author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-02-23 15:03:56 +0200 |
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-02-28 06:56:59 +0000 |
commit | fb40fb82f4f98d563af12737a1c433ee4260a43c (patch) | |
tree | 43c2af07c2c6326955ac2a9470230964300e1910 /manifests/profile/base/database/mysql | |
parent | 8250ec96114b6b617ac55b7966dc8581d9c8618a (diff) |
Configure MySQL client SSL connections via the config file
This does the actual configuration for the mysql client to use SSL if
the parameter is set via t-h-t.
Change-Id: I24e4c195a31109835739e78a6b53d36f661f9fd0
Depends-On: Ifd1a06e0749a05a65f6314255843f572d2209067
Diffstat (limited to 'manifests/profile/base/database/mysql')
-rw-r--r-- | manifests/profile/base/database/mysql/client.pp | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/manifests/profile/base/database/mysql/client.pp b/manifests/profile/base/database/mysql/client.pp
index f23b97d..a58b7ad 100644
--- a/manifests/profile/base/database/mysql/client.pp
+++ b/manifests/profile/base/database/mysql/client.pp
@@ -18,6 +18,11 @@
 #
 # === Parameters
 #
+# [*enable_ssl*]
+# (Optional) Whether SSL should be used for the connection to the server or
+# not.
+# Defaults to false
+#
 # [*mysql_read_default_file*]
 # (Optional) Name of the file that will be passed to pymysql connection strings
 # Defaults to hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf')
@@ -36,10 +41,11 @@
 # Defaults to hiera('step')
 #
 class tripleo::profile::base::database::mysql::client (
+ $enable_ssl = false,
 $mysql_read_default_file = hiera('tripleo::profile::base:database::mysql::read_default_file', '/etc/my.cnf.d/tripleo.cnf'),
 $mysql_read_default_group = hiera('tripleo::profile::base:database::mysql::read_default_group', 'tripleo'),
 $mysql_client_bind_address = hiera('tripleo::profile::base:database::mysql::client_bind_address', undef),
- $step = hiera('step'),
+ $step = hiera('step'),
 ) {
 if $step >= 1 {
 # If the folder /etc/my.cnf.d does not exist (e.g. if mariadb is not
@@ -50,23 +56,38 @@ class tripleo::profile::base::database::mysql::client (
 # included on this node as well (we'd get duplicate declaration in such a
 # situation when using file)
 if $mysql_client_bind_address {
- $changes = [
+ $client_bind_changes = [
 "set ${mysql_read_default_group}/bind-address '${mysql_client_bind_address}'"
 ]
 } else {
- $changes = [
+ $client_bind_changes = [
 "rm ${mysql_read_default_group}/bind-address"
 ]
 }
+
+ if $enable_ssl {
+ $changes_ssl = [
+ "set ${mysql_read_default_group}/ssl '1'",
+ "set ${mysql_read_default_group}/ssl-ca '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'"
+ ]
+ } else {
+ $changes_ssl = [
+ "rm ${mysql_read_default_group}/ssl",
+ "rm ${mysql_read_default_group}/ssl-ca"
+ ]
+ }
+
+ $conf_changes = union($client_bind_changes, $changes_ssl)
+
 exec { 'directory-create-etc-my.cnf.d':
 command => 'mkdir -p /etc/my.cnf.d',
 path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
 } ->
 # Create /etc/my.cnf.d/tripleo.cnf with the [tripleo]bind-address=<IP of the node in the mysql network>
- augeas { 'mysql-bind-address':
+ augeas { 'tripleo-mysql-client-conf':
 incl => $mysql_read_default_file,
 lens => 'Puppet.lns',
- changes => $changes,
+ changes => $conf_changes,
 }
 }
 } |
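Review bot: The `if $enable_ssl` branch sets `ssl '1'` and `ssl-ca` but never sets `ssl-verify-server-cert`, so a libmysqlclient/MariaDB client that reads the `${mysql_read_default_group}` group negotiates an encrypted session without checking that the server certificate chains to that CA bundle or matches the host, which an active on-path attacker can exploit; pymysql consumers (the documented reader of this file) appear to derive verification from the presence of `ssl-ca`, but that should be confirmed against the pymysql version actually shipped. Adding `"set ${mysql_read_default_group}/ssl-verify-server-cert '1'"` to the enable branch and `"rm ${mysql_read_default_group}/ssl-verify-server-cert"` to the disable branch makes verification explicit for both kinds of consumer. The CA path is also hard-coded to the system-wide trust bundle, so any CA the OS trusts can issue a certificate the client will accept for the database server; exposing it as a class parameter (for example `$ssl_ca` defaulting to the current path) would let deployments pin the internal CA. The class body continues outside the hunk.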