From 4ccebee06614d2791b2cb82acfa8b5244e8b3942 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Wed, 27 Sep 2017 14:35:38 +0200
Subject: Galera: add support for encrypted SST
When internal TLS is enabled, generate a galera config that enable encryption of SST rsync traffic. The configuration relies on a new sst script wsrep_sst_rsync_tunnel, which encapsulates rsync traffic in a socat-based encrypted tunnel.
Change-Id: I1d6ee8febb596b3ab9dcde3a85a028ee99b2798c
Depends-On: Ia857350ac451fc1bda6659d85019962d3a9d5617
Closes-Bug: #1719885
(cherry picked from commit 9fb617eaea607bc3615edeaf4608fded55045ebd)
---
 manifests/profile/pacemaker/database/mysql.pp | 42 ++++++++++++++++++++--
 .../profile/pacemaker/database/mysql_bundle.pp | 42 ++++++++++++++++++++--
 2 files changed, 80 insertions(+), 4 deletions(-)
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index b9f2a65..14faa23 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -59,6 +59,20 @@
 # one step.
 # Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
 #
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
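Review bot: The `[*sst_tls_cipher*]` and `[*sst_tls_options*]` descriptions do not say how the values are consumed, which matters because both end up verbatim in the `sockopt` string the class builds (`cipher=${sst_tls_cipher}` joined with `$sst_tls_options` by commas). Suggested wording for the first: `#   (Optional) OpenSSL cipher-list string passed to socat as the cipher= entry of the SST sockopt; only used when enable_internal_tls is true.` and for the second: `#   (Optional) Extra comma-separated socat options appended to the SST sockopt string; a trailing comma would likely leave an empty option in the joined list.` The phrase "that the socat may use" reads oddly; "that socat may use" is enough. The same three parameter descriptions are added to mysql_bundle.pp further down and would take the same wording.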
@@ -76,6 +90,9 @@ class tripleo::profile::pacemaker::database::mysql (
   $enable_internal_tls = hiera('enable_internal_tls', false),
   $gmcast_listen_addr = hiera('mysql_bind_host'),
   $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+  $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+  $sst_tls_options = undef,
+  $ipv6 = str2bool(hiera('mysql_ipv6', false)),
   $step = Integer(hiera('step')),
   $pcs_tries = hiera('pcs_tries', 20),
 ) {
@@ -105,17 +122,36 @@ class tripleo::profile::pacemaker::database::mysql (
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $sst_tls = {
+      'tcert' => $tls_certfile,
+      'tkey' => $tls_keyfile,
+    }
     if $ca_file {
       $tls_ca_options = "socket.ssl_ca=${ca_file}"
+      $sst_tca = { 'tca' => $ca_file }
     } else {
       $tls_ca_options = ''
+      $sst_tca = {}
     }
     $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+    $wsrep_sst_method = 'rsync_tunnel'
+    if $ipv6 {
+      $sst_ipv6 = 'pf=ip6'
+    } else {
+      $sst_ipv6 = undef
+    }
+    $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+    $sst_sockopt = {
+      'sockopt' => join(delete_undef_values($all_sst_options), ',')
+    }
+    $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
   } else {
     $tls_options = ''
+    $wsrep_sst_method = 'rsync'
+    $mysqld_options_sst = {}
   }
 
-  $mysqld_options = {
+  $mysqld_options_mysqld = {
     'mysqld' => {
       'skip-name-resolve' => '1',
       'binlog_format' => 'ROW',
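Review bot: The default for `$sst_tls_cipher` contains the token `kEEH`, which as far as I can tell is not an OpenSSL cipher-list keyword (the ECDHE key-exchange alias is `kEECDH`, also spelled `kECDHE`); OpenSSL drops unknown tokens instead of failing, so if this string reaches socat's `cipher=` option unchanged the selected suites come only from `kRSA:kEDH:kPSK`, with RSA key exchange (no forward secrecy) listed first and nothing ECDHE-based. If `kEECDH` was intended, `$sst_tls_cipher = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',` and the same correction belongs in the parameter documentation above and in the mysql_bundle.pp parameter and documentation hunks. Whether wsrep_sst_rsync_tunnel rewrites the list before invoking socat is not visible in this commit, so this is worth confirming against that script.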
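Review bot: When `$ca_file` is unset the `sst` section carries `tcert`/`tkey` but no `tca`, so whether the rsync tunnel verifies the peer certificate is decided entirely by wsrep_sst_rsync_tunnel, which this commit does not include; the galera socket gets the same treatment through `$tls_ca_options = ''`, but an SST moves the database contents, so an unverified tunnel there is the larger exposure. A comment on the `$sst_tca = {}` branch would at least make the dependency explicit, e.g. `# No CA configured: peer verification of the SST tunnel is left to wsrep_sst_rsync_tunnel; confirm it does not fall back to an unverified TLS connection.`, and if the script cannot verify without a CA, calling `fail()` when `enable_internal_tls` is set without `ca_file` is the safer choice. As a point of style, the `if $ipv6 { ... } else { ... }` block is a selector, `$sst_ipv6 = $ipv6 ? { true => 'pf=ip6', default => undef }`, and the whole TLS block is duplicated verbatim in the corresponding mysql_bundle.pp hunk. The enclosing class starts before and ends after this hunk.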
@@ -143,11 +179,13 @@ class tripleo::profile::pacemaker::database::mysql (
       'wsrep_auto_increment_control' => '1',
       'wsrep_drupal_282555_workaround' => '0',
       'wsrep_causal_reads' => '0',
-      'wsrep_sst_method' => 'rsync',
+      'wsrep_sst_method' => $wsrep_sst_method,
       'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     }
   }
 
+  $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
   # since we are configuring rsync for wsrep_sst_method, we ought to make sure
   # it's installed. We only includ this at step 2 since puppet-rsync may be
   # included later and also adds the package resource.
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 613be56..436947d 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -67,6 +67,20 @@
 # one step.
 # Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
 #
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
 # [*pcs_tries*]
 # (Optional) The number of times pcs commands should be retried.
 # Defaults to hiera('pcs_tries', 20)
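Review bot: `wsrep_sst_method` can now be `rsync_tunnel`, but the package handling described by the comment below this hunk only covers rsync; the commit message says the tunnel script wraps rsync in socat, and nothing in this commit ensures socat (or the wsrep_sst_rsync_tunnel script itself, which the Depends-On change may deliver) is present on the node before an SST is attempted. If the script is packaged separately, an `ensure_packages(['socat'])` guarded by `$wsrep_sst_method == 'rsync_tunnel'` next to the existing rsync package handling, plus extending the comment to `# since we are configuring rsync (or rsync_tunnel, which also needs socat) for wsrep_sst_method, we ought to make sure they are installed.`, would close the gap. The final hunk of mysql_bundle.pp (`$mysqld_options = merge(...)`) has the same gap. The package handling itself lies outside this hunk.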
@@ -87,6 +101,9 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
   $enable_internal_tls = hiera('enable_internal_tls', false),
   $gmcast_listen_addr = hiera('mysql_bind_host'),
   $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+  $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+  $sst_tls_options = undef,
+  $ipv6 = str2bool(hiera('mysql_ipv6', false)),
   $pcs_tries = hiera('pcs_tries', 20),
   $step = Integer(hiera('step')),
 ) {
@@ -118,17 +135,36 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $sst_tls = {
+      'tcert' => $tls_certfile,
+      'tkey' => $tls_keyfile,
+    }
     if $ca_file {
       $tls_ca_options = "socket.ssl_ca=${ca_file}"
+      $sst_tca = { 'tca' => $ca_file }
     } else {
       $tls_ca_options = ''
+      $sst_tca = {}
     }
     $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+    $wsrep_sst_method = 'rsync_tunnel'
+    if $ipv6 {
+      $sst_ipv6 = 'pf=ip6'
+    } else {
+      $sst_ipv6 = undef
+    }
+    $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+    $sst_sockopt = {
+      'sockopt' => join(delete_undef_values($all_sst_options), ',')
+    }
+    $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
   } else {
     $tls_options = ''
+    $wsrep_sst_method = 'rsync'
+    $mysqld_options_sst = {}
   }
 
-  $mysqld_options = {
+  $mysqld_options_mysqld = {
     'mysqld' => {
       'pid-file' => '/var/lib/mysql/mariadb.pid',
       'skip-name-resolve' => '1',
@@ -157,7 +193,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
       'wsrep_auto_increment_control' => '1',
       'wsrep_drupal_282555_workaround' => '0',
       'wsrep_causal_reads' => '0',
-      'wsrep_sst_method' => 'rsync',
+      'wsrep_sst_method' => $wsrep_sst_method,
       'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
     },
     'mysqld_safe' => {
@@ -165,6 +201,8 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
     }
   }
 
+  $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
   # remove_default_accounts parameter will execute some mysql commands
   # to remove the default accounts created by MySQL package.
   # We need MySQL running to run the commands successfully, so better to
-- 
cgit 1.2.3-korg