Add frontend database TLS for Keystone

This patch enables internal TLS database connection for Keystone. Change-Id: I816d051e933a560629d9b9c95362f668abe4ade7
2024-08-01 17:28:27 +02:00 · 2024-08-01 17:28:27 +02:00 · 66a2f5830c
commit 66a2f5830c
parent f76833b49a
3 changed files with 8 additions and 1 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -239,3 +239,6 @@ keystone_federation_oidc_scopes: "openid email profile"

 # OIDC caching
 keystone_oidc_enable_memcached: "{{ enable_memcached }}"
+
+# Database
+keystone_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@ -16,7 +16,7 @@ policy_file = {{ keystone_policy_file }}
 {% endif %}

 [database]
-connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
+connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if keystone_database_enable_tls_internal | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
--- a/releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml
+++ b/releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Implements TLS between Keystone and ProxySQL