openstack
/
openstack-ansible-os_cinder
Code Issues Proposed changes

Refactor galera_use_ssl behaviour 

With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Ieab4ab2e36e4953961841be334ff16162f7daeb8
This commit is contained in:
Dmitriy Rabotyagov 2021-09-20 12:55:31 +03:00
parent 4022e8950e
commit 9e37558593
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -68,7 +68,7 @@ cinder_galera_address: "{{ galera_address | default('127.0.0.1') }}"
cinder_galera_user: cinder
cinder_galera_database: cinder
cinder_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
cinder_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
cinder_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
cinder_galera_port: "{{ galera_port | default('3306') }}"
## Oslo Messaging

2
templates/cinder.conf.j2
View File

@ -115,7 +115,7 @@ allowed_direct_url_schemes = cinder
target_helper = {{ cinder_target_helper }}
[database]
connection = mysql+pymysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password }}@{{ cinder_galera_address }}/{{ cinder_galera_database }}?charset=utf8{% if cinder_galera_use_ssl | bool %}&ssl_ca={{ cinder_galera_ssl_ca_cert }}{% endif %}
connection = mysql+pymysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password }}@{{ cinder_galera_address }}/{{ cinder_galera_database }}?charset=utf8{% if cinder_galera_use_ssl | bool %}&ssl_verify_cert=true{% if cinder_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ cinder_galera_ssl_ca_cert }}{% endif %}{% endif %}
[oslo_messaging_notifications]
driver = {{ (cinder_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}