
Added configuration for MYSQL SSL connection

Added config params to set up client certificates for
PDO SSL connections (MySQL).

Change-Id: Idb04a5a97e5e461bc91508567ad27c1ded60049a
Sebastian Marcet 8 months ago
parent
commit
9a044f8e00
2 changed files with 50 additions and 0 deletions
  1. 44
    0
      manifests/init.pp
  2. 6
    0
      templates/lv5/.env.erb

+ 44
- 0
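--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -85,6 +85,14 @@ class openstackid (
   $session_cookie_domain = $::fqdn,
   $session_cookie_secure = true,
   $session_cookie_http_only = true,
+  $mysql_ssl_enabled = false,
+  $mysql_ssl_ca_file = '/etc/mysql-client-ssl/ca-cert.pem',
+  $mysql_ssl_ca_file_contents = '',
+  $mysql_ssl_client_key_file = '/etc/mysql-client-ssl/client-key.pem',
+  $mysql_ssl_client_key_file_contents = '',
+  $mysql_ssl_client_cert_file = '/etc/mysql-client-ssl/client-cert.pem',
+  $mysql_ssl_client_cert_file_contents = '',
+  $mysql_ssl_cypher = 'DHE-RSA-AES256-SHA',
 ) {
 
   # php packages needed for openid server
@@ -292,6 +300,42 @@ class openstackid (
     }
   }
 
+  # mysql ssl connection configuration
+  if($mysql_ssl_enabled) {
+
+    if $mysql_ssl_ca_file_contents != '' {
+      file { $mysql_ssl_ca_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_ca_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+
+    if $mysql_ssl_client_key_file_contents != '' {
+      file { $mysql_ssl_client_key_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_client_key_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+    if $mysql_ssl_client_cert_file_contents != '' {
+      file { $mysql_ssl_client_cert_file:
+        owner   => 'root',
+        group   => 'www-data',
+        mode    => '0640',
+        content => $mysql_ssl_client_cert_file_contents,
+        notify  => Class['::apache::service'],
+        before  => Apache::Vhost::Custom[$vhost_name],
+      }
+    }
+  }
+
   $docroot_dirs = [ '/srv/openstackid' ]
 
   file { $docroot_dirs: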
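Review bot: The default `$mysql_ssl_cypher = 'DHE-RSA-AES256-SHA'` added in the parameter hunk pins a CBC/SHA-1 cipher suite, which is below current practice and may be refused by a MySQL server restricted to AEAD suites; `$mysql_ssl_cypher = 'DHE-RSA-AES256-GCM-SHA384',` (or an ECDHE-GCM suite the server is known to offer) would be a safer default. In the second hunk the client private key is written with the same `0640` root:www-data mode as the CA and certificate, which is presumably what the PHP worker needs to read it, but the key resource deserves a comment such as `# private key: group-readable only so the PHP worker can load it; never world-readable`. Nothing removes these files when `$mysql_ssl_enabled` is later set back to false, so a stale key stays on disk; an `else` branch with `ensure => absent` on the three paths would close that. The class `openstackid` starts and ends outside the hunk.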

+ 6
- 0
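--- a/templates/lv5/.env.erb
+++ b/templates/lv5/.env.erb
@@ -18,6 +18,12 @@ SS_DATABASE="<%= @ss_db_name %>"
 SS_DB_USERNAME="<%= @ss_mysql_user %>"
 SS_DB_PASSWORD="<%= @ss_mysql_password %>"
 
+DB_USE_SSL=<%= @mysql_ssl_enabled %>
+DB_MYSQL_ATTR_SSL_CA="<%= @mysql_ssl_ca_file %>"
+DB_MYSQL_ATTR_SSL_KEY="<%= @mysql_ssl_client_key_file %>"
+DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert %>"
+DB_MYSQL_ATTR_SSL_CIPHER="<%= @mysql_ssl_cypher %>"
+
 REDIS_HOST="<%= @redis_host %>"
 REDIS_PORT=<%= @redis_port %>
 REDIS_DB=<%= @redis_db %>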
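Review bot: `DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert %>"` references a variable the manifest never defines; the parameter added in manifests/init.pp is `$mysql_ssl_client_cert_file`, so this line renders as an empty string and no client certificate path reaches PDO while the key path does, which presumably makes a server that requires client certificates reject the connection. Change it to `DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert_file %>"`. The other four added lines match their parameter names. Nothing here enables server-certificate verification; whether the application honours a verify-server-cert setting is not visible in this diff, but without one the CA file only helps if the app enforces it, which is worth confirming.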
