From 3ecdde11291c8dcada164b53abb20fa253829cad Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Thu, 14 Dec 2017 11:16:15 -0800
Subject: [PATCH] Add MySQL connection SSL support

When 'ironic_galera_use_ssl' is True, use an encrypted connection to the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains functional when enabling SSL features.

Change-Id: I1c0598a2f83d330014ffbb2612386016347d3425
Partial-Bug: 1667789
---
 defaults/main.yml   | 6 ++++--
 tox.ini             | 11 +++++++++++
 zuul.d/jobs.yaml    | 21 +++++++++++++++++++++
 zuul.d/project.yaml | 2 ++
 4 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 zuul.d/jobs.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index eb744ffd..cadf5d8c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -178,7 +178,9 @@ ironic_openstack_auth_strategy: keystone
 #ironic_openstack_api_url: '' # Not required when we have keystone
 ironic_openstack_dhcp_provider: neutron
 ironic_openstack_sync_power_state_interval: 60
-ironic_openstack_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}/ironic"
+ironic_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
+ironic_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+ironic_openstack_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}/ironic{% if ironic_galera_use_ssl | bool %}&ssl_ca={{ ironic_galera_ssl_ca_cert }}{% endif %}"
 
 # Standalone Ironic configuration
 ironic_standalone_driver_list:
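Review bot: The SSL branch of ironic_openstack_db_connection_string appends `&ssl_ca=...` straight after the database name, but there is no query string to extend — the removed line ends at `/ironic` with no `?`. SQLAlchemy only reads driver options after a `?`, so with ironic_galera_use_ssl enabled the rendered URL is `.../ironic&ssl_ca=/etc/ssl/certs/galera-ca.pem`, the CA path is swallowed into the database name and no TLS parameters reach PyMySQL at all; the flag cannot produce an encrypted connection in this form. Use the query separator instead: `{% if ironic_galera_use_ssl | bool %}?ssl_ca={{ ironic_galera_ssl_ca_cert }}{% endif %}`. The second hunk turns ironic_standalone_db_connection_string into an alias of this value, so it inherits both the defect and the fix. Since ssl_ca is the only option passed, server verification is only as strong as the trust placed in that CA file, which this change assumes already exists at ironic_galera_ssl_ca_cert on the target (nothing in this patch installs it, unless handled elsewhere in the role) — a comment above the variable stating that precondition would help operators.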
@@ -188,7 +190,7 @@ ironic_standalone_auth_strategy: noauth
 ironic_standalone_api_url: "{{ ironic_service_internaluri }}/"
 ironic_standalone_dhcp_provider: none
 ironic_standalone_sync_power_state_interval: -1
-ironic_standalone_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}/ironic"
+ironic_standalone_db_connection_string: "{{ ironic_openstack_db_connection_string }}"
 
 # Ironic db tuning
 ironic_db_max_overflow: 10
diff --git a/tox.ini b/tox.ini
index 53f3415f..d15f8727 100644
--- a/tox.ini
+++ b/tox.ini
@@ -103,6 +103,17 @@ commands =
     bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
 
 
+[testenv:ssl]
+deps =
+    {[testenv:ansible]deps}
+setenv =
+    {[testenv]setenv}
+    ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+commands =
+    bash -c "{toxinidir}/tests/tests-repo-clone.sh"
+    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+
+
 [testenv:linters]
 deps =
     {[testenv:ansible]deps}
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
new file mode 100644
index 00000000..f8b822e8
--- /dev/null
+++ b/zuul.d/jobs.yaml
@@ -0,0 +1,21 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- job:
+    name: openstack-ansible-ironic-ssl-nv
+    parent: openstack-ansible-functional-ubuntu-xenial
+    voting: false
+    vars:
+      tox_env: ssl
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 312a73dc..2231717d 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -19,6 +19,7 @@
       jobs:
         - openstack-ansible-linters
         - openstack-ansible-functional-ubuntu-xenial
+        - openstack-ansible-ironic-ssl-nv
     experimental:
       jobs:
         - openstack-ansible-integrated-deploy-aio
@@ -26,3 +27,4 @@
       jobs:
         - openstack-ansible-linters
         - openstack-ansible-functional-ubuntu-xenial
+        - openstack-ansible-ironic-ssl-nv