Support TLS for galera
Ability to specify a certificate and a CA to be used for galera
cluster communication (GCOMM, SST).

Updates to the certificate used for galera automatically trigger
a rolling restart of the galera pods, without service disruption.

When the Galera CR is configured to use TLS, the mariadbdatabase
CR creates DB users that still allow connection to the DB without
using TLS. This is because Openstack clients currently cannot be
configured to connect via TLS or via plain TCP. This specific
part will be addressed in a subsequent commit.
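The rolling restart described above (a renewed certificate rolls the galera pods without a manual step) is commonly implemented by recording a digest of the TLS secret contents on the StatefulSet pod template, so that the StatefulSet controller performs the rolling update itself. The Go snippet below is an added illustration of that pattern written for this page; it is not code from mariadb-operator, and the annotation name, the validation rules and the plain-map representation of secret data are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Secret data keys named in the Galera CRD field descriptions.
const (
	CertKey = "tls.crt"
	KeyKey  = "tls.key"
	CAKey   = "ca.crt"
)

// Hypothetical annotation used to record the TLS material digest on the pod
// template; the real operator may use a different key or mechanism.
const TLSHashAnnotation = "mariadb.openstack.org/tls-material-hash"

// ValidateTLSSecrets checks that the secret referenced by secretName holds
// tls.crt and tls.key and that the one referenced by caSecretName holds
// ca.crt, i.e. the keys the CRD descriptions say the operator reads.
func ValidateTLSSecrets(tlsData, caData map[string][]byte) error {
	for _, k := range []string{CertKey, KeyKey} {
		if len(tlsData[k]) == 0 {
			return fmt.Errorf("TLS secret is missing key %q", k)
		}
	}
	if len(caData[CAKey]) == 0 {
		return fmt.Errorf("CA secret is missing key %q", CAKey)
	}
	return nil
}

// TLSMaterialHash returns a deterministic SHA-256 digest over the certificate,
// key and CA bytes. Entries are sorted by name and length-prefixed so the
// result does not depend on map iteration order and two different inputs
// cannot collide by shifting bytes between fields.
func TLSMaterialHash(tlsData, caData map[string][]byte) string {
	parts := map[string][]byte{
		CertKey: tlsData[CertKey],
		KeyKey:  tlsData[KeyKey],
		CAKey:   caData[CAKey],
	}
	names := make([]string, 0, len(parts))
	for n := range parts {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s:%d:", n, len(parts[n]))
		h.Write(parts[n])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NeedsRollingRestart reports whether the digest stored on the pod template
// is stale compared with the secrets currently in the namespace, and returns
// the value the controller should write. Changing a pod template annotation
// is what makes the StatefulSet controller roll the pods one at a time.
func NeedsRollingRestart(templateAnnotations map[string]string, tlsData, caData map[string][]byte) (bool, string) {
	want := TLSMaterialHash(tlsData, caData)
	return templateAnnotations[TLSHashAnnotation] != want, want
}

func main() {
	// Constructed sample material; real secrets hold PEM blobs.
	tls := map[string][]byte{CertKey: []byte("CERT-v1"), KeyKey: []byte("KEY-v1")}
	ca := map[string][]byte{CAKey: []byte("CA-v1")}
	if err := ValidateTLSSecrets(tls, ca); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	template := map[string]string{}
	restart, hash := NeedsRollingRestart(template, tls, ca)
	fmt.Println("first reconcile, restart:", restart)
	template[TLSHashAnnotation] = hash
	restart, _ = NeedsRollingRestart(template, tls, ca)
	fmt.Println("steady state, restart:", restart)
	tls[CertKey] = []byte("CERT-v2") // cert-manager renewed the certificate
	restart, _ = NeedsRollingRestart(template, tls, ca)
	fmt.Println("after renewal, restart:", restart)
}
```

The digest covers the CA as well as the leaf pair, so rotating the CA alone also rolls the cluster; a watch on the two referenced Secrets is what drives the reconcile that calls NeedsRollingRestart.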
dciabrin committed Sep 5, 2023
1 parent c186339 commit 529b8b3
Showing 16 changed files with 439 additions and 17 deletions.
12 changes: 12 additions & 0 deletions api/bases/mariadb.openstack.org_galeras.yaml
@@ -91,6 +91,18 @@ spec:
storageRequest:
description: Storage size allocated for the mariadb databases
type: string
tls:
description: TLS settings to use for MySQL and Galera replication
properties:
caSecretName:
description: Secret in the same namespace containing the CA cert
(ca.crt) for client certificate validation
type: string
secretName:
description: Secret in the same namespace containing the server
private key (tls.key) and public cert (tls.crt) for TLS
type: string
type: object
required:
- containerImage
- replicas
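Review bot: `secretName` and `caSecretName` are independently optional (neither is in the `required` list and `tls` carries no validation rule), so a spec with `secretName` set and `caSecretName` empty is accepted by the API server; the descriptions should say what the operator does in that case (refuse to enable TLS, or serve TLS without verifying peers), or the CRD should require the two fields together, for instance with an `XValidation` rule. The `caSecretName` description also speaks only of "client certificate validation", while the commit message says the CA secures GCOMM and SST, i.e. it is what each replica uses to verify the other replicas; stating that here avoids users treating the CA as optional for cluster-internal traffic.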
10 changes: 10 additions & 0 deletions api/v1beta1/galera_types.go
@@ -62,6 +62,16 @@ type GaleraSpec struct {
// +kubebuilder:validation:Enum=rsync;mariabackup
// Snapshot State Transfer method to use for full node synchronization
SST GaleraSST `json:"sst"`
// TLS settings to use for MySQL and Galera replication
TLS TLSSpec `json:"tls,omitempty"`
}

// TLSSpec defines the TLS options
type TLSSpec struct {
// Secret in the same namespace containing the server private key (tls.key) and public cert (tls.crt) for TLS
SecretName string `json:"secretName,omitempty"`
// Secret in the same namespace containing the CA cert (ca.crt) for client certificate validation
CaSecretName string `json:"caSecretName,omitempty"`
}

// Supported SST type
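Review bot: `json:"tls,omitempty"` on the value-typed `TLS TLSSpec` field has no effect, because encoding/json never treats a struct value as empty, so an unset `tls` still serializes as `tls: {}`; if the intent is for `tls` to be absent when unused, declare it `TLS *TLSSpec`, otherwise drop the misleading `omitempty` and rely on the zero value. Independently of that, an explicit `// +optional` marker on `TLS`, `SecretName` and `CaSecretName` would document the intent in the API type rather than leaving it to be inferred from the JSON tag.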
16 changes: 16 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


12 changes: 12 additions & 0 deletions config/crd/bases/mariadb.openstack.org_galeras.yaml
@@ -91,6 +91,18 @@ spec:
storageRequest:
description: Storage size allocated for the mariadb databases
type: string
tls:
description: TLS settings to use for MySQL and Galera replication
properties:
caSecretName:
description: Secret in the same namespace containing the CA cert
(ca.crt) for client certificate validation
type: string
secretName:
description: Secret in the same namespace containing the server
private key (tls.key) and public cert (tls.crt) for TLS
type: string
type: object
required:
- containerImage
- replicas
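Review bot: this generated copy is identical to api/bases/mariadb.openstack.org_galeras.yaml, so the same two points apply: the two secret fields are not required together, and the `caSecretName` description should mention that the CA is used to verify peer replicas for GCOMM and SST, not only clients. Keep both files in sync by regenerating from the Go types rather than editing either by hand.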
12 changes: 12 additions & 0 deletions config/rbac/role.yaml
@@ -112,6 +112,18 @@ rules:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
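Review bot: the new rule grants `create`, `delete`, `patch` and `update` on every Secret in the namespace, but the commit message describes the operator consuming user-provided certificate and CA secrets (issued by cert-manager in the samples), for which `get`, `list` and `watch` are sufficient to read them and to react to renewals. Least privilege suggests trimming the verbs to those three; if the controller really does write secrets, say so in the commit message and prefer scoping the write verbs with `resourceNames`. Since role.yaml is generated, the change belongs in the `+kubebuilder:rbac` marker on the controller rather than in this file.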
75 changes: 75 additions & 0 deletions config/samples/cert-manager-galera-cert.yaml
@@ -0,0 +1,75 @@
# the cluster-wide issuer, used to generate a root certificate
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
# The root certificate. they cert/key/ca will be generated in the secret 'root-secret'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-selfsigned-ca
namespace: openstack
spec:
isCA: true
commonName: my-selfsigned-ca
secretName: root-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
---
# The CA issuer for galera, uses the certificate from `my-selfsigned-ca`
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
namespace: openstack
spec:
ca:
secretName: root-secret
---
# The certificate used by all galera replicas for GCOMM and SST.
# The replicas in the galera statefulset all share the same
# certificate, so the latter requires wildcard in dnsNames for TLS
# validation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: galera-cert
spec:
secretName: galera-tls
secretTemplate:
labels:
mariadb-ref: openstack
duration: 6h
renewBefore: 1h
subject:
organizations:
- cluster.local
commonName: openstack-galera
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS8
size: 2048
usages:
- server auth
- client auth
dnsNames:
- "openstack.openstack.svc"
- "openstack.openstack.svc.cluster.local"
- "*.openstack-galera"
- "*.openstack-galera.openstack"
- "*.openstack-galera.openstack.svc"
- "*.openstack-galera.openstack.svc.cluster"
- "*.openstack-galera.openstack.svc.cluster.local"
issuerRef:
name: my-ca-issuer
group: cert-manager.io
kind: Issuer
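Review bot: the `galera-cert` Certificate has no `metadata.namespace`, while `my-selfsigned-ca` and `my-ca-issuer` (a namespaced Issuer) are explicitly in `openstack`; applied from a different namespace context the Certificate lands elsewhere, cannot resolve its `issuerRef`, and the `galera-tls` secret never appears next to the Galera CR. Add `namespace: openstack` to it. Two smaller points: the comment on the root certificate reads "they cert/key/ca" (typo for "the"), and `duration: 6h` with `renewBefore: 1h` means cert-manager reissues every five hours, which combined with the automatic rolling restart in this commit rolls the whole cluster several times a day; that is useful for exercising rotation in a sample but deserves a comment so it is not copied into production. The SAN `*.openstack-galera.openstack.svc.cluster` matches no name a client will use and can be dropped.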
12 changes: 12 additions & 0 deletions config/samples/mariadb_v1beta1_galera_tls.yaml
@@ -0,0 +1,12 @@
apiVersion: mariadb.openstack.org/v1beta1
kind: Galera
metadata:
name: openstack
spec:
secret: osp-secret
storageClass: local-storage
storageRequest: 500M
replicas: 3
tls:
secretName: galera-tls
caSecretName: galera-tls
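Review bot: `caSecretName: galera-tls` points at the leaf certificate's own secret rather than at a CA secret; that works here only because a cert-manager CA Issuer copies the issuing certificate into `ca.crt` of the issued secret, and a secret from another issuer type or one created by hand may have no `ca.crt`, which is the key the CRD description says the operator reads. Either reference the CA secret directly (`root-secret` in the companion cert-manager sample) or add a comment stating the cert-manager behaviour being relied on. Also, the companion Certificate labels its secret `mariadb-ref: openstack` and issues SANs for a Galera named `openstack` in namespace `openstack`, so this sample should set `metadata.namespace: openstack` too so the two files line up.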
