From 763a89fe00e80f40052666a8e07c25abddabd2b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Suchomel?=
Date: Thu, 2 Nov 2017 15:49:07 +0100
Subject: [PATCH] horizon: Adapt local_settings for SSL connection to database

Also, do not require SSL connection for insecure setup. It seems that MySQLdb library used by django is not able to start SSL connection without proper certificate verification.
---
 chef/cookbooks/horizon/recipes/server.rb | 14 +++++++++++---
 .../templates/default/local_settings.py.erb | 7 +++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb
index 03dbad7278..539310e0ae 100644
--- a/chef/cookbooks/horizon/recipes/server.rb
+++ b/chef/cookbooks/horizon/recipes/server.rb
@@ -333,6 +333,11 @@
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
 
+# We do not require SSL connectopn for horizon user in case of insecure DB setup,
+# because horizon's django uses a library (MySQLdb) that does not support insecure connection.
+database_ssl = db_settings[:connection][:ssl][:enabled] &&
+ !db_settings[:connection][:ssl][:insecure]
+
 database_user "grant database access for dashboard database user" do
 connection db_settings[:connection]
 database_name node[:horizon][:db][:database]
@@ -341,14 +346,14 @@
 host "%"
 privileges db_settings[:privs]
 provider db_settings[:user_provider]
- require_ssl db_settings[:connection][:ssl][:enabled]
+ require_ssl database_ssl
 action :grant
 only_if { !ha_enabled || CrowbarPacemakerHelper.is_cluster_founder?(node) }
 end
 
 crowbar_pacemaker_sync_mark "create-horizon_database" if ha_enabled
 
-db_settings = {
+django_db_settings = {
 "ENGINE" => django_db_backend,
 "NAME" => "'#{node[:horizon][:db][:database]}'",
 "USER" => "'#{node[:horizon][:db][:user]}'",
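Review bot: With `ssl.enabled` and `ssl.insecure` both set, `database_ssl` becomes false and the grant in the following hunk (`require_ssl database_ssl`) no longer forces TLS, so horizon's database traffic travels unencrypted with nothing in the run output to show it. I would make the downgrade visible, e.g. `Chef::Log.warn("horizon: database SSL is enabled but insecure; dashboard connects without TLS") if db_settings[:connection][:ssl][:enabled] && !database_ssl`. The comment also reads as if MySQLdb could not do plaintext; something like `# MySQLdb cannot open a TLS connection without verifying the server certificate, so for an insecure DB setup horizon connects without TLS and the grant must not require SSL.` states the actual constraint and fixes the "connectopn" typo. Whether a grant previously issued with REQUIRE SSL is relaxed on the next run depends on the user provider, which is not visible in this patch.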
@@ -357,6 +362,8 @@
 "default-character-set" => "'utf8'"
 }
 
+db_ca_certs = database_ssl ? db_settings[:connection][:ssl][:ca_certs] : ""
+
 glance_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "glance"))
 cinder_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "cinder"))
 neutron_insecure = CrowbarOpenStackHelper.insecure(Barclamp::Config.load("openstack", "neutron"))
@@ -446,7 +453,8 @@
 || sahara_insecure \
 || manila_insecure \
 || ceilometer_insecure,
- db_settings: db_settings,
+ db_settings: django_db_settings,
+ db_ca_certs: db_ca_certs,
 timezone: (node[:provisioner][:timezone] rescue "UTC") || "UTC",
 use_ssl: node[:horizon][:apache][:ssl],
 password_validator_regex: node[:horizon][:password_validator][:regex],
diff --git a/chef/cookbooks/horizon/templates/default/local_settings.py.erb b/chef/cookbooks/horizon/templates/default/local_settings.py.erb
index 943bb79fdf..9d22b60603 100644
--- a/chef/cookbooks/horizon/templates/default/local_settings.py.erb
+++ b/chef/cookbooks/horizon/templates/default/local_settings.py.erb
@@ -227,6 +227,13 @@ DATABASES = {
 <% @db_settings.sort_by { |key, value| key }.each do |key,value| -%>
 '<%= key %>': <%= value %>,
 <% end -%>
+ <% unless @db_ca_certs.empty? %>
+ 'OPTIONS': {
+ 'ssl': {
+ 'ca': '<%= @db_ca_certs %>'
+ }
+ }
+ <% end %>
 },
 }
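Review bot: `db_ca_certs` can end up `nil` when SSL is required but `ca_certs` is unset, and the template then calls `@db_ca_certs.empty?` on it and fails the render; `db_ca_certs = database_ssl ? db_settings[:connection][:ssl][:ca_certs].to_s : ""` avoids that. An empty value in the `database_ssl` case is the more serious outcome: the template would emit no `ssl` options while the grant requires SSL, so horizon presumably could not connect. It may be better to raise in the recipe when `database_ssl` is true and no CA path is configured. Whether the attribute always carries a default is not visible in this patch.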
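Review bot: `'ca': '<%= @db_ca_certs %>'` writes the path into a Python string literal unescaped, so a quote or backslash in the configured path would produce a broken or altered local_settings.py. Rendering the value as a quoted literal, for example `'ca': <%= @db_ca_certs.to_json %>` (assuming JSON is loaded in the Chef run), keeps it inert. Only `ca` is passed, so a comment stating which checks the deployed MySQLdb performs with this option (chain only, or hostname as well) would help the next reader. The new `<% unless … %>` and `<% end %>` tags also lack the `-%>` trim used by the loop above, which leaves stray blank lines in the rendered file.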