From 6ec2464b1d25526ce51cc905b57aef843bc22286 Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Thu, 3 Apr 2025 14:27:44 +0200 Subject: [PATCH 1/3] Fix ssl verification always enabled for replication even if set to false --- plugins/modules/mysql_replication.py | 16 +++++--- .../tasks/issue-689.yml | 40 +++++++++++++++++++ .../test_mysql_replication/tasks/main.yml | 3 ++ 3 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 tests/integration/targets/test_mysql_replication/tasks/issue-689.yml diff --git a/plugins/modules/mysql_replication.py b/plugins/modules/mysql_replication.py index b902da0..deb2a0c 100644 --- a/plugins/modules/mysql_replication.py +++ b/plugins/modules/mysql_replication.py @@ -493,7 +493,7 @@ def main(): primary_ssl_cert=dict(type='str', aliases=['master_ssl_cert']), primary_ssl_key=dict(type='str', no_log=False, aliases=['master_ssl_key']), primary_ssl_cipher=dict(type='str', aliases=['master_ssl_cipher']), - primary_ssl_verify_server_cert=dict(type='bool', default=False), + primary_ssl_verify_server_cert=dict(type='bool'), primary_use_gtid=dict(type='str', choices=[ 'current_pos', 'replica_pos', 'disabled'], aliases=['master_use_gtid']), primary_delay=dict(type='int', aliases=['master_delay']), 
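Review bot: With `default=False` dropped from `primary_ssl_verify_server_cert` in the argument spec, the option becomes tri-state, and nothing in this hunk records what the unset state means. The option's entry in the module's DOCUMENTATION block is outside the hunk; if it still lists a default of false, it should instead say that omitting the option leaves the replica's current setting untouched, while `false` now actively turns off verification of the primary's certificate on the replication link. A short comment above the spec entry would help too, e.g. `# no default: None means "do not touch the existing setting"`. main() continues outside the hunk.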
@@ -641,8 +641,11 @@ def main(): chm.append("%s='%s'" % (command_resolver.resolve_command('MASTER_SSL_KEY'), primary_ssl_key)) if primary_ssl_cipher is not None: chm.append("%s='%s'" % (command_resolver.resolve_command('MASTER_SSL_CIPHER'), primary_ssl_cipher)) - if primary_ssl_verify_server_cert: - chm.append("%s=1" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT')) + if primary_ssl_verify_server_cert is not None: + if primary_ssl_verify_server_cert: + chm.append("%s=1" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT')) + else: + chm.append("%s=0" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT')) if primary_auto_position: chm.append("%s=1" % command_resolver.resolve_command('MASTER_AUTO_POSITION')) if primary_use_gtid is not None: @@ -723,8 +726,11 @@ def main(): chm.append("SOURCE_SSL_KEY='%s'" % primary_ssl_key) if primary_ssl_cipher is not None: chm.append("SOURCE_SSL_CIPHER='%s'" % primary_ssl_cipher) - if primary_ssl_verify_server_cert: - chm.append("SOURCE_SSL_VERIFY_SERVER_CERT=1") + if primary_ssl_verify_server_cert is not None: + if primary_ssl_verify_server_cert: + chm.append("%s=1" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT')) + else: + chm.append("%s=0" % command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT')) if primary_auto_position: chm.append("SOURCE_AUTO_POSITION=1") try: diff --git a/tests/integration/targets/test_mysql_replication/tasks/issue-689.yml b/tests/integration/targets/test_mysql_replication/tasks/issue-689.yml new file mode 100644 index 0000000..cc79d6d --- /dev/null +++ b/tests/integration/targets/test_mysql_replication/tasks/issue-689.yml 
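Review bot: The nested `if`/`else` added in the hunk at -641 differs only in the trailing `1`/`0`, so the resolver call is written out twice. Under the `is not None` guard one line does the same: `chm.append("%s=%d" % (command_resolver.resolve_command('MASTER_SSL_VERIFY_SERVER_CERT'), primary_ssl_verify_server_cert))`, since `%d` formats a bool as 1 or 0. The same four lines are repeated in the hunk at -726. main() starts and ends outside the hunk.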
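Review bot: In the hunk at -726 the new lines resolve `'MASTER_SSL_VERIFY_SERVER_CERT'` through `command_resolver`, whereas the removed line and every neighbouring append in this branch use literal `SOURCE_…` names. Whether the resolver maps that name to `SOURCE_SSL_VERIFY_SERVER_CERT` here is not visible in the hunk; if it does not, this branch would emit a `MASTER_…` option inside a statement otherwise built from `SOURCE_…` options. Keeping the literal matches the surrounding code and the query the new test expects: `chm.append("SOURCE_SSL_VERIFY_SERVER_CERT=%d" % primary_ssl_verify_server_cert)`. The enclosing block starts and ends outside the hunk.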
@@ -0,0 +1,40 @@ +--- + +- vars: + mysql_parameters: &mysql_params + login_user: '{{ mysql_user }}' + login_password: '{{ mysql_password }}' + login_host: '{{ mysql_host }}' + login_port: '{{ mysql_primary_port }}' + block: + + - name: Disable ssl verification + community.mysql.mysql_replication: + <<: *mysql_params + login_port: '{{ mysql_replica1_port }}' + mode: changeprimary + primary_ssl_verify_server_cert: false + register: result + + - name: Assert that changeprimmary is changed and return expected query for MariaDB and MySQL < 8.0.23 + ansible.builtin.assert: + that: + - result is changed + - result.queries == expected_queries + when: + - > + db_engine == 'mariadb' or + (db_engine == 'mysql' and db_version is version('8.0.23', '<')) + vars: + expected_queries: ["CHANGE MASTER TO MASTER_SSL_VERIFY_SERVER_CERT=0"] + + - name: Assert that changeprimmary is changed and return expected query for MySQL > 8.0.23 + ansible.builtin.assert: + that: + - result is changed + - result.queries == expected_queries + when: + - db_engine == 'mysql' + - db_version is version('8.0.23', '>=') + vars: + expected_queries: ["CHANGE REPLICATION SOURCE TO SOURCE_SSL_VERIFY_SERVER_CERT=0"] diff --git a/tests/integration/targets/test_mysql_replication/tasks/main.yml b/tests/integration/targets/test_mysql_replication/tasks/main.yml index 32ce553..9e88203 100644 --- a/tests/integration/targets/test_mysql_replication/tasks/main.yml +++ b/tests/integration/targets/test_mysql_replication/tasks/main.yml @@ -31,3 +31,6 @@ when: - db_engine == 'mysql' - db_version is version('8.0.23', '>=') + +# primary_ssl_verify_server_cert +- import_tasks: issue-689.yml From 8aaea63714eb825b0a3f22a6814c6fc86fc6069b Mon Sep 17 00:00:00 2001 
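Review bot: The new issue-689.yml only exercises `primary_ssl_verify_server_cert: false`; the case the argument-spec change introduces, leaving the option out, is not covered. A task that runs `changeprimary` with some other option and no `primary_ssl_verify_server_cert`, asserting that no `SSL_VERIFY_SERVER_CERT` clause appears in `result.queries`, would pin that behaviour. A `true` task asserting `=1` would cover the other branch on both engines. The task names also read `changeprimmary`, and the last one says `MySQL > 8.0.23` while its condition is `>=`.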
From: Laurent Indermuehle Date: Thu, 3 Apr 2025 14:38:46 +0200 Subject: [PATCH 2/3] add changelog fragment --- changelogs/fragments/707-source_ssl_verify_server_cert.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelogs/fragments/707-source_ssl_verify_server_cert.yml diff --git a/changelogs/fragments/707-source_ssl_verify_server_cert.yml b/changelogs/fragments/707-source_ssl_verify_server_cert.yml new file mode 100644 index 0000000..3a5af8d --- /dev/null +++ b/changelogs/fragments/707-source_ssl_verify_server_cert.yml @@ -0,0 +1,3 @@ +--- +bugfixes: + - mysql_replication - fixed an issue where setting primary_ssl_verify_server_cert to false had no effect. From 0cbebb88a49dcf23cf82e1380b6d6130d5f7b2da Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Thu, 3 Apr 2025 15:08:24 +0200 Subject: [PATCH 3/3] fix test when multiple replication channels are present --- .../targets/test_mysql_replication/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/integration/targets/test_mysql_replication/tasks/main.yml b/tests/integration/targets/test_mysql_replication/tasks/main.yml index 9e88203..e77af38 100644 --- a/tests/integration/targets/test_mysql_replication/tasks/main.yml +++ b/tests/integration/targets/test_mysql_replication/tasks/main.yml @@ -13,6 +13,10 @@ # Tests of replication filters and force_context - include_tasks: issue-265.yml +# primary_ssl_verify_server_cert +# Must run before mysql add channels in mysql_replication_channel.yml +- import_tasks: issue-689.yml + # Tests of primary_delay parameter: - import_tasks: mysql_replication_primary_delay.yml @@ -31,6 +35,3 @@ when: - db_engine == 'mysql' - db_version is version('8.0.23', '>=') - -# primary_ssl_verify_server_cert -- import_tasks: issue-689.yml
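Review bot: The comment added above `- import_tasks: issue-689.yml` in the hunk at -13 says the test must run before channels are added but not why, so the ordering constraint is easy to break in a later reshuffle of main.yml. Recording the reason would help, for example `# Must run before mysql_replication_channel.yml: issue-689.yml runs changeprimary without a channel and asserts the exact query`. The actual failure mode with multiple channels is not visible in this diff, so the wording should be adjusted to what was observed.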