Fix SSL support
The problems at the moment with setting up SSL support with Galera are: - The keys are not used when creating users in the mysql_user Ansible module - The private key must be converted to PKCS-1 in order to work properly with Galera. - The MySQL client configuration is missing the settings that include the SSL certificates. - Hard-coding the cipher causes problems for older clients, so we instead enable SSL and let the client and server negociate the ideal cipher. This patch cleans up all of those issues, removes verbose logging from the SSL job because we have ARA to gather all the information we need and adds jobs for all the deployment platforms that we support. Change-Id: I27218c4086a50d238082895092fb8aa5e7fad807
This commit is contained in:
parent
5ce635ac9c
commit
859cbbba6c
|
@ -18,6 +18,9 @@
|
|||
login_user: "{{ galera_root_user }}"
|
||||
login_password: "{{ galera_root_password }}"
|
||||
login_host: "127.0.0.1"
|
||||
ssl_ca: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_ca_cert, omit) }}"
|
||||
ssl_cert: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_cert, omit) }}"
|
||||
ssl_key: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_key, omit) }}"
|
||||
name: "{{ item.name }}"
|
||||
host: "{{ item.host }}"
|
||||
password: "{{ item.password }}"
|
||||
|
|
|
@ -59,10 +59,21 @@
|
|||
-out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
|
||||
-extensions v3_ca
|
||||
creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
|
||||
register: create_galera_ssl_request
|
||||
when:
|
||||
- inventory_hostname == galera_server_bootstrap_node
|
||||
notify: Restart all mysql
|
||||
|
||||
- name: Convert generated SSL key to valid format for Galera
|
||||
command: >
|
||||
openssl rsa
|
||||
-in {{ galera_ssl_key }}
|
||||
-out {{ galera_ssl_key }}
|
||||
when:
|
||||
- create_galera_ssl_request | changed
|
||||
- inventory_hostname == galera_server_bootstrap_node
|
||||
notify: Restart all mysql
|
||||
|
||||
- name: Get REQ key contents and store as var
|
||||
slurp:
|
||||
src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"
|
||||
|
|
|
@ -5,6 +5,11 @@ host = localhost
|
|||
user = root
|
||||
password = {{ galera_root_password }}
|
||||
socket = /var/run/mysqld/mysqld.sock
|
||||
{% if galera_use_ssl | bool %}
|
||||
ssl-ca = {{ galera_ssl_ca_cert }}
|
||||
ssl-cert = {{ galera_ssl_cert }}
|
||||
ssl-key = {{ galera_ssl_key }}
|
||||
{% endif %}
|
||||
|
||||
[mysql_upgrade]
|
||||
host = localhost
|
||||
|
|
|
@ -34,10 +34,10 @@ bind-address = ::
|
|||
server-id = {{ galera_server_id }}
|
||||
{% endif %}
|
||||
{% if galera_use_ssl | bool %}
|
||||
ssl
|
||||
ssl-ca = {{ galera_ssl_ca_cert }}
|
||||
ssl-cert = {{ galera_ssl_cert }}
|
||||
ssl-key = {{ galera_ssl_key }}
|
||||
ssl-cipher = TLSv1.2
|
||||
{% endif %}
|
||||
|
||||
# LOGGING #
|
||||
|
|
2
tox.ini
2
tox.ini
|
@ -116,7 +116,7 @@ deps =
|
|||
{[testenv:ansible]deps}
|
||||
setenv =
|
||||
{[testenv]setenv}
|
||||
ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
|
||||
ANSIBLE_PARAMETERS=-e galera_use_ssl=True
|
||||
commands =
|
||||
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
|
||||
|
||||
|
|
|
@ -14,8 +14,25 @@
|
|||
# limitations under the License.
|
||||
|
||||
- job:
|
||||
name: openstack-ansible-ssl-ubuntu-xenial-nv
|
||||
parent: openstack-ansible-functional-ubuntu-xenial
|
||||
voting: false
|
||||
name: openstack-ansible-functional-centos-7-ssl
|
||||
parent: openstack-ansible-functional-centos-7
|
||||
vars:
|
||||
tox_env: ssl
|
||||
|
||||
- job:
|
||||
name: openstack-ansible-functional-opensuse-423-ssl
|
||||
parent: openstack-ansible-functional-opensuse-423
|
||||
vars:
|
||||
tox_env: ssl
|
||||
|
||||
- job:
|
||||
name: openstack-ansible-functional-ubuntu-bionic-ssl
|
||||
parent: openstack-ansible-functional-ubuntu-bionic
|
||||
vars:
|
||||
tox_env: ssl
|
||||
|
||||
- job:
|
||||
name: openstack-ansible-functional-ubuntu-xenial-ssl
|
||||
parent: openstack-ansible-functional-ubuntu-xenial
|
||||
vars:
|
||||
tox_env: ssl
|
||||
|
|
|
@ -17,9 +17,13 @@
|
|||
jobs:
|
||||
- openstack-ansible-linters
|
||||
- openstack-ansible-functional-centos-7
|
||||
- openstack-ansible-functional-centos-7-ssl
|
||||
- openstack-ansible-functional-opensuse-423
|
||||
- openstack-ansible-functional-opensuse-423-ssl
|
||||
- openstack-ansible-functional-ubuntu-xenial
|
||||
- openstack-ansible-functional-ubuntu-xenial-ssl
|
||||
- openstack-ansible-functional-ubuntu-bionic
|
||||
- openstack-ansible-functional-ubuntu-bionic-ssl
|
||||
- openstack-ansible-upgrade-centos-7
|
||||
- openstack-ansible-upgrade-opensuse-423
|
||||
- openstack-ansible-upgrade-ubuntu-xenial
|
||||
|
@ -27,7 +31,6 @@
|
|||
# did not support Bionic in the Q cycle.
|
||||
- openstack-ansible-upgrade-ubuntu-bionic:
|
||||
voting: false
|
||||
- openstack-ansible-ssl-ubuntu-xenial-nv
|
||||
experimental:
|
||||
jobs:
|
||||
- openstack-ansible-integrated-deploy-aio
|
||||
|
@ -35,9 +38,13 @@
|
|||
jobs:
|
||||
- openstack-ansible-linters
|
||||
- openstack-ansible-functional-centos-7
|
||||
- openstack-ansible-functional-centos-7-ssl
|
||||
- openstack-ansible-functional-opensuse-423
|
||||
- openstack-ansible-functional-opensuse-423-ssl
|
||||
- openstack-ansible-functional-ubuntu-xenial
|
||||
- openstack-ansible-functional-ubuntu-xenial-ssl
|
||||
- openstack-ansible-functional-ubuntu-bionic
|
||||
- openstack-ansible-functional-ubuntu-bionic-ssl
|
||||
- openstack-ansible-upgrade-centos-7
|
||||
- openstack-ansible-upgrade-opensuse-423
|
||||
- openstack-ansible-upgrade-ubuntu-xenial
|
||||
|
|
Loading…
Reference in New Issue