
Galera cluster TLS Support

Change-Id: I07624681c53cef53de6c72de97a53b96ea52381b
pull/37/head
Kirill Bespalov 7 years ago
parent
commit
5f0c1d6f8a
5 changed files with 142 additions and 1 deletions
  1. +22
    -1
      README.rst
  2. +15
    -0
      galera/files/my.cnf
  3. +1
    -0
      galera/init.sls
  4. +83
    -0
      galera/ssl.sls
  5. +21
    -0
      metadata/service/ssl.yml

+ 22
- 1
README.rst View File

@@ -56,6 +56,27 @@ Galera cluster slave node
user: root
password: pass


Enable TLS support:

.. code-block:: yaml

galera:
slave or master:
ssl:
enabled: True

# path
cert_file: /etc/mysql/ssl/cert.pem
key_file: /etc/mysql/ssl/key.pem
ca_file: /etc/mysql/ssl/ca.pem

# content (not required if files already exists)
key: << body of key >>
cert: << body of cert >>
cacert_chain: << body of ca certs chain >>


Configurable soft parameters
============================

@@ -68,7 +89,7 @@ Usage:

_param:
galera_innodb_buffer_pool_size: 1024M
galera_max_connections: 200
galera_max_connections: 200

Usage
=====

+ 15
- 0
galera/files/my.cnf View File

@@ -9,6 +9,14 @@
{%- from "galera/map.jinja" import slave with context %}
{%- set service = slave %}
{%- endif %}

[mysql]
{% if service.get('ssl', {}).get('enabled', False) %}
ssl-ca={{ service.ssl.ca_file }}
ssl-cert={{ service.ssl.cert_file }}
ssl-key={{ service.ssl.key_file }}
{% endif %}

[mysqld_safe]
syslog

@@ -60,6 +68,13 @@ wsrep_node_address={{ service.bind.address }}
wsrep_provider_options="gcache.size = 256M"
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"

{% if service.get('ssl', {}).get('enabled', False) %}
wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
ssl-ca={{ service.ssl.ca_file }}
ssl-cert={{ service.ssl.cert_file }}
ssl-key={{ service.ssl.key_file }}
{% endif %}

[xtrabackup]
parallel=4
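Review bot: The new `wsrep_provider_options="socket.ssl=yes;..."` line is a third separate assignment of the same option inside `[mysqld]` (the `gcache.size` and `gmcast.listen_addr` lines above it are context), and MySQL/MariaDB option files keep only the last occurrence of a repeated option, so with TLS enabled the node silently loses `gmcast.listen_addr` (it was presumably already losing `gcache.size` before this change) and falls back to the provider's default listen address. Galera expects one semicolon-separated string, so fold the TLS settings into the existing line: `wsrep_provider_options="gcache.size = 256M;gmcast.listen_addr = tcp://{{ service.bind.address }}:4567{% if service.get('ssl', {}).get('enabled', False) %};socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}{% endif %}"`. The `ssl-ca`/`ssl-cert`/`ssl-key` lines only make TLS available to clients; nothing here forces it, so cleartext client connections are still accepted unless `require_secure_transport=ON` (or per-account `REQUIRE SSL`) is added on server versions that support it. State snapshot transfer is governed by the `[sst]`/`[xtrabackup]` settings, which this commit does not touch, so SST traffic between nodes is presumably still unencrypted unless configured separately. The `[mysqld]` section this hunk belongs to starts outside the hunk.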


+ 1
- 0
galera/init.sls View File

@@ -1,6 +1,7 @@

{%- if pillar.galera is defined %}
include:
- galera.ssl
{%- if pillar.galera.master is defined %}
- galera.master
{%- endif %}
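Review bot: `galera.ssl` is pulled in only from this top-level include, so a node that applies `galera.master` or `galera.slave` directly would render an `my.cnf` that references the TLS files without the states that create or validate them, and mysqld would fail to start with the certificate paths missing. If applying the role states standalone is meant to be supported, `galera.ssl` should also be included from `galera/master.sls` and `galera/slave.sls` (both outside this hunk); otherwise a comment such as `# galera.ssl must run before master/slave: my.cnf references the TLS files` above the include would make the dependency explicit.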

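--- a/galera/ssl.sls
+++ b/galera/ssl.sls
@@ -0,0 +1,83 @@
+{%- from "galera/map.jinja" import master, slave with context %}
+
+{%- set service = master if pillar.galera.master is defined else slave %}
+{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+
+{%- if service.get('ssl', {}).get('enabled', False) %}
+{%- if service.ssl.cacert_chain is defined %}
+mysql_cacertificate:
+file.managed:
+- name: {{ service.ssl.ca_file }}
+- contents_pillar: galera:{{ role }}:ssl:cacert_chain
+- mode: 0444
+- makedirs: true
+- require_in:
+- service: galera_service
+{%- else %}
+mysql_cacertificate_exists:
+file.exists:
+- name: {{ service.ssl.ca_file }}
+mysql_cacertificate:
+file.managed:
+- name: {{ service.ssl.ca_file }}
+- mode: 644
+- create: False
+- require:
+- file: mysql_cacertificate_exists
+- require_in:
+- service: galera_service
+{%- endif %}
+
+{%- if service.ssl.cert is defined %}
+mysql_certificate:
+file.managed:
+- name: {{ service.ssl.cert_file }}
+- contents_pillar: galera:{{ role }}:ssl:cert
+- mode: 0444
+- makedirs: true
+- require_in:
+- service: galera_service
+{%- else %}
+mysql_certificate_exists:
+file.exists:
+- name: {{ service.ssl.cert_file }}
+mysql_certificate:
+file.managed:
+- name: {{ service.ssl.cert_file }}
+- mode: 644
+- create: False
+- require:
+- file: mysql_certificate_exists
+- require_in:
+- service: galera_service
+{%- endif %}
+
+{%- if service.ssl.key is defined %}
+mysql_server_key:
+file.managed:
+- name: {{ service.ssl.key_file }}
+- contents_pillar: galera:{{ role }}:ssl:key
+- user: root
+- group: mysql
+- mode: 0440
+- makedirs: true
+- require_in:
+- service: galera_service
+{%- else %}
+mysql_server_key_exists:
+file.exists:
+- name: {{ service.ssl.key_file }}
+mysql_server_key:
+file.managed:
+- name: {{ service.ssl.key_file }}
+- user: root
+- group: mysql
+- mode: 0440
+- create: False
+- require:
+- file: mysql_server_key_exists
+- require_in:
+- service: galera_service
+{%- endif %}
+
+{%- endif %}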
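Review bot: The `mysql_server_key` state writes the private key from `contents_pillar` but does not disable Salt's content diff, so on first creation or on rotation `file.managed` returns the key material in the state changes, where it ends up in highstate output and the master's job cache; add `- show_changes: False` to that state (the cert and CA states can keep the diff). The CA and certificate states use `0444` when managed but `644` in the `create: False` branch — pick one spelling, and quoting it (`- mode: '0444'`) avoids depending on how the YAML loader treats a leading-zero integer. All six states only `require_in` the service, so replacing a key or certificate on disk does not restart mysqld and the old material stays in use until the next restart; if a restart on change is acceptable in this cluster, `watch_in` is the usual way to express that.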

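--- a/metadata/service/ssl.yml
+++ b/metadata/service/ssl.yml
@@ -0,0 +1,21 @@
+# class to enable tls for galera.master and galera.slave
+
+parameters:
+_param:
+mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+
+galera:
+master:
+ssl:
+enabled: True
+key_file: ${_param:mysql_ssl_key_file}
+cert_file: ${_param:mysql_ssl_cert_file}
+ca_file: ${_param:mysql_ssl_ca_file}
+slave:
+ssl:
+enabled: True
+key_file: ${_param:mysql_ssl_key_file}
+cert_file: ${_param:mysql_ssl_cert_file}
+ca_file: ${_param:mysql_ssl_ca_file}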
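Review bot: `enabled: True` relies on YAML 1.1's capitalised boolean forms; the canonical spelling is `enabled: true` on both the master and slave entries, which is also what yamllint's `truthy` rule accepts. This class only sets the three file paths and switches TLS on for both roles; the key and certificate contents (or pre-existing files at those paths) still have to come from another class or pillar, which is worth saying in the header comment, e.g. `# key/cert material must be supplied via galera:<role>:ssl:{key,cert,cacert_chain} or already exist at the paths below`.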
