authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-02-23 15:03:56 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-02-28 06:56:59 +0000
commitfb40fb82f4f98d563af12737a1c433ee4260a43c (patch)
tree43c2af07c2c6326955ac2a9470230964300e1910
parent8250ec96114b6b617ac55b7966dc8581d9c8618a (diff)
Configure MySQL client SSL connections via the config file
This does the actual configuration for the mysql client to use SSL if the parameter is set via t-h-t. Change-Id: I24e4c195a31109835739e78a6b53d36f661f9fd0 Depends-On: Ifd1a06e0749a05a65f6314255843f572d2209067
-rw-r--r--manifests/profile/base/database/mysql/client.pp31
1 files changed, 26 insertions, 5 deletions
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index f23b97d..a58b7ad 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -18,6 +18,11 @@
#
# === Parameters
#
+# [*enable_ssl*]
+# (Optional) Whether SSL should be used for the connection to the server or
+# not.
+# Defaults to false
+#
# [*mysql_read_default_file*]
# (Optional) Name of the file that will be passed to pymysql connection strings
# Defaults to hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf')
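Review bot: The `enable_ssl` description does not say what the class writes to the client config file, and both values of the flag modify it. Further down in this commit the true branch sets `ssl` and `ssl-ca` in the `mysql_read_default_group` section, and the false branch removes both keys. Suggest extending the text with something like `# When true, sets ssl and ssl-ca in the read_default_group section of mysql_read_default_file; when false, removes both keys.` so that an operator who set those keys by hand knows the default value will strip them on the next run.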
@@ -36,10 +41,11 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::database::mysql::client (
+ $enable_ssl = false,
$mysql_read_default_file = hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf'),
$mysql_read_default_group = hiera('tripleo::profile::base:database::mysql::read_default_group', 'tripleo'),
$mysql_client_bind_address = hiera('tripleo::profile::base:database::mysql::client_bind_address', undef),
- $step = hiera('step'),
+ $step = hiera('step'),
) {
if $step >= 1 {
# If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not
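Review bot: `$enable_ssl` is accepted without any type check, and in Puppet a non-empty string such as `'false'` is truthy, so a string value arriving from hieradata would select the SSL branch regardless of what was intended. Consider validating it at the top of the class body with `validate_bool($enable_ssl)` (stdlib is already relied on for `union` later in this commit), or declaring it as `Boolean $enable_ssl = false` if the module only targets Puppet 4 or later. The class body continues past the end of this hunk.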
@@ -50,23 +56,38 @@ class tripleo::profile::base::database::mysql::client (
# included on this node as well (we'd get duplicate declaration in such a
# situation when using file)
if $mysql_client_bind_address {
- $changes = [
+ $client_bind_changes = [
"set ${mysql_read_default_group}/bind-address '${mysql_client_bind_address}'"
]
} else {
- $changes = [
+ $client_bind_changes = [
"rm ${mysql_read_default_group}/bind-address"
]
}
+
+ if $enable_ssl {
+ $changes_ssl = [
+ "set ${mysql_read_default_group}/ssl '1'",
+ "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'"
+ ]
+ } else {
+ $changes_ssl = [
+ "rm ${mysql_read_default_group}/ssl",
+ "rm ${mysql_read_default_group}/ssl-ca"
+ ]
+ }
+
+ $conf_changes = union($client_bind_changes, $changes_ssl)
+
exec { 'directory-create-etc-my.cnf.d':
command => 'mkdir -p /etc/my.cnf.d',
path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
} ->
# Create /etc/my.cnf.d/tripleo.cnf with the [tripleo]bind-address=<IP of the node in the mysql network>
- augeas { 'mysql-bind-address':
+ augeas { 'tripleo-mysql-client-conf':
incl => $mysql_read_default_file,
lens => 'Puppet.lns',
- changes => $changes,
+ changes => $conf_changes,
}
}
}
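Review bot: The `ssl-ca` line pins the client to the system-wide trust bundle under `/etc/pki/ca-trust/extracted/`, so a server certificate chaining to any CA in that bundle is accepted, not only the CA that issues the deployment's database certificates. Consider exposing the path as a class parameter that keeps the current value as its default and writing `"set ${mysql_read_default_group}/ssl-ca '${ssl_ca}'"` (`$ssl_ca` being a proposed name). Nothing in these changes asks for the server's hostname to be checked against its certificate; whether that happens depends on the client that reads this group, so it is worth confirming for the pymysql version deployed. The comment above the augeas resource still describes only bind-address and could read `# Manage the bind-address and SSL settings of the [tripleo] group in /etc/my.cnf.d/tripleo.cnf`. The class and the `if $step >= 1` block both open above this hunk.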