From 5a3bf1c9b4561d97b85255687ad56e9f8e5a1ab0 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 17 Jun 2025 11:58:53 +0100
Subject: [PATCH 1/2] Add proxysql cert generation
---
 .../secret-store-generate-internal-tls.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml b/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
index ea9dfd9290..c575a128d8 100644
--- a/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
+++ b/etc/kayobe/ansible/secret-store/secret-store-generate-internal-tls.yml
@@ -54,3 +54,38 @@
 dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/{{ stackhpc_ca_secret_store }}.crt"
 mode: "0600"
 delegate_to: localhost
+
+# NOTE(seunghun1ee): Kolla Ansible reuses internal TLS certificate when
+# creating certificate for proxysql
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/certificates/tasks/generate.yml#L169-L183
+ - name: Generate ProxySQL certificates
+ when: kolla_enable_proxysql
+ block:
+ - name: Copy ProxySQL certificate
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-cert.pem"
+ content: |
+ {{ internal_cert.data.certificate }}
+ {{ internal_cert.data.issuing_ca }}
+ mode: "0600"
+ delegate_to: localhost
+
+ - name: Copy ProxySQL certificate key
+ no_log: true
+ ansible.builtin.copy:
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/proxysql-key.pem"
+ content: |
+ {{ internal_cert.data.private_key }}
+ mode: "0600"
+ delegate_to: localhost
+
+# NOTE(seunghun1ee): ProxySQL only expects root CA to be named ``root.crt`` because of
+# https://opendev.org/openstack/kolla-ansible/src/branch/stable/2025.1/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2#L36
+# Make a duplicate named ``root.crt``
+ - name: Copy root CA for ProxySQL
+ ansible.builtin.copy:
+ src: "{{ kayobe_env_config_path }}/{{ stackhpc_ca_secret_store }}/OS-TLS-ROOT.pem"
+ dest: "{{ kayobe_env_config_path }}/kolla/certificates/ca/root.crt"
+ mode: "0600"
+ delegate_to: localhost
From 6a816f6cf2c9b4fae48894a24ab00487198f14b2 Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Tue, 31 Mar 2026 16:11:11 +0100
Subject: [PATCH 2/2] Bump ProxySQL to 3.0.x and enable DB TLS
---
 etc/kayobe/kolla/globals.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
index d7ef2198bc..6a822e3386 100644
--- a/etc/kayobe/kolla/globals.yml
+++ b/etc/kayobe/kolla/globals.yml
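Review bot: The `Copy root CA for ProxySQL` task hard-codes its source as `{{ kayobe_env_config_path }}/{{ stackhpc_ca_secret_store }}/OS-TLS-ROOT.pem`, while the context task just above it writes the CA to `ca/{{ stackhpc_ca_secret_store }}.crt`; the hunk does not show whether these are the same material, and the comment `# Make a duplicate named root.crt` does not say which file is being duplicated. If they are the same CA, sourcing `root.crt` from the `ca/{{ stackhpc_ca_secret_store }}.crt` written above (or from the same variable) keeps the two copies from drifting on rotation; if they are not, the comment should name the file, e.g. `# Make a duplicate of OS-TLS-ROOT.pem named root.crt so ProxySQL can find the root CA`. Because this rendering has lost indentation, it is also not visible whether that task sits inside the `Generate ProxySQL certificates` block and so inherits `when: kolla_enable_proxysql`; if it is a sibling task, the guard should be repeated on it so `root.crt` is not written on deployments without ProxySQL. The play and the task that registers `internal_cert` start before this hunk.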
@@ -61,7 +61,7 @@ prometheus_openstack_exporter_interval: "{{ stackhpc_prometheus_openstack_export
 rabbitmq_image: "{% raw %}{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/rabbitmq-4-1{% endraw %}"
-# NOTE(seunghun1ee) Disable database TLS until ProxySQL 2.7 gets bug fix for
-# https://github.com/sysown/proxysql/issues/4877 or K-A bumps ProxySQL to 3.x.
-database_enable_tls_internal: false
-database_enable_tls_backend: false
+# Using ProxySQL 3.0.x to fix bug https://github.com/sysown/proxysql/issues/4877
+proxysql_version: 3
+database_enable_tls_internal: true
+database_enable_tls_backend: true
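Review bot: The new `proxysql_version: 3` line and the two `database_enable_tls_*: true` lines are coupled — the removed comment recorded that database TLS had to stay off on ProxySQL 2.7 because of issue 4877 — but the replacement comment only explains the version bump, so a later removal of the version override would silently revert to the broken combination without anything in the file saying so. Suggest stating the dependency on the flags themselves, e.g. `# NOTE(seunghun1ee): database TLS requires ProxySQL >= 3.0.x (https://github.com/sysown/proxysql/issues/4877); keep in step with proxysql_version above`. The comment says 3.0.x while the value is the bare integer `3`; if the consumer uses this as a string (for example to build an image tag), quoting it as `"3"` avoids YAML typing it as an int — worth confirming against the kolla-ansible definition of `proxysql_version`. The hunk's line counts suggest it sits at the end of globals.yml, with blank context lines lost in this rendering.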