From 859cbbba6c443f27025517a629b85b7a48b7452e Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Wed, 6 Jun 2018 15:49:06 -0400
Subject: [PATCH] Fix SSL support

The problems at the moment with setting up SSL support with Galera are:
- The keys are not used when creating users in the mysql_user Ansible module
- The private key must be converted to PKCS-1 in order to work properly with Galera.
- The MySQL client configuration is missing the settings that include the SSL certificates.
- Hard-coding the cipher causes problems for older clients, so we instead enable SSL and let the client and server negociate the ideal cipher.
This patch cleans up all of those issues, removes verbose logging from the SSL job because we have ARA to gather all the information we need and adds jobs for all the deployment platforms that we support.
Change-Id: I27218c4086a50d238082895092fb8aa5e7fad807
---
 tasks/galera_setup.yml | 3 +++
 tasks/galera_ssl_self_signed.yml | 11 +++++++++++
 templates/debian.cnf.j2 | 5 +++++
 templates/my.cnf.j2 | 2 +-
 tox.ini | 2 +-
 zuul.d/jobs.yaml | 23 ++++++++++++++++++++---
 zuul.d/project.yaml | 9 ++++++++-
 7 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/tasks/galera_setup.yml b/tasks/galera_setup.yml
index a9535e95..44020e54 100644
--- a/tasks/galera_setup.yml
+++ b/tasks/galera_setup.yml
@@ -18,6 +18,9 @@
 login_user: "{{ galera_root_user }}"
 login_password: "{{ galera_root_password }}"
 login_host: "127.0.0.1"
+ ssl_ca: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_ca_cert, omit) }}"
+ ssl_cert: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_cert, omit) }}"
+ ssl_key: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_key, omit) }}"
 name: "{{ item.name }}"
 host: "{{ item.host }}"
 password: "{{ item.password }}"
diff --git a/tasks/galera_ssl_self_signed.yml b/tasks/galera_ssl_self_signed.yml
index 569e3ce8..d3586e6c 100644
--- a/tasks/galera_ssl_self_signed.yml
+++ b/tasks/galera_ssl_self_signed.yml
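Review bot: The three new `ssl_*` arguments hand the server's own certificate and private key (`galera_ssl_cert`, `galera_ssl_key`) to the client connection mysql_user opens to `127.0.0.1`, so the account Ansible runs as on the target must be able to read that key file; its owner and mode are set outside this hunk, and a key readable only by the mysql user would make user creation fail only in SSL deployments. Passing `ssl_ca` alone does not guarantee the server certificate is checked against the host name — that depends on the MySQL client library the module uses — so treat this as "encrypted" rather than "verified" unless confirmed. A comment above the new lines would record the intent: `# Present the cluster's own cert/key to the root login; omit keeps module defaults when SSL is off`. The enclosing mysql_user task begins above the hunk.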
@@ -59,10 +59,21 @@
 -out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
 -extensions v3_ca
 creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+ register: create_galera_ssl_request
 when:
 - inventory_hostname == galera_server_bootstrap_node
 notify: Restart all mysql
 
+- name: Convert generated SSL key to valid format for Galera
+ command: >
+ openssl rsa
+ -in {{ galera_ssl_key }}
+ -out {{ galera_ssl_key }}
+ when:
+ - create_galera_ssl_request | changed
+ - inventory_hostname == galera_server_bootstrap_node
+ notify: Restart all mysql
+
 - name: Get REQ key contents and store as var
 slurp:
 src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"
diff --git a/templates/debian.cnf.j2 b/templates/debian.cnf.j2
index 4bbfaeae..6db5aa66 100644
--- a/templates/debian.cnf.j2
+++ b/templates/debian.cnf.j2
@@ -5,6 +5,11 @@ host = localhost
 user = root
 password = {{ galera_root_password }}
 socket = /var/run/mysqld/mysqld.sock
+{% if galera_use_ssl | bool %}
+ssl-ca = {{ galera_ssl_ca_cert }}
+ssl-cert = {{ galera_ssl_cert }}
+ssl-key = {{ galera_ssl_key }}
+{% endif %}
 
 [mysql_upgrade]
 host = localhost
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index c5595928..91d33f3f 100644
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -34,10 +34,10 @@ bind-address = ::
 server-id = {{ galera_server_id }}
 {% endif %}
 {% if galera_use_ssl | bool %}
+ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
-ssl-cipher = TLSv1.2
 {% endif %}
 
 # LOGGING #
diff --git a/tox.ini b/tox.ini
index 0c4b8e11..97a5ca21 100644
--- a/tox.ini
+++ b/tox.ini
@@ -116,7 +116,7 @@ deps =
 {[testenv:ansible]deps}
 setenv =
 {[testenv]setenv}
- ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+ ANSIBLE_PARAMETERS=-e galera_use_ssl=True
 commands =
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
 
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 692e7753..d1e5e2eb 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
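Review bot: The conversion is gated on `create_galera_ssl_request | changed`, i.e. on the CSR task whose `creates=…/galera-req.pem` is visible above, not on the task that generated the key (which is outside the hunk); a host deployed before this change already has the request file, the register stays `ok`, and the key keeps its current encoding, so the fix never reaches existing clusters. The `openssl rsa` call also uses `{{ galera_ssl_key }}` as both `-in` and `-out`, so if the write fails part-way there is no usable key left and no backup; writing to a temporary path next to it and moving it into place keeps the original on failure. `| changed` should become `create_galera_ssl_request is changed` (test syntax; the filter form is deprecated on current Ansible). A why-comment is missing as well: `# Galera needs the key in PKCS#1 ("RSA PRIVATE KEY") form; openssl rsa rewrites it in that encoding`.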
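Review bot: The SSL lines are added only to the section this hunk sits in (its header is above the hunk), while the `[mysql_upgrade]` section visible right below keeps plain `host`/`user`/`password`; if `mysql_upgrade` is expected to connect the same way it needs the same three lines, otherwise a comment should say why only one section gets them. `ssl-ca` in a client section means different things across MySQL and MariaDB client versions (encryption only versus verification of the server certificate), so the rendered file is worth checking against the client actually shipped; a template comment would capture the intent: `{# Client TLS material, same files as the server side in my.cnf.j2 #}`. This file already carries the root password, so the key path it now references should be protected at least as tightly as the file itself.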
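Review bot: Dropping `ssl-cipher = TLSv1.2` leaves cipher and protocol selection entirely to the server's TLS library defaults, which on the older distributions this role targets can still include TLS 1.0/1.1 and legacy ciphers; the commit trades a bad constraint for no constraint. The old value is an OpenSSL cipher-list keyword rather than a protocol pin, which is what broke older clients; if the server version in use supports `tls_version` (MySQL 5.7.10+, MariaDB 10.4+), pinning a minimum protocol there keeps the compatibility win without silently widening what gets negotiated. Otherwise the decision deserves a comment next to the bare `ssl` line, e.g. `{# No cipher pinned: older clients fail on a fixed list, so the negotiated default is accepted #}`.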
@@ -14,8 +14,25 @@
 # limitations under the License.
 
 - job:
- name: openstack-ansible-ssl-ubuntu-xenial-nv
- parent: openstack-ansible-functional-ubuntu-xenial
- voting: false
+ name: openstack-ansible-functional-centos-7-ssl
+ parent: openstack-ansible-functional-centos-7
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-opensuse-423-ssl
+ parent: openstack-ansible-functional-opensuse-423
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-ubuntu-bionic-ssl
+ parent: openstack-ansible-functional-ubuntu-bionic
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-ubuntu-xenial-ssl
+ parent: openstack-ansible-functional-ubuntu-xenial
 vars:
 tox_env: ssl
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 42b31768..a52a46b2 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -17,9 +17,13 @@
 jobs:
 - openstack-ansible-linters
 - openstack-ansible-functional-centos-7
+ - openstack-ansible-functional-centos-7-ssl
 - openstack-ansible-functional-opensuse-423
+ - openstack-ansible-functional-opensuse-423-ssl
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-functional-ubuntu-xenial-ssl
 - openstack-ansible-functional-ubuntu-bionic
+ - openstack-ansible-functional-ubuntu-bionic-ssl
 - openstack-ansible-upgrade-centos-7
 - openstack-ansible-upgrade-opensuse-423
 - openstack-ansible-upgrade-ubuntu-xenial
@@ -27,7 +31,6 @@
 # did not support Bionic in the Q cycle.
 - openstack-ansible-upgrade-ubuntu-bionic:
 voting: false
- - openstack-ansible-ssl-ubuntu-xenial-nv
 experimental:
 jobs:
 - openstack-ansible-integrated-deploy-aio
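Review bot: None of the four replacement jobs carries the `voting: false` that the removed `openstack-ansible-ssl-ubuntu-xenial-nv` job had, so each takes whatever its parent defines (the parents are outside this file), which presumably makes the SSL variant voting on all four platforms in one step. If that is deliberate the commit message should say so; if not, `voting: false` on the new jobs until they have a green history is the safer start. The four stanzas differ only in the platform suffix, which is fine for Zuul but deserves a comment above the first, e.g. `# SSL variants of the functional jobs: same parent, tox_env=ssl selects the ssl testenv in tox.ini`.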
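Review bot: The four `-ssl` entries are added here as plain list items with no `voting: false`, replacing an entry whose job definition was explicitly non-voting, and the same four entries are added again by the hunk `@@ -35,9 +38,13 @@` later in this file, whose pipeline key sits above that hunk and is presumably the gating one. Moving an SSL path that was non-voting on a single platform into every platform's gate in one change means a single environmental TLS failure blocks all merges. If that is intended, a comment above the first entry such as `# SSL variants run alongside the plain functional jobs; see zuul.d/jobs.yaml` would make it explicit; otherwise start with `- openstack-ansible-functional-centos-7-ssl:` plus `voting: false` for each check entry, the form the `openstack-ansible-upgrade-ubuntu-bionic` entry in the next hunk already uses.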
@@ -35,9 +38,13 @@
 jobs:
 - openstack-ansible-linters
 - openstack-ansible-functional-centos-7
+ - openstack-ansible-functional-centos-7-ssl
 - openstack-ansible-functional-opensuse-423
+ - openstack-ansible-functional-opensuse-423-ssl
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-functional-ubuntu-xenial-ssl
 - openstack-ansible-functional-ubuntu-bionic
+ - openstack-ansible-functional-ubuntu-bionic-ssl
 - openstack-ansible-upgrade-centos-7
 - openstack-ansible-upgrade-opensuse-423
 - openstack-ansible-upgrade-ubuntu-xenial