Add MySQL connection SSL support

When 'keystone_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Partial-Bug: 1667789

Change-Id: I0f8c62412e088ebb9b0ed21f7ce707b14f69d62a
Depends-On: I95cc994df5118fce7ce588fc0bff979bc283a6f3
Jimmy McCrory 2017-12-13 14:19:41 -08:00
parent 6a90ce7e43
commit 7a466a85cb
4 changed files with 26 additions and 2 deletions


@ -93,12 +93,16 @@ keystone_bind_address: 0.0.0.0
keystone_memcached_servers: 127.0.0.1 keystone_memcached_servers: 127.0.0.1
keystone_memcached_max_compare_and_set_retry: 16 keystone_memcached_max_compare_and_set_retry: 16
## DB info ## Database info
keystone_database_connection_string: >-
mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
keystone_galera_user: keystone keystone_galera_user: keystone
keystone_galera_database: keystone keystone_galera_database: keystone
## Database SSL
keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
# Database tuning # Database tuning
keystone_database_enabled: true keystone_database_enabled: true
keystone_database_connection_string: mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
keystone_database_idle_timeout: 200 keystone_database_idle_timeout: 200
keystone_database_min_pool_size: 5 keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120 keystone_database_max_pool_size: 120
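Review bot: The connection string now passes `ssl_ca={{ keystone_galera_ssl_ca_cert }}` but nothing near the new `## Database SSL` variables says where that file must exist; the path is opened by the keystone service process, so the CA has to be present and readable on every keystone host or container, not just on the Galera nodes, and a missing file presumably surfaces as a database connection failure at service start rather than at deploy time. The Depends-On change likely provides the certificate on the Galera side, but if no task outside this diff distributes it to keystone hosts, the default `/etc/ssl/certs/galera-ca.pem` only works where both run on the same host. I would add, under `## Database SSL`, a comment such as `# keystone_galera_ssl_ca_cert must be the CA that signed the Galera server certificate and be readable by the keystone service on each keystone host; only the CA is passed, so no client certificate is presented. Enable keystone_galera_use_ssl once it is in place.` It is also worth stating in that comment that server-certificate verification behaviour is whatever the PyMySQL driver does with a bare `ssl_ca`, since the DSN sets no other ssl options.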

tox.ini

@ -126,6 +126,17 @@ commands =
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh" bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
[testenv:ssl]
deps =
{[testenv:ansible]deps}
setenv =
{[testenv]setenv}
ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
commands =
bash -c "{toxinidir}/tests/tests-repo-clone.sh"
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
[testenv:linters] [testenv:linters]
deps = deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
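Review bot: The new `ssl` env only sets `galera_use_ssl=True`, so it exercises the default CA path and never the "user-provided CA certificate" case the commit message describes; a second extra var such as `-e galera_ssl_ca_cert=<PATH_TO_TEST_CA>` (placeholder) in this env or a sibling env would cover that branch of the connection-string template. The `deps`, `setenv` and `commands` stanzas repeat the preceding functional env verbatim apart from `ANSIBLE_PARAMETERS`; if that env is named, referencing its `commands` via tox substitution (e.g. `{[testenv:functional]commands}`, adjusted to the real name, which is outside this hunk) would keep the two from drifting. Note that `-e galera_use_ssl=True` arrives as a string and is only safe because the consumer applies `| bool`; a comment on the `ANSIBLE_PARAMETERS` line saying so would save the next person from dropping the filter.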


@ -29,3 +29,10 @@
parent: openstack-ansible-uw_apache parent: openstack-ansible-uw_apache
voting: false voting: false
nodeset: centos-7 nodeset: centos-7
- job:
name: openstack-ansible-keystone-ssl-nv
parent: openstack-ansible-functional-ubuntu-xenial
voting: false
vars:
tox_env: ssl


@ -24,6 +24,7 @@
- openstack-ansible-upgrade-ubuntu-xenial - openstack-ansible-upgrade-ubuntu-xenial
- openstack-ansible-uw_apache-centos-7-nv - openstack-ansible-uw_apache-centos-7-nv
- openstack-ansible-uw_apache-ubuntu-xenial - openstack-ansible-uw_apache-ubuntu-xenial
- openstack-ansible-keystone-ssl-nv
experimental: experimental:
jobs: jobs:
- openstack-ansible-integrated-deploy-aio - openstack-ansible-integrated-deploy-aio
@ -35,3 +36,4 @@
- openstack-ansible-functional-ubuntu-xenial - openstack-ansible-functional-ubuntu-xenial
- openstack-ansible-upgrade-ubuntu-xenial - openstack-ansible-upgrade-ubuntu-xenial
- openstack-ansible-uw_apache-ubuntu-xenial - openstack-ansible-uw_apache-ubuntu-xenial
- openstack-ansible-keystone-ssl-nv