Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] 78f0cf99e5/pymysql/connections.py (L267) Change-Id: I1d9e22487272b1e1f0ce5f66045bc53d7c031d67
2021-09-20 17:57:22 +03:00 · 2021-09-20 17:57:22 +03:00 · 18024df25d
commit 18024df25d
parent ce4a6da081
2 changed files with 2 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -217,7 +217,7 @@ neutron_db_max_overflow: 20
 neutron_db_pool_size: 120
 neutron_db_pool_timeout: 30
 neutron_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-neutron_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+neutron_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 neutron_galera_port: "{{ galera_port | default('3306') }}"

 ###
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -197,7 +197,7 @@ memcache_use_advanced_pool = True

 # Database
 [database]
-connection = mysql+pymysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8{% if neutron_galera_use_ssl | bool %}&ssl_ca={{ neutron_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8{% if neutron_galera_use_ssl | bool %}&ssl_verify_cert=true{% if neutron_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ neutron_galera_ssl_ca_cert }}{% endif %}{% endif %}

 max_overflow = {{ neutron_db_max_overflow }}
 max_pool_size = {{ neutron_db_pool_size }}