From ec882d45f9f8110a2e3a9e82956067392db8e0d8 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 17 Jun 2025 11:58:53 +0100
Subject: [PATCH 1/3] Add proxysql cert generation
---
 .../secret-store-generate-internal-tls.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml b/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
index ea9dfd9290..bf0261ff6e 100644
--- a/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
+++ b/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
@@ -54,3 +54,37 @@
 dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/{{ stackhpc_ca_secret_store }}.crt"
 mode: "0600"
 delegate_to: localhost
+
+# NOTE(seunghun1ee): Kolla Ansible reuses internal TLS certificate when
+# creating certificate for proxysql
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/certificates/tasks/generate.yml#L169-L183
+ - name: Generate ProxySQL certificates
+ when: kolla_enable_proxysql
+ block:
+ - name: Copy ProxySQL certificate
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-cert.pem"
+ content: |
+ {{ internal_cert.data.certificate }}
+ {{ internal_cert.data.issuing_ca }}
+ mode: "0600"
+ delegate_to: localhost
+
+ - name: Copy ProxySQL certificate key
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-key.pem"
+ content: |
+ {{ internal_cert.data.private_key }}
+ mode: "0600"
+ delegate_to: localhost
+
+# NOTE(seunghun1ee): When ProxySQL is used with database internal TLS, it expects the intermediate
+# certificate that signed the proxysql-cert.pem as a CA.
+ - name: Copy CA for ProxySQL
+ ansible.builtin.copy:
+ src: "{{ kayobe_env_config_path }}/{{ stackhpc_ca_secret_store }}/OS-TLS-INT.pem"
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-ca.pem"
+ mode: "0600"
+ delegate_to: localhost
From ae5400e6e64b299831be367e609be222c8d811b6 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 31 Mar 2026 16:11:11 +0100
Subject: [PATCH 2/3] Bump ProxySQL to 3.0.x and enable DB TLS
---
 etc/kayobe/kolla/globals.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
index d7ef2198bc..59db7ae8bd 100644
--- a/etc/kayobe/kolla/globals.yml
+++ b/etc/kayobe/kolla/globals.yml
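Review bot: The `Copy ProxySQL certificate key` task in the secret-store-generate-internal-tls.yml hunk writes `internal_cert.data.private_key` in clear text to `{{ kayobe_env_config_path }}/kolla/certificates/proxysql-key.pem`; `mode: "0600"` and `no_log: true` protect it on the control host and in task output, but not once the file is added to version control. Whether that directory is tracked is not visible in this patch, so I would add a comment above the task such as `# proxysql-key.pem holds the internal TLS private key in clear text; encrypt it (e.g. with ansible-vault) before committing.` Because this is a second copy of the internal certificate's key, a rotation or revocation of that certificate has to regenerate this file as well, which is worth saying in the existing NOTE. Separately, `when: kolla_enable_proxysql` relies on the variable already being a boolean; `when: kolla_enable_proxysql | bool` is safer if it can arrive as a templated string.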
@@ -61,7 +61,5 @@ prometheus_openstack_exporter_interval: "{{ stackhpc_prometheus_openstack_export
 rabbitmq_image: "{% raw %}{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/rabbitmq-4-1{% endraw %}"
-# NOTE(seunghun1ee) Disable database TLS until ProxySQL 2.7 gets bug fix for
-# https://github.com/sysown/proxysql/issues/4877 or K-A bumps ProxySQL to 3.x.
-database_enable_tls_internal: false
-database_enable_tls_backend: false
+# Using ProxySQL 3.0.x to fix bug https://github.com/sysown/proxysql/issues/4877
+proxysql_version: 3
From d5e0f2eb2d67fe0f3c531e08e278a6d601b6d07c Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Fri, 17 Apr 2026 14:30:39 +0100
Subject: [PATCH 3/3] Bump ProxySQL image This tag includes ProxySQL 3.0
---
 etc/kayobe/kolla-image-tags.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
index 5e98c935c5..9c3677dcd2 100644
--- a/etc/kayobe/kolla-image-tags.yml
+++ b/etc/kayobe/kolla-image-tags.yml
@@ -43,3 +43,6 @@ kolla_image_tags:
 ubuntu-noble: 2025.1-ubuntu-noble-20260416T131004
 prometheus_cadvisor:
 rocky-9: 2025.1-rocky-9-20260303T104901
+ proxysql:
+ rocky-9: 2025.1-rocky-9-20260417T133810
+ ubuntu-noble: 2025.1-ubuntu-noble-20260417T123032
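Review bot: In the globals.yml hunk, database TLS is switched on only implicitly: the two `database_enable_tls_*: false` overrides are deleted and nothing replaces them, so the effective values come from defaults that are not visible in this patch. If encrypting database traffic is the intent, as the subject says, I would state it next to `proxysql_version`, for example `# database_enable_tls_internal/backend are no longer overridden here and follow the upstream defaults`, or set the two values explicitly, so that an environment whose defaults resolve to false does not silently stay on plaintext. Deployments picking this up presumably also need proxysql-cert.pem, proxysql-key.pem and proxysql-ca.pem from the playbook in patch 1/3 to exist before the next reconfigure, which looks worth a release note.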