Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] 78f0cf99e5/pymysql/connections.py (L267) Change-Id: I8e689330b76e72df780be3b2f8af066a5fe96a2a
2021-09-21 14:41:59 +03:00 · 2021-09-21 14:41:59 +03:00 · e84f7e496a
parent a252d5d3f9
commit e84f7e496a
2 changed files with 2 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -60,7 +60,7 @@ heat_galera_address: "{{ galera_address | default('127.0.0.1') }}"
 heat_galera_user: heat
 heat_galera_database: heat
 heat_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-heat_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+heat_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 heat_galera_port: "{{ galera_port | default('3306') }}"

 ## Oslo Messaging Info
--- a/templates/heat.conf.j2
+++ b/templates/heat.conf.j2
@ -47,7 +47,7 @@ endpoint_type = {{ heat_clients_endpoint }}
 auth_uri = {{ keystone_service_internaluri }}

 [database]
-connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8{% if heat_galera_use_ssl | bool %}&ssl_ca={{ heat_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ heat_galera_user }}:{{ heat_container_mysql_password }}@{{ heat_galera_address }}/{{ heat_galera_database }}?charset=utf8{% if heat_galera_use_ssl | bool %}&ssl_verify_cert=true{% if heat_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ heat_galera_ssl_ca_cert }}{% endif %}{% endif %}

 [ec2authtoken]
 auth_uri = {{ keystone_service_internaluri }}