From 7c600ad224f80003bed683e850e9a76db5e539e7 Mon Sep 17 00:00:00 2001 From: Luca Miccini Date: Mon, 17 Oct 2022 07:55:40 +0200 Subject: [PATCH] Allow overriding mysql_bundle::gcomm_cipher There are cases where it is necessary to change the default cipher used by galera (example: FIPS). This commit adds a new parameter called MysqlGaleraSSLCipher to easily override the default value 'AES128-SHA256' if required. Change-Id: I7f47741d4b2a5a3473d24439689cc358bf7738f0 --- deployment/database/mysql-pacemaker-puppet.yaml | 5 +++++ .../notes/mysql_bundle_gcomm_cipher-df7655775d20f4d1.yaml | 6 ++++++ 2 files changed, 11 insertions(+) create mode 100644 releasenotes/notes/mysql_bundle_gcomm_cipher-df7655775d20f4d1.yaml diff --git a/deployment/database/mysql-pacemaker-puppet.yaml b/deployment/database/mysql-pacemaker-puppet.yaml index 469a895221..60bf465bf0 100644 --- a/deployment/database/mysql-pacemaker-puppet.yaml +++ b/deployment/database/mysql-pacemaker-puppet.yaml @@ -104,6 +104,10 @@ parameters: hidden: true description: When MysqlGaleraSSTMethod is set to mariabackup, the password of the database user that executes the SST. + MysqlGaleraSSLCipher: + type: string + default: 'AES128-SHA256' + description: Symmetric cipher to use. resources: ContainersCommon: @@ -185,6 +189,7 @@ outputs: # starting from pcs-0.10.14-6 enforces validations but this doesn't work when running # outside the respective containers. we need to use --force to overcome this. tripleo::profile::pacemaker::database::mysql_bundle::force_ocf: true + tripleo::profile::pacemaker::database::mysql_bundle::gcomm_cipher: {get_param: MysqlGaleraSSLCipher} # BEGIN DOCKER SETTINGS # puppet_config: config_volume: mysql diff --git a/releasenotes/notes/mysql_bundle_gcomm_cipher-df7655775d20f4d1.yaml b/releasenotes/notes/mysql_bundle_gcomm_cipher-df7655775d20f4d1.yaml new file mode 100644 index 0000000000..c02bbc0268 --- /dev/null +++ b/releasenotes/notes/mysql_bundle_gcomm_cipher-df7655775d20f4d1.yaml 
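Review bot: The description added for `MysqlGaleraSSLCipher` in the first hunk, `Symmetric cipher to use.`, says neither which channel the cipher protects nor what format the value takes, and the parameter has no `constraints`, so the second hunk passes any string, even an empty one, straight to `mysql_bundle::gcomm_cipher`. I would write `description: Cipher for TLS on Galera replication (gcomm) traffic. Override the default where policy (e.g. FIPS) does not allow it.`, state the expected format (presumably an OpenSSL cipher string, to be confirmed against the puppet class), and add at least `constraints: [{length: {min: 1}}]`. The retained default `AES128-SHA256` is, in OpenSSL naming, an RSA key-exchange AES-128-CBC suite with no forward secrecy. Keeping it preserves current behaviour, but the description or release note should say so, so that operators see the parameter as a hardening option and not only a FIPS workaround. Both hunks sit inside `parameters:` and `outputs:` blocks that continue outside the diff.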
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Add support for overriding the default cipher used by galera.
+ This is useful for cases like FIPS where the default 'AES128-SHA256' is
+ not allowed.