openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/proxysql-config/templates/users.yaml.j2
Michal Arbet 624056be02 Fix proxysql-config's TLS DB configuration 
This patch removes `proxysql_project_database_internal_tls_enable`
variable and also 'use_ssl: 1' option from ProxySQL's user
configuration. The reason for this removal is that when
'use_ssl: 1' option is enabled on the ProxySQL frontend
side, ProxySQL does not allow non-TLS connections.

This, of course, breaks upgrades or reconfigurations
when an operator enables TLS, as it blocks all non-TLS service
connections at the moment of switching.
Simply said, we do not need to, nor can we, strictly enforce
user connections over TLS because it disrupts reconfiguration
and upgrades. Instead, it is sufficient to reconfigure
the service to connect over TLS - which is already implemented.

It also corrects the `database_enable_tls_internal`
variable, ensuring it is enabled only when
`kolla_enable_tls_internal` is enabled, rather than
`kolla_enable_tls_backend`.

Closes-Bug: #2086466
Change-Id: I6c56b144a81f800e062d6670733ca606733c9e1b
2024-12-01 22:17:25 +01:00

29 lines
978 B
Django/Jinja
Raw Blame History

# This configuration file is used to configure proxysql users,
# in our case we just define default_hostgroup and the mysql galera
# cluster group where user is routed to.
#
# This is used especially when services are creating databases, users
# and connects via user 'root_shard_SHARD_ID', so ProxySQL know
# where to route this query.
#
# Table mysql_users defines MySQL users that clients can use to connect to
# ProxySQL, and then used to connect to backends.
#
# ProxySQL Admin> SHOW CREATE TABLE mysql_users\G
#
# https://proxysql.com/documentation/main-runtime/#mysql_users
mysql_users:
{% for user in proxysql_project_database_shard['users'] %}
{% if user['shard_id'] is defined %}
{% set WRITER_GROUP = user['shard_id'] | int * 10 %}
{% endif %}
- username: "{{ user['user'] }}"
password: "{{ user['password'] }}"
{% if user['shard_id'] is defined %}
default_hostgroup: {{ WRITER_GROUP }}
{% endif %}
transaction_persistent: 1
active: 1
{% endfor %}
View Git Blame Copy Permalink