Fix SSL support

The problems at the moment with setting up SSL support with
Galera are:

- The keys are not used when creating users in the mysql_user
  Ansible module
- The private key must be converted to PKCS-1 in order to work
  properly with Galera.
- The MySQL client configuration is missing the settings that
  include the SSL certificates.
- Hard-coding the cipher causes problems for older clients,
  so we instead enable SSL and let the client and server
  negociate the ideal cipher.

This patch cleans up all of those issues, removes verbose
logging from the SSL job because we have ARA to gather all
the information we need and adds jobs for all the deployment
platforms that we support.

Change-Id: I27218c4086a50d238082895092fb8aa5e7fad807

tasks/galera_setup.yml

@@ -18,6 +18,9 @@
     login_user: "{{ galera_root_user }}"
     login_password: "{{ galera_root_password }}"
     login_host: "127.0.0.1"
+    ssl_ca: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_ca_cert, omit) }}"
+    ssl_cert: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_cert, omit) }}"
+    ssl_key: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_key, omit) }}"
     name: "{{ item.name }}"
     host: "{{ item.host }}"
     password: "{{ item.password }}"

tasks/galera_ssl_self_signed.yml

@@ -59,10 +59,21 @@
     -out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
     -extensions v3_ca
     creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+  register: create_galera_ssl_request
   when:
     - inventory_hostname == galera_server_bootstrap_node
   notify: Restart all mysql
 
+- name: Convert generated SSL key to valid format for Galera
+  command: >
+    openssl rsa
+    -in {{ galera_ssl_key }}
+    -out {{ galera_ssl_key }}
+  when:
+    - create_galera_ssl_request | changed
+    - inventory_hostname == galera_server_bootstrap_node
+  notify: Restart all mysql
+
 - name: Get REQ key contents and store as var
   slurp:
     src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"

templates/debian.cnf.j2

@@ -5,6 +5,11 @@ host     = localhost
 user     = root
 password = {{ galera_root_password }}
 socket   = /var/run/mysqld/mysqld.sock
+{% if galera_use_ssl | bool %}
+ssl-ca   = {{ galera_ssl_ca_cert }}
+ssl-cert = {{ galera_ssl_cert }}
+ssl-key  = {{ galera_ssl_key }}
+{% endif %}
 
 [mysql_upgrade]
 host     = localhost

templates/my.cnf.j2

@@ -34,10 +34,10 @@ bind-address = ::
 server-id = {{ galera_server_id }}
 {% endif %}
 {% if galera_use_ssl | bool %}
+ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
-ssl-cipher = TLSv1.2
 {% endif %}
 
 # LOGGING #

tox.ini

@@ -116,7 +116,7 @@ deps =
     {[testenv:ansible]deps}
 setenv =
     {[testenv]setenv}
-    ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+    ANSIBLE_PARAMETERS=-e galera_use_ssl=True
 commands =
     bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
 

zuul.d/jobs.yaml

@@ -14,8 +14,25 @@
 # limitations under the License.
 
 - job:
-    name: openstack-ansible-ssl-ubuntu-xenial-nv
-    parent: openstack-ansible-functional-ubuntu-xenial
-    voting: false
+    name: openstack-ansible-functional-centos-7-ssl
+    parent: openstack-ansible-functional-centos-7
+    vars:
+      tox_env: ssl
+
+- job:
+    name: openstack-ansible-functional-opensuse-423-ssl
+    parent: openstack-ansible-functional-opensuse-423
+    vars:
+      tox_env: ssl
+
+- job:
+    name: openstack-ansible-functional-ubuntu-bionic-ssl
+    parent: openstack-ansible-functional-ubuntu-bionic
+    vars:
+      tox_env: ssl
+
+- job:
+    name: openstack-ansible-functional-ubuntu-xenial-ssl
+    parent: openstack-ansible-functional-ubuntu-xenial
     vars:
       tox_env: ssl

zuul.d/project.yaml

@@ -17,9 +17,13 @@
       jobs:
         - openstack-ansible-linters
         - openstack-ansible-functional-centos-7
+        - openstack-ansible-functional-centos-7-ssl
         - openstack-ansible-functional-opensuse-423
+        - openstack-ansible-functional-opensuse-423-ssl
         - openstack-ansible-functional-ubuntu-xenial
+        - openstack-ansible-functional-ubuntu-xenial-ssl
         - openstack-ansible-functional-ubuntu-bionic
+        - openstack-ansible-functional-ubuntu-bionic-ssl
         - openstack-ansible-upgrade-centos-7
         - openstack-ansible-upgrade-opensuse-423
         - openstack-ansible-upgrade-ubuntu-xenial
@@ -27,7 +31,6 @@
         #               did not support Bionic in the Q cycle.
         - openstack-ansible-upgrade-ubuntu-bionic:
             voting: false
-        - openstack-ansible-ssl-ubuntu-xenial-nv
     experimental:
       jobs:
         - openstack-ansible-integrated-deploy-aio
@@ -35,9 +38,13 @@
       jobs:
         - openstack-ansible-linters
         - openstack-ansible-functional-centos-7
+        - openstack-ansible-functional-centos-7-ssl
         - openstack-ansible-functional-opensuse-423
+        - openstack-ansible-functional-opensuse-423-ssl
         - openstack-ansible-functional-ubuntu-xenial
+        - openstack-ansible-functional-ubuntu-xenial-ssl
         - openstack-ansible-functional-ubuntu-bionic
+        - openstack-ansible-functional-ubuntu-bionic-ssl
         - openstack-ansible-upgrade-centos-7
         - openstack-ansible-upgrade-opensuse-423
         - openstack-ansible-upgrade-ubuntu-xenial