
Commit 94bbf26

authored
Add TLS Support to Maxscale (#19)
Signed-off-by: SK Ali Arman <[email protected]>
1 parent 7e08c4e commit 94bbf26


2 files changed

+63
-22
lines changed


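--- a/scripts/maxscale.sh
+++ b/scripts/maxscale.sh
@@ -4,7 +4,7 @@ args="$@"
 echo "INFO" "Storing default config into /etc/maxscale/maxscale.cnf"
 
 mkdir -p /etc/maxscale/maxscale.cnf.d
-cat >>/etc/maxscale/maxscale.cnf <<EOL
+cat >/etc/maxscale/maxscale.cnf <<EOL
 [maxscale]
 threads=1
 log_debug=1
@@ -19,20 +19,30 @@ EOL
 #EOL
 #fi
 
-cat >>/etc/maxscale/maxscale.cnf.d/maxscale.cnf <<EOL
+cat >/etc/maxscale/maxscale.cnf.d/maxscale.cnf <<EOL
 # Auto-generated server list from environment
 EOL
 
 serverList=""
 # Split HOST_LIST into an array
 for ((i=1; i<=REPLICAS; i++)); do
 cat >> /etc/maxscale/maxscale.cnf.d/maxscale.cnf <<EOL
+
 [server$i]
 type=server
 address=$BASE_NAME-$((i - 1)).$GOVERNING_SERVICE_NAME.$POD_NAMESPACE.svc.cluster.local
 port=3306
 protocol=MariaDBBackend
 EOL
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+cat >>/etc/maxscale/maxscale.cnf.d/maxscale.cnf <<EOL
+ssl=true
+ssl_ca=/etc/ssl/maxscale/ca.crt
+ssl_cert=/etc/ssl/maxscale/tls.crt
+ssl_key=/etc/ssl/maxscale/tls.key
+EOL
+fi
+
 if [[ -n "$serverList" ]]; then
 serverList+=","
 fi
@@ -41,6 +51,7 @@ done
 
 if [[ "${UI:-}" == "true" ]]; then
 cat >>/etc/maxscale/maxscale.cnf <<EOL
+
 admin_secure_gui=false
 # this enables external access to the REST API outside of localhost
 # review / modify for any public / non development environments
@@ -95,6 +106,14 @@ service=RW-Split-Router
 protocol=MariaDBClient
 port=3306
 EOL
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+cat >>/etc/maxscale/maxscale.cnf.d/maxscale.cnf <<EOL
+ssl=true
+ssl_ca=/etc/ssl/maxscale/ca.crt
+ssl_cert=/etc/ssl/maxscale/tls.crt
+ssl_key=/etc/ssl/maxscale/tls.key
+EOL
+fi
 
 echo "INFO: MaxScale configuration files have been successfully created."
 IFS=' '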
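Review bot: The backend TLS block at new lines 37–44 sets `ssl=true` and `ssl_ca` but says nothing about `ssl_verify_peer_certificate` or `ssl_verify_peer_host`, so whether MaxScale validates each backend's certificate against that CA is left to the installed version's default; for a setting gated by REQUIRE_SSL it is safer to state it, e.g. add `ssl_verify_peer_certificate=true` inside that heredoc. The block appended in the `@@ -95` hunk has the same gap and additionally writes to `/etc/maxscale/maxscale.cnf.d/maxscale.cnf`, although the heredoc it follows (whose `cat` target is outside the hunk) looks like the listener, which the `@@ -41` hunk suggests lives in `/etc/maxscale/maxscale.cnf`; if so, these keys attach to whichever section was last written to the cnf.d file rather than to the listener, which would keep accepting plaintext connections — worth verifying against the generated files. A one-line comment above the loop block, `# REQUIRE_SSL=TRUE: enable TLS towards every backend server`, would make the intent of the two near-identical blocks clear.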

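--- a/scripts/std-replication-setup.sh
+++ b/scripts/std-replication-setup.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-env | sort | grep "POD\|HOST\|NAME"
+env | sort | grep "POD\|HOST\|NAME\|SSL"
+
 args=$@
 NAMESPACE="$POD_NAMESPACE"
 USER="$MYSQL_ROOT_USERNAME"
@@ -60,6 +61,19 @@ function wait_for_mysqld_running() {
 }
 
 joining_for_first_time=1
+
+function alter_user(){
+local mysql="$mysql_header --host=$localhost"
+local ssl_require=""
+local user="$1"
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+ssl_require="REQUIRE SSL"
+else
+ssl_require="REQUIRE NONE"
+fi
+retry 120 ${mysql} -N -e "SET SQL_LOG_BIN=0;ALTER USER '$user'@'%' $ssl_require;"
+}
+
 function create_replication_user() {
 # https://mariadb.com/kb/en/setting-up-replication/
 log "INFO" "Checking whether replication user exist or not......"
@@ -77,6 +91,7 @@ function create_replication_user() {
 else
 log "INFO" "Replication user exists. Skipping creating new one......."
 fi
+alter_user "repl"
 }
 
 function create_maxscale_user() {
@@ -101,9 +116,10 @@ function create_maxscale_user() {
 else
 log "INFO" "Maxscale user exists. Skipping creating new one......."
 fi
+alter_user "maxscale"
 }
 
-//TODO:
+#//TODO:
 #function create_maxscale_confsync_user() {
 # log "INFO" "Checking whether maxscale user exist or not......"
 # local mysql="$mysql_header --host=$localhost"
@@ -121,6 +137,7 @@ function create_maxscale_user() {
 # fi
 #}
 
+
 function create_monitor_user() {
 log "INFO" "Checking whether monitor user exist or not......"
 local mysql="$mysql_header --host=$localhost"
@@ -146,6 +163,7 @@ function create_monitor_user() {
 else
 log "INFO" "Monitor user exists. Skipping creating new one......."
 fi
+alter_user "monitor_user"
 }
 function bootstrap_cluster() {
 echo "this is master node"
@@ -154,13 +172,20 @@ function bootstrap_cluster() {
 }
 
 function join_to_master_by_current_pos() {
-# member try to join into the existing group as old instance
+# member try to join into the existing group as fresh install, datadir is clean and no backup is restored
 log "INFO" "The replica, ${report_host} is joining to master node ${master}..."
 local mysql="$mysql_header --host=$localhost"
 log "INFO" "Joining to master with gtid current_pos.."
 retry 20 ${mysql} -N -e "STOP SLAVE;"
 retry 20 ${mysql} -N -e "RESET SLAVE ALL;"
-retry 20 ${mysql} -N -e "CHANGE MASTER TO MASTER_HOST='$master',MASTER_USER='repl',MASTER_PASSWORD='$MYSQL_ROOT_PASSWORD',MASTER_USE_GTID = current_pos;"
+local ssl_options=""
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+ssl_options=", MASTER_SSL=1, MASTER_SSL_CA='/etc/mysql/certs/server/ca.crt'"
+log "INFO" "Configuring replication with TLS enabled"
+else
+log "INFO" "Configuring replication without TLS"
+fi
+retry 20 ${mysql} -N -e "CHANGE MASTER TO MASTER_HOST='$master', MASTER_USER='repl', MASTER_PASSWORD='$MYSQL_ROOT_PASSWORD' $ssl_options, MASTER_USE_GTID=current_pos;"
 retry 20 ${mysql} -N -e "START SLAVE;"
 joining_for_first_time=0
 echo "end join to master node by gtid current_pos"
@@ -176,13 +201,18 @@ function join_to_master_by_slave_pos() {
 if [ $joining_for_first_time -eq 1 ]; then
 retry 20 ${mysql} -N -e "SET GLOBAL gtid_slave_pos = '$gtid';"
 fi
-retry 20 ${mysql} -N -e "CHANGE MASTER TO MASTER_HOST='$master',MASTER_USER='repl',MASTER_PASSWORD='$MYSQL_ROOT_PASSWORD',MASTER_USE_GTID = slave_pos;"
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+ssl_options=", MASTER_SSL=1, MASTER_SSL_CA='/etc/mysql/certs/server/ca.crt'"
+log "INFO" "Configuring replication with TLS enabled"
+else
+log "INFO" "Configuring replication without TLS"
+fi
+retry 20 ${mysql} -N -e "CHANGE MASTER TO MASTER_HOST='$master', MASTER_USER='repl', MASTER_PASSWORD='$MYSQL_ROOT_PASSWORD' $ssl_options, MASTER_USE_GTID=slave_pos;"
 retry 20 ${mysql} -N -e "START SLAVE;"
 joining_for_first_time=0
 echo "end join to master node by gtid slave_pos"
 }
 
-
 export pid
 function start_mysqld_in_background() {
 log "INFO" "Starting MySQL server with docker-entrypoint.sh mysqld $args..."
@@ -221,7 +251,12 @@ fi
 
 start_mysqld_in_background
 
-export mysql_header="mariadb -u ${USER} --port=3306"
+if [[ "${REQUIRE_SSL:-}" == "TRUE" ]]; then
+export mysql_header="mariadb -u ${USER} --port=3306 --ssl-ca=/etc/mysql/certs/server/ca.crt --ssl-cert=/etc/mysql/certs/server/tls.crt --ssl-key=/etc/mysql/certs/server/tls.key"
+else
+export mysql_header="mariadb -u ${USER} --port=3306"
+fi
+
 export MYSQL_PWD=${PASSWORD}
 
 # wait for mysqld to be ready
@@ -288,16 +323,3 @@ while true; do
 wait $pid
 done
 
-
-
-
-
-
-
-
-
-
-
-
-
-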
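Review bot: In the `@@ -176` hunk `ssl_options` is assigned inside the `if` but never declared or initialised in this function, unlike join_to_master_by_current_pos where `local ssl_options=""` precedes the same block; when REQUIRE_SSL is not TRUE the CHANGE MASTER string therefore expands an unset variable (empty today, a fatal error under `set -u`, and a leaked value if anything ever sets it globally), so add `local ssl_options=""` before the `if`. Both that hunk and the `@@ -154` one enable `MASTER_SSL=1` with a `MASTER_SSL_CA` but no `MASTER_SSL_VERIFY_SERVER_CERT=1`, which — unless the target MariaDB version changes the default — means the replica encrypts the channel yet does not validate the master's certificate against the CA it was handed; setting it explicitly, e.g. `ssl_options=", MASTER_SSL=1, MASTER_SSL_CA='/etc/mysql/certs/server/ca.crt', MASTER_SSL_VERIFY_SERVER_CERT=1"`, closes that gap, and the `--ssl-ca` client header in the `@@ -221` hunk deserves the same check for its verify option. The enclosing function join_to_master_by_slave_pos starts outside the hunk. A short header on alter_user, `# Enforce or lift the TLS requirement on an existing account according to REQUIRE_SSL`, would document why it is called after each create_*_user.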
