horizon: Adapt local_settings for SSL connection to database

Also, do not require SSL connection for insecure setup. It seems that MySQLdb library used by django is not able to start SSL connection without proper certificate verification.
crowbar · Nov 3, 2017 · 763a89f · 763a89f
1 parent fd9cc22
commit 763a89f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
@@ -333,6 +333,11 @@
     only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
 
+# We do not require SSL connectopn for horizon user in case of insecure DB setup,
+# because horizon's django uses a library (MySQLdb) that does not support insecure connection.
+database_ssl = db_settings[:connection][:ssl][:enabled] &&
+  !db_settings[:connection][:ssl][:insecure]
+
 database_user "grant database access for dashboard database user" do
     connection db_settings[:connection]
     database_name node[:horizon][:db][:database]
@@ -341,14 +346,14 @@
     host "%"
     privileges db_settings[:privs]
     provider db_settings[:user_provider]
-    require_ssl db_settings[:connection][:ssl][:enabled]
+    require_ssl database_ssl
     action :grant
     only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
 
 crowbar_pacemaker_sync_mark "create-horizon_database" if ha_enabled
 
-db_settings = {
+django_db_settings = {
   "ENGINE" => django_db_backend,
   "NAME" => "'#{node[:horizon][:db][:database]}'",
   "USER" => "'#{node[:horizon][:db][:user]}'",
@@ -357,6 +362,8 @@
   "default-character-set" => "'utf8'"
 }
 
+db_ca_certs = database_ssl ? db_settings[:connection][:ssl][:ca_certs] : ""
+
 glance_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "glance"))
 cinder_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "cinder"))
 neutron_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "neutron"))
@@ -446,7 +453,8 @@
     || sahara_insecure \
     || manila_insecure \
     || ceilometer_insecure,
-    db_settings: db_settings,
+    db_settings: django_db_settings,
+    db_ca_certs: db_ca_certs,
     timezone: (node[:provisioner][:timezone] rescue "UTC") || "UTC",
     use_ssl: node[:horizon][:apache][:ssl],
     password_validator_regex: node[:horizon][:password_validator][:regex],

diff --git a/chef/cookbooks/horizon/templates/default/local_settings.py.erb b/chef/cookbooks/horizon/templates/default/local_settings.py.erb
@@ -227,6 +227,13 @@ DATABASES = {
         <% @db_settings.sort_by { |key, value| key }.each do |key,value| -%>
         '<%= key %>': <%= value %>,
         <% end -%>
+        <% unless @db_ca_certs.empty? %>
+        'OPTIONS': {
+            'ssl': {
+                'ca': '<%= @db_ca_certs %>'
+            }
+        }
+        <% end %>
     },
 }