From b775123f54f3839965f9801d295330582265dd3f Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Thu, 14 Dec 2017 10:26:37 -0800
Subject: [PATCH] Add MySQL connection SSL support
When 'horizon_galera_use_ssl' is True, use an encrypted connection to the database using either a self-signed or user-provided CA certificate. A new non-voting test has been added to verify that the role remains functional when enabling SSL features.
Change-Id: Ie7e0e5f7fc89978126d0d735367d8ecf3e007cfc
Partial-Bug: 1667789
---
 defaults/main.yml | 4 +++-
 templates/horizon_local_settings.py.j2 | 3 +++
 tox.ini | 11 +++++++++++
 zuul.d/jobs.yaml | 21 +++++++++++++++++++++
 zuul.d/project.yaml | 2 ++
 5 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 zuul.d/jobs.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 49a524d5..81986669 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -68,9 +68,11 @@ horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
 horizon_service_region: RegionOne
 horizon_service_name: horizon
-## DB info
+## Database info
 horizon_galera_database: dash
 horizon_galera_user: dash
+horizon_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
+horizon_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
 ## Session configuration
 # Specifies the timespan in seconds inactivity, until a user is considered as
diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index 6d91f41f..9838cdc4 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@@ -140,6 +140,9 @@ DATABASES = {
 'USER': '{{ horizon_galera_user }}',
 'PASSWORD': '{{ horizon_container_mysql_password }}',
 'default-character-set': 'utf8'
+ {% if horizon_galera_use_ssl | bool -%}
+ ,'ssl-ca': '{{ horizon_galera_ssl_ca_cert }}'
+ {% endif -%}
 },
 }
diff --git a/tox.ini b/tox.ini
index a4d68163..6119166d 100644
--- a/tox.ini
+++ b/tox.ini
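Review bot: The two variables added under `## Database info` in defaults/main.yml carry no comment, and `horizon_galera_use_ssl` falls back to False, so the database connection that authenticates with `horizon_container_mysql_password` stays unencrypted unless the deployer sets `galera_use_ssl`. I would document them in place, for example `# Set to True to connect to Galera over TLS; the CA file below must already exist on the horizon host.` Nothing in this change's file list installs `/etc/ssl/certs/galera-ca.pem`, so presumably another role is expected to place it, and that dependency is worth stating next to the default.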
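Review bot: In templates/horizon_local_settings.py.j2 the new `'ssl-ca'` entry is rendered as a sibling of `'USER'` and `'PASSWORD'`, and as far as I know Django's MySQL backend only forwards extra connection parameters from an `'OPTIONS'` sub-dict, so this key is likely ignored and the session may stay unencrypted while the setting reads as enabled. I would put a trailing comma on the `'default-character-set'` line and emit `'OPTIONS': {'ssl': {'ca': '{{ horizon_galera_ssl_ca_cert }}'}},` inside the `{% if %}` guard, which also removes the leading-comma line. The dict opens above the hunk, so confirm that no `'OPTIONS'` key is already defined there before adding one.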
@@ -103,6 +103,17 @@ commands =
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+[testenv:ssl]
+deps =
+ {[testenv:ansible]deps}
+setenv =
+ {[testenv]setenv}
+ ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+commands =
+ bash -c "{toxinidir}/tests/tests-repo-clone.sh"
+ bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+
+
 [testenv:linters]
 deps =
 {[testenv:ansible]deps}
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
new file mode 100644
index 00000000..8b1c419a
--- /dev/null
+++ b/zuul.d/jobs.yaml
@@ -0,0 +1,21 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- job:
+ name: openstack-ansible-horizon-ssl-nv
+ parent: openstack-ansible-functional-ubuntu-xenial
+ voting: false
+ vars:
+ tox_env: ssl
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index c5bc2ce8..9643f912 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -21,6 +21,7 @@
 - openstack-ansible-functional-centos-7
 - openstack-ansible-functional-opensuse-423
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-horizon-ssl-nv
 experimental:
 jobs:
 - openstack-ansible-integrated-deploy-aio
@@ -30,3 +31,4 @@
 - openstack-ansible-functional-centos-7
 - openstack-ansible-functional-opensuse-423
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-horizon-ssl-nv
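Review bot: The new `[testenv:ssl]` environment in tox.ini only adds `-e galera_use_ssl=True` and then runs the same functional script as the default environment, so as far as this hunk shows it checks that the role converges, not that Horizon's database session is actually encrypted. An assertion in the test playbook that the connection reports a non-empty `Ssl_cipher` status value would make the job meaningful; without it, an SSL setting that is rendered but ignored still passes. The job is also registered with `voting: false` in zuul.d/jobs.yaml, so a failure here would not block a merge.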