Fix Galera self-signed SSL functionality

Ensure that `galera-req.pem` is removed when `galera_ssl_self_signed_regen` is enabled. When this file is not removed, the "Create galera ssl request" task does not run again, which is required to create a new CSR and private key. Copy the correct files to non-bootstrap Galera nodes, which are: - CA certificate - Private key for CSR - Signed certificate Rename a few variables for clarity between private key and certificate. Change-Id: I3c65ff93498dde97e93fe9ac46ecee894a45c3e1
2018-10-25 13:10:13 -07:00 · 2018-10-25 13:10:13 -07:00 · 66e9a67a19
parent 00e9fd9fd2
commit 66e9a67a19
1 changed files with 23 additions and 22 deletions
--- a/tasks/galera_ssl_self_signed.yml
+++ b/tasks/galera_ssl_self_signed.yml
@ -21,11 +21,12 @@
    - "{{ galera_ssl_ca_cert }}"
    - "{{ galera_ssl_cert }}"
    - "{{ galera_ssl_key }}"
    - "{{ galera_ssl_ca_cert | dirname }}/galera-csr.pem"
  when:
    - galera_ssl_self_signed_regen | bool
    - inventory_hostname == galera_server_bootstrap_node
- name: Create galera CA cert
+- name: Create Galera CA cert
  command: >
    openssl req -new -nodes -x509 -subj
    "{{ galera_ssl_ca_self_signed_subject }}"
@ -36,7 +37,7 @@
    - inventory_hostname == galera_server_bootstrap_node
  notify: Restart all mysql
- name: Get CA key contents and store as var
+- name: Get CA cert contents and store as var
  slurp:
    src: "{{ galera_ssl_ca_cert }}"
  register: galera_ca
@ -44,21 +45,21 @@
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Register a fact for the CA key
+- name: Register a fact for the CA cert
  set_fact:
-    galera_server_ca_key: "{{ galera_ca.content }}"
+    galera_server_ca_cert: "{{ galera_ca.content }}"
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Create galera ssl request
+- name: Create Galera SSL CSR
  command: >
    openssl req -new -nodes -sha256 -subj
    "{{ galera_ssl_self_signed_subject }}"
    -days 3650
    -keyout {{ galera_ssl_key }}
-    -out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+    -out {{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
    -extensions v3_ca
-    creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+    creates={{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
  register: create_galera_ssl_request
  when:
    - inventory_hostname == galera_server_bootstrap_node
@ -74,25 +75,25 @@
    - inventory_hostname == galera_server_bootstrap_node
  notify: Restart all mysql
- name: Get REQ key contents and store as var
+- name: Get CSR private key contents and store as var
  slurp:
-    src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"
+    src: "{{ galera_ssl_key }}"
-  register: galera_req
+  register: galera_private_key
  changed_when: false
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Register a fact for the REQ key
+- name: Register a fact for the CSR private key
  set_fact:
-    galera_server_req_key: "{{ galera_req.content }}"
+    galera_server_private_key: "{{ galera_private_key.content }}"
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Create galera ssl cert
+- name: Create Galera SSL signed cert
  command: >
    openssl x509 -req
    -days 3650
-    -in {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+    -in {{ galera_ssl_ca_cert | dirname }}/galera-csr.pem
    -CA {{ galera_ssl_ca_cert }}
    -CAkey {{ galera_ssl_key | dirname }}/galera-ca.key
    -out {{ galera_ssl_cert }}
@ -102,7 +103,7 @@
    - inventory_hostname == galera_server_bootstrap_node
  notify: Restart all mysql
- name: Get CERT key contents and store as var
+- name: Get signed cert contents and store as var
  slurp:
    src: "{{ galera_ssl_cert }}"
  register: galera_cert
@ -110,13 +111,13 @@
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Register a fact for the CERT key
+- name: Register a fact for the signed cert contents
  set_fact:
-    galera_server_cert_key: "{{ galera_cert.content }}"
+    galera_server_cert: "{{ galera_cert.content }}"
  when:
    - inventory_hostname == galera_server_bootstrap_node
- name: Copy CA cert and key (SELF)
+- name: Copy CA cert, private key, and signed cert (SELF)
  copy:
    content: "{{ hostvars[galera_server_bootstrap_node][item.key] | b64decode }}"
    dest: "{{ item.dest }}"
@ -124,12 +125,12 @@
    group: "mysql"
    mode: "{{ item.mode | default('0640') }}"
  with_items:
-    - key: "galera_server_ca_key"
+    - key: "galera_server_ca_cert"
      dest: "{{ galera_ssl_ca_cert }}"
-    - key: "galera_server_req_key"
+    - key: "galera_server_private_key"
      dest: "{{ galera_ssl_cert }}"
    - key: "galera_server_cert_key"
      dest: "{{ galera_ssl_key }}"
    - key: "galera_server_cert"
      dest: "{{ galera_ssl_cert }}"
      mode: "0600"
  when:
    - inventory_hostname != galera_server_bootstrap_node