Secure MySQL clustering with SSL
Accept values through Heat for the contents of an X509 certificate and key to be used in Galera clustering and write the values into files. Set the file owner and permissions to only allow mysql access to the certificate/key pair. Configure Galera clustering to bind to the server ip:4567 and use the provided certificate/key pair.

This is dependent on the associated change in tripleo-heat-templates to provide the certificate values. If values are missing, the clustering will not be secured. Turning on/off secure clustering cannot be done without restarting every cluster node.

Change-Id: I2f3406cd09a2a513347593dfcfd3121d3de096c9
parent 367d7c555a
commit a075c14b61
@ -0,0 +1 @@
{{mysql.cluster_certificate}}
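Review bot: nothing guards this template against an unset or empty `mysql.cluster_certificate`; the file is rendered either way, so a deployment that supplies the key but not the certificate still ends up with an empty `from-heat.crt` on disk, which the `-f` test in the post-configure hunk treats as present. Tie the content to a supplied value with `{{#mysql.cluster_certificate}}...{{/mysql.cluster_certificate}}`, matching the section guard used in the my.cnf hunk, and pair it with a non-empty check (`-s`) where the file is consumed.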
@ -0,0 +1 @@
{{mysql.cluster_key}}
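Review bot: this writes private key material with whatever mode the templating step applies by default; ownership and mode are only tightened afterwards by the separate post-configure script (`chown mysql` / `chmod 600`), so there is a window in which the key may be readable by other local users. If the templating tool allows setting the mode of the rendered file, set 0600 here as well rather than relying solely on the later chmod, and document that the key must never be staged through a world-readable path first.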
@ -14,3 +14,8 @@ wsrep_sst_method=rsync
# Cluster name
wsrep_cluster_name=tripleo-{{mysql.cluster_name}}
{{#mysql.cluster_key}}
# Security options
wsrep_provider_options="gmcast.listen_addr=tcp://{{local-ipv4}}:4567; socket.ssl_cert=/etc/ssl/mysql/from-heat.crt; socket.ssl_key=/etc/ssl/mysql/from-heat.key"
{{/mysql.cluster_key}}
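Review bot: the SSL stanza is guarded only by `{{#mysql.cluster_key}}`, so a key supplied without a certificate (or with an empty one) still emits a `wsrep_provider_options` line that points Galera at `/etc/ssl/mysql/from-heat.crt`, which is then a missing or empty file; that is neither secured clustering nor the plaintext fallback the commit message describes. Guard the block on both values. Separately, only `socket.ssl_cert` and `socket.ssl_key` are set: with no `socket.ssl_ca` the configuration does not state what peer certificates are validated against, and since one cert/key pair is passed in for the whole cluster, peer authentication amounts to "presents the same certificate". A comment next to the option recording that assumption tells operators what the cluster actually trusts.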
@ -2,3 +2,13 @@
set -eu
chmod 600 /mnt/state/etc/mysql/debian.cnf /mnt/state/etc/mysql/dbusers.json /mnt/state/etc/mysql/static-dbusers.json /mnt/state/root/metadata.my.cnf
# Galera clustering certificates
if [ -f /etc/ssl/mysql/from-heat.crt ]; then
chown mysql /etc/ssl/mysql/from-heat.crt
chmod 600 /etc/ssl/mysql/from-heat.crt
fi
if [ -f /etc/ssl/mysql/from-heat.key ]; then
chown mysql /etc/ssl/mysql/from-heat.key
chmod 600 /etc/ssl/mysql/from-heat.key
fi
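Review bot: `-f` succeeds for an empty file, and the templates write both files unconditionally, so these blocks will chmod an empty `from-heat.key` without flagging a misconfiguration; `-s` (exists and non-empty) is the test that matches the intent, and with `set -eu` already in force the script could exit non-zero when one of the pair is present and the other is not, instead of leaving Galera with a half-configured SSL stanza. The two blocks differ only in the filename; `for f in /etc/ssl/mysql/from-heat.crt /etc/ssl/mysql/from-heat.key; do ... done` removes the duplication. `chown mysql` also leaves the group untouched, which is harmless only because the mode is 600; `chown mysql:mysql` makes the ownership intent explicit.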