Adding SSL Support

2024-08-01 14:43:13 -06:00 · 2024-08-01 14:43:13 -06:00 · 828a542896
commit 828a542896
parent 4daa6d2d0b
10 changed files with 162 additions and 6 deletions
--- a/roles/mariadb_cluster/tasks/bootstrap-galera.yml
+++ b/roles/mariadb_cluster/tasks/bootstrap-galera.yml
@ -3,12 +3,12 @@

 - name: Stop MariaDB on first MariaDB Galera cluster node
  service: name=mariadb state=stopped
-  when: inventory_hostname == groups['mariadb_cluster'][0]
+  when: inventory_hostname == mariadb_cluster_master

 - name: Bootstrap first MariaDB Galera cluster node
  command: galera_new_cluster
-  when: inventory_hostname == groups['mariadb_cluster'][0]
+  when: inventory_hostname == mariadb_cluster_master

 - name: Restart the other MariaDB Galera cluster nodes
  service: name=mariadb state=restarted
-  when: inventory_hostname != groups['mariadb_cluster'][0]
+  when: inventory_hostname != mariadb_cluster_master
--- a/roles/mariadb_cluster/tasks/certificates-server.yml
+++ b/roles/mariadb_cluster/tasks/certificates-server.yml
@ -0,0 +1,39 @@
+---
+# file: roles/mariadb_cluster/tasks/certificates-server.yml 
+
+
+- name: "{{ hostvars[item]['ansible_hostname'] }} - Create private key"
+  community.crypto.openssl_privatekey:
+    path: /etc/ssl/galera/server.key
+
+- name: "{{ hostvars[item]['ansible_hostname'] }} - Check if server certificate exists"
+  stat:
+    path: "/etc/ssl/galera/server.pem"
+  register: serverCertCheck
+
+- name: "{{ hostvars[item]['ansible_hostname'] }} - CSR"
+  block:
+  - name: "{{ hostvars[item]['ansible_hostname'] }} - Create CSR for new certificate"
+    community.crypto.openssl_csr_pipe:
+      privatekey_path: /etc/ssl/galera/server.key
+      common_name: "{{ hostvars[item]['ansible_hostname'] }}"
+      subject_alt_name:
+        - "DNS:{{ mariadb_cluster_wsrep_cluster_name }}"
+    register: csr
+
+  - name: "{{ hostvars[item]['ansible_hostname'] }} - Sign certificate with CA"
+    community.crypto.x509_certificate_pipe:
+      csr_content: "{{ csr.csr }}"
+      provider: ownca
+      ownca_path: /etc/ssl/galera/ca-certificate.pem
+      ownca_privatekey_path: /etc/ssl/galera/ca-certificate.key
+      ownca_not_after: "{{ mariadb_cluster_cert_length }}"
+      ownca_not_before: "-1d"
+    delegate_to: "{{ mariadb_cluster_master }}"
+    register: certificate
+
+  - name: "{{ hostvars[item]['ansible_hostname'] }} - Write certificate file"
+    copy:
+      dest: /etc/ssl/galera/server.pem
+      content: "{{ certificate.certificate }}"
+  when: not serverCertCheck.stat.exists
--- a/roles/mariadb_cluster/tasks/certificates.yml
+++ b/roles/mariadb_cluster/tasks/certificates.yml
@ -0,0 +1,67 @@
+---
+# file: roles/mariadb_cluster/tasks/certificates.yml 
+
+- name: Ensure directory exists for local self-signed TLS certs
+  file:
+    path: /etc/ssl/galera/
+    state: directory
+    owner: mysql
+    group: mysql
+    recurse: true
+
+- name: CA Setup
+  block:
+  - name: Generate an OpenSSL private key
+    community.crypto.openssl_privatekey:
+      path: /etc/ssl/galera/ca-certificate.key
+
+  - name: Create certificate signing request (CSR) for CA certificate
+    community.crypto.openssl_csr_pipe:
+      privatekey_path: /etc/ssl/galera/ca-certificate.key
+      common_name: Galera-Ansible
+      use_common_name_for_san: false
+      basic_constraints:
+        - 'CA:TRUE'
+      basic_constraints_critical: true
+      key_usage:
+        - keyCertSign
+      key_usage_critical: true
+    register: ca_csr
+    changed_when: false
+
+  - name: Create self-signed CA certificate from CSR
+    community.crypto.x509_certificate:
+      path: /etc/ssl/galera/ca-certificate.pem
+      csr_content: "{{ ca_csr.csr }}"
+      privatekey_path: /etc/ssl/galera/ca-certificate.key
+      selfsigned_not_after: "{{ mariadb_cluster_cert_length }}"
+      provider: selfsigned
+
+  - name: Copy ca-certificate locally for transfer
+    fetch:
+      src: /etc/ssl/galera/ca-certificate.pem
+      dest: /tmp/galera-ca-certificate.pem
+      flat: yes
+  when: inventory_hostname == mariadb_cluster_master
+
+- name: Transfer ca cert to other members
+  copy:
+    src: /tmp/galera-ca-certificate.pem
+    dest: /etc/ssl/galera/ca-certificate.pem
+    owner: mysql
+    group: mysql
+    mode: '0644'
+
+- name: Server Certificates
+  include_tasks: certificates-server.yml
+  loop: "{{ groups['mariadb_cluster'] }}"
+  loop_control:
+    extended: yes
+
+- name: Ensure mysql has permissions to access certs
+  file:
+    path: /etc/ssl/galera/
+    state: directory
+    owner: mysql
+    group: mysql
+    recurse: true
--- a/roles/mariadb_cluster/tasks/main.yml
+++ b/roles/mariadb_cluster/tasks/main.yml
@ -11,13 +11,24 @@
      - mariadb-server
      - galera
    state: latest
+  tags: packages

 - name: Update galera config
  template:
    src: "galera.cnf.j2"
-    dest: "/etc/my.cnf.d/galera.cnf"
+    dest: "/etc/my.cnf.d/z-galera.cnf"
  notify: Bootstrap Galera

+- name: Certificates tasks
+  include_tasks: certificates.yml
+  when: mariadb_cluster_ssl == true
+
+- name: Update ssl config
+  template:
+    src: "ssl.cnf.j2"
+    dest: "/etc/my.cnf.d/z-ssl.cnf"
+  when: mariadb_cluster_ssl == true
+
 - name: Enable firewall rule for MySQL access
  firewalld:
    port: 3306/tcp
@ -29,11 +40,12 @@

 - name: "Enable firewall rule for MySQL access to Access IP"
  firewalld:
-    rich_rule: 'rule family="ipv4" source address="{{ mariadb_cluster_access_ip }}" port port="3306" protocol="tcp" accept'
+    rich_rule: 'rule family="ipv4" source address="{{ item }}" port port="3306" protocol="tcp" accept'
    permanent: yes
    state: enabled
    immediate: yes
  notify: Reload firewalld
+  loop: "{{ mariadb_cluster_access_ip }}"
  when: mariadb_cluster_access_ip != ""

 - name: Setup access for other servers
@ -66,6 +78,12 @@
    dest: /etc/systemd/system/mariadb.service.d/override.conf
  notify: Daemon Reload

+- name: Set selinux nis_enabled
+  seboolean:
+    name: nis_enabled
+    state: true
+    persistent: true
+
 - name: Flush handlers
  meta: flush_handlers