From d23433aca34cb3bf550056804dced7aa44a08c59 Mon Sep 17 00:00:00 2001
From: Matus Jenca <matus.jenca@dnation.cloud>
Date: Thu, 1 Aug 2024 15:55:06 +0200
Subject: [PATCH] Add frontend TLS ability to ProxySQL

This patch adds the ability to receive TLS connections
to ProxySQL. Certificates and variable lookups are
added in order for TLS to be enabled by
<project_name>_database_internal_tls_enable.
Note that in order for this to work, mysql
connection strings need to have TLS enabled,
which can be added in separate per-service patches

Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
---
 ansible/group_vars/all.yml                    |  1 +
 ansible/roles/certificates/tasks/generate.yml | 12 ++++++++++++
 .../roles/loadbalancer/tasks/copy-certs.yml   |  9 +++++++++
 .../templates/proxysql/proxysql.json.j2       | 19 +++++++++++++++++++
 .../roles/proxysql-config/defaults/main.yml   |  1 +
 .../proxysql-config/templates/users.yaml.j2   |  3 +++
 ...roxysql-internal-tls-dd68e952d97540a1.yaml |  8 ++++++++
 7 files changed, 53 insertions(+)
 create mode 100644 releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 9c90466cfd..57be6a7f77 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -86,6 +86,7 @@ database_port: "3306"
 database_connection_recycle_time: 10
 database_max_pool_size: 1
 database_enable_tls_backend: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
+database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_backend | bool ) and ( enable_proxysql | bool)) else 'no' }}"
 
 ####################
 # Container engine options
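Review bot: The new `database_enable_tls_internal` is derived from `kolla_enable_tls_backend`, the same condition as `database_enable_tls_backend` on the line above, although its name and the generate.yml task in this patch treat it as the frontend/internal TLS switch — this looks like a copy of the previous line rather than an intended condition. As written, a deployment with backend TLS but without internal TLS gets `database_enable_tls_internal: yes`, so copy-certs.yml and proxysql.json.j2 (both guarded by this variable alone) will look for `proxysql-cert.pem`/`proxysql-key.pem` that generate.yml never produced, since its block additionally requires `kolla_enable_tls_internal`. The condition should presumably read `database_enable_tls_internal: "{{ 'yes' if ((kolla_enable_tls_internal | bool ) and ( enable_proxysql | bool)) else 'no' }}"`; if the backend flag is really intended, a comment explaining why frontend TLS follows backend TLS would avoid the next reader making the same assumption.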
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index cf24d969ef..511df27d0f 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -142,3 +142,15 @@
     - not enable_letsencrypt | bool
     - kolla_enable_tls_internal | bool
     - not kolla_same_external_internal_vip | bool
+- block:
+    - name: Copy Certificate and Key for ProxySQL
+      copy:
+        src: "{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}/{{ 'external' if  kolla_same_external_internal_vip | bool else 'internal' }}.{{item}}"
+        dest: "{{ kolla_certificates_dir }}/proxysql-{{ 'cert' if item == 'crt' else item }}.pem"
+        mode: "0660"
+      with_items:
+        - "crt"
+        - "key"
+  when:
+    - database_enable_tls_internal | bool
+    - kolla_enable_tls_internal | bool
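Review bot: The ProxySQL private key is copied with `mode: "0660"`, which leaves `proxysql-key.pem` group-writable in `kolla_certificates_dir`; unless the surrounding tasks in generate.yml (outside this hunk) deliberately use 0660 for key material, `mode: "0600"` is the safer choice, or at least the key and the certificate should be given different modes. The block also has no `name:`, so the play output only identifies the inner task; a `- name: Copy ProxySQL frontend certificate and key` on the block line would match the style of the tasks above. Minor: `{{item}}` on the `src:` line lacks the spaces used everywhere else in this patch (`{{ item }}`), and there is a double space in `'external' if  kolla_same_external_internal_vip`.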
diff --git a/ansible/roles/loadbalancer/tasks/copy-certs.yml b/ansible/roles/loadbalancer/tasks/copy-certs.yml
index 3c628dfa62..95cd80afda 100644
--- a/ansible/roles/loadbalancer/tasks/copy-certs.yml
+++ b/ansible/roles/loadbalancer/tasks/copy-certs.yml
@@ -14,3 +14,12 @@
     project_services: "{{ loadbalancer_services }}"
     project_name: mariadb
   when: database_enable_tls_backend | bool
+
+
+- name: "Copy certificates and keys for Proxysql"
+  import_role:
+    role: service-cert-copy
+  vars:
+    project_services: "{{ loadbalancer_services }}"
+    project_name: "proxysql"
+  when: database_enable_tls_internal | bool
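Review bot: The new task is separated from the previous one by two consecutive blank lines, where the rest of this file uses one; drop one of them. The values are also quoted inconsistently with the task directly above: `project_name: "proxysql"` and the quoted task name versus the unquoted `project_name: mariadb` — `project_name: proxysql` keeps the file uniform.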
diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
index 8ad11470d3..4f4e52fc07 100644
--- a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
+++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2
@@ -44,5 +44,24 @@
             "owner": "proxysql",
             "perm": "0600"
         }{% endif %}
+        {% if database_enable_tls_internal | bool %},
+        {
+            "source": "{{ container_config_directory }}/ca-certificates/root.crt",
+            "dest": "/var/lib/proxysql/proxysql-ca.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-cert.pem",
+            "dest": "/var/lib/proxysql/proxysql-cert.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/proxysql-key.pem",
+            "dest": "/var/lib/proxysql/proxysql-key.pem",
+            "owner": "proxysql",
+            "perm": "0600"
+        }{% endif %}
     ]
 }
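Review bot: These three entries stage `proxysql-ca.pem`, `proxysql-cert.pem` and `proxysql-key.pem` under `/var/lib/proxysql`, which is where ProxySQL looks for its frontend TLS material, but ProxySQL only serves TLS to clients when its global variable `mysql-have_ssl` is true; the diffstat of this patch does not touch the proxysql.yaml template, so unless that variable is already set there, the files are copied but frontend TLS stays off — worth confirming and, if needed, wiring it to `database_enable_tls_internal` in the same change. A short Jinja comment above the `{% if %}`, e.g. `{# frontend TLS material; ProxySQL reads these fixed names from its datadir #}`, would also document why the destination file names are fixed rather than derived from the source names.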
diff --git a/ansible/roles/proxysql-config/defaults/main.yml b/ansible/roles/proxysql-config/defaults/main.yml
index f09305d9f4..0ad83398c7 100644
--- a/ansible/roles/proxysql-config/defaults/main.yml
+++ b/ansible/roles/proxysql-config/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard', default=omit) }}"
+proxysql_project_database_internal_tls_enable: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_internal_tls_enable', default='no')  }}"
 # NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell
 proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_', '-') }}"
 proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}"
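Review bot: The new lookup line has a double space before the closing `}}` (`default='no')  }}"`); write it as `default='no') }}"` to match the shard lookup above. Since the value is consumed through `| bool` in users.yaml.j2, a comment stating that the per-service `<project_name>_database_internal_tls_enable` defaults to off and must be opted into per service would make the contract visible here instead of only in the commit message, e.g. `# Per-service opt-in; defaults to 'no' so services must explicitly enable frontend TLS.`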
diff --git a/ansible/roles/proxysql-config/templates/users.yaml.j2 b/ansible/roles/proxysql-config/templates/users.yaml.j2
index f8de57bc8b..48accdb1b9 100644
--- a/ansible/roles/proxysql-config/templates/users.yaml.j2
+++ b/ansible/roles/proxysql-config/templates/users.yaml.j2
@@ -25,4 +25,7 @@ mysql_users:
 {% endif %}
     transaction_persistent: 1
     active: 1
+{% if database_enable_tls_internal | bool and proxysql_project_database_internal_tls_enable | bool %}
+    use_ssl: 1
+{% endif %}
 {% endfor %}
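Review bot: `use_ssl: 1` appears to make ProxySQL require TLS for this user's frontend connections, so a service whose own connection string has not been switched to TLS (which the commit message defers to per-service patches) will be refused once the per-service flag is turned on; that coupling should be documented next to the setting rather than left in the commit message only. A Jinja comment above the `{% if %}` such as `{# use_ssl: 1 requires TLS for this user; enable only together with a TLS-enabled connection string on the service side #}` would do. The enclosing `{% for %}` loop and the `mysql_users` mapping start outside this hunk.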
diff --git a/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml b/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
new file mode 100644
index 0000000000..c5774b2123
--- /dev/null
+++ b/releasenotes/notes/proxysql-internal-tls-dd68e952d97540a1.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Implements  ability to use internal frontend TLS between
+    a Kolla service and ProxySQL
+    This does not enable TLS itself, its need to be patched
+    in per-service patches, that will enable TLS in
+    mysql connection strings