
Add DB SSL support

Change-Id: Ic13c24e32b9259cba432db0b25d7145f0614c248
Depends-On: I9e6d9ee439cab734eba02320d58ccfcd73e23106
changes/35/431035/2
Proskurin Kirill 2 years ago
f5127808a9
3 changed files with 8 additions and 4 deletions
  1. 1
    1
      service/files/backup.sh.j2
  2. 1
    1
      service/files/keystone.conf.j2
  3. 6
    2
      service/keystone.yaml

+ 1
- 1
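--- a/service/files/backup.sh.j2
+++ b/service/files/backup.sh.j2
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 set -o pipefail
 BACKUP_FILE="/var/ccp/backup/keystone/backup-$(date "+%Y%m%d%H%M%S").sql"
-mysqldump -h {{ address(service.database) }} \
+mysqldump {% if percona.tls.enabled %} --ssl-mode REQUIRED {% endif %} -h {{ address(service.database) }} \
     -u {{ keystone.db.username }} -p{{ keystone.db.password }} \
     --single-transaction {{ keystone.db.name }} > "${BACKUP_FILE}"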
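Review bot: `--ssl-mode REQUIRED` on the new mysqldump line only forces an encrypted channel and does not verify the server certificate, while the keystone.conf.j2 hunk in this same change points the service at `/opt/ccp/etc/tls/ca.pem`. If that CA file is also available in the backup container, `--ssl-mode=VERIFY_CA --ssl-ca=/opt/ccp/etc/tls/ca.pem` would give the backup the same trust assumption as the service; otherwise a short comment above the line stating why encryption-only is acceptable for the backup would help. The `=` form is the documented spelling for long options that take a value; whether the space-separated form works depends on the client's option parser, so it is worth checking against the Percona client in the image. Note also that all three templates in this change (this hunk, keystone.conf.j2 and keystone.yaml) branch on `{% if percona.tls.enabled %}`, and if that key is simply absent rather than false, Jinja's default Undefined evaluates falsy and TLS is silently dropped; rendering with StrictUndefined or giving the key an explicit default in the configuration schema would make that failure loud.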

+ 1
- 1
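--- a/service/files/keystone.conf.j2
+++ b/service/files/keystone.conf.j2
@@ -8,7 +8,7 @@ notification_format = {{ keystone.notifications.format }}
 {% endif %}
 
 [database]
-connection = mysql+pymysql://{{ keystone.db.username }}:{{ keystone.db.password }}@{{ address(service.database) }}/{{ keystone.db.name }}
+connection = mysql+pymysql://{{ keystone.db.username }}:{{ keystone.db.password }}@{{ address(service.database) }}/{{ keystone.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1
 max_overflow = 60
 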
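Review bot: The appended `?ssl_ca=/opt/ccp/etc/tls/ca.pem` turns on TLS with CA verification for the keystone connection, but nothing here expresses hostname verification; whether the driver checks the certificate subject against `address(service.database)` depends on the PyMySQL version shipped in the image, so it should be confirmed rather than assumed. A comment above the `connection =` line recording the intended guarantee, e.g. `# TLS to the database with CA pinning to ca.pem; hostname verification by the driver — confirm`, would document the decision for the next reader. The CA path is hard-coded while the TLS toggle is templated; if the path is already exposed by the percona configuration, templating it here keeps the two in step.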

+ 6
- 2
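--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -30,8 +30,12 @@ service:
           type: single
           command:
             mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ keystone.db.name }};
-            grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}';
-            grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}';"
+            create user '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+            {% if percona.tls.enabled %} require ssl {% endif %};
+            grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+            {% if percona.tls.enabled %} require ssl {% endif %};
+            grant super on *.* to '{{ keystone.db.username }}'@'%' identified by '{{ keystone.db.password }}'
+            {% if percona.tls.enabled %} require ssl {% endif %};"
         - name: keystone-db-sync
           files:
             - keystone-conf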
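Review bot: The new `create user '{{ keystone.db.username }}'@'%' identified by ...` statement fails with a duplicate-user error if this bootstrap job is re-run against a database where the account already exists, whereas the replaced `grant ... identified by` form created the account implicitly and was re-runnable. `create user if not exists ...` (MySQL 5.7.6+, if the Percona build in use supports it) restores that, with the caveat that `require ssl` would then not be applied to an account created before TLS was enabled, which an `alter user ... require ssl` statement would cover. Once the account is created explicitly, the `identified by` and `require ssl` clauses repeated on both `grant` statements are redundant and can be dropped, so the `grant` lines reduce to `grant all privileges on {{ keystone.db.name }}.* to '{{ keystone.db.username }}'@'%';`. The `grant super on *.*` line is carried over from the removed lines; it is a global privilege well beyond what a schema owner needs, and a comment naming the reason it is required would help the next reviewer decide whether it can go.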
