Ensure TLS is enabled properly for cell0 mapping DB connection

Once we've enabled TLS requirement in [1] jobs started failing on cell0 mapping as it was actually different and not connecting to MariaDB through TLS when it was assumed it is. [1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/911009 Change-Id: I96fa921cfdb849f59b5abd8452061d4c5bd04a76
2024-04-09 13:53:30 +02:00 · 2024-04-09 13:53:30 +02:00 · 3515638326
commit 3515638326
parent 501cf14342
2 changed files with 47 additions and 15 deletions
--- a/releasenotes/notes/update_cell0_db_tls-1d14996f697b5c68.yaml
+++ b/releasenotes/notes/update_cell0_db_tls-1d14996f697b5c68.yaml
@ -0,0 +1,7 @@
 ---
 fixes:
  - |
    Due to missing parameter Nova cell0 used to be configured to not use
    TLS for MySQL communication even when ``nova_galera_use_ssl`` was
    explicitly enabled.
    It is fixed now and cell0 should be updated on the next playbook run.
--- a/tasks/nova_db_setup.yml
+++ b/tasks/nova_db_setup.yml
@ -19,16 +19,50 @@
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
 # We need to check for existance of the cell, since nova-manage cell_v2 create_cell
 # might be not idempotent due to the bug https://bugs.launchpad.net/nova/+bug/1923899
 - name: Get UUID of Nova Cells
  command: "{{ nova_bin }}/nova-manage cell_v2 list_cells"
  become: yes
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
  register: _cell_list
 - name: Set cell facts
  set_fact:
    _cell0_record: '{{ _cell_list.stdout_lines | select("regex", "[0-]{36}") }}'
    _cell1_record: '{{ _cell_list.stdout_lines | select("regex", " " ~ nova_cell1_name ~ " ") }}'
 # This is idempotent and therefore safe for greenfield
 # and brownfield installations.
 # Though since we anyway need to fetch cell records - let's run
 # it conditionally.
 - name: Create the cell0 mapping entry in the nova API DB
  command: >-
    {{ nova_bin }}/nova-manage cell_v2 map_cell0
      --database_connection mysql+pymysql://{{ nova_api_galera_user }}:{{ nova_api_container_mysql_password }}@{{ nova_api_galera_address }}/{{
-        nova_cell0_database }}?charset=utf8{% if nova_galera_use_ssl | bool %}&ssl_ca={{ nova_galera_ssl_ca_cert }}{% endif %}
+        nova_cell0_database }}?charset=utf8{% if nova_galera_use_ssl | bool %}&ssl_verify_cert=true{%
          if nova_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ nova_galera_ssl_ca_cert }}{% endif %}{% endif %}
  become: yes
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
  when:
    - not _cell0_record
 - name: Update the cell0 mapping entry in the nova API DB
  command: >-
    {{ nova_bin }}/nova-manage cell_v2 update_cell --cell_uuid 00000000-0000-0000-0000-000000000000
      --database_connection mysql+pymysql://{{ nova_api_galera_user }}:{{ nova_api_container_mysql_password }}@{{ nova_api_galera_address }}/{{
        nova_cell0_database }}?charset=utf8{% if nova_galera_use_ssl | bool %}&ssl_verify_cert=true{%
          if nova_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ nova_galera_ssl_ca_cert }}{% endif %}{% endif %}
      --transport-url 'none:/'
  become: yes
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
  when:
    - _cell0_record | length > 0
    - ('ssl_verify_cert' not in _cell0_record[0] and nova_galera_use_ssl) or
      ('ssl_verify_cert' in _cell0_record[0] and not nova_galera_use_ssl)
 - name: Synchronize the nova DB schema
  command: "{{ nova_bin }}/nova-manage db sync"
@ -36,16 +70,6 @@
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
 # We need to check for existance of the cell, since nova-manage cell_v2 create_cell
 # might be not idempotent due to the bug https://bugs.launchpad.net/nova/+bug/1923899
 - name: Get UUID of new Nova Cell
  shell: "{{ nova_bin }}/nova-manage cell_v2 list_cells | grep ' {{ nova_cell1_name }} '"
  become: yes
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
  failed_when: false
  register: _cell_uuid
 - name: Create the cell1 mapping entry in the nova API DB
  command: >-
    {{ nova_bin }}/nova-manage cell_v2 create_cell
@ -66,12 +90,13 @@
  #    because of the bug https://bugs.launchpad.net/nova/+bug/1923899
  failed_when: "nova_cell1_create.rc not in [0, 2]"
  changed_when: "nova_cell1_create.rc == 0"
-  when: "_cell_uuid.rc == 1"
+  when:
    - not _cell1_record
 - name: "Change the template for cell {{ nova_cell1_name }}"
  command: >-
    {{ nova_bin }}/nova-manage cell_v2 update_cell
-      --cell_uuid {{ _cell_uuid['stdout'].split()[3] }}
+      --cell_uuid {{ _cell1_record[0].split()[3] }}
      --database_connection {scheme}://{username}:{password}@{hostname}:{port}/{path}?{query}
      --transport-url {scheme}://{username}:{password}@{hostname}:{port}/{{ (
          not nova_oslomsg_rabbit_quorum_queues | bool) | ternary('/{path}', '{path}') }}?{query}
@ -79,8 +104,8 @@
  become_user: "{{ nova_system_user_name }}"
  changed_when: false
  when:
-    - "_cell_uuid.rc == 0"
+    - _cell1_record | length > 0
-    - (nova_oslomsg_rpc_port ~ '/' ~ _nova_oslomsg_rpc_vhost_conf) not in _cell_uuid.stdout
+    - (nova_oslomsg_rpc_port ~ '/' ~ _nova_oslomsg_rpc_vhost_conf) not in _cell1_record[0]
 # The nova-status upgrade check command is typically run after upgrading the
 # controller services to new code, but is also OK to run for a greenfield