summaryrefslogtreecommitdiffstats
path: root/puppet/services/database/mysql-client.yaml
AgeCommit message (Collapse)AuthorFilesLines
2017-05-03Internal TLS: Use specific CA file for mysql-clientJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-02-28mysqlclient: Use actual parameter in puppet to set bind-addressJuan Antonio Osorio Robles1-1/+1
It was using a hiera key, and fetching that from a hiera call in the puppet manfiest. But we can remove that if we set it via hiera from t-h-t. Change-Id: I5af5ccb88e644f4dd25503d8e7a93796695d3039
2017-02-28Configure SSL connection for MySQL client via client config fileJuan Antonio Osorio Robles1-0/+4
This uses the mysql client configuration file to configure if SSL should be used for the connection if SSL in the internal network is enabled. Change-Id: Ifd1a06e0749a05a65f6314255843f572d2209067
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-0/+30
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18