From 66a2f5830cc2618ba2add2c66cb31d1a19524462 Mon Sep 17 00:00:00 2001
From: Matus Jenca
Date: Thu, 1 Aug 2024 17:28:27 +0200
Subject: [PATCH] Add frontend database TLS for Keystone

This patch enables internal TLS database connection for Keystone.

Change-Id: I816d051e933a560629d9b9c95362f668abe4ade7
---
 ansible/roles/keystone/defaults/main.yml | 3 +++
 ansible/roles/keystone/templates/keystone.conf.j2 | 2 +-
 .../proxysql-internal-tls-keystone-5e3574a356afc819.yaml | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml

diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 1945142c48..a6843774cd 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -239,3 +239,6 @@ keystone_federation_oidc_scopes: "openid email profile"
 
 # OIDC caching
 keystone_oidc_enable_memcached: "{{ enable_memcached }}"
+
+# Database
+keystone_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2
index ffccd4abec..614a9eab08 100644
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@@ -16,7 +16,7 @@ policy_file = {{ keystone_policy_file }}
 {% endif %}
 
 [database]
-connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
+connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if keystone_database_enable_tls_internal | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
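Review bot: The new `connection` line in keystone.conf.j2 appends `?ssl_ca=` followed by whatever `openstack_cacert` holds, so if `keystone_database_enable_tls_internal` is true while `openstack_cacert` is empty or undefined, the rendered URL ends in a bare `ssl_ca=` and the driver is handed an empty CA path instead of the deployment failing early with a clear message. Rather than silently dropping the parameter (which would downgrade to an unverified connection), add a precheck assertion in the role along the lines of `that: openstack_cacert | length > 0` guarded by `when: keystone_database_enable_tls_internal | bool`, so a misconfiguration is caught before Keystone starts. Whether supplying only `ssl_ca` also enables server-hostname verification depends on the PyMySQL release shipped in the image; that is worth confirming, because chain validation alone accepts any certificate issued by that CA. The `| bool` inside the template duplicates the one already applied in the new default in defaults/main.yml and could be dropped for readability.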
diff --git a/releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml b/releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml
new file mode 100644
index 0000000000..b385a6e8a3
--- /dev/null
+++ b/releasenotes/notes/proxysql-internal-tls-keystone-5e3574a356afc819.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Implements TLS between Keystone and ProxySQL