From 3c2a8699470e9c4bdf297102912320b31c0f4e8a Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Mon, 20 Mar 2023 14:18:09 +0900
Subject: [PATCH] Mysql: Enable SSL

Change-Id: Ia4276ef65947c36c5d3712859381bd7536018b0c
---
 manifests/aodh.pp | 1 +
 manifests/barbican.pp | 1 +
 manifests/cinder.pp | 1 +
 manifests/config.pp | 6 ++++++
 manifests/designate.pp | 1 +
 manifests/ec2api.pp | 1 +
 manifests/glance.pp | 1 +
 manifests/gnocchi.pp | 1 +
 manifests/heat.pp | 1 +
 manifests/ironic.pp | 2 ++
 manifests/keystone.pp | 1 +
 manifests/magnum.pp | 1 +
 manifests/manila.pp | 1 +
 manifests/mistral.pp | 1 +
 manifests/murano.pp | 1 +
 manifests/mysql.pp | 16 +++++++++++++++-
 manifests/neutron.pp | 1 +
 manifests/nova.pp | 2 ++
 manifests/octavia.pp | 1 +
 manifests/params.pp | 2 ++
 manifests/placement.pp | 1 +
 manifests/sahara.pp | 1 +
 manifests/trove.pp | 1 +
 manifests/vitrage.pp | 1 +
 manifests/watcher.pp | 1 +
 manifests/zaqar.pp | 2 +-
 26 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/manifests/aodh.pp b/manifests/aodh.pp
index 1639902b3..28bf21e3f 100644
--- a/manifests/aodh.pp
+++ b/manifests/aodh.pp
@@ -35,6 +35,7 @@ class openstack_integration::aodh (
 'password' => 'aodh',
 'database' => 'aodh',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'aodh':
diff --git a/manifests/barbican.pp b/manifests/barbican.pp
index 880109285..0b11198fa 100644
--- a/manifests/barbican.pp
+++ b/manifests/barbican.pp
@@ -31,6 +31,7 @@ class openstack_integration::barbican {
 'password' => 'barbican',
 'database' => 'barbican',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'barbican::keystone::auth':
diff --git a/manifests/cinder.pp b/manifests/cinder.pp
index 35335a317..a813cfebf 100644
--- a/manifests/cinder.pp
+++ b/manifests/cinder.pp
@@ -73,6 +73,7 @@ class openstack_integration::cinder ( 'password' => 'cinder', 'database' => 'cinder', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'cinder': diff --git a/manifests/config.pp b/manifests/config.pp index a642acee5..23631ab7c 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -24,6 +24,8 @@ class openstack_integration::config ( $notify_backend = 'rabbit', ) { + include openstack_integration::params + $messaging_default_proto = $rpc_backend $messaging_notify_proto = $notify_backend @@ -35,6 +37,9 @@ class openstack_integration::config ( $messaging_default_port = '5671' } $messaging_notify_port = '5671' + $db_extra = { + 'ssl_ca' => $::openstack_integration::params::ca_bundle_cert_path, + } } else { $proto = 'http' if $rpc_backend == 'amqp' { @@ -43,6 +48,7 @@ class openstack_integration::config ( $messaging_default_port = '5672' } $messaging_notify_port = '5672' + $db_extra = {} } $rabbit_port = $messaging_notify_port diff --git a/manifests/designate.pp b/manifests/designate.pp index 675899cd2..afb82519f 100644 --- a/manifests/designate.pp +++ b/manifests/designate.pp @@ -47,6 +47,7 @@ class openstack_integration::designate { 'password' => 'designate', 'database' => 'designate', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'designate::coordination': diff --git a/manifests/ec2api.pp b/manifests/ec2api.pp index f1222a5b5..0f44f7d1e 100644 --- a/manifests/ec2api.pp +++ b/manifests/ec2api.pp @@ -36,6 +36,7 @@ class openstack_integration::ec2api { 'password' => 'ec2api', 'database' => 'ec2api', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'ec2api::db::sync': } diff --git a/manifests/glance.pp b/manifests/glance.pp index 2310c7179..c9f25d11e 100644 --- a/manifests/glance.pp +++ b/manifests/glance.pp 
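Review bot: The new `$db_extra` is populated only with `ssl_ca` in the `$ssl` branch, so it enables server-certificate validation against the CA bundle but leaves hostname checking to the driver's defaults; if the intent is full identity verification of the database endpoint, this hash is the single place to express it (for example an `ssl_verify_identity` entry, provided the PyMySQL version in use honours it when passed through the connection URL — confirm before adding). A short comment would also help the two dozen manifests that consume it: `# Merged into every service's database connection string via os_database_connection 'extra'; carries the client-side TLS options when $ssl is set.` The enclosing `if $ssl` / `else` block and the class definition start outside these hunks.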
@@ -107,6 +107,7 @@ class openstack_integration::glance (
 'password' => 'glance',
 'database' => 'glance',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'glance::api':
diff --git a/manifests/gnocchi.pp b/manifests/gnocchi.pp
index b64c5252f..0d19a109e 100644
--- a/manifests/gnocchi.pp
+++ b/manifests/gnocchi.pp
@@ -42,6 +42,7 @@ class openstack_integration::gnocchi (
 'password' => 'gnocchi',
 'database' => 'gnocchi',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'gnocchi':
diff --git a/manifests/heat.pp b/manifests/heat.pp
index c2a11718e..c7610a783 100644
--- a/manifests/heat.pp
+++ b/manifests/heat.pp
@@ -53,6 +53,7 @@ class openstack_integration::heat (
 'password' => 'heat',
 'database' => 'heat',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'heat':
diff --git a/manifests/ironic.pp b/manifests/ironic.pp
index e05dae174..350e2fbeb 100644
--- a/manifests/ironic.pp
+++ b/manifests/ironic.pp
@@ -26,6 +26,7 @@ class openstack_integration::ironic {
 'password' => 'ironic',
 'database' => 'ironic',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'ironic':
@@ -110,6 +111,7 @@ class openstack_integration::ironic {
 'password' => 'ironic-inspector',
 'database' => 'ironic-inspector',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'ironic::inspector::ironic':
diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index 73ff84937..a2ab90432 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@@ -57,6 +57,7 @@ class openstack_integration::keystone (
 'password' => 'keystone',
 'database' => 'keystone',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'keystone::logging':
diff --git a/manifests/magnum.pp b/manifests/magnum.pp
index 14104bb87..0e2288040 100644
--- a/manifests/magnum.pp
+++ b/manifests/magnum.pp
@@ -69,6 +69,7 @@ class openstack_integration::magnum (
 'password' => 'magnum',
 'database' => 'magnum',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 
diff --git a/manifests/manila.pp b/manifests/manila.pp
index 1c32242ca..71682c73c 100644
--- a/manifests/manila.pp
+++ b/manifests/manila.pp
@@ -58,6 +58,7 @@ class openstack_integration::manila (
 'password' => 'manila',
 'database' => 'manila',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'manila':
diff --git a/manifests/mistral.pp b/manifests/mistral.pp
index 3d66324f6..d17a02b8f 100644
--- a/manifests/mistral.pp
+++ b/manifests/mistral.pp
@@ -33,6 +33,7 @@ class openstack_integration::mistral {
 'password' => 'mistral',
 'database' => 'mistral',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'mistral':
diff --git a/manifests/murano.pp b/manifests/murano.pp
index e3ad05297..ab8f5b05e 100644
--- a/manifests/murano.pp
+++ b/manifests/murano.pp
@@ -61,6 +61,7 @@ class openstack_integration::murano {
 'password' => 'murano',
 'database' => 'murano',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'murano::keystone::authtoken':
diff --git a/manifests/mysql.pp b/manifests/mysql.pp
index 57b2b1f9a..4b8c92269 100644
--- a/manifests/mysql.pp
+++ b/manifests/mysql.pp
@@ -1,13 +1,27 @@ class openstack_integration::mysql { include openstack_integration::config + include openstack_integration::params + + $mysql_conf_dir = $::openstack_integration::params::mysql_conf_dir + + if $::openstack_integration::config::ssl { + openstack_integration::ssl_key { 'mysql': + key_path => "${mysql_conf_dir}/${facts['networking']['fqdn']}.pem", + require => Package['mysql-server'], + notify => Service['mysqld'], + } + } class { 'mysql::server': override_options => { 'mysqld' => { 'bind-address' => $::openstack_integration::config::host, + 'ssl' => $::openstack_integration::config::ssl, + 'ssl-ca' => $::openstack_integration::params::ca_bundle_cert_path, + 'ssl-cert' => $::openstack_integration::params::cert_path, + 'ssl-key' => "${mysql_conf_dir}/${facts['networking']['fqdn']}.pem", }, }, } - } diff --git a/manifests/neutron.pp b/manifests/neutron.pp index b54e2bd13..869b9596c 100644 --- a/manifests/neutron.pp +++ b/manifests/neutron.pp @@ -234,6 +234,7 @@ class openstack_integration::neutron ( 'password' => 'neutron', 'database' => 'neutron', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'neutron::server': diff --git a/manifests/nova.pp b/manifests/nova.pp index 579a93d07..68cc26a39 100644 --- a/manifests/nova.pp +++ b/manifests/nova.pp @@ -111,6 +111,7 @@ class openstack_integration::nova ( 'password' => 'nova', 'database' => 'nova', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), api_database_connection => os_database_connection({ 'dialect' => 'mysql+pymysql', @@ -119,6 +120,7 @@ class openstack_integration::nova ( 'password' => 'nova', 'database' => 'nova_api', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'nova': diff --git a/manifests/octavia.pp b/manifests/octavia.pp index 13b9dbc87..4c62ca055 100644 --- a/manifests/octavia.pp +++ b/manifests/octavia.pp 
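Review bot: The `ssl-ca`, `ssl-cert` and `ssl-key` options in the `mysqld` section are emitted unconditionally while the key file is only managed inside `if $::openstack_integration::config::ssl`, so a non-SSL deployment still points the server at a key path that nothing creates; moving the three TLS options into the same conditional and merging them into the `mysqld` hash keeps the rendered config consistent with what is actually on disk. The key path `"${mysql_conf_dir}/${facts['networking']['fqdn']}.pem"` is also built twice and should be assigned once. The `openstack_integration::ssl_key` defined type is not visible here; since the key lands in the server's config directory, confirm it is written with owner and mode readable only by the mysqld service account. The hunk covers the whole class, so the rewrite below is self-contained.
```puppet
  $mysql_conf_dir = $::openstack_integration::params::mysql_conf_dir
  $ssl_key_path   = "${mysql_conf_dir}/${facts['networking']['fqdn']}.pem"

  if $::openstack_integration::config::ssl {
    openstack_integration::ssl_key { 'mysql':
      key_path => $ssl_key_path,
      # … unchanged: require => Package['mysql-server'], notify => Service['mysqld'] …
    }
    $ssl_options = {
      'ssl'      => true,
      'ssl-ca'   => $::openstack_integration::params::ca_bundle_cert_path,
      'ssl-cert' => $::openstack_integration::params::cert_path,
      'ssl-key'  => $ssl_key_path,
    }
  } else {
    $ssl_options = {}
  }

  class { 'mysql::server':
    override_options => {
      'mysqld' => {
        'bind-address' => $::openstack_integration::config::host,
      } + $ssl_options,
    },
  }
```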
@@ -40,6 +40,7 @@ class openstack_integration::octavia (
 'password' => 'octavia',
 'database' => 'octavia',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'octavia':
diff --git a/manifests/params.pp b/manifests/params.pp
index 68fde5bf4..ab5af4766 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -7,6 +7,7 @@ class openstack_integration::params {
 $update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
 $mysql_charset = 'utf8'
 $mysql_collate = 'utf8_general_ci'
+ $mysql_conf_dir = '/etc/my.cnf.d'
 }
 'Debian': {
 $ca_bundle_cert_path = '/etc/ssl/certs/puppet_openstack.pem'
@@ -14,6 +15,7 @@ class openstack_integration::params {
 $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates -f'
 $mysql_charset = 'utf8mb3'
 $mysql_collate = 'utf8mb3_general_ci'
+ $mysql_conf_dir = '/etc/mysql'
 }
 default: {
 fail("Unsupported osfamily: ${facts['os']['family']} operatingsystem")
diff --git a/manifests/placement.pp b/manifests/placement.pp
index b2d3fda39..613371ff1 100644
--- a/manifests/placement.pp
+++ b/manifests/placement.pp
@@ -48,6 +48,7 @@ class openstack_integration::placement {
 'password' => 'placement',
 'database' => 'placement',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 include placement::db::sync
diff --git a/manifests/sahara.pp b/manifests/sahara.pp
index d4c5b7409..87c110767 100644
--- a/manifests/sahara.pp
+++ b/manifests/sahara.pp
@@ -48,6 +48,7 @@ class openstack_integration::sahara (
 'password' => 'sahara',
 'database' => 'sahara',
 'charset' => 'utf8',
+ 'extra' => $::openstack_integration::config::db_extra,
 }),
 }
 class { 'sahara':
diff --git a/manifests/trove.pp b/manifests/trove.pp
index 77f65e8b4..6e2d8ad18 100644
--- a/manifests/trove.pp
+++ b/manifests/trove.pp
@@ -27,6 +27,7 @@ class openstack_integration::trove { 'password' => 'trove', 'database' => 'trove', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'trove': diff --git a/manifests/vitrage.pp b/manifests/vitrage.pp index 22ef1adaf..223fcba38 100644 --- a/manifests/vitrage.pp +++ b/manifests/vitrage.pp @@ -31,6 +31,7 @@ class openstack_integration::vitrage { 'password' => 'vitrage', 'database' => 'vitrage', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } diff --git a/manifests/watcher.pp b/manifests/watcher.pp index 7840158b8..a389a1595 100644 --- a/manifests/watcher.pp +++ b/manifests/watcher.pp @@ -29,6 +29,7 @@ class openstack_integration::watcher { 'password' => 'watcher', 'database' => 'watcher', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), } class { 'watcher::keystone::auth': diff --git a/manifests/zaqar.pp b/manifests/zaqar.pp index 5230ed676..3030b5e7d 100644 --- a/manifests/zaqar.pp +++ b/manifests/zaqar.pp @@ -38,8 +38,8 @@ class openstack_integration::zaqar { 'password' => 'zaqar', 'database' => 'zaqar', 'charset' => 'utf8', + 'extra' => $::openstack_integration::config::db_extra, }), - } class {'zaqar::messaging::swift': auth_url => "${::openstack_integration::config::keystone_auth_uri}/v3",