orchestrator: Use ssl for talking to db servers
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Kormat
	Nov 6 2020, 1:19 PM

Description

As far as i can tell, it currently tries to use ssl but fails with cert verification issues, and then falls back to plain-text.

MySQLTopologyUseMixedTLS to true, but i suspect we need to also set MySQLTopologySSLCAFile.

Details

	Subject	Repo	Branch	Lines +/-
	orchestrator: Require ssl connections to db servers	operations/puppet	production	+2 -0

Customize query in gerrit

Event Timeline

Kormat created this task.Nov 6 2020, 1:19 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 6 2020, 1:19 PM

Looking at the code, it looks like this is what happens:

if MySQLTopologyUseMixedTLS is set, check if the host 'requires' ssl
if it can auth to the db host without ssl, then it doesn't 'require' ssl, so ssl won't be used.

Change 639765 had a related patch set uploaded (by Kormat; owner: Kormat):
[operations/puppet@production] orchestrator: Require ssl connections to db servers

https://gerrit.wikimedia.org/r/639765

gerritbot added a project: Patch-For-Review.Nov 6 2020, 1:37 PM

• Marostegui triaged this task as Medium priority.Nov 10 2020, 7:13 AM

• Marostegui moved this task from Triage to Ready on the DBA board.

Change 639765 merged by Kormat:
[operations/puppet@production] orchestrator: Require ssl connections to db servers

https://gerrit.wikimedia.org/r/639765

Fixed by https://gerrit.wikimedia.org/r/639765. From the commit description:

The orchestrator docs are a bit misleading here; If you set
MySQLTopologyUseMutualTLS it means ssl is required; if you _don't_ set
MySQLTopologySSLCertFile then it doesn't try to do TLS client
authentication.

Maintenance_bot removed a project: Patch-For-Review.Nov 18 2020, 1:10 PM

orchestrator: Use ssl for talking to db serversClosed, ResolvedPublicActions

Description

Details

Event Timeline

orchestrator: Use ssl for talking to db servers
Closed, ResolvedPublic
Actions