Add SSL encryption to galera

Change-Id: I9e6d9ee439cab734eba02320d58ccfcd73e23106
2017-01-12 13:43:00 +00:00 · 2017-01-12 13:43:00 +00:00 · f816215ef0
parent f7e2a64c80
commit f816215ef0
6 changed files with 37 additions and 1 deletions
--- a/service/files/ca.pem.j2
+++ b/service/files/ca.pem.j2
@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@ -15,6 +15,8 @@ configs:
      node: null
    port:
      cont: 3306
+    tls:
+      enabled: false
 url:
  percona:
    debian:
--- a/service/files/my.cnf.j2
+++ b/service/files/my.cnf.j2
@ -31,4 +31,16 @@ wsrep_provider = /usr/lib/galera3/libgalera_smm.so
 wsrep_cluster_name = {{ percona.cluster_name }}
 wsrep_sst_method = xtrabackup-v2
 wsrep_sst_auth = "xtrabackup:{{ percona.xtrabackup_password }}"
-wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes"
+wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes{% if percona.tls.enabled and security.tls.enabled %},socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem"{% endif %}
+
+{% if percona.tls.enabled and security.tls.enabled %}
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+
+[sst]
+encrypt = 4
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+{% endif %}
--- a/service/files/server-cert.pem.j2
+++ b/service/files/server-cert.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_cert }}
--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@ -0,0 +1 @@
+{{ security.tls.server_key }}
--- a/service/galera.yaml
+++ b/service/galera.yaml
@ -67,6 +67,11 @@ service:
          - entrypoint
          - mycnf
          - galera-checker
+          # {% if percona.tls.enabled %}
+          - ca.pem
+          - server-key.pem
+          - server-cert.pem
+          # {% endif %}
        dependencies:
          - etcd
        command: /opt/ccp/bin/entrypoint.py
@ -90,3 +95,17 @@ files:
    path: /opt/ccp/bin/haproxy_entrypoint.py
    content: haproxy_entrypoint.py
    perm: "0755"
+# {% if percona.tls.enabled %}
+  ca.pem:
+    path: /etc/mysql/certs/ca.pem
+    content: ca.pem.j2
+    perm: "0400"
+  server-key.pem:
+    path: /etc/mysql/certs/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  server-cert.pem:
+    path: /etc/mysql/certs/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+# {% endif %}