From e72c788d94feefbddf23a34ded49339c39d2c1b6 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Tue, 21 Sep 2021 17:32:04 +0300 Subject: [PATCH] Refactor galera_use_ssl behaviour With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] https://github.com/PyMySQL/PyMySQL/blob/78f0cf99e5d5351df0821442e4dc35c49a6390c6/pymysql/connections.py#L267 Change-Id: I8b7b266d2a0633b40d38581e734ad00714b89885 --- defaults/main.yml | 2 +- templates/zun.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index d88bc96..32abf2b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -133,7 +133,7 @@ zun_db_pool_timeout: 30
 # Toggle whether zun connects via an encrypted connection
 zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
 # The path where to store the database server CA certificate
-zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 zun_galera_port: "{{ galera_port | default('3306') }}"
 
 ## RabbitMQ info
diff --git a/templates/zun.conf.j2 b/templates/zun.conf.j2
index b4be27b..9df2b36 100644
--- a/templates/zun.conf.j2
+++ b/templates/zun.conf.j2
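Review bot: The context comment directly above the changed default, `# The path where to store the database server CA certificate`, no longer describes what the variable does now that the default is `''`: per the commit message an empty value means no `ssl_ca` is emitted and the system trust store is relied on, but nothing in defaults/main.yml says so. Suggest `# Path to the database server CA certificate; leave empty (the default) to rely on the CA being trusted system-wide, e.g. via the PKI role`. Worth a release note as well: a deployment that still ships `/etc/ssl/certs/galera-ca.pem` but never set `galera_ssl_ca_cert` will, after this change, verify against the system store instead, and if that CA is not installed system-wide the database connection fails at connect time rather than silently trusting the old file. That is the safer direction, but operators should know the default moved.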
@@ -22,7 +22,7 @@ endpoint_type = {{ zun_service_endpoint_type }}
 {% if group_names | intersect(zun_services.keys() | difference('zun-compute') | map('extract', zun_services, 'group') | list) | count > 0 %}
 [database]
-connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_verify_cert=true{% if zun_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}{% endif %}
 max_pool_size = {{ zun_db_max_pool_size }}
 max_overflow = {{ zun_db_max_overflow }}
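Review bot: `ssl_verify_cert=true` on the new `connection` line turns on chain verification only; in PyMySQL hostname checking is a separate option (`ssl_verify_identity`), so as written a certificate that chains to any trusted CA would be accepted for any server name, and the galera address is not pinned to the presented certificate. Consider `&ssl_verify_cert=true&ssl_verify_identity=true` if the PyMySQL shipped with this role exposes that option (the revision the commit links appears to, but I cannot confirm from the hunk). Two caveats to confirm against that revision: SQLAlchemy passes URL query values to the DBAPI as strings, so PyMySQL receives the string `"true"` rather than a boolean, and as I recall the same code skips hostname checking whenever no `ssl_ca`/`capath` is given, which would make the new system-trust path weaker than the explicit-CA path. A one-line template comment stating which checks the query string is expected to enable would help the next maintainer. The enclosing `{% if group_names | intersect(...) %}` block closes outside the hunk, and the hunk's trailing context may continue past the visible text.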