From 624056be022af4228589dc51c88dc731d88d3eae Mon Sep 17 00:00:00 2001
From: Michal Arbet
Date: Fri, 1 Nov 2024 16:24:02 +0100
Subject: [PATCH] Fix proxysql-config's TLS DB configuration

This patch removes `proxysql_project_database_internal_tls_enable` variable and also 'use_ssl: 1' option from ProxySQL's user configuration. The reason for this removal is that when 'use_ssl: 1' option is enabled on the ProxySQL frontend side, ProxySQL does not allow non-TLS connections. This, of course, breaks upgrades or reconfigurations when an operator enables TLS, as it blocks all non-TLS service connections at the moment of switching. Simply said, we do not need to, nor can we, strictly enforce user connections over TLS because it disrupts reconfiguration and upgrades. Instead, it is sufficient to reconfigure the service to connect over TLS - which is already implemented.

It also corrects the `database_enable_tls_internal` variable, ensuring it is enabled only when `kolla_enable_tls_internal` is enabled, rather than `kolla_enable_tls_backend`.

Closes-Bug: #2086466
Change-Id: I6c56b144a81f800e062d6670733ca606733c9e1b
---
 ansible/group_vars/all.yml | 2 +-
 ansible/roles/proxysql-config/defaults/main.yml | 1 -
 ansible/roles/proxysql-config/templates/users.yaml.j2 | 3 ---
 releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml | 5 +++++
 4 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 85559a6e8a..25bd65a6c6 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -86,7 +86,7 @@ database_port: "3306"
 database_connection_recycle_time: 10
 database_max_pool_size: 1
 database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
-database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
+database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_internal | bool ) and ( enable_proxysql | bool)) else 'no' }}"
 
 ####################
 # Container engine options
diff --git a/ansible/roles/proxysql-config/defaults/main.yml b/ansible/roles/proxysql-config/defaults/main.yml
index 0ad83398c7..f09305d9f4 100644
--- a/ansible/roles/proxysql-config/defaults/main.yml
+++ b/ansible/roles/proxysql-config/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
-proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no') }}"
 # NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
 proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
 proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
diff --git a/ansible/roles/proxysql-config/templates/users.yaml.j2 b/ansible/roles/proxysql-config/templates/users.yaml.j2
index 48accdb1b9..f8de57bc8b 100644
--- a/ansible/roles/proxysql-config/templates/users.yaml.j2
+++ b/ansible/roles/proxysql-config/templates/users.yaml.j2
@@ -25,7 +25,4 @@ mysql_users:
 {% endif %}
 transaction_persistent: 1
 active: 1
-{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
- use_ssl: 1
-{% endif %}
 {% endfor %}
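Review bot: Because this series also drops `use_ssl: 1` from users.yaml.j2, the `+` line of this hunk now only decides whether services are configured to speak TLS to ProxySQL; per the commit message nothing on the ProxySQL frontend rejects a plaintext login any more, so a service that misses the setting or falls back silently connects in clear and no deploy step would notice. I would say so where the variable is defined, e.g. `# NOTE: only selects TLS on the client side; the ProxySQL frontend still accepts plaintext logins (use_ssl is not set), see LP#2086466`, and as a follow-up offer an opt-in (e.g. `proxysql_enforce_tls`, default false) that re-adds `use_ssl: 1` once an upgrade has completed so the plaintext path can be closed deliberately. Minor: the value is the string `'yes'`/`'no'` rather than a real boolean, so every consumer must remember the `| bool` filter; this matches the neighbouring `database_enable_tls_backend`, but it is worth keeping in mind if an enforcement flag is added.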
diff --git a/releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml b/releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml
new file mode 100644
index 0000000000..220b36771a
--- /dev/null
+++ b/releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes proxysql-config's TLS DB configuration.
+ `LP#2086466 `__