Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] 78f0cf99e5/pymysql/connections.py (L267) Change-Id: I79e43119830da22f09d7666b25054c6c14c28ffb
2021-09-21 14:49:50 +03:00 · 2021-09-21 14:49:50 +03:00 · 590541adc1
parent 302acd77a0
commit 590541adc1
1 changed files with 5 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -145,7 +145,7 @@ ironic_galera_address: "{{ galera_address | default('127.0.0.1') }}"
 ironic_galera_user: ironic
 ironic_galera_database: ironic
 ironic_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-ironic_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+ironic_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 ironic_galera_port: "{{ galera_port | default('3306') }}"

 ## Keystone authentication middleware
@ -168,7 +168,7 @@ ironic_default_network_interface: "{{ (ironic_neutron_provisioning_network_uuid
 ironic_auth_strategy: keystone
 ironic_dhcp_provider: "{{ (ironic_standalone | bool) | ternary('none', 'neutron') }}"
 ironic_sync_power_state_interval: "{{ (ironic_standalone | bool) | ternary('-1', '60') }}"
-ironic_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}:{{ ironic_galera_port }}/ironic{% if ironic_galera_use_ssl | bool %}&ssl_ca={{ ironic_galera_ssl_ca_cert }}{% endif %}"
+ironic_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_container_mysql_password }}@{{ ironic_galera_address }}:{{ ironic_galera_port }}/ironic?charset=utf8{% if ironic_galera_use_ssl | bool %}&ssl_verify_cert=true{% if ironic_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ ironic_galera_ssl_ca_cert }}{% endif %}{% endif %}"

 # Ironic db tuning
 ironic_db_max_overflow: 10
@ -316,6 +316,8 @@ ironic_inspector_galera_address: "{{ galera_address | default('127.0.0.1') }}"
 ironic_inspector_galera_user: ironic-inspector
 ironic_inspector_galera_database: ironic_inspector
 ironic_inspector_galera_port: 3306
+ironic_inspector_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
+ironic_inspector_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"

 # Ironic db tuning
 ironic_inspector_db_max_overflow: 10
@ -341,7 +343,7 @@ ironic_inspector_swift_role_names:

 # Ironic inspector
 ironic_inspector_enable_discovery: True
-ironic_inspector_openstack_db_connection_string: "mysql+pymysql://{{ ironic_inspector_galera_user }}:{{ ironic_inspector_container_mysql_password }}@{{ ironic_inspector_galera_address }}:{{ ironic_inspector_galera_port }}/{{ ironic_inspector_galera_database }}"
+ironic_inspector_openstack_db_connection_string: "mysql+pymysql://{{ ironic_inspector_galera_user }}:{{ ironic_inspector_container_mysql_password }}@{{ ironic_inspector_galera_address }}:{{ ironic_inspector_galera_port }}/{{ ironic_inspector_galera_database }}?charset=utf8{% if ironic_inspector_galera_use_ssl | bool %}&ssl_verify_cert=true{% if ironic_inspector_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ ironic_inspector_galera_ssl_ca_cert }}{% endif %}{% endif %}"

 # Ironic inspector dhcp
 ironic_inspector_dhcp_pool_range: 192.168.0.51 192.168.0.150