Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I8b7b266d2a0633b40d38581e734ad00714b89885
This commit is contained in:
parent
019bea7ce8
commit
e72c788d94
@ -133,7 +133,7 @@ zun_db_pool_timeout: 30
|
||||
# Toggle whether zun connects via an encrypted connection
|
||||
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
|
||||
# The path where to store the database server CA certificate
|
||||
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
|
||||
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
|
||||
zun_galera_port: "{{ galera_port | default('3306') }}"
|
||||
|
||||
## RabbitMQ info
|
||||
|
@ -22,7 +22,7 @@ endpoint_type = {{ zun_service_endpoint_type }}
|
||||
|
||||
{% if group_names | intersect(zun_services.keys() | difference('zun-compute') | map('extract', zun_services, 'group') | list) | count > 0 %}
|
||||
[database]
|
||||
connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}
|
||||
connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_verify_cert=true{% if zun_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}{% endif %}
|
||||
|
||||
max_pool_size = {{ zun_db_max_pool_size }}
|
||||
max_overflow = {{ zun_db_max_overflow }}
|
||||
|
Loading…
Reference in New Issue
Block a user