ansible-scylla-node: Allow the user to use a same certificate for all the nodes #427
…set of nodes If the user provides certificates for at least one node, then the user should either provide certificates for all the other nodes or provide the CA used, otherwise the role would generate its own CA which would of course be different than the one used by the user. The main change in this patch is that now the user is allowed to provide certs for the nodes without having to provide a CA, as long as the certificates are provided for all the nodes.
So far this role allowed the user to provide a parent folder (`localhost_cert_path`) for the certificates but would always create the certificates and keys in `{{ localhost_cert_path }}/ssl/{{ hostname }}`, with fixed names `{{ hostname }}.crt` and `{{ hostname }}.pem`, which prevented us from being able to use a single certificate for all the nodes without having to create a folder for every single node in the cluster with the same crt and key files. With the changes in this patch, `localhost_cert_path` will indicate the complete path to the crt file and a variable `localhost_cert_key_path` was also added; this way the user can save the key in a different path, if necessary. By having a `localhost_cert_path` which is not a function of `{{ hostname }}`, the user will now be able to have a single certificate for the whole cluster. The patch also tries to use the old defaults in the ssl task in case `localhost_cert_path` and `localhost_cert_key_path` are not set, in order to still support clusters that were relying on the old defaults.
so with wildcard certificate support I guess #151 could be closed too

The issue above is still relevant when we are using certificates generated by this role, but it's out of the scope of the current PR
Force-pushed 7865f0e to e7cc31e
So far we were considering that the CA would always be used as a truststore, but since the CA is not mandatory, this wouldn't always work. From now on, let's have a dedicated file for the truststore and use the CA as truststore only if the CA exists and if a dedicated truststore is not given.
This is necessary since the scylla.yaml.j2 file uses the variables `_localhost_cert_path`, `_localhost_cert_key_path` and `_truststore_exists`, which are defined only in the ssl task.
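The two rules this PR introduces, the "all nodes or a CA" validation from the description and the truststore fallback from the commit above, are modelled below in Python as an added example. It is not the role's own code (the role expresses these rules as Ansible tasks and Jinja templates); the node names, file paths and the `legacy_base` stand-in for the old parent folder are constructed assumptions, and the decision to fall back to the old per-host layout whenever either new variable is unset is also an assumption.

```python
"""Model of the certificate-configuration rules described in this PR.

Added illustration, not the role's Ansible code. Paths, node names and
legacy_base are constructed assumptions for the example.
"""
from typing import Dict, List, Optional, Tuple

# Layout the role used before this change: <base>/ssl/<host>/<host>.crt|.pem
LEGACY_CERT = "{base}/ssl/{host}/{host}.crt"
LEGACY_KEY = "{base}/ssl/{host}/{host}.pem"


def validate_user_certs(nodes: List[str], user_certs: Dict[str, Optional[str]],
                        ca_provided: bool) -> Tuple[bool, str]:
    """Rule from the PR description: once the user supplies a certificate for at
    least one node, either every node must get one or the signing CA must be
    supplied too; otherwise the role would mint its own CA, which would not
    match the user-provided certificates."""
    with_cert = {n for n in nodes if user_certs.get(n)}
    if not with_cert:
        return True, "no user certificates: role generates its own CA and per-node certs"
    missing = sorted(set(nodes) - with_cert)
    if not missing:
        return True, "user certificates supplied for every node; CA is optional"
    if ca_provided:
        return True, f"user CA supplied; role can sign certificates for {missing}"
    return False, f"certificates missing for {missing} and no CA supplied"


def resolve_cert_paths(host: str, localhost_cert_path: Optional[str] = None,
                       localhost_cert_key_path: Optional[str] = None,
                       legacy_base: str = "/tmp/scylla-certs") -> Tuple[str, str]:
    """New semantics: localhost_cert_path is the full .crt path and
    localhost_cert_key_path the full key path, neither derived from the
    hostname, so one pair can serve the whole cluster. When the new variables
    are unset, fall back to the old per-host defaults (assumption: either one
    missing triggers the fallback; legacy_base stands in for the old parent
    folder)."""
    if localhost_cert_path and localhost_cert_key_path:
        return localhost_cert_path, localhost_cert_key_path
    return (LEGACY_CERT.format(base=legacy_base, host=host),
            LEGACY_KEY.format(base=legacy_base, host=host))


def resolve_truststore(truststore_path: Optional[str] = None,
                       ca_path: Optional[str] = None) -> Optional[str]:
    """Truststore rule from the follow-up commit: a dedicated truststore wins;
    the CA is used as truststore only when no truststore is given and the CA
    exists (ca_path is None when it does not). None means no truststore."""
    if truststore_path:
        return truststore_path
    if ca_path:
        return ca_path
    return None


def plan_cluster(nodes: List[str], user_certs: Dict[str, Optional[str]],
                 ca_path: Optional[str] = None, truststore_path: Optional[str] = None,
                 cert_path: Optional[str] = None, key_path: Optional[str] = None) -> dict:
    """Validate the inventory, then compute the per-node paths and truststore
    the way the ssl task would feed them to scylla.yaml.j2."""
    ok, reason = validate_user_certs(nodes, user_certs, ca_provided=ca_path is not None)
    if not ok:
        raise ValueError(reason)
    return {
        "reason": reason,
        "truststore": resolve_truststore(truststore_path, ca_path),
        "paths": {n: resolve_cert_paths(n, cert_path, key_path) for n in nodes},
    }


if __name__ == "__main__":
    # Constructed sample inventory: one wildcard certificate shared by all nodes.
    nodes = ["node1", "node2", "node3"]
    shared = {n: "/etc/scylla/cluster.crt" for n in nodes}
    plan = plan_cluster(nodes, shared, truststore_path="/etc/scylla/truststore.pem",
                        cert_path="/etc/scylla/cluster.crt", key_path="/etc/scylla/cluster.key")
    for host, (crt, key) in plan["paths"].items():
        print(f"{host}: cert={crt} key={key} truststore={plan['truststore']}")
```

Running the block prints identical cert and key paths for every host, which is exactly the single-certificate deployment the description is after; changing `shared` so that only `node1` carries a certificate, with no `ca_path`, makes `plan_cluster` raise with the reason the validation rule gives.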
Force-pushed e7cc31e to 4445f0a
thnx for the truststore resolution!