @@
- nova-config - nova-config
- nova-post-install - nova-post-install
- name: Distribute self signed Galera ssl CA cert
copy:
dest: "{{ nova_galera_ssl_ca_cert }}"
content: "{{ hostvars[galera_cluster_members[0]]['galera_ssl_ca_cert_fact'] | b64decode }}"
owner: "root"
group: "{{ item.group|default(nova_system_group_name) }}"
mode: "0640"
when:
- nova_galera_use_ssl | bool
- galera_user_ssl_ca_cert is undefined
tags:
- nova-config
- nova-post-install
- name: Distribute user provided Galera ssl CA cert
copy:
dest: "{{ nova_galera_ssl_ca_cert }}"
src: "{{ galera_user_ssl_ca_cert }}"
owner: "root"
group: "{{ item.group|default(nova_system_group_name) }}"
mode: "0640"
when:
- nova_galera_use_ssl | bool
- galera_user_ssl_ca_cert is defined
tags:
- nova-config
- nova-post-install
- name: Generate nova config - name: Generate nova config
config_template: config_template:
src: "{{ item.src }}" src: "{{ item.src }}"

4
templates/nova.conf.j2
View File

@ -206,7 +206,11 @@ memcache_secret_key = {{ memcached_encryption_key }}
{% if inventory_hostname in (groups['nova_conductor'] + groups['nova_scheduler'] + groups['nova_api_os_compute'] + groups['nova_api_metadata'] + groups['nova_console'] + groups['nova_api_placement'])%} {% if inventory_hostname in (groups['nova_conductor'] + groups['nova_scheduler'] + groups['nova_api_os_compute'] + groups['nova_api_metadata'] + groups['nova_console'] + groups['nova_api_placement'])%}
[database] [database]
{% if nova_galera_use_ssl | bool %}
connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8&ssl_ca={{ nova_galera_ssl_ca_cert }}
{% else %}
connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8 connection = mysql+pymysql://{{ nova_galera_user }}:{{ nova_container_mysql_password }}@{{ nova_galera_address }}/{{ nova_galera_database }}?charset=utf8
{% endif %}
max_overflow = {{ nova_db_max_overflow }} max_overflow = {{ nova_db_max_overflow }}
max_pool_size = {{ nova_db_max_pool_size }} max_pool_size = {{ nova_db_max_pool_size }}
pool_timeout = {{ nova_db_pool_timeout }} pool_timeout = {{ nova_db_pool_timeout }}