Merge "Add frontend TLS ability to ProxySQL"

ansible/group_vars/all.yml

@@ -86,6 +86,7 @@ database_port: "3306"
 database_connection_recycle_time: 10
 database_max_pool_size: 1
 database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
+database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
 
 ####################
 # Container engine options

ansible/roles/certificates/tasks/generate.yml

@@ -142,3 +142,15 @@
     - not enable_letsencrypt | bool
     - kolla_enable_tls_internal | bool
     - not kolla_same_external_internal_vip | bool
+- block:
+    - name: Copy Certificate and Key for ProxySQL
+      copy:
+        src: "{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}/{{ 'external' if  kolla_same_external_internal_vip | bool else 'internal' }}.{{item}}"
+        dest: "{{ kolla_certificates_dir }}/proxysql-{{ 'cert' if item == 'crt' else item }}.pem"
+        mode: "0660"
+      with_items:
+        - "crt"
+        - "key"
+  when:
+    - database_enable_tls_internal | bool
+    - kolla_enable_tls_internal | bool

ansible/roles/loadbalancer/tasks/copy-certs.yml

@@ -14,3 +14,12 @@
     project_services: "{{ loadbalancer_services }}"
     project_name: mariadb
   when: database_enable_tls_backend | bool
+
+
+- name: "Copy certificates and keys for Proxysql"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ loadbalancer_services }}"
+    project_name: "proxysql"
+  when: database_enable_tls_internal | bool

ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2

@@ -44,5 +44,24 @@
             "owner": "proxysql",
             "perm": "0600"
         }{% endif %}
+        {% if database_enable_tls_internal | bool %},
+        {
+            "source": "{{ container_config_directory }}/ca-certificates/root.crt",
+            "dest": "/var/lib/proxysql/proxysql-ca.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-cert.pem",
+            "dest": "/var/lib/proxysql/proxysql-cert.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-key.pem",
+            "dest": "/var/lib/proxysql/proxysql-key.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        }{% endif %}
     ]
 }

ansible/roles/proxysql-config/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
+proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no')  }}"
 # NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
 proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
 proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"

ansible/roles/proxysql-config/templates/users.yaml.j2

@@ -25,4 +25,7 @@ mysql_users:
 {% endif %}
     transaction_persistent: 1
     active: 1
+{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
+    use_ssl: 1
+{% endif %}
 {% endfor %}

releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Implements  ability to use internal frontend TLS between
+    a Kolla service and ProxySQL
+    This does not enable TLS itself, its need to be patched
+    in per-service patches, that will enable TLS in
+    mysql connection strings