Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] 78f0cf99e5/pymysql/connections.py (L267) Change-Id: Id986985e623896698d54496a8f0608e59516eec5
2021-09-21 14:33:30 +03:00 · 2021-09-21 14:33:30 +03:00 · 1274517f71
parent 7a66bd6b59
commit 1274517f71
2 changed files with 2 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -73,7 +73,7 @@ gnocchi_galera_database: gnocchi
 gnocchi_galera_user: gnocchi
 gnocchi_db_sync_options: ""
 gnocchi_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-gnocchi_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+gnocchi_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 gnocchi_galera_port: "{{ galera_port | default('3306') }}"

 #: Storage info
--- a/templates/gnocchi.conf.j2
+++ b/templates/gnocchi.conf.j2
@ -18,7 +18,7 @@ secure_proxy_ssl_header = {{ gnocchi_secure_proxy_ssl_header }}
 {% endif %}

 [indexer]
-url = mysql+pymysql://{{ gnocchi_galera_user }}:{{ gnocchi_container_mysql_password }}@{{ gnocchi_galera_address }}/{{ gnocchi_galera_database }}?charset=utf8{% if gnocchi_galera_use_ssl | bool %}&ssl_ca={{ gnocchi_galera_ssl_ca_cert }}{% endif %}
+url = mysql+pymysql://{{ gnocchi_galera_user }}:{{ gnocchi_container_mysql_password }}@{{ gnocchi_galera_address }}/{{ gnocchi_galera_database }}?charset=utf8{% if gnocchi_galera_use_ssl | bool %}&ssl_verify_cert=true{% if gnocchi_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ gnocchi_galera_ssl_ca_cert }}{% endif %}{% endif %}

 {% if gnocchi_auth_mode == "keystone" %}
 [keystone_authtoken]