)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ec8076875551e297cea2d8274e673d76da7b504e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1f66dc55_852d2e17","updated":"2023-11-06 17:43:06.000000000","message":"Thanks for proposing that - it\u0027s really great overseeing not to have that by now.\n\nThough, I assumed that default behavior is to use whatever is set in my.cnf on `_oslodb_setup_host`? And I believe it should respect already CA and SSL from there, except we miss defining CA there as well, doh [1]\n\nBut it might be easier to patch my.cnf rather then each role? Also I assume you might use `galera_client_my_cnf_overrides` to add extra line to the my.cnf as temporary workaround until rest patches will land.\n\n[1] https://opendev.org/openstack/openstack-ansible-galera_server/src/branch/master/templates/client.my.cnf.j2#L11-L16","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":14805,"name":"Jimmy McCrory","email":"jimmy.mccrory@gmail.com","username":"jimmy-mccrory"},"change_message_id":"953ab9b5cf16203a3f62797a1d8e2212f8def291","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"78a2d755_9ba1e95d","updated":"2023-11-07 06:29:15.000000000","message":"After some more testing, it looks like updating the client my.cnf should be enough to get these tasks working.\nhttps://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/900266 \n\nThe override I had been using was `ssl_ca`, `ssl-ca` with a dash instead of underscore works as expected.","commit_id":"be5e04dc087046f33ceb2eac184e48ec171327b9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"1874a821e64990c9bffa0a3a50607dd5bd6c399a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"143859fb_99b54ffa","updated":"2024-03-28 15:38:34.000000000","message":"i need to spawn an AIO to test that, as in CI mariadb always is covered with TLS. So we won\u0027t catch cases when this is explicitly disabled by user.","commit_id":"be5e04dc087046f33ceb2eac184e48ec171327b9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"b6022f74424c3a8b2cf52ce1ab7939f53a551b8e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9421f97e_1f98ecea","updated":"2024-04-03 17:41:05.000000000","message":"ok, spawned an AIO and that indeed is safe for non-TLS setup.","commit_id":"be5e04dc087046f33ceb2eac184e48ec171327b9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"5323b8552148a305532657152b04ff783392230e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0bcc12bd_dbff7849","updated":"2024-03-13 10:03:59.000000000","message":"recheck get latest CI results","commit_id":"be5e04dc087046f33ceb2eac184e48ec171327b9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"e3d2a45c15684d9999c9227f2b40759f2890ed8c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"532492f3_e0521b14","updated":"2023-11-07 14:37:20.000000000","message":"recheck post failures","commit_id":"be5e04dc087046f33ceb2eac184e48ec171327b9"}],"roles/db_setup/tasks/main.yml":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ec8076875551e297cea2d8274e673d76da7b504e","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"e979df38_332ab788","line":28,"updated":"2023-11-06 17:43:06.000000000","message":"Should we maybe also add `check_hostname` right away? According to the doc [1] it acts as `--ssl` flag in the mysql client.\n\n[1] https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html#parameter-check_hostname","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":14805,"name":"Jimmy McCrory","email":"jimmy.mccrory@gmail.com","username":"jimmy-mccrory"},"change_message_id":"aa1a7408b7cb8987412c2d2fee8d64404b5a0f55","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"2c63aea5_49c7a940","line":28,"in_reply_to":"13492fbd_d6410587","updated":"2023-11-06 19:28:59.000000000","message":"That may actually be a bug with the modules.\n\nIf I\u0027m reading it correctly, when none of these arguments are given it rewrites the ssl config to an empty dictionary, but if just one is given it can continue using any others provided in my.cnf.\n```\nssl_ca\nssl_key\nssl_cert\ncheck_hostname\n```","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"535b16bb2989de06671b09a2febbdb6f0716e047","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"42ada775_cbe6c49a","line":28,"in_reply_to":"2c63aea5_49c7a940","updated":"2024-03-05 16:26:10.000000000","message":"can we make this variable optional? As we for sure have deployments that consciously opted out from any kind of encryption.","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"de9dccec3ea765911e15552bf1f36994213ea257","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"ea01bdc6_eaf665eb","line":28,"in_reply_to":"8623a582_124a04c8","updated":"2023-11-06 19:17:30.000000000","message":"We should actually add `require_secure_transport` to our CI for TLS jobs as well I think, to test out the scenario properly. I will try to handle that during the week.","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"176a48fdbb1f8e92d3ee1f5b9611f76e05b04da2","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"8623a582_124a04c8","line":28,"in_reply_to":"caaf279d_4cc975c8","updated":"2023-11-06 19:15:16.000000000","message":"But doesn\u0027t that make the ansible module to communicate through TLS as well? As I\u0027d assume it to respect whatever is set in my.cnf.\n\nAlso please add `check_hostname` with some variable and default omit, since there\u0027re still quite some deployments that have opted out from encryption, thus I would expect this approach to fail for them.","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":14805,"name":"Jimmy McCrory","email":"jimmy.mccrory@gmail.com","username":"jimmy-mccrory"},"change_message_id":"b17da27b32a7f19628a1475299769ddafa2a1bb8","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"caaf279d_4cc975c8","line":28,"in_reply_to":"e979df38_332ab788","updated":"2023-11-06 18:58:15.000000000","message":"Yes, I\u0027m using overrides for my.cnf and cluster.cnf\n```\ngalera_client_my_cnf_overrides:\n  client:\n    ssl_ca: /etc/ssl/certs/galera-ca.pem\n    \ngalera_cluster_cnf_overrides:\n  mysqld:\n    require_secure_transport: ON\n```\nGreat find with `check_hostname`, just tested and that seems to work and would avoid having to patch every individual role.\nWill update to use that instead.","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"},{"author":{"_account_id":14805,"name":"Jimmy McCrory","email":"jimmy.mccrory@gmail.com","username":"jimmy-mccrory"},"change_message_id":"e7364567fec7f85d3c786a971102a8fbaa7f5210","unresolved":true,"context_lines":[{"line_number":25,"context_line":"        name: \"{{ item.name }}\""},{"line_number":26,"context_line":"        login_host: \"{{ _oslodb_setup_endpoint | default(omit) }}\""},{"line_number":27,"context_line":"        login_port: \"{{ _oslodb_setup_port | default(omit) }}\""},{"line_number":28,"context_line":"        ca_cert: \"{{ _oslodb_ca_cert | default(omit) }}\""},{"line_number":29,"context_line":"      loop: \"{{ _oslodb_databases }}\""},{"line_number":30,"context_line":"      no_log: \"{{ _oslodb_setup_nolog | default(True) }}\""},{"line_number":31,"context_line":"      when: item.condition | default(True)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"13492fbd_d6410587","line":28,"in_reply_to":"ea01bdc6_eaf665eb","updated":"2023-11-06 19:23:18.000000000","message":"These modules failed with the change to my.cnf alone.\n\nIt looks like they\u0027re only relying on module arguments rather than the config file for ssl options.\nhttps://github.com/ansible-collections/community.mysql/blob/main/plugins/module_utils/mysql.py#L111-L112","commit_id":"a49bd18119eaadc07ad8c6212bedf71d49142f25"}]}
