From dd63909c1ccc69907024753ec1b825917cf8298b Mon Sep 17 00:00:00 2001
From: David Ames
Date: Tue, 30 Jun 2020 15:26:41 -0700
Subject: [PATCH] Enable MySQL TLS

Enable passing the certificate authority on the relation in order to enable TLS communication to the MySQL DB.

Depends-On: I785afe7f64cb57caa857178d529e3cabdcf63517
Change-Id: I26d7ec4cf9a2e99d9d1cb573ad40f6f4e53f56b5
---
 src/lib/charm/openstack/mysql_router.py | 7 ++++-
 src/tests/tests.yaml | 10 +++----
 src/wheelhouse.txt | 1 -
 .../test_lib_charm_openstack_mysql_router.py | 28 ++++++++++++-------
 4 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/lib/charm/openstack/mysql_router.py b/src/lib/charm/openstack/mysql_router.py
index a8f9220..b3c46f2 100644
--- a/src/lib/charm/openstack/mysql_router.py
+++ b/src/lib/charm/openstack/mysql_router.py
@@ -500,6 +500,10 @@ class MySQLRouterCharm(charms_openstack.charm.OpenStackCharm):
 _wait_timeout = receiving_interface.wait_timeout()
 if _wait_timeout:
 _wait_timeout = json.loads(_wait_timeout)
+# SSL CA is an optional setting
+_ssl_ca = receiving_interface.ssl_ca()
+if _ssl_ca:
+_ssl_ca = json.loads(_ssl_ca)
 if ch_core.hookenv.local_unit() in (json.loads(
 receiving_interface.allowed_units(prefix=prefix))):
 _allowed_hosts = unit.unit_name
@@ -515,4 +519,5 @@ class MySQLRouterCharm(charms_openstack.charm.OpenStackCharm):
 allowed_units=_allowed_hosts,
 prefix=prefix,
 wait_timeout=_wait_timeout,
-db_port=self.mysqlrouter_port)
+db_port=self.mysqlrouter_port,
+ssl_ca=_ssl_ca)
diff --git a/src/tests/tests.yaml b/src/tests/tests.yaml
index b066c2e..5892527 100644
--- a/src/tests/tests.yaml
+++ b/src/tests/tests.yaml
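Review bot: In the first hunk `if _ssl_ca:` tests the raw relation value before decoding, so a relation that publishes the JSON empty string `'""'` (the shape the unit tests in this patch use for an unset `allowed_units`) passes the check, `json.loads` turns it into `""`, and the second hunk forwards `ssl_ca=""` to the shared-db consumer instead of `None`; whether the consumer treats `""` and `None` alike is not visible here. Normalising both forms of absence to `None`, `_ssl_ca = (json.loads(_ssl_ca) or None) if _ssl_ca else None`, would give the consumer one unambiguous "no CA, no TLS" signal. The decode otherwise mirrors `_wait_timeout`, so a non-JSON value raises from `json.loads` and errors the hook, which is consistent with the existing handling. The added comment would be more useful stating the contract, e.g. `# SSL CA is optional; the relation carries it JSON-encoded and it is forwarded as-is to shared-db consumers`. The enclosing method starts and ends outside both hunks.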
@@ -24,13 +24,13 @@ tests_options:
 target_deploy_status:
 neutron-api-plugin-ovn:
 workload-status: waiting
-workload-status-message: "'ovsdb-cms' incomplete"
+workload-status-message: "'certificates' awaiting server certificate data, 'ovsdb-cms' incomplete"
 ovn-central:
-workload-status: blocked
-workload-status-message: "'certificates' missing"
+workload-status: waiting
+workload-status-message: "'ovsdb-peer' incomplete, 'certificates' awaiting server certificate data"
 ovn-chassis:
-workload-status: blocked
-workload-status-message: "'certificates' missing"
+workload-status: waiting
+workload-status-message: "'certificates' awaiting server certificate data"
 vault:
 workload-status: blocked
 workload-status-message: Vault needs to be initialized
diff --git a/src/wheelhouse.txt b/src/wheelhouse.txt
index 326ab4c..11c72f4 100644
--- a/src/wheelhouse.txt
+++ b/src/wheelhouse.txt
@@ -1,3 +1,2 @@
-jinja2
 psutil
 mysqlclient
diff --git a/unit_tests/test_lib_charm_openstack_mysql_router.py b/unit_tests/test_lib_charm_openstack_mysql_router.py
index 51780e6..7d4d8dd 100644
--- a/unit_tests/test_lib_charm_openstack_mysql_router.py
+++ b/unit_tests/test_lib_charm_openstack_mysql_router.py
@@ -452,6 +452,8 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 _json_wait_time = "90"
 _json_pass = '"pass"'
 _pass = json.loads(_json_pass)
+_json_ca = '"Certificate Authority"'
+_ca = json.loads(_json_ca)
 _local_unit = "kmr/5"
 _port = 3316
 self.db_router.password.return_value = _json_pass
@@ -462,8 +464,9 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 self.db_router.get_prefixes.return_value = [
 mrc._unprefixed, mrc.db_prefix]
 
-# Allowed Units unset and wait_time unset
+# Allowed Units, wait_time and ssl_ca unset
 self.db_router.wait_timeout.return_value = None
+self.db_router.ssl_ca.return_value = None
 self.db_router.allowed_units.return_value = '""'
 mrc.proxy_db_and_user_responses(
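Review bot: The unset scenario in hunk @@ -462 models an absent CA only as `self.db_router.ssl_ca.return_value = None`, while two lines below it the same scenario models an absent `allowed_units` as the JSON empty string `'""'`. If the db-router interface publishes `ssl_ca` the same way, that is the shape worth asserting, because the code under test decodes `'""'` to `""` and forwards it rather than `None`. Adding a third case with `self.db_router.ssl_ca.return_value = '""'` and an explicit `ssl_ca=` expectation in the following `assert_called_once_with` would pin which value the shared-db consumer actually receives. The enclosing test method starts before this hunk and its assertion lies in the next one.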
@@ -471,10 +474,11 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 self.keystone_shared_db.set_db_connection_info.assert_called_once_with(
 self.keystone_shared_db.relation_id, mrc.shared_db_address, _pass,
 allowed_units=None, prefix=None, wait_timeout=None,
-db_port=_port)
+db_port=_port, ssl_ca=None)
 
 # Allowed Units and wait time set correctly
 self.db_router.wait_timeout.return_value = _json_wait_time
+self.db_router.ssl_ca.return_value = _json_ca
 self.keystone_shared_db.set_db_connection_info.reset_mock()
 self.db_router.allowed_units.return_value = json.dumps(_local_unit)
 mrc.proxy_db_and_user_responses(
@@ -483,7 +487,7 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 self.keystone_shared_db.set_db_connection_info.assert_called_once_with(
 self.keystone_shared_db.relation_id, mrc.shared_db_address, _pass,
 allowed_units=self.keystone_unit_name, prefix=None,
-wait_timeout=_wait_time, db_port=_port)
+wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca)
 
 # Confirm msyqlrouter credentials are not sent over the shared-db
 # relation
@@ -495,6 +499,8 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 _json_wait_time = "90"
 _json_pass = '"pass"'
 _pass = json.loads(_json_pass)
+_json_ca = '"Certificate Authority"'
+_ca = json.loads(_json_ca)
 _local_unit = "nmr/5"
 _nova = "nova"
 _novaapi = "novaapi"
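Review bot: The comment `# Allowed Units and wait time set correctly` in hunk @@ -471 is now stale: the line added directly beneath it, `self.db_router.ssl_ca.return_value = _json_ca`, extends that scenario to the CA, whereas the matching "unset" comment in the preceding hunk was updated to name `ssl_ca`. Suggest `# Allowed Units, wait time and ssl_ca set correctly`. The same stale comment sits in hunk @@ -508 of the nova test, where the "unset" comment was updated to say `CA` rather than `ssl_ca`; one term for both tests would make the scenarios easier to grep. The enclosing test methods start outside these hunks.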
@@ -508,29 +514,31 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 self.db_router.get_prefixes.return_value = [
 mrc.db_prefix, _nova, _novaapi, _novacell0]
 
-# Allowed Units and wait time unset
+# Allowed Units, wait time and CA unset
 self.db_router.wait_timeout.return_value = None
+self.db_router.ssl_ca.return_value = None
 self.db_router.allowed_units.return_value = '""'
 mrc.proxy_db_and_user_responses(self.db_router, self.nova_shared_db)
 _calls = [
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=None, prefix=_nova,
-wait_timeout=None, db_port=_port),
+wait_timeout=None, db_port=_port, ssl_ca=None),
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=None, prefix=_novaapi,
-wait_timeout=None, db_port=_port),
+wait_timeout=None, db_port=_port, ssl_ca=None),
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=None, prefix=_novacell0,
-wait_timeout=None, db_port=_port),
+wait_timeout=None, db_port=_port, ssl_ca=None),
 ]
 self.nova_shared_db.set_db_connection_info.assert_has_calls(
 _calls, any_order=True)
 
 # Allowed Units and wait time set correctly
 self.db_router.wait_timeout.return_value = _json_wait_time
+self.db_router.ssl_ca.return_value = _json_ca
 self.nova_shared_db.set_db_connection_info.reset_mock()
 self.db_router.allowed_units.return_value = json.dumps(_local_unit)
 mrc.proxy_db_and_user_responses(self.db_router, self.nova_shared_db)
@@ -538,15 +546,15 @@ class TestMySQLRouterCharm(test_utils.PatchHelper):
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=self.nova_unit_name, prefix=_nova,
-wait_timeout=_wait_time, db_port=_port),
+wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=self.nova_unit_name, prefix=_novaapi,
-wait_timeout=_wait_time, db_port=_port),
+wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
 mock.call(
 self.nova_shared_db.relation_id, mrc.shared_db_address,
 _pass, allowed_units=self.nova_unit_name, prefix=_novacell0,
-wait_timeout=_wait_time, db_port=_port),
+wait_timeout=_wait_time, db_port=_port, ssl_ca=_ca),
 ]
 self.nova_shared_db.set_db_connection_info.assert_has_calls(
 _calls, any_order=True)