From bc541db1a2f314156f2116ecb1df556ac9223282 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 17 Sep 2021 16:54:04 +0300
Subject: [PATCH] Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True.

[1] https://github.com/PyMySQL/PyMySQL/blob/78f0cf99e5d5351df0821442e4dc35c49a6390c6/pymysql/connections.py#L267

Change-Id: Ie02010583c9c9fc82211065cedac4fc120a31318
---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 589556d..e29e204 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -58,8 +58,8 @@ aodh_database_name: aodh
 aodh_database_user: aodh
 aodh_db_type: "mysql+pymysql"
 aodh_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-aodh_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
-aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_address }}/{{ aodh_database_name }}?charset=utf8{% if aodh_galera_use_ssl | bool %}&ssl_ca={{ aodh_galera_ssl_ca_cert }}{% endif %}"
+aodh_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
+aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_address }}/{{ aodh_database_name }}?charset=utf8{% if aodh_galera_use_ssl | bool %}&ssl_verify_cert=true{% if aodh_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ aodh_galera_ssl_ca_cert }}{% endif %}{% endif %}"
 aodh_galera_port: "{{ galera_port | default('3306') }}"
 
 # Oslo Messaging
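Review bot: The new `aodh_connection_string` line enables chain verification with `ssl_verify_cert=true` but does not enable hostname matching, which in the PyMySQL option set the commit message cites appears to be a separate `ssl_verify_identity` flag; as far as I can tell, a certificate issued by the trusted CA for a different host would still be accepted, so consider adding `&ssl_verify_identity=true` next to it, or documenting why hostname checks are intentionally left off for Galera. The new empty default for `aodh_galera_ssl_ca_cert` changes the variable's meaning to "rely on the system trust store", and nothing near it says so; a comment such as `# Leave empty to use the system CA bundle (e.g. when the PKI role installs the CA); set a path only for a custom CA` above that line would make the contract clear to operators overriding it. Also, `aodh_galera_ssl_ca_cert | length > 0` raises at render time if a deployer sets `galera_ssl_ca_cert` to null rather than an empty string, so `default('', true)` on the `aodh_galera_ssl_ca_cert` line would keep both spellings working.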