From c093c13e01826da545bf9a0259e0be441bc1b5e1 Mon Sep 17 00:00:00 2001
From: Andrey
Date: Wed, 22 Mar 2017 13:27:33 -0500
Subject: [PATCH] Added Galera SSL support

MySQL SSL connections allowed. Self-signed SSL CA cert or user-provided CA certificate delivered from the deployment host.

Change-Id: Iaa07435357139133e325d85808b419e8c55b5e50
Partial-Bug: #1667789
---
 defaults/main.yml | 8 ++++++++
 .../notes/implement-ssl-48a82cf611db0eb6.yaml | 5 +++++
 tasks/galera_client_post_install.yml | 12 ++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/implement-ssl-48a82cf611db0eb6.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 4fa0979..3948468 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -42,3 +42,11 @@ galera_client_fatal_deprecations: false galera_client_my_cnf_overrides: {} mariadb_repo_filename: "MariaDB"
+
+# SSL support
+galera_use_ssl: false
+# The path where to store the database server CA certificate
+galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
+# The path to Galera CA certificate file on the deployment host
+galera_user_ssl_ca_cert: /etc/openstack_deploy/self_signed_certs/galera-ca.pem
+
diff --git a/releasenotes/notes/implement-ssl-48a82cf611db0eb6.yaml b/releasenotes/notes/implement-ssl-48a82cf611db0eb6.yaml
new file mode 100644
index 0000000..3dd18c4
--- /dev/null
+++ b/releasenotes/notes/implement-ssl-48a82cf611db0eb6.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Allows SSL connection to Galera with SSL support. ``galera_use_ssl`` option has to
+ be set to ``true``, in this case self-signed CA cert or user-provided CA cert will
+ be delivered to the container/host.
diff --git a/tasks/galera_client_post_install.yml b/tasks/galera_client_post_install.yml
index 639f72c..d808ae2 100644
--- a/tasks/galera_client_post_install.yml
+++ b/tasks/galera_client_post_install.yml
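Review bot: In defaults/main.yml the comment on `galera_user_ssl_ca_cert` does not say that the file must already exist on the deployment host, nor that it should hold only the public CA certificate. The task added in tasks/galera_client_post_install.yml installs it as root with mode "0644", so a bundle that also carried the CA private key would become world-readable on every client host. I would extend the comment to `# Path on the deployment host to the Galera CA certificate (public cert only, never the CA key); must exist before this role runs when galera_use_ssl is true`. The bare `# SSL support` heading could also state that enabling `galera_use_ssl` in this role only delivers the CA file.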
@@ -25,3 +25,15 @@
 when: galera_client_drop_config_file
 tags:
 - galera-client-user-config
+
+- name: Distribute Galera ssl CA cert
+ copy:
+ dest: "{{ galera_ssl_ca_cert }}"
+ src: "{{ galera_user_ssl_ca_cert }}"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ when:
+ - galera_use_ssl | bool
+ tags:
+ - galera-client-user-config
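Review bot: The new "Distribute Galera ssl CA cert" task only places the CA file; none of the three files in this commit makes the client configuration reference `galera_ssl_ca_cert`. Unless that is handled outside this change, a client can still connect without validating the server certificate, so the delivered CA adds no protection against an impersonated database endpoint. A comment above the task would make the dependency explicit, for example `# Delivers the CA only; the client config must set ssl-ca to this path and enable ssl-verify-server-cert`. The task also reuses the `galera-client-user-config` tag while being gated on `galera_use_ssl` rather than `galera_client_drop_config_file`, which is worth confirming as intended. The preceding task starts outside this hunk.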