Fix proxysql-config's TLS DB configuration
This patch removes `proxysql_project_database_internal_tls_enable` variable and also 'use_ssl: 1' option from ProxySQL's user configuration. The reason for this removal is that when 'use_ssl: 1' option is enabled on the ProxySQL frontend side, ProxySQL does not allow non-TLS connections. This, of course, breaks upgrades or reconfigurations when an operator enables TLS, as it blocks all non-TLS service connections at the moment of switching. Simply said, we do not need to, nor can we, strictly enforce user connections over TLS because it disrupts reconfiguration and upgrades. Instead, it is sufficient to reconfigure the service to connect over TLS - which is already implemented. It also corrects the `database_enable_tls_internal` variable, ensuring it is enabled only when `kolla_enable_tls_internal` is enabled, rather than `kolla_enable_tls_backend`. Closes-Bug: #2086466 Change-Id: I6c56b144a81f800e062d6670733ca606733c9e1b
parent
fc0e0fb821
commit
624056be02
@ -86,7 +86,7 @@ database_port: "3306"
|
|||||||
database_connection_recycle_time: 10
|
database_connection_recycle_time: 10
|
||||||
database_max_pool_size: 1
|
database_max_pool_size: 1
|
||||||
database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
|
database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
|
||||||
database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
|
database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_internal | bool ) and ( enable_proxysql | bool)) else 'no' }}"
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Container engine options
|
# Container engine options
|
||||||
|
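Review bot: `database_enable_tls_internal` has no comment stating what it does and does not guarantee, and that matters more now that the `use_ssl: 1` block is removed in the `mysql_users` hunk of this commit. Per the commit description, the flag only makes services connect over TLS, while the ProxySQL frontend keeps accepting non-TLS connections. As written it also resolves to 'no' whenever `enable_proxysql` is false, even with `kolla_enable_tls_internal` set. I would add above the line something like `# NOTE: services connect to ProxySQL over TLS when this is 'yes'; non-TLS frontend connections are still accepted (not enforced), and the value is 'no' without enable_proxysql`. If enforcement is wanted once all services are reconfigured, that would need a separate, explicit opt-in, which this hunk does not provide.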
@ -1,6 +1,5 @@
|
|||||||
---
|
---
|
||||||
proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
|
proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
|
||||||
proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no') }}"
|
|
||||||
# NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
|
# NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
|
||||||
proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
|
proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
|
||||||
proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
|
proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
|
||||||
|
@ -25,7 +25,4 @@ mysql_users:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
transaction_persistent: 1
|
transaction_persistent: 1
|
||||||
active: 1
|
active: 1
|
||||||
{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
|
|
||||||
use_ssl: 1
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
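--- a/releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml
+++ b/releasenotes/notes/bug-2086466-dc13b40f8da39542.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+- |
+Fixes proxysql-config's TLS DB configuration.
+`LP#2086466 <https://launchpad.net/bugs/#2086466>`__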