Refactor galera_use_ssl behaviour

With the PKI role in place, in most cases you don't need to explicitly
provide a path to the CA file, because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or a cert/key, or enable verify.

Since the current behaviour is to provide a path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I8b7b266d2a0633b40d38581e734ad00714b89885
Dmitriy Rabotyagov 2021-09-21 17:32:04 +03:00 committed by Andrew Bonney
parent 019bea7ce8
commit e72c788d94
2 changed files with 2 additions and 2 deletions
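As an added example (not code from the os_zun role or from this commit), the old and new `[database]` connection expressions from the template hunk below are reproduced in plain Python using only the standard library, so the cases that matter here (SSL off, SSL on with the new empty CA default, SSL on with an explicit CA path) can be checked offline. The variable values are constructed samples, and `tls_requested` mirrors only the condition the commit message cites from PyMySQL [1], not PyMySQL's full connection logic.

```python
"""Inspect which ssl_* query parameters the rendered [database] connection
string carries for each SSL setting. Added example; not role code."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample values standing in for the Ansible variables.
SAMPLE_VARS = {
    "zun_galera_user": "zun",
    "zun_galera_password": "secret",
    "zun_galera_address": "10.0.0.10",
    "zun_galera_database": "zun",
}


def _base_url(v: dict) -> str:
    # Same shape as the template; like the template, the password is not
    # URL-encoded, so a password containing '@' or '/' would break the URL.
    return (f"mysql+pymysql://{v['zun_galera_user']}:{v['zun_galera_password']}"
            f"@{v['zun_galera_address']}/{v['zun_galera_database']}?charset=utf8")


def render_connection_old(use_ssl: bool, ssl_ca_cert: str, v=SAMPLE_VARS) -> str:
    """Pre-change expression: ssl_ca is always emitted when SSL is on,
    even if the path is empty."""
    url = _base_url(v)
    if use_ssl:
        url += f"&ssl_ca={ssl_ca_cert}"
    return url


def render_connection_new(use_ssl: bool, ssl_ca_cert: str, v=SAMPLE_VARS) -> str:
    """Post-change expression: ssl_verify_cert is always emitted when SSL is
    on; ssl_ca only when the CA path is non-empty."""
    url = _base_url(v)
    if use_ssl:
        url += "&ssl_verify_cert=true"
        if len(ssl_ca_cert) > 0:
            url += f"&ssl_ca={ssl_ca_cert}"
    return url


def ssl_query_args(url: str) -> dict:
    """Return the ssl_* query parameters as the DBAPI would receive them:
    SQLAlchemy passes query-string values to connect() as plain strings."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: vals[0] for k, vals in qs.items() if k.startswith("ssl_")}


def tls_requested(args: dict) -> bool:
    """The condition the commit message cites from PyMySQL [1]: TLS is only
    configured if a CA file, a cert/key, or the verify flag is given. Values
    are strings, so an empty 'ssl_ca=' is falsy and does not count."""
    return any(args.get(k) for k in ("ssl_ca", "ssl_cert", "ssl_key", "ssl_verify_cert"))


if __name__ == "__main__":
    for label, render in (("old", render_connection_old), ("new", render_connection_new)):
        for use_ssl, ca in ((False, ""), (True, ""), (True, "/etc/ssl/certs/galera-ca.pem")):
            args = ssl_query_args(render(use_ssl, ca))
            print(f"{label:3} use_ssl={use_ssl!s:5} ca={ca!r:32} -> {args} tls_requested={tls_requested(args)}")
```

The case to look at is SSL on with an empty CA path: the old expression yields a bare `ssl_ca=`, which fails the cited PyMySQL condition, while the new expression still carries `ssl_verify_cert=true` and so requests verification against the system trust store.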


@ -133,7 +133,7 @@ zun_db_pool_timeout: 30
# Toggle whether zun connects via an encrypted connection
zun_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
# The path where to store the database server CA certificate
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
zun_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
zun_galera_port: "{{ galera_port | default('3306') }}"
## RabbitMQ info
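Review bot: the comment above the changed default, `# The path where to store the database server CA certificate`, no longer describes what the variable does now that the default is an empty string; please reword it to say that an empty value emits no `ssl_ca` and relies on the system trust store, e.g. `# Path to the database server CA certificate; leave empty to trust the system CA bundle`. Changing the default from `/etc/ssl/certs/galera-ca.pem` to `''` is also a behaviour change for deployments that never set `galera_ssl_ca_cert` and relied on that pinned file, so a release note would help operators notice it.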


@ -22,7 +22,7 @@ endpoint_type = {{ zun_service_endpoint_type }}
{% if group_names | intersect(zun_services.keys() | difference('zun-compute') | map('extract', zun_services, 'group') | list) | count > 0 %}
[database]
connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}
connection = mysql+pymysql://{{ zun_galera_user }}:{{ zun_galera_password }}@{{ zun_galera_address }}/{{ zun_galera_database }}?charset=utf8{% if zun_galera_use_ssl | bool %}&ssl_verify_cert=true{% if zun_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ zun_galera_ssl_ca_cert }}{% endif %}{% endif %}
max_pool_size = {{ zun_db_max_pool_size }}
max_overflow = {{ zun_db_max_overflow }}
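Review bot: `ssl_verify_cert=true` makes PyMySQL require a certificate that chains to a trusted CA, but on its own it does not assert that the certificate is for `zun_galera_address`; PyMySQL exposes a separate `ssl_verify_identity` option for hostname verification. Since the point of this change is to keep verification on when no custom CA is given, please confirm against the PyMySQL version in use whether hostname checking still applies once `ssl_ca` is omitted, and if not consider appending `&ssl_verify_identity=true` alongside `&ssl_verify_cert=true`, or state in the commit message that only chain validation is enforced. Minor: the value reaches PyMySQL as the string `"true"`, which works because the check is on truthiness, but it also means any non-empty value (including `"false"`) would enable it, so keep this a literal rather than templating it from a boolean later.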