From a67a73ec27e83aca8e0311ce097c0ea4d701cd2d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 14 Aug 2017 14:23:21 +0000
Subject: Enable TLS for containerized MySQL

Bind mounts and adds the appropriate permissions for the cert and
key that's used for TLS.

bp tls-via-certmonger-containers

Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9
---
 docker/services/database/mysql.yaml              | 69 ++++++++++++++++++++----
 environments/docker-services-tls-everywhere.yaml |  1 +
 2 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index 54331415..402dc351 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -40,6 +40,18 @@ parameters:
     type: string
     hidden: true
     default: ''
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -86,10 +98,21 @@ outputs:
               dest: "/"
               merge: true
               preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+              optional: true
           permissions:
             - path: /var/lib/mysql
               owner: mysql:mysql
               recurse: true
+            - path: /etc/pki/tls/certs/mysql.crt
+              owner: mysql:mysql
+              optional: true
+            - path: /etc/pki/tls/private/mysql.key
+              owner: mysql:mysql
+              optional: true
       docker_config:
         # Kolla_bootstrap runs before permissions set by kolla_config
         step_1:
@@ -108,12 +131,25 @@ outputs:
             # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
             command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
             volumes: &mysql_volumes
-              - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
-              - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
-              - /etc/localtime:/etc/localtime:ro
-              - /etc/hosts:/etc/hosts:ro
-              - /var/lib/mysql:/var/lib/mysql
-              - /var/log/containers/mysql:/var/log/mariadb
+              list_concat:
+              -
+                - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
+                - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
+                - /etc/localtime:/etc/localtime:ro
+                - /etc/hosts:/etc/hosts:ro
+                - /var/lib/mysql:/var/lib/mysql
+                - /var/log/containers/mysql:/var/log/mariadb
+              - if:
+                - internal_tls_enabled
+                - 
+                  - list_join:
+                    - ':'
+                    - - {get_param: InternalTLSCAFile}
+                      - {get_param: InternalTLSCAFile}
+                      - 'ro'
+                  - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+                  - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+                - null 
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
               - KOLLA_BOOTSTRAP=True
@@ -146,9 +182,24 @@ outputs:
           step_config: 'include ::tripleo::profile::base::database::mysql'
           config_image: *mysql_config_image
           volumes:
-            - /var/lib/mysql:/var/lib/mysql/:ro
-            - /var/log/containers/mysql:/var/log/mariadb
-            - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+            list_concat:
+            -
+              - /var/lib/mysql:/var/lib/mysql/:ro
+              - /var/log/containers/mysql:/var/log/mariadb
+              - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+            - if:
+              - internal_tls_enabled
+              - 
+                - list_join:
+                  - ':'
+                  - - {get_param: InternalTLSCAFile}
+                    - {get_param: InternalTLSCAFile}
+                    - 'ro'
+                - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
+                - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
+              - null 
+      metadata_settings:
+        get_attr: [MysqlPuppetBase, role_data, metadata_settings]
       host_prep_tasks:
         - name: create persistent directories
           file:
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index e227366c..2c93b210 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -42,3 +42,4 @@ resource_registry:
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
   OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
   OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
+  OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml
-- 
cgit 1.2.3-korg