From d23433aca34cb3bf550056804dced7aa44a08c59 Mon Sep 17 00:00:00 2001
From: Matus Jenca
Date: Thu, 1 Aug 2024 15:55:06 +0200
Subject: [PATCH] Add frontend TLS ability to ProxySQL

This patch ads an ability to receive TLS connections to ProxySQL. Certificates and variable lookups are added in order for TLS to be enabled by _database_internal_tls_enable. Note that in order for this to work, mysql connection strings need to have TLS enabled, which can be added in separate per-service patches

Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
---
 ansible/group_vars/all.yml | 1 +
 ansible/roles/certificates/tasks/generate.yml | 12 ++++++++++++
 .../roles/loadbalancer/tasks/copy-certs.yml | 9 +++++++++
 .../templates/proxysql/proxysql.json.j2 | 19 +++++++++++++++++++
 .../roles/proxysql-config/defaults/main.yml | 1 +
 .../proxysql-config/templates/users.yaml.j2 | 3 +++
 ...roxysql-internal-tls-dd68e952d97540a1.yaml | 8 ++++++++
 7 files changed, 53 insertions(+)
 create mode 100644 releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 9c90466cfd..57be6a7f77 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -86,6 +86,7 @@ database_port: "3306"
 database_connection_recycle_time: 10
 database_max_pool_size: 1
 database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
+database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"

 ####################
 # Container engine options
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index cf24d969ef..511df27d0f 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
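Review bot: The added `database_enable_tls_internal` in all.yml is computed from `kolla_enable_tls_backend`, the same flag as `database_enable_tls_backend` directly above it, so ProxySQL frontend TLS stays off on a deployment that sets only `kolla_enable_tls_internal`, although the variable name and the generate.yml task in this patch (which additionally gates on `kolla_enable_tls_internal | bool`) suggest that is the intended switch. This looks like a copy of the line above; if frontend TLS is meant to follow internal TLS, the line should read `database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_internal | bool) and (enable_proxysql | bool)) else 'no' }}"`. If the coupling to the backend flag is deliberate, a one-line comment above it saying why would spare the next reader the same question.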
@@ -142,3 +142,15 @@
 - not enable_letsencrypt | bool
 - kolla_enable_tls_internal | bool
 - not kolla_same_external_internal_vip | bool
+- block:
+ - name: Copy Certificate and Key for ProxySQL
+ copy:
+ src: "{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}/{{ 'external' if kolla_same_external_internal_vip | bool else 'internal' }}.{{item}}"
+ dest: "{{ kolla_certificates_dir }}/proxysql-{{ 'cert' if item == 'crt' else item }}.pem"
+ mode: "0660"
+ with_items:
+ - "crt"
+ - "key"
+ when:
+ - database_enable_tls_internal | bool
+ - kolla_enable_tls_internal | bool
diff --git a/ansible/roles/loadbalancer/tasks/copy-certs.yml b/ansible/roles/loadbalancer/tasks/copy-certs.yml
index 3c628dfa62..95cd80afda 100644
--- a/ansible/roles/loadbalancer/tasks/copy-certs.yml
+++ b/ansible/roles/loadbalancer/tasks/copy-certs.yml
@@ -14,3 +14,12 @@
 project_services: "{{ loadbalancer_services }}"
 project_name: mariadb
 when: database_enable_tls_backend | bool
+
+
+- name: "Copy certificates and keys for Proxysql"
+ import_role:
+ role: service-cert-copy
+ vars:
+ project_services: "{{ loadbalancer_services }}"
+ project_name: "proxysql"
+ when: database_enable_tls_internal | bool
diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
index 8ad11470d3..4f4e52fc07 100644
--- a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
+++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
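Review bot: The ProxySQL private key is written with `mode: "0660"` by the added `copy` task, which leaves it group-readable under `kolla_certificates_dir`; for a key file `mode: "0600"` is the safer default unless a group genuinely needs read access, and if the neighbouring certificate tasks in this file already use 0660 for keys, that convention is worth stating in a comment rather than inheriting silently. A smaller point of style: `{{item}}` at the end of the `src` path is the only Jinja expression in the hunk without inner spaces, and `{{ item }}` matches the rest of the task. The task is also the only entry in its `block:`, so the `when:` list could sit directly on the task and the wrapper be dropped.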
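Review bot: The added copy-certs.yml task quotes `project_name: "proxysql"` and its `name:` while the parallel task directly above it has `project_name: mariadb` unquoted, so the two stanzas now read differently for no reason; `project_name: proxysql` keeps them aligned. The two blank `+` lines inserted before the task are also one more than the file uses between stanzas. Whether `service-cert-copy` derives the `proxysql-cert.pem`/`proxysql-key.pem` names written by generate.yml purely from `project_name` is not visible here and is worth confirming, since a mismatch would only surface as a missing file when the container config is applied.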
@@ -44,5 +44,24 @@
 "owner": "proxysql",
 "perm": "0600"
 }{% endif %}
+ {% if database_enable_tls_internal | bool %},
+ {
+ "source": "{{ container_config_directory }}/ca-certificates/root.crt",
+ "dest": "/var/lib/proxysql/proxysql-ca.pem",
+ "owner": "proxysql",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/proxysql-cert.pem",
+ "dest": "/var/lib/proxysql/proxysql-cert.pem",
+ "owner": "proxysql",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/proxysql-key.pem",
+ "dest": "/var/lib/proxysql/proxysql-key.pem",
+ "owner": "proxysql",
+ "perm": "0600"
+ }{% endif %}
 ]
 }
diff --git a/ansible/roles/proxysql-config/defaults/main.yml b/ansible/roles/proxysql-config/defaults/main.yml
index f09305d9f4..0ad83398c7 100644
--- a/ansible/roles/proxysql-config/defaults/main.yml
+++ b/ansible/roles/proxysql-config/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
+proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no') }}"
 # NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
 proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
 proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
diff --git a/ansible/roles/proxysql-config/templates/users.yaml.j2 b/ansible/roles/proxysql-config/templates/users.yaml.j2
index f8de57bc8b..48accdb1b9 100644
--- a/ansible/roles/proxysql-config/templates/users.yaml.j2
+++ b/ansible/roles/proxysql-config/templates/users.yaml.j2
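Review bot: The three `dest` names under `/var/lib/proxysql/` in the added proxysql.json.j2 entries (`proxysql-ca.pem`, `proxysql-cert.pem`, `proxysql-key.pem`) are the fixed file names ProxySQL reads from its datadir for frontend TLS and generates for itself when they are absent, and nothing in the template says so; a Jinja comment before the `{% if %}` such as `{# ProxySQL reads proxysql-ca.pem/-cert.pem/-key.pem from its datadir for frontend TLS; the dest names are fixed by ProxySQL, not chosen here #}` would stop a later rename from silently falling back to the auto-generated self-signed certificate. The CA `source` hard-codes `ca-certificates/root.crt`, which presumably exists only when the Kolla-generated CA is in use; if an externally supplied CA is allowed with `kolla_enable_tls_internal`, that entry needs a guard or a different source, which I cannot confirm from this hunk.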
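Review bot: The new `proxysql_project_database_internal_tls_enable` lookup in defaults/main.yml resolves a per-service variable named `<role>_database_internal_tls_enable` that no service defines yet, and the hunk carries no comment explaining that contract or why its default is the string `'no'` rather than `omit` as on the line above. A comment in the file's existing `# NOTE(...)` style, e.g. `# NOTE: resolves <service>_database_internal_tls_enable, set per service once its connection string uses TLS; defaults to 'no' so the '| bool' test in users.yaml.j2 never sees an undefined value`, would make the staged rollout described in the commit message discoverable from the role itself.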
@@ -25,4 +25,7 @@ mysql_users:
 {% endif %}
 transaction_persistent: 1
 active: 1
+{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
+ use_ssl: 1
+{% endif %}
 {% endfor %}
diff --git a/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml b/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
new file mode 100644
index 0000000000..c5774b2123
--- /dev/null
+++ b/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Implements ability to use internal frontend TLS between
+ a Kolla service and ProxySQL
+ This does not enable TLS itself, its need to be patched
+ in per-service patches, that will enable TLS in
+ mysql connection strings
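Review bot: The added `use_ssl: 1` in users.yaml.j2 is the line that actually makes ProxySQL require TLS for that user's frontend connections; with it absent the installed certificate is merely offered, so a service whose `<service>_database_internal_tls_enable` stays at the `'no'` default keeps logging in over plaintext while `database_enable_tls_internal` reads as enabled. That is the staged rollout the commit message describes, but nothing in the template says so, and the next reader will wonder why a deployment with internal TLS on still shows cleartext MySQL sessions. A Jinja comment above the `{% if %}` such as `{# use_ssl: 1 makes ProxySQL reject non-TLS logins for this user; services opt in via <service>_database_internal_tls_enable once their connection string uses TLS #}` would document it. Whether the rendered `use_ssl: 1` lands at the same indentation as the sibling `active: 1` key cannot be judged from this rendering.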