Add frontend TLS ability to ProxySQL

This patch ads an ability to receive TLS connections to ProxySQL. Certificates and variable lookups are added in order for TLS to be enabled by <project_name>_database_internal_tls_enable. Note that in order for this to work, mysql connection strings need to have TLS enabled, which can be added in separate per-service patches Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
2024-08-01 15:55:06 +02:00 · 2024-08-01 15:55:06 +02:00 · d23433aca3
commit d23433aca3
parent 23413d4e0f
7 changed files with 53 additions and 0 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -86,6 +86,7 @@ database_port: "3306"
 database_connection_recycle_time: 10
 database_max_pool_size: 1
 database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
+database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"

 ####################
 # Container engine options
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@ -142,3 +142,15 @@
    - not enable_letsencrypt | bool
    - kolla_enable_tls_internal | bool
    - not kolla_same_external_internal_vip | bool
+- block:
+    - name: Copy Certificate and Key for ProxySQL
+      copy:
+        src: "{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}/{{ 'external' if  kolla_same_external_internal_vip | bool else 'internal' }}.{{item}}"
+        dest: "{{ kolla_certificates_dir }}/proxysql-{{ 'cert' if item == 'crt' else item }}.pem"
+        mode: "0660"
+      with_items:
+        - "crt"
+        - "key"
+  when:
+    - database_enable_tls_internal | bool
+    - kolla_enable_tls_internal | bool
--- a/ansible/roles/loadbalancer/tasks/copy-certs.yml
+++ b/ansible/roles/loadbalancer/tasks/copy-certs.yml
@ -14,3 +14,12 @@
    project_services: "{{ loadbalancer_services }}"
    project_name: mariadb
  when: database_enable_tls_backend | bool
+
+
+- name: "Copy certificates and keys for Proxysql"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ loadbalancer_services }}"
+    project_name: "proxysql"
+  when: database_enable_tls_internal | bool
--- a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
+++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
@ -44,5 +44,24 @@
            "owner": "proxysql",
            "perm": "0600"
        }{% endif %}
+        {% if database_enable_tls_internal | bool %},
+        {
+            "source": "{{ container_config_directory }}/ca-certificates/root.crt",
+            "dest": "/var/lib/proxysql/proxysql-ca.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-cert.pem",
+            "dest": "/var/lib/proxysql/proxysql-cert.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-key.pem",
+            "dest": "/var/lib/proxysql/proxysql-key.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        }{% endif %}
    ]
 }
--- a/ansible/roles/proxysql-config/defaults/main.yml
+++ b/ansible/roles/proxysql-config/defaults/main.yml
@ -1,5 +1,6 @@
 ---
 proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
+proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no')  }}"
 # NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
 proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
 proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
--- a/ansible/roles/proxysql-config/templates/users.yaml.j2
+++ b/ansible/roles/proxysql-config/templates/users.yaml.j2
@ -25,4 +25,7 @@ mysql_users:
 {% endif %}
    transaction_persistent: 1
    active: 1
+{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
+    use_ssl: 1
+{% endif %}
 {% endfor %}
--- a/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
+++ b/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Implements  ability to use internal frontend TLS between
+    a Kolla service and ProxySQL
+    This does not enable TLS itself, its need to be patched
+    in per-service patches, that will enable TLS in
+    mysql connection strings