859cbbba6c
The problems at the moment with setting up SSL support with Galera are: - The keys are not used when creating users in the mysql_user Ansible module - The private key must be converted to PKCS-1 in order to work properly with Galera. - The MySQL client configuration is missing the settings that include the SSL certificates. - Hard-coding the cipher causes problems for older clients, so we instead enable SSL and let the client and server negociate the ideal cipher. This patch cleans up all of those issues, removes verbose logging from the SSL job because we have ARA to gather all the information we need and adds jobs for all the deployment platforms that we support. Change-Id: I27218c4086a50d238082895092fb8aa5e7fad807
137 lines
4.0 KiB
YAML
137 lines
4.0 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc., Mirantis Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Remove self signed cert for regen
|
|
file:
|
|
dest: "{{ item }}"
|
|
state: "absent"
|
|
with_items:
|
|
- "{{ galera_ssl_ca_cert }}"
|
|
- "{{ galera_ssl_cert }}"
|
|
- "{{ galera_ssl_key }}"
|
|
when:
|
|
- galera_ssl_self_signed_regen | bool
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create galera CA cert
|
|
command: >
|
|
openssl req -new -nodes -x509 -subj
|
|
"{{ galera_ssl_ca_self_signed_subject }}"
|
|
-keyout {{ galera_ssl_key | dirname }}/galera-ca.key
|
|
-out {{ galera_ssl_ca_cert }}
|
|
creates={{ galera_ssl_ca_cert }}
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get CA key contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_ca_cert }}"
|
|
register: galera_ca
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the CA key
|
|
set_fact:
|
|
galera_server_ca_key: "{{ galera_ca.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create galera ssl request
|
|
command: >
|
|
openssl req -new -nodes -sha256 -subj
|
|
"{{ galera_ssl_self_signed_subject }}"
|
|
-days 3650
|
|
-keyout {{ galera_ssl_key }}
|
|
-out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
|
|
-extensions v3_ca
|
|
creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
|
|
register: create_galera_ssl_request
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Convert generated SSL key to valid format for Galera
|
|
command: >
|
|
openssl rsa
|
|
-in {{ galera_ssl_key }}
|
|
-out {{ galera_ssl_key }}
|
|
when:
|
|
- create_galera_ssl_request | changed
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get REQ key contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"
|
|
register: galera_req
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the REQ key
|
|
set_fact:
|
|
galera_server_req_key: "{{ galera_req.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Create galera ssl cert
|
|
command: >
|
|
openssl x509 -req
|
|
-days 3650
|
|
-in {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
|
|
-CA {{ galera_ssl_ca_cert }}
|
|
-CAkey {{ galera_ssl_key | dirname }}/galera-ca.key
|
|
-out {{ galera_ssl_cert }}
|
|
-set_serial 01
|
|
creates={{ galera_ssl_cert }}
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
notify: Restart all mysql
|
|
|
|
- name: Get CERT key contents and store as var
|
|
slurp:
|
|
src: "{{ galera_ssl_cert }}"
|
|
register: galera_cert
|
|
changed_when: false
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Register a fact for the CERT key
|
|
set_fact:
|
|
galera_server_cert_key: "{{ galera_cert.content }}"
|
|
when:
|
|
- inventory_hostname == galera_server_bootstrap_node
|
|
|
|
- name: Copy CA cert and key (SELF)
|
|
copy:
|
|
content: "{{ hostvars[galera_server_bootstrap_node][item.key] | b64decode }}"
|
|
dest: "{{ item.dest }}"
|
|
owner: "mysql"
|
|
group: "mysql"
|
|
mode: "{{ item.mode | default('0640') }}"
|
|
with_items:
|
|
- key: "galera_server_ca_key"
|
|
dest: "{{ galera_ssl_ca_cert }}"
|
|
- key: "galera_server_req_key"
|
|
dest: "{{ galera_ssl_cert }}"
|
|
- key: "galera_server_cert_key"
|
|
dest: "{{ galera_ssl_key }}"
|
|
mode: "0600"
|
|
when:
|
|
- inventory_hostname != galera_server_bootstrap_node
|
|
notify: Restart all mysql
|