Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Ib9d0b810bf5aef475021f886dd19348548a7ec9a
This commit is contained in:
Dmitriy Rabotyagov 2021-09-21 15:38:59 +03:00
parent 9f3dfd20b0
commit db5ac1dc35
2 changed files with 2 additions and 2 deletions

View File

@ -89,7 +89,7 @@ magnum_galera_address: "{{ galera_address | default('127.0.0.1') }}"
magnum_galera_database_name: magnum_service
magnum_galera_user: magnum
magnum_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
magnum_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
magnum_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
magnum_galera_port: "{{ galera_port | default('3306') }}"
# Oslo Messaging vars

View File

@ -23,7 +23,7 @@ region_name = {{ magnum_cinder_service_region }}
endpoint_type = internalURL
[database]
connection = mysql+pymysql://{{ magnum_galera_user }}:{{ magnum_galera_password }}@{{ magnum_galera_address }}/{{ magnum_galera_database_name }}?charset=utf8{% if magnum_galera_use_ssl | bool %}&ssl_ca={{ magnum_galera_ssl_ca_cert }}{% endif %}
connection = mysql+pymysql://{{ magnum_galera_user }}:{{ magnum_galera_password }}@{{ magnum_galera_address }}/{{ magnum_galera_database_name }}?charset=utf8{% if magnum_galera_use_ssl | bool %}&ssl_verify_cert=true{% if magnum_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ magnum_galera_ssl_ca_cert }}{% endif %}{% endif %}
[glance_client]
region_name = {{ magnum_glance_service_region }}