From 18024df25deb596083d30c153d088bf6317a3a88 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 20 Sep 2021 17:57:22 +0300
Subject: [PATCH] Refactor galera_use_ssl behaviour

With PKI role in place in most cases you don't need to explicitly provide path to the CA file because PKI role ensures that CA is trusted by the system overall. In the meanwhile in PyMySQL [1] you must either provide CA file or cert/key or enable verify. Since current behaviour is to provide path to the custom CA we expect certificate being trusted overall. Thus we enable cert verification when galera_use_ssl is True.

[1] https://github.com/PyMySQL/PyMySQL/blob/78f0cf99e5d5351df0821442e4dc35c49a6390c6/pymysql/connections.py#L267

Change-Id: I1d9e22487272b1e1f0ce5f66045bc53d7c031d67
---
 defaults/main.yml | 2 +-
 templates/neutron.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 31242529..343e4359 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -217,7 +217,7 @@ neutron_db_max_overflow: 20
 neutron_db_pool_size: 120
 neutron_db_pool_timeout: 30
 neutron_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
-neutron_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
+neutron_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
 neutron_galera_port: "{{ galera_port | default('3306') }}"
 
 ###
diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2
index 02038f99..ff474bd1 100644
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
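Review bot: The new empty default for `neutron_galera_ssl_ca_cert` silently changes what the variable means — empty now falls back to the system trust store while a path pins a custom CA — and nothing in defaults/main.yml records that, so a deployment that relied on the old `/etc/ssl/certs/galera-ca.pem` default without that CA in the system bundle will start failing verification with no hint in the defaults. A comment above the line would cover it, e.g. `# Empty: trust the system CA bundle (PKI role). Set a path to pin a custom CA.` followed by `# Certificate verification is always enabled when neutron_galera_use_ssl is true.`. The same comment is the place to say that the template (the templates/neutron.conf.j2 hunk) only sets `ssl_verify_cert`, which as far as I recall verifies the chain but not the server name; PyMySQL's `ssl_verify_identity` is the separate switch for that, so until it is set a certificate issued by the same CA for any other host is accepted.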
@@ -197,7 +197,7 @@ memcache_use_advanced_pool = True
 # Database
 [database]
-connection = mysql+pymysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8{% if neutron_galera_use_ssl | bool %}&ssl_ca={{ neutron_galera_ssl_ca_cert }}{% endif %}
+connection = mysql+pymysql://{{ neutron_galera_user }}:{{ neutron_container_mysql_password }}@{{ neutron_galera_address }}/{{ neutron_galera_database }}?charset=utf8{% if neutron_galera_use_ssl | bool %}&ssl_verify_cert=true{% if neutron_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ neutron_galera_ssl_ca_cert }}{% endif %}{% endif %}
 max_overflow = {{ neutron_db_max_overflow }}
 max_pool_size = {{ neutron_db_pool_size }}