Internal TLS: Use specific CA file for mysql-client

Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-05-03 12:56:17 +03:00 · 2017-05-03 12:56:17 +03:00 · be4bc8f3f2
parent 9697f70dcb
commit be4bc8f3f2
1 changed files with 6 additions and 0 deletions
--- a/puppet/services/database/mysql-client.yaml
+++ b/puppet/services/database/mysql-client.yaml
@ -21,6 +21,11 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.

 outputs:
  role_data:
@ -30,5 +35,6 @@ outputs:
      config_settings:
        tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]}
        tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS}
+        tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile}
      step_config: |
        include ::tripleo::profile::base::database::mysql::client