From a422c42665f987dc4e5be2a907e814e14d097d3c Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Tue, 21 Sep 2021 16:26:57 +0300
Subject: [PATCH] Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True.
[1] https://github.com/PyMySQL/PyMySQL/blob/78f0cf99e5d5351df0821442e4dc35c49a6390c6/pymysql/connections.py#L267
Change-Id: I94b3f8ba5116cdfb94e9d0dc575bd7edb1d27b3c
---
 defaults/main.yml | 2 +-
 templates/manila.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 4d0f533..8061155 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -57,7 +57,7 @@ manila_galera_address: "{{ galera_address | default('127.0.0.1') }}"
 manila_galera_user: manila
 manila_galera_database: manila
 manila_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-manila_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+manila_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 manila_galera_port: "{{ galera_port | default('3306') }}"
 manila_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}"
 manila_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}"
diff --git a/templates/manila.conf.j2 b/templates/manila.conf.j2
index 2bebceb..d75140f 100644
--- a/templates/manila.conf.j2
+++ b/templates/manila.conf.j2
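Review bot: The new empty default for `manila_galera_ssl_ca_cert` in defaults/main.yml carries no comment saying what an empty value means, although it changes which trust anchor the database connection is checked against. Going by the commit message, an empty value presumably leaves validation to the system trust store that the PKI role populates, while a path pins a dedicated CA. I would add a comment above the variable such as `# Leave empty to rely on the system trust store; set a path to pin a dedicated Galera CA`. A release note would also help deployments that relied on the old `/etc/ssl/certs/galera-ca.pem` default without running the PKI role, since they would otherwise see the change only as a failed connection.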
@@ -47,7 +47,7 @@ enabled_share_backends={% for backend in manila_backends | dictsort %}{{ backend
 {% endfor %}
 [database]
-connection = mysql+pymysql://{{ manila_galera_user }}:{{ manila_container_mysql_password }}@{{ manila_galera_address }}/{{ manila_galera_database }}?charset=utf8{% if manila_galera_use_ssl | bool %}&ssl_ca={{ manila_galera_ssl_ca_cert }}{% endif +%}
+connection = mysql+pymysql://{{ manila_galera_user }}:{{ manila_container_mysql_password }}@{{ manila_galera_address }}/{{ manila_galera_database }}?charset=utf8{% if manila_galera_use_ssl | bool %}&ssl_verify_cert=true{% if manila_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ manila_galera_ssl_ca_cert }}{% endif %}{% endif +%}
 max_overflow = {{ manila_db_max_overflow }}
 max_pool_size = {{ manila_db_max_pool_size }}
 pool_timeout = {{ manila_db_pool_timeout }}
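Review bot: The new `connection` line enables `ssl_verify_cert=true` but does not ask PyMySQL to match the server certificate against `manila_galera_address`. Because `ssl_ca` is now omitted by default, the chain is presumably validated against the whole system trust store rather than a single Galera CA. Unless identity checking is enabled somewhere outside this hunk, a certificate issued for any name by any CA the host trusts would pass. Consider adding `&ssl_verify_identity=true` inside the `manila_galera_use_ssl` branch, ideally behind its own variable, because it only works when the certificate's SAN covers the address or VIP clients connect to. The nested `{% if manila_galera_ssl_ca_cert | length > 0 %}` also assumes the variable is always a string, so `| default('') | length` would be more robust if an override sets it to null.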