Browse Source

Galera cluster TLS Support

Change-Id: I07624681c53cef53de6c72de97a53b96ea52381b
pull/37/head
Kirill Bespalov 7 years ago
parent
commit
5f0c1d6f8a
5 changed files with 142 additions and 1 deletions
  1. +22
    -1
      README.rst
  2. +15
    -0
      galera/files/my.cnf
  3. +1
    -0
      galera/init.sls
  4. +83
    -0
      galera/ssl.sls
  5. +21
    -0
      metadata/service/ssl.yml

+ 22
- 1
README.rst View File

user: root user: root
password: pass password: pass



Enable TLS support:

.. code-block:: yaml

galera:
slave or master:
ssl:
enabled: True

# path
cert_file: /etc/mysql/ssl/cert.pem
key_file: /etc/mysql/ssl/key.pem
ca_file: /etc/mysql/ssl/ca.pem

# content (not required if files already exists)
key: << body of key >>
cert: << body of cert >>
cacert_chain: << body of ca certs chain >>


Configurable soft parameters Configurable soft parameters
============================ ============================




_param: _param:
galera_innodb_buffer_pool_size: 1024M galera_innodb_buffer_pool_size: 1024M
galera_max_connections: 200
galera_max_connections: 200


Usage Usage
===== =====

+ 15
- 0
galera/files/my.cnf View File

{%- from "galera/map.jinja" import slave with context %} {%- from "galera/map.jinja" import slave with context %}
{%- set service = slave %} {%- set service = slave %}
{%- endif %} {%- endif %}

[mysql]
{% if service.get('ssl', {}).get('enabled', False) %}
ssl-ca={{ service.ssl.ca_file }}
ssl-cert={{ service.ssl.cert_file }}
ssl-key={{ service.ssl.key_file }}
{% endif %}

[mysqld_safe] [mysqld_safe]
syslog syslog


wsrep_provider_options="gcache.size = 256M" wsrep_provider_options="gcache.size = 256M"
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567" wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"


{% if service.get('ssl', {}).get('enabled', False) %}
wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
ssl-ca={{ service.ssl.ca_file }}
ssl-cert={{ service.ssl.cert_file }}
ssl-key={{ service.ssl.key_file }}
{% endif %}

[xtrabackup] [xtrabackup]
parallel=4 parallel=4



+ 1
- 0
galera/init.sls View File



{%- if pillar.galera is defined %} {%- if pillar.galera is defined %}
include: include:
- galera.ssl
{%- if pillar.galera.master is defined %} {%- if pillar.galera.master is defined %}
- galera.master - galera.master
{%- endif %} {%- endif %}

+ 83
- 0
galera/ssl.sls View File

{%- from "galera/map.jinja" import master, slave with context %}

{%- set service = master if pillar.galera.master is defined else slave %}
{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}

{%- if service.get('ssl', {}).get('enabled', False) %}
{%- if service.ssl.cacert_chain is defined %}
mysql_cacertificate:
file.managed:
- name: {{ service.ssl.ca_file }}
- contents_pillar: galera:{{ role }}:ssl:cacert_chain
- mode: 0444
- makedirs: true
- require_in:
- service: galera_service
{%- else %}
mysql_cacertificate_exists:
file.exists:
- name: {{ service.ssl.ca_file }}
mysql_cacertificate:
file.managed:
- name: {{ service.ssl.ca_file }}
- mode: 644
- create: False
- require:
- file: mysql_cacertificate_exists
- require_in:
- service: galera_service
{%- endif %}

{%- if service.ssl.cert is defined %}
mysql_certificate:
file.managed:
- name: {{ service.ssl.cert_file }}
- contents_pillar: galera:{{ role }}:ssl:cert
- mode: 0444
- makedirs: true
- require_in:
- service: galera_service
{%- else %}
mysql_certificate_exists:
file.exists:
- name: {{ service.ssl.cert_file }}
mysql_certificate:
file.managed:
- name: {{ service.ssl.cert_file }}
- mode: 644
- create: False
- require:
- file: mysql_certificate_exists
- require_in:
- service: galera_service
{%- endif %}

{%- if service.ssl.key is defined %}
mysql_server_key:
file.managed:
- name: {{ service.ssl.key_file }}
- contents_pillar: galera:{{ role }}:ssl:key
- user: root
- group: mysql
- mode: 0440
- makedirs: true
- require_in:
- service: galera_service
{%- else %}
mysql_server_key_exists:
file.exists:
- name: {{ service.ssl.key_file }}
mysql_server_key:
file.managed:
- name: {{ service.ssl.key_file }}
- user: root
- group: mysql
- mode: 0440
- create: False
- require:
- file: mysql_server_key_exists
- require_in:
- service: galera_service
{%- endif %}

{%- endif %}

+ 21
- 0
metadata/service/ssl.yml View File

# class to enable tls for galera.master and galera.slave

parameters:
_param:
mysql_ssl_key_file: /etc/mysql/ssl/key.pem
mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem

galera:
master:
ssl:
enabled: True
key_file: ${_param:mysql_ssl_key_file}
cert_file: ${_param:mysql_ssl_cert_file}
ca_file: ${_param:mysql_ssl_ca_file}
slave:
ssl:
enabled: True
key_file: ${_param:mysql_ssl_key_file}
cert_file: ${_param:mysql_ssl_cert_file}
ca_file: ${_param:mysql_ssl_ca_file}

Loading…
Cancel
Save