Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] 78f0cf99e5/pymysql/connections.py (L267) Change-Id: I71ebc2fc4e386f3a1599fe73d49fae185ec9d2ff
2021-09-17 14:39:02 +03:00 · 2021-09-17 14:39:02 +03:00 · 7b719c7ffb
parent afd0779201
commit 7b719c7ffb
3 changed files with 3 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -128,7 +128,7 @@ glance_galera_address: "{{ galera_address | default('127.0.0.1') }}"
 glance_galera_database: glance
 glance_galera_user: glance
 glance_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-glance_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+glance_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 glance_galera_port: "{{ galera_port | default('3306') }}"

 glance_role_name: admin
--- a/templates/glance-api.conf.j2
+++ b/templates/glance-api.conf.j2
@ -36,7 +36,7 @@ enabled_backends = {% for backend in glance_available_stores %}{{ ('name' in bac
 task_executor = {{ glance_task_executor }}

 [database]
-connection = mysql+pymysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8{% if glance_galera_use_ssl | bool %}&ssl_ca={{ glance_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8{% if glance_galera_use_ssl | bool %}&ssl_verify_cert=true{% if glance_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ glance_galera_ssl_ca_cert }}{% endif %}{% endif %}

 [keystone_authtoken]
 insecure = {{ keystone_service_internaluri_insecure | bool }}
--- a/templates/glance-manage.conf.j2
+++ b/templates/glance-manage.conf.j2
@ -6,4 +6,4 @@ use_journal = True
 fatal_deprecations = {{ glance_fatal_deprecations }}

 [database]
-connection = mysql+pymysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8{% if glance_galera_use_ssl | bool %}&ssl_ca={{ glance_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8{% if glance_galera_use_ssl | bool %}&ssl_verify_cert=true{% if glance_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ glance_galera_ssl_ca_cert }}{% endif %}{% endif %}