SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.
https://github.com/orgs/SovereignCloudStack/projects/6

Implement ability for Ansible Kolla to deploy MariaDB with the ability to accept connections via TLS #466

Open fdobrovolny opened 10 months ago

fdobrovolny commented 10 months ago

Epic #462

As an SCS Operator, I want to deploy MariaDB using Ansible Kolla and have it listen for TLS connections so that I can have E2E encryption for OpenStack services.

Definition of Ready:

Definition of Done:

fkr commented 8 months ago

@artificial-intelligence alongside this and #467 we came across the comment from Mark Goddard in the linked review that ProxySQL is the way to address this need. Since we discussed the enablement of ProxySQL on Dec 13th in Team IaaS this seems to fit nicely together. Can you comment on this and assist here?

MatusJenca2 commented 6 months ago

ProxySQL is already implemented in Kolla. I enabled TLS between ProxySQL and MariaDB according to this guide and created a patch in upstream. There should be a discussion about which services will have TLS, around 20 services in Kolla use DB, do we need them all?

MatusJenca2 commented 5 months ago

I wrote a test for proxysql as requested by the reviews. You can check out progress in upstream

berendt commented 5 months ago

There should be a discussion about which services will have TLS, around 20 services in Kolla use DB, do we need them all?

No discussion necessary. In the upstream project we have to add TLS support for all the services, even if we do not use them here in SCS at the moment. Otherwise, the change has not been fully implemented there and is not mergeable.

If necessary, you may can split it into several reviews so that the services relevant to us are implemented first.

We deploy the following services at the moment:

MatusJenca2 commented 5 months ago

In Kolla, every service mentioned above has its own user, and ProxySQL can require SSL per user with require_ssl. We can make a separate upstream PR for every service; that's the preferred way of working when developing Kolla.

However, there's also the root user, which is used when setting up the cloud by kolla-ansible deploy. This user is utilized in all roles, meaning that if we turn on require SSL for this user, we will have to at the very least add the --ssl parameter to all the roles (or the Ansible equivalent of --ssl). This could be done in one PR only, because turning require_ssl on for the root user will break the roles that don't have --ssl.

There is a question of whether we need to require SSL for the root user at all, because it's only used during kolla deploying.
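As an added illustration of the per-user enforcement discussed in the comments above (not code from this thread or from kolla-ansible), the statements below show the ProxySQL admin-interface and MariaDB side of requiring TLS for one service user while leaving root unchanged; the service user name `nova` is an assumption.

```sql
-- ProxySQL admin interface (constructed example; service user 'nova' is assumed)
-- Backend leg: ProxySQL -> MariaDB over TLS
UPDATE mysql_servers SET use_ssl = 1;
LOAD MYSQL SERVERS TO RUNTIME;
SAVE MYSQL SERVERS TO DISK;

-- Frontend leg: require TLS from the 'nova' service user only; 'root' is left
-- as-is, because deploy roles that connect without --ssl would otherwise break
UPDATE mysql_users SET use_ssl = 1 WHERE username = 'nova';
LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS TO DISK;

-- Check which frontend users currently enforce TLS
SELECT username, use_ssl FROM runtime_mysql_users;

-- MariaDB side: enforce TLS on the account itself as well, so a client that
-- reaches MariaDB without going through ProxySQL is also rejected in plaintext
ALTER USER 'nova'@'%' REQUIRE SSL;
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'nova';

-- From a service connection: a non-empty Ssl_cipher confirms the session is encrypted
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Enabling use_ssl per user one at a time is what allows the per-service upstream PRs described above, while the root account can stay unchanged until every role passes --ssl.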

artificial-intelligence commented 4 months ago

@MatusJenca2 could you address upstream's comment about removing the "when:" condition in your patch at https://review.opendev.org/c/openstack/kolla-ansible/+/915901 ? Then we can merge it.

So just remove that when condition completely, just like Michal Arbet suggested and we can merge it.

Thanks!

MatusJenca2 commented 1 month ago

I am working on a patch that will allow the use of TLS between a service and ProxySQL (frontend TLS); this patch will be pushed upstream as soon as it's done.