Group replication SSL #115
Conversation
pkg/apis/mysql/v1/cluster.go
Outdated
| // SSLSecretRef allows a user to specify custom CA certificate, server certificate | ||
| // and server key for group replication ssl | ||
| // +optional | ||
| SSLSecretRef *corev1.LocalObjectReference `json:"sslSecretRef,omitempty"` |
There was a problem hiding this comment.
Maybe it's bikeshedding but I'm not sure we made the right decision re {Foo}Ref I'd rather SSLSecret, RootPasswordSecret and MyCNF or similar. Probably out of scope though.
There was a problem hiding this comment.
This should be a separate issue to do them all at once
There was a problem hiding this comment.
Agree with you both. I'm not a huge fan. Let's do this afterwards.
| LocalObjectReference: v1.LocalObjectReference{ | ||
| Name: cluster.Spec.SSLSecretRef.Name, | ||
| }, | ||
| Items: []v1.KeyToPath{ |
There was a problem hiding this comment.
If we can use it i'd like to - unfortunately we have to provide the CA cert file too for MySQL to be happy - tls secrets only have the server cert and key pair. Also it isn't tls, it's ssl still.
So we could 1) add a ca.crt field to the tls secret. 2) have the ca.crt in a different secret or 3) leave it how it is.
Thoughts?
There was a problem hiding this comment.
Ah, shame. I’d follow the naming scheme from the TLS secret and add the ca.crt as you suggest.
| @@ -211,6 +219,10 @@ func mysqlServerContainer(cluster *api.MySQLCluster, mysqlServerImage string, ro | |||
| "--log-error-verbosity=3", | |||
| } | |||
|
|
|||
| if cluster.RequiresCustomSSLSetup() { | |||
| args = append(args, "--ssl-ca=/etc/ssl/mysql/ca.crt", "--ssl-cert=/etc/ssl/mysql/server.crt", "--ssl-key=/etc/ssl/mysql/server.key") | |||
There was a problem hiding this comment.
nit: would probably split into an arg per line
examples/custom-ssl-secret.yaml
Outdated
| cacert: <base64'd Root CA certifacte> | ||
| servercert: <base64'd server certificate> | ||
| serverkey: <base64'd server private key> | ||
|
|
| } | ||
| } | ||
|
|
||
| if !hasExpectedVolumeMount { |
There was a problem hiding this comment.
assert.True(t, hasExpectedVolumeMount, "Cluster is missing expected volume mount for custom ssl certs")(github.com/stretchr/testify/assert)
pkg/apis/mysql/v1/cluster_test.go
Outdated
| }, | ||
| } | ||
|
|
||
| if !cluster.RequiresCustomSSLSetup() { |
There was a problem hiding this comment.
assert.True(t, cluster.RequiresCustomSSLSetup(), "Cluster with sslSecretRef should require custom ssl setup")(github.com/stretchr/testify/assert)
pkg/apis/mysql/v1/cluster_test.go
Outdated
| cluster := &MySQLCluster{} | ||
| cluster.EnsureDefaults() | ||
|
|
||
| if cluster.RequiresCustomSSLSetup() { |
There was a problem hiding this comment.
assert.False(t, cluster.RequiresCustomSSLSetup(), "Cluster without sslSecretRef should not require custom ssl setup")(github.com/stretchr/testify/assert)
simonlord
force-pushed
the
group-replication-ssl
branch
3 times, most recently
from
1e98125 to
a6bd303
Compare
examples/custom-ssl-secret.yaml
Outdated
| name: mysql-ssl-secret | ||
| type: Opaque | ||
| data: | ||
| ca.crt: <base64'd Root CA certifacte> |
There was a problem hiding this comment.
Typo certifact => certificate
pkg/apis/mysql/v1/cluster.go
Outdated
| @@ -95,6 +95,11 @@ type MySQLClusterSpec struct { | |||
| // ConfigRef allows a user to specify a custom configuration file for MySQL. | |||
| // +optional | |||
| ConfigRef *corev1.LocalObjectReference `json:"configRef,omitempty"` | |||
|
|
|||
| // SSLSecretRef allows a user to specify custom CA certificate, server certificate | |||
| // and server key for group replication ssl | |||
pkg/apis/mysql/v1/cluster.go
Outdated
| @@ -203,6 +208,13 @@ func (c *MySQLCluster) RequiresSecret() bool { | |||
| return c.Spec.SecretRef == nil | |||
| } | |||
|
|
|||
| // RequiresCustomSSLSetup returns true is the user has provided a secret | |||
| // that contains CA cert, server cert and server key for group replication | |||
| // ssl support | |||
| @@ -84,3 +85,20 @@ func TestRequiresConfigMount(t *testing.T) { | |||
| t.Errorf("Cluster with configRef should require a config mount") | |||
| } | |||
| } | |||
|
|
|||
| func TestRequiresCustomSSLSetup(t *testing.T) { | |||
| cluster := &MySQLCluster{} | |||
There was a problem hiding this comment.
Not relevant to this PR but I'd be in favour of abstracting this given how often it comes up in the codebase and how easy it would be to make a mistake by not setting defaults.
cluster := NewMySQLCluster() | NewMySQLClusterWithDefaults()
pkg/apis/mysql/v1/cluster_test.go
Outdated
| }, | ||
| } | ||
|
|
||
| assert.True(t, cluster.RequiresCustomSSLSetup(), "Cluster with sslSecretRef should require custom ssl setup") |
| } | ||
| } | ||
|
|
||
| assert.True(t, hasExpectedVolumeMount, "Cluster is missing expected volume mount for custom ssl certs") |
- SSL with autogenerated certs as standard (a feature of mysql, certs valid for 10 years) - Confirgurable with your own CA cert, tls cert and tls key via a tls secret
simonlord
force-pushed
the
group-replication-ssl
branch
from
a6bd303 to
72b2396
Compare
Limitations:
to enforce hostname/common name checking. This would require vault/cert-manager
Resolves: #89
Changelog: