Fix proxysql-config's TLS DB configuration

This patch removes the `proxysql_project_database_internal_tls_enable`
variable and also the 'use_ssl: 1' option from ProxySQL's user
configuration. The reason for this removal is that when the
'use_ssl: 1' option is enabled on the ProxySQL frontend
side, ProxySQL does not allow non-TLS connections.

This, of course, breaks upgrades or reconfigurations
when an operator enables TLS, as it blocks all non-TLS service
connections at the moment of switching.
Simply said, we do not need to, nor can we, strictly enforce
user connections over TLS because it disrupts reconfiguration
and upgrades. Instead, it is sufficient to reconfigure
the service to connect over TLS - which is already implemented.

It also corrects the `database_enable_tls_internal`
variable, ensuring it is enabled only when
`kolla_enable_tls_internal` is enabled, rather than
`kolla_enable_tls_backend`.

Closes-Bug: #2086466
Change-Id: I6c56b144a81f800e062d6670733ca606733c9e1b
Michal Arbet 2024-11-01 16:24:02 +01:00
parent fc0e0fb821
commit 624056be02
4 changed files with 6 additions and 5 deletions


@ -86,7 +86,7 @@ database_port: "3306"
database_connection_recycle_time: 10
database_max_pool_size: 1
database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_internal | bool ) and ( enable_proxysql | bool)) else 'no' }}"
####################
# Container engine options
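Review bot: The `+` line still carries the `( enable_proxysql | bool)` gate, so `database_enable_tls_internal` is only ever 'yes' when ProxySQL is deployed, exactly like `database_enable_tls_backend` on the unchanged line above; if services are meant to use TLS to the database in non-ProxySQL deployments, that gate needs to go for the internal variable. Style: the spacing inside the Jinja parentheses (`bool )` / `( enable_proxysql`) is inconsistent on both lines; since the line is being rewritten anyway, tidy it to `(kolla_enable_tls_internal | bool) and (enable_proxysql | bool)`.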


@ -1,6 +1,5 @@
---
proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no') }}"
# NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
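Review bot: Deleting the `proxysql_project_database_internal_tls_enable` lookup silently retires the per-project `<role>_database_internal_tls_enable` override that deployers may have set in their inventory or group_vars; nothing in this change documents that removal. Add the removed variable to the release note's upgrade/deprecation section so operators know the setting no longer has any effect, and check that no other role or template still references `proxysql_project_database_internal_tls_enable` (the `default='no'` here means a leftover reference would fail with an undefined variable rather than fall back).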


@ -25,7 +25,4 @@ mysql_users:
{% endif %}
transaction_persistent: 1
active: 1
{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
use_ssl: 1
{% endif %}
{% endfor %}
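Review bot: The `use_ssl: 1` block is removed outright rather than being kept behind a deployer toggle, so after this change there is no supported way to require TLS on the ProxySQL frontend once an upgrade or reconfiguration has completed and every service already connects over TLS. Consider keeping the `{% if ... %} use_ssl: 1 {% endif %}` block gated on a separate opt-in variable that defaults to off, so the transition problem described in the commit message is avoided by default while operators can still enforce TLS in steady state.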


@ -0,0 +1,5 @@
---
fixes:
- |
Fixes proxysql-config's TLS DB configuration.
`LP#2086466 <https://launchpad.net/bugs/#2086466>`__
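Review bot: The Launchpad link is malformed: `https://launchpad.net/bugs/#2086466` puts the bug number in a URL fragment, so it resolves to the bugs index rather than the bug; it should be `https://launchpad.net/bugs/2086466`. The note is also only in the `fixes` section and does not tell operators that `proxysql_project_database_internal_tls_enable` has been removed and that `use_ssl: 1` is no longer set for ProxySQL users; add an `upgrade` (or `deprecations`) entry covering both.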