Enable MySQL TLS
Enable passing the certificate authority on the relation in order to enable TLS communication to the MySQL DB. Depends-On: I785afe7f64cb57caa857178d529e3cabdcf63517 Change-Id: I26d7ec4cf9a2e99d9d1cb573ad40f6f4e53f56b5
parent
27ffd139ae
commit
dd63909c1c
|
@ -500,6 +500,10 @@ class MySQLRouterCharm(charms_openstack.charm.OpenStackCharm):
|
|||
_wait_timeout = receiving_interface.wait_timeout()
|
||||
if _wait_timeout:
|
||||
_wait_timeout = json.loads(_wait_timeout)
|
||||
# SSL CA is an optional setting
|
||||
_ssl_ca = receiving_interface.ssl_ca()
|
||||
if _ssl_ca:
|
||||
_ssl_ca = json.loads(_ssl_ca)
|
||||
if ch_core.hookenv.local_unit() in (json.loads(
|
||||
receiving_interface.allowed_units(prefix=prefix))):
|
||||
_allowed_hosts = unit.unit_name
|
||||
|
@ -515,4 +519,5 @@ class MySQLRouterCharm(charms_openstack.charm.OpenStackCharm):
|
|||
allowed_units=_allowed_hosts,
|
||||
prefix=prefix,
|
||||
wait_timeout=_wait_timeout,
|
||||
db_port=self.mysqlrouter_port)
|
||||
db_port=self.mysqlrouter_port,
|
||||
ssl_ca=_ssl_ca)
|
||||
|
|
|
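Review bot: The truthiness test `if _ssl_ca:` runs on the raw JSON text, so a relation value of `'""'` (the same sentinel the tests use for allowed_units) decodes to an empty string and is forwarded as `ssl_ca=""` rather than `None`; whether consumers treat any non-None value as "TLS configured" is not visible here, but `_ssl_ca = json.loads(_ssl_ca) or None` would make the unset and empty cases identical. The enclosing method starts before the hunk, so its docstring is not shown; it should gain a line stating that the CA published by the db-router relation is decoded and passed through unchanged to each consumer via `set_db_connection_info`, e.g. `The optional ssl_ca from the db-router relation is forwarded so consumers can verify the router's TLS endpoint.` The same `json.loads` raises ValueError on malformed relation data, matching the existing wait_timeout handling, which is worth noting in that docstring as well.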
@ -24,13 +24,13 @@ tests_options:
|
|||
target_deploy_status:
|
||||
neutron-api-plugin-ovn:
|
||||
workload-status: waiting
|
||||
workload-status-message: "'ovsdb-cms' incomplete"
|
||||
workload-status-message: "'certificates' awaiting server certificate data, 'ovsdb-cms' incomplete"
|
||||
ovn-central:
|
||||
workload-status: blocked
|
||||
workload-status-message: "'certificates' missing"
|
||||
workload-status: waiting
|
||||
workload-status-message: "'ovsdb-peer' incomplete, 'certificates' awaiting server certificate data"
|
||||
ovn-chassis:
|
||||
workload-status: blocked
|
||||
workload-status-message: "'certificates' missing"
|
||||
workload-status: waiting
|
||||
workload-status-message: "'certificates' awaiting server certificate data"
|
||||
vault:
|
||||
workload-status: blocked
|
||||
workload-status-message: Vault needs to be initialized
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
jinja2
|
||||
psutil
|
||||
mysqlclient
|
||||
|
|
|
@ -452,6 +452,8 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
_json_wait_time = "90"
|
||||
_json_pass = '"pass"'
|
||||
_pass = json.loads(_json_pass)
|
||||
_json_ca = '"Certificate Authority"'
|
||||
_ca = json.loads(_json_ca)
|
||||
_local_unit = "kmr/5"
|
||||
_port = 3316
|
||||
self.db_router.password.return_value = _json_pass
|
||||
|
@ -462,8 +464,9 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
self.db_router.get_prefixes.return_value = [
|
||||
mrc._unprefixed, mrc.db_prefix]
|
||||
|
||||
# Allowed Units unset and wait_time unset
|
||||
# Allowed Units, wait_time and ssl_ca unset
|
||||
self.db_router.wait_timeout.return_value = None
|
||||
self.db_router.ssl_ca.return_value = None
|
||||
self.db_router.allowed_units.return_value = '""'
|
||||
|
||||
mrc.proxy_db_and_user_responses(
|
||||
|
@ -471,10 +474,11 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
self.keystone_shared_db.set_db_connection_info.assert_called_once_with(
|
||||
self.keystone_shared_db.relation_id, mrc.shared_db_address,
|
||||
_pass, allowed_units=None, prefix=None, wait_timeout=None,
|
||||
db_port=_port)
|
||||
db_port=_port, ssl_ca=None)
|
||||
|
||||
# Allowed Units and wait time set correctly
|
||||
self.db_router.wait_timeout.return_value = _json_wait_time
|
||||
self.db_router.ssl_ca.return_value = _json_ca
|
||||
self.keystone_shared_db.set_db_connection_info.reset_mock()
|
||||
self.db_router.allowed_units.return_value = json.dumps(_local_unit)
|
||||
mrc.proxy_db_and_user_responses(
|
||||
|
@ -483,7 +487,7 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
self.keystone_shared_db.set_db_connection_info.assert_called_once_with(
|
||||
self.keystone_shared_db.relation_id, mrc.shared_db_address,
|
||||
_pass, allowed_units=self.keystone_unit_name, prefix=None,
|
||||
wait_timeout=_wait_time, db_port=_port)
|
||||
wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca)
|
||||
|
||||
# Confirm msyqlrouter credentials are not sent over the shared-db
|
||||
# relation
|
||||
|
@ -495,6 +499,8 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
_json_wait_time = "90"
|
||||
_json_pass = '"pass"'
|
||||
_pass = json.loads(_json_pass)
|
||||
_json_ca = '"Certificate Authority"'
|
||||
_ca = json.loads(_json_ca)
|
||||
_local_unit = "nmr/5"
|
||||
_nova = "nova"
|
||||
_novaapi = "novaapi"
|
||||
|
@ -508,29 +514,31 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
self.db_router.get_prefixes.return_value = [
|
||||
mrc.db_prefix, _nova, _novaapi, _novacell0]
|
||||
|
||||
# Allowed Units and wait time unset
|
||||
# Allowed Units, wait time and CA unset
|
||||
self.db_router.wait_timeout.return_value = None
|
||||
self.db_router.ssl_ca.return_value = None
|
||||
self.db_router.allowed_units.return_value = '""'
|
||||
mrc.proxy_db_and_user_responses(self.db_router, self.nova_shared_db)
|
||||
_calls = [
|
||||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=None, prefix=_nova,
|
||||
wait_timeout=None, db_port=_port),
|
||||
wait_timeout=None, db_port=_port, ssl_ca=None),
|
||||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=None, prefix=_novaapi,
|
||||
wait_timeout=None, db_port=_port),
|
||||
wait_timeout=None, db_port=_port, ssl_ca=None),
|
||||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=None, prefix=_novacell0,
|
||||
wait_timeout=None, db_port=_port),
|
||||
wait_timeout=None, db_port=_port, ssl_ca=None),
|
||||
]
|
||||
self.nova_shared_db.set_db_connection_info.assert_has_calls(
|
||||
_calls, any_order=True)
|
||||
|
||||
# Allowed Units and wait time set correctly
|
||||
self.db_router.wait_timeout.return_value = _json_wait_time
|
||||
self.db_router.ssl_ca.return_value = _json_ca
|
||||
self.nova_shared_db.set_db_connection_info.reset_mock()
|
||||
self.db_router.allowed_units.return_value = json.dumps(_local_unit)
|
||||
mrc.proxy_db_and_user_responses(self.db_router, self.nova_shared_db)
|
||||
|
@ -538,15 +546,15 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
|
|||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=self.nova_unit_name, prefix=_nova,
|
||||
wait_timeout=_wait_time, db_port=_port),
|
||||
wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
|
||||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=self.nova_unit_name, prefix=_novaapi,
|
||||
wait_timeout=_wait_time, db_port=_port),
|
||||
wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
|
||||
mock.call(
|
||||
self.nova_shared_db.relation_id, mrc.shared_db_address, _pass,
|
||||
allowed_units=self.nova_unit_name, prefix=_novacell0,
|
||||
wait_timeout=_wait_time, db_port=_port),
|
||||
wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
|
||||
]
|
||||
self.nova_shared_db.set_db_connection_info.assert_has_calls(
|
||||
_calls, any_order=True)
|
||||
|
|
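Review bot: The comments `# Allowed Units and wait time set correctly` in both test methods were left untouched even though the blocks now also set `ssl_ca`, while their "unset" counterparts were updated; suggest `# Allowed Units, wait_timeout and ssl_ca set correctly` for both. The two updated "unset" comments also disagree in wording (`wait_time and ssl_ca unset` versus `wait time and CA unset`), so pick one form. The CA is only ever exercised together with allowed_units and wait_timeout, so a case with ssl_ca set while the others are unset (or the `'""'` relation value) is not covered. The stand-in value `"Certificate Authority"` also does not check that a multi-line PEM body survives the JSON round-trip intact, which is the value a real deployment will carry.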