diff --git a/manifests/controller.pp b/manifests/controller.pp
index c3db26c..d01c1d5 100644
--- a/manifests/controller.pp
+++ b/manifests/controller.pp
@@ -173,6 +173,10 @@ class openstack::controller (
 $mysql_bind_address = '0.0.0.0',
 $sql_idle_timeout = undef,
 $allowed_hosts = '%',
+ $mysql_ssl = false,
+ $mysql_ca = undef,
+ $mysql_cert = undef,
+ $mysql_key = undef,
 # Keystone
 $keystone_host = '127.0.0.1',
 $keystone_db_user = 'keystone',
@@ -310,6 +314,10 @@ class openstack::controller (
 mysql_root_password => $mysql_root_password,
 mysql_bind_address => $mysql_bind_address,
 mysql_account_security => $mysql_account_security,
+ mysql_ssl => $mysql_ssl,
+ mysql_ca => $mysql_ca,
+ mysql_cert => $mysql_cert,
+ mysql_key => $mysql_key,
 keystone_db_user => $keystone_db_user,
 keystone_db_password => $keystone_db_password,
 keystone_db_dbname => $keystone_db_dbname,
@@ -343,6 +351,8 @@ class openstack::controller (
 db_password => $keystone_db_password,
 db_name => $keystone_db_dbname,
 db_user => $keystone_db_user,
+ db_ssl => $mysql_ssl,
+ db_ssl_ca => $mysql_ca,
 idle_timeout => $sql_idle_timeout,
 admin_token => $keystone_admin_token,
 admin_tenant => $keystone_admin_tenant,
@@ -385,6 +395,8 @@ class openstack::controller (
 verbose => $verbose,
 db_type => $db_type,
 db_host => $db_host,
+ db_ssl => $mysql_ssl,
+ db_ssl_ca => $mysql_ca,
 sql_idle_timeout => $sql_idle_timeout,
 keystone_host => $keystone_host,
 registry_host => $glance_registry_host,
diff --git a/manifests/db/mysql.pp b/manifests/db/mysql.pp
index f3f2824..7a65607 100644
--- a/manifests/db/mysql.pp
+++ b/manifests/db/mysql.pp
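Review bot: `$mysql_ssl`, `$mysql_ca`, `$mysql_cert` and `$mysql_key` are added to `openstack::controller` without matching entries in this file's header comment, while the db/mysql.pp hunk in the same change does document the equivalents. Lines mirroring those, e.g. `# [mysql_ssl] Enable SSL in the mysql server and in the keystone/glance DB connections. Default is false.` and `# [mysql_ca] Path to the CA certificate in PEM format; also used as the client trust anchor by keystone and glance.`, would tell operators that the single CA setting drives both the server and its clients on this host. The class's parameter list begins and ends outside this hunk.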
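Review bot: The `@@ -385` hunk passes `db_ssl`/`db_ssl_ca` to `openstack::glance` and the `@@ -343` hunk to `openstack::keystone`, but no hunk in this diff passes them to `openstack::nova::controller`, even though that class gains the same two parameters in manifests/nova/controller.pp further down. Unless the nova declaration is updated somewhere outside this diff, an all-in-one controller with `mysql_ssl => true` would still have nova connect to MySQL in the clear while keystone and glance use TLS, and the controller spec added here only asserts the keystone and glance connection strings. Adding `db_ssl => $mysql_ssl,` and `db_ssl_ca => $mysql_ca,` to the `openstack::nova::controller` declaration (which lies outside these hunks) plus a matching spec assertion would close that gap.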
@@ -15,6 +15,10 @@
 # [ceilometer_db_password] Password for ceilometer database. Required.
 # [mysql_bind_address] Address that mysql will bind to. Optional .Defaults to '0.0.0.0'.
 # [mysql_account_security] If a secure mysql db should be setup. Optional .Defaults to true.
+# [mysql_ssl] Enable SSL in the mysql server. Default is false.
+# [mysql_ca] The path to the CA certificate in PEM format.
+# [mysql_cert] The path to the server certificate in PEM format.
+# [mysql_key] The path to the server private key in PEM format, unencrypted.
 # [keystone_db_user] DB user for keystone. Optional. Defaults to 'keystone'.
 # [keystone_db_dbname] DB name for keystone. Optional. Defaults to 'keystone'.
 # [glance_db_user] DB user for glance. Optional. Defaults to 'glance'.
@@ -63,6 +67,10 @@ class openstack::db::mysql (
 # MySQL
 $mysql_bind_address = '0.0.0.0',
 $mysql_account_security = true,
+ $mysql_ssl = false,
+ $mysql_ca = undef,
+ $mysql_cert = undef,
+ $mysql_key = undef,
 # Keystone
 $keystone_db_user = 'keystone',
 $keystone_db_dbname = 'keystone',
@@ -95,6 +103,10 @@ class openstack::db::mysql (
 config_hash => {
 'root_password' => $mysql_root_password,
 'bind_address' => $mysql_bind_address,
+ 'ssl' => $mysql_ssl,
+ 'ssl_ca' => $mysql_ca,
+ 'ssl_cert' => $mysql_cert,
+ 'ssl_key' => $mysql_key,
 },
 enabled => $enabled,
 }
diff --git a/manifests/glance.pp b/manifests/glance.pp
index 9aa4734..8fb5962 100644
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
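Review bot: In the `@@ -95` hunk the three path values are handed to `mysql::server`'s `config_hash` even when `$mysql_ssl` is false (as `undef`), and nothing checks that they are set when it is true, so `mysql_ssl => true` without a certificate compiles cleanly and is only noticed when mysqld refuses to start or, depending on the server version, starts without TLS. A guard ahead of the `class { 'mysql::server': ... }` declaration (which begins above the hunk), `if $mysql_ssl and ! ($mysql_ca and $mysql_cert and $mysql_key) { fail('mysql_ssl requires mysql_ca, mysql_cert and mysql_key') }`, turns that misconfiguration into a catalog compile error. How `mysql::server` renders an `undef` value for `ssl_ca`/`ssl_cert`/`ssl_key` is not visible here; if it emits a bare `ssl_ca =` line, passing those keys only when `$mysql_ssl` is true would be safer. Since the header comment describes `mysql_key` as an unencrypted private key, it is worth stating there that this class does not manage that file's ownership or mode and that it must remain readable by the mysql service user only.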
@@ -18,6 +18,8 @@
 # [registry_host] Address used by API to find the Registry service. Optional. Defaults to '0.0.0.0'
 # [bind_host] Address for binding API and Registry services. Optional. Defaults to '0.0.0.0'
 # [db_type] Type of sql databse to use. Optional. Defaults to 'mysql'
+# [db_ssl] Boolean whether to use SSL for database. Defaults to false.
+# [db_ssl_ca] If db_ssl is true, this is used in the connection to define the CA. Default undef.
 # [db_user] Name of glance DB user. Optional. Defaults to 'glance'
 # [db_name] Name of glance DB. Optional. Defaults to 'glance'
 # [backend] Backends used to store images. Defaults to file.
@@ -48,6 +50,8 @@ class openstack::glance (
 $registry_host = '0.0.0.0',
 $bind_host = '0.0.0.0',
 $db_type = 'mysql',
+ $db_ssl = false,
+ $db_ssl_ca = undef,
 $db_user = 'glance',
 $db_name = 'glance',
 $backend = 'file',
@@ -62,10 +66,17 @@ class openstack::glance (
 ) {
 # Configure the db string
- if $db_type == 'mysql' {
- $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
- } else {
- fail("Unsupported db_type ${db_type}. Only mysql is currently supported")
+ case $db_type {
+ 'mysql': {
+ if $db_ssl == true {
+ $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}?ssl_ca=${db_ssl_ca}"
+ } else {
+ $sql_connection = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+ }
+ }
+ default: {
+ fail("db_type ${db_type} is not supported")
+ }
 }
 # Install and configure glance-api
diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index be24f12..1cca446 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
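Review bot: The SSL branch in the `@@ -62` hunk interpolates `$db_ssl_ca` unconditionally, so `db_ssl => true` with `db_ssl_ca` left at its `undef` default yields `...?ssl_ca=` with an empty value — a catalog that compiles happily and a connection that only fails (or, depending on the driver, negotiates TLS without a usable trust anchor) at service start. A guard before the string, `if $db_ssl and ! $db_ssl_ca { fail('db_ssl_ca is required when db_ssl is true') }`, makes that a compile-time error. The same gap is in keystone.pp's `@@ -127` hunk and nova/controller.pp's `@@ -107` hunk. Whether `ssl_ca` also makes the client verify the server's hostname depends on the MySQL driver the service uses and is not decidable from this manifest; the `db_ssl_ca` header line could say it only sets the CA used to validate the server certificate.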
@@ -18,6 +18,8 @@
 # [token_format] Format keystone uses for tokens. Optional. Defaults to PKI.
 # Supports PKI and UUID.
 # [db_type] Type of DB used. Currently only supports mysql. Optional. Defaults to 'mysql'
+# [db_ssl] Boolean whether to use SSL for database. Defaults to false.
+# [db_ssl_ca] If db_ssl is true, this is used in the connection to define the CA. Default undef.
 # [db_user] Name of keystone db user. Optional. Defaults to 'keystone'
 # [db_name] Name of keystone DB. Optional. Defaults to 'keystone'
 # [admin_tenant] Name of keystone admin tenant. Optional. Defaults to 'admin'
@@ -65,6 +67,8 @@ class openstack::keystone (
 $db_type = 'mysql',
 $db_user = 'keystone',
 $db_name = 'keystone',
+ $db_ssl = false,
+ $db_ssl_ca = undef,
 $admin_tenant = 'admin',
 $verbose = false,
 $debug = false,
@@ -127,7 +131,11 @@ class openstack::keystone (
 # Install and configure Keystone
 if $db_type == 'mysql' {
- $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+ if $db_ssl == true {
+ $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}?ssl_ca=${db_ssl_ca}"
+ } else {
+ $sql_conn = "mysql://${db_user}:${db_password}@${db_host}/${db_name}"
+ }
 } else {
 fail("db_type ${db_type} is not supported")
 }
diff --git a/manifests/nova/controller.pp b/manifests/nova/controller.pp
index 5a8004a..491dfdf 100644
--- a/manifests/nova/controller.pp
+++ b/manifests/nova/controller.pp
@@ -90,6 +90,8 @@ class openstack::nova::controller (
 $rabbit_cluster_nodes = false,
 # Database
 $db_type = 'mysql',
+ $db_ssl = false,
+ $db_ssl_ca = undef,
 $sql_idle_timeout = '3600',
 # Glance
 $glance_api_servers = undef,
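Review bot: `$db_ssl` and `$db_ssl_ca` are added to `openstack::nova::controller`'s parameter list in the `@@ -90` hunk without header documentation, whereas the glance.pp and keystone.pp hunks in this diff document their counterparts. Adding `# [db_ssl] Boolean whether to use SSL for database. Defaults to false.` and `# [db_ssl_ca] If db_ssl is true, this is used in the connection to define the CA. Default undef.` to this file's header would keep the three classes readable in the same way. The parameter list continues outside the hunk.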
@@ -107,9 +109,14 @@ class openstack::nova::controller (
 # Configure the db string
 case $db_type {
 'mysql': {
- $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}"
+ if $db_ssl == true {
+ $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}?ssl_ca=${db_ssl_ca}"
+ } else {
+ $nova_db = "mysql://${nova_db_user}:${nova_db_password}@${db_host}/${nova_db_dbname}"
+ }
 }
 default: {
+ fail("db_type ${db_type} is not supported")
 }
 }
diff --git a/spec/classes/openstack_controller_spec.rb b/spec/classes/openstack_controller_spec.rb
index 448e094..954f0a9 100644
--- a/spec/classes/openstack_controller_spec.rb
+++ b/spec/classes/openstack_controller_spec.rb
@@ -173,6 +173,35 @@ describe 'openstack::controller' do
 it { should_not contain_class('mysql::server::account_security')}
 end
+ context 'with default SSL params, disabled' do
+
+ it 'SSL in mysql should be disabled' do
+ config_hash = param_value(subject, 'class', 'mysql::server', 'config_hash')
+ config_hash['ssl'].should == false
+ end
+
+ end
+
+ context 'SSL is enabled' do
+ let :params do
+ default_params.merge(
+ :mysql_ssl => true,
+ :mysql_ca => '/etc/mysql/ca.pem',
+ :mysql_cert => '/etc/mysql/server.pem',
+ :mysql_key => '/etc/mysql/server.key'
+ )
+ end
+
+ it 'should configure mysql server' do
+ config_hash = param_value(subject, 'class', 'mysql::server', 'config_hash')
+ config_hash['ssl'].should == true
+ config_hash['ssl_ca'].should == '/etc/mysql/ca.pem'
+ config_hash['ssl_cert'].should == '/etc/mysql/server.pem'
+ config_hash['ssl_key'].should == '/etc/mysql/server.key'
+ end
+
+ end
+
 end
 context 'keystone' do
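Review bot: The 'with default SSL params, disabled' context in the `@@ -173` hunk asserts only `config_hash['ssl'].should == false`; the db/mysql.pp hunk in this diff passes `ssl_ca`, `ssl_cert` and `ssl_key` into that same hash unconditionally, and nothing pins what they hold when SSL is off. Adding `config_hash['ssl_ca'].should be_nil` (and the same for `ssl_cert`/`ssl_key`, using whatever value this Puppet version surfaces for `undef` in a hash — confirm against the catalog) would catch a regression where a stale path is emitted into the server config while SSL is disabled.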
@@ -307,6 +336,24 @@ describe 'openstack::controller' do
 end
 end
 end
+
+ context 'with mysql SSL enabled' do
+
+ let :params do
+ default_params.merge(
+ :mysql_ssl => true,
+ :mysql_ca => '/etc/mysql/ca.pem',
+ :mysql_cert => '/etc/mysql/server.pem',
+ :mysql_key => '/etc/mysql/server.key'
+ )
+ end
+
+ it 'should configure keystone with SSL mysql connection' do
+ should contain_class('keystone').with(
+ :sql_connection => "mysql://keystone:keystone_pass@127.0.0.1/keystone?ssl_ca=/etc/mysql/ca.pem"
+ )
+ end
+ end
 end
 it do
@@ -431,6 +478,25 @@ describe 'openstack::controller' do
 )
 end
 end
+
+ context 'with mysql SSL enabled' do
+
+ let :params do
+ default_params.merge(
+ :mysql_ssl => true,
+ :mysql_ca => '/etc/mysql/ca.pem',
+ :mysql_cert => '/etc/mysql/server.pem',
+ :mysql_key => '/etc/mysql/server.key'
+ )
+ end
+
+ it 'should configure glance with SSL mysql connection' do
+ should contain_class('glance::api').with(
+ :sql_connection => "mysql://glance:glance_pass@127.0.0.1/glance?ssl_ca=/etc/mysql/ca.pem"
+ )
+ end
+ end
+
 end
 context 'config for nova' do
diff --git a/spec/classes/openstack_glance_spec.rb b/spec/classes/openstack_glance_spec.rb
index 0dd1163..4197276 100644
--- a/spec/classes/openstack_glance_spec.rb
+++ b/spec/classes/openstack_glance_spec.rb
@@ -57,7 +57,7 @@ describe 'openstack::glance' do
 params.merge!(:db_type => 'sqlite' )
 end
 it 'should fail' do
- expect { subject }.to raise_error(Puppet::Error, /Unsupported db_type sqlite/)
+ expect { subject }.to raise_error(Puppet::Error, /db_type sqlite is not supported/)
 end
 end
@@ -135,4 +135,19 @@ describe 'openstack::glance' do
 end
 end
+ describe 'when configuring mysql with SSL' do
+ before do
+ params.merge!({
+ :db_ssl => true,
+ :db_ssl_ca => '/etc/mysql/ca.pem'
+ })
+ end
+
+ it 'should configure mysql properly' do
+ should contain_class('glance::registry').with(
+ :sql_connection => 'mysql://glance:glance_db_pass@127.0.0.1/glance?ssl_ca=/etc/mysql/ca.pem'
+ )
+ end
+ end
+
 end
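Review bot: The `let :params` block in the `@@ -307` hunk repeats the one in the mysql context of the `@@ -173` hunk and again in the glance context of the `@@ -431` hunk, with the same four literals each time. A `shared_context 'with mysql SSL enabled'` (or a describe-level `let(:ssl_params)`) merged into `default_params` would keep the three in step when the paths or parameter names change. Only `:mysql_ssl` and `:mysql_ca` influence the keystone and glance connection-string assertions; the `:mysql_cert`/`:mysql_key` entries are noise in those two contexts.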
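Review bot: The example in the `@@ -135` hunk asserts the SSL connection string only on `glance::registry`, while the controller spec in this same diff checks it on `glance::api`; whether `openstack::glance` hands its single `$sql_connection` to both classes is not visible in the glance.pp hunks, so asserting `contain_class('glance::api').with(:sql_connection => ...)` here as well would pin it. None of the three new SSL specs (this one, keystone `@@ -158`, nova `@@ -96`) covers `:db_ssl => true` with `:db_ssl_ca` unset, which is the case where the manifests produce an `?ssl_ca=` suffix with no value; a test such as `expect { subject }.to raise_error(Puppet::Error, /db_ssl_ca/)` would document the intended behaviour once the manifests reject that combination. This `describe` block is the last one in the file and its closing `end` is inside the hunk.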
diff --git a/spec/classes/openstack_keystone_spec.rb b/spec/classes/openstack_keystone_spec.rb
index 5889039..417a67b 100644
--- a/spec/classes/openstack_keystone_spec.rb
+++ b/spec/classes/openstack_keystone_spec.rb
@@ -158,4 +158,19 @@ describe 'openstack::keystone' do
 end
 end
+ describe 'when configuring mysql with SSL' do
+ let :params do
+ required_params.merge(
+ :db_ssl => true,
+ :db_ssl_ca => '/etc/mysql/ca.pem'
+ )
+ end
+
+ it 'should configure mysql properly' do
+ should contain_class('keystone').with(
+ :sql_connection => 'mysql://keystone:pass@127.0.0.1/keystone?ssl_ca=/etc/mysql/ca.pem'
+ )
+ end
+ end
+
 end
diff --git a/spec/classes/openstack_nova_controller_spec.rb b/spec/classes/openstack_nova_controller_spec.rb
index 2fe3d72..9983aec 100644
--- a/spec/classes/openstack_nova_controller_spec.rb
+++ b/spec/classes/openstack_nova_controller_spec.rb
@@ -96,4 +96,18 @@ describe 'openstack::nova::controller' do
 )
 end
 end
+
+ context 'when configuring SSL' do
+ let :params do
+ default_params.merge(
+ :db_ssl => true,
+ :db_ssl_ca => '/etc/mysql/ca.pem'
+ )
+ end
+ it 'should configure SSL' do
+ should contain_class('nova').with(
+ :sql_connection => 'mysql://nova:nova_db_pass@127.0.0.1/nova?ssl_ca=/etc/mysql/ca.pem'
+ )
+ end
+ end
 end