Internal TLS: Use specific CA file for mysql-client
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways:

* Improves performance, since validation will check only one certificate.
* Improves security, since only certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs).

Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7
Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
parent
9697f70dcb
commit
be4bc8f3f2
|
@ -21,6 +21,11 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -30,5 +35,6 @@ outputs:
|
|||
config_settings:
|
||||
tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS}
|
||||
tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::database::mysql::client
|
||||
|
|
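Review bot: Pinning `ssl_ca` to a single CA file (the `tripleo::profile::base::database::mysql::client::ssl_ca` line in the second hunk) restricts which issuer is accepted, but on its own it does not make the client check that the server certificate's name matches the host it connected to; in the MySQL client that is a separate `ssl-verify-server-cert` setting, and nothing in this hunk shows it being enabled, so whether the puppet profile turns it on should be confirmed before the "only certificates signed by one CA are valid" claim in the description is relied on as the full guarantee. The `InternalTLSCAFile` description in the first hunk could also state that the path is consumed even when `EnableInternalTLS` is false (the `ssl_ca` setting is emitted unconditionally), e.g. `description: CA certificate file used to validate TLS services on the internal network; always passed to the mysql client and only enforced when EnableInternalTLS is true`. The enclosing `parameters:` and `outputs:` mappings start and end outside the visible hunks.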