summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-03 12:56:17 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-03 11:53:47 +0000
commitbe4bc8f3f243b3282010848cc00f31d31c9f9ab8 (patch)
tree61c3921bf7263751737bcf8bbb979acf846a06e0
parent9697f70dcbbb30882bf8cb90f9dd0bcfc35f087f (diff)
Internal TLS: Use specific CA file for mysql-client
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
-rw-r--r--puppet/services/database/mysql-client.yaml6
1 files changed, 6 insertions, 0 deletions
diff --git a/puppet/services/database/mysql-client.yaml b/puppet/services/database/mysql-client.yaml
index 78456e28..b6bd060e 100644
--- a/puppet/services/database/mysql-client.yaml
+++ b/puppet/services/database/mysql-client.yaml
@@ -21,6 +21,11 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
outputs:
role_data:
@@ -30,5 +35,6 @@ outputs:
config_settings:
tripleo::profile::base::database::mysql::client::mysql_client_bind_address: {get_param: [ServiceNetMap, MysqlNetwork]}
tripleo::profile::base::database::mysql::client::enable_ssl: {get_param: EnableInternalTLS}
+ tripleo::profile::base::database::mysql::client::ssl_ca: {get_param: InternalTLSCAFile}
step_config: |
include ::tripleo::profile::base::database::mysql::client