erp5.mariadb: Provide a way to enable SSL support.

54283870 · Vincent Pelletier · 8cffc02a · 54283870 · 54283870 · 54283870
Commit 54283870 authored Feb 05, 2014 by Vincent Pelletier
4 changed files
--- a/software/erp5/instance-mariadb-input-schema.json
+++ b/software/erp5/instance-mariadb-input-schema.json
@@ -90,6 +90,25 @@
      "description": "When enabled, sets innodb_flush_log_at_trx_commit = 0, innodb_flush_method = nosync, innodb_doublewrite = 0 and sync_frm = 0 - RTFM, those options are dangerous",
      "default": false,
      "type": "boolean"
+    },
+    "ssl": {
+      "description": "Enable and define SSL support for network connections",
+      "default": {},
+      "properties": {
+        "ca-crt": {
+          "description": "Certificate Authority's certificate, in PEM format",
+          "type": "string",
+        },
+        "crt": {
+          "description": "Server's certificate, in PEM format (mandatory to enable SSL support)",
+          "type": "string"
+        },
+        "key": {
+          "description": "Server's key, in PEM format (mandatory to enable SSL support)",
+          "type": "string"
+        }
+      },
+      "type": "object"
    }
  }
 }
--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -174,7 +174,7 @@ context =
 [template-mariadb]
 < = download-base
 filename = instance-mariadb.cfg.in
-md5sum = d51a5ad6cfa76b7bc20519694e88df80
+md5sum = 31e49ad3abb6926f21f29c53cda49ebb
 link-binary =
  ${coreutils:location}/bin/basename
  ${coreutils:location}/bin/cat
@@ -205,7 +205,7 @@ md5sum = b54344ee94519f7e95e270664ba3dc99
 [template-my-cnf]
 < = download-base
 filename = my.cnf.in
-md5sum = 774b0e5d167b75a0ad8ead45fa2eadf6
+md5sum = 21d1e74c964a4882f33c360e9c8a3d44

 [template-mariadb-initial-setup]
 < = download-base

--- a/stack/erp5/instance-mariadb.cfg.in
+++ b/stack/erp5/instance-mariadb.cfg.in
@@ -29,6 +29,40 @@ recipe = slapos.cookbook:publish.serialised
 database-list = {{ render_database_list(database_list) }}
 test-database-list = {{ render_database_list(test_database_list) }}

+[simplefile]
+recipe = slapos.recipe.template:jinja2
+template = inline:{{ '{{ content }}' }}
+
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+
+[{{  section(section_name) }}]
+< = simplefile
+rendered = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}
+{% set ssl_dict = {} -%}
+{% macro sslfile(key, content, mode='644') -%}
+{%   set path = '${directory:mariadb-ssl}/' ~ key ~ '.pem' -%}
+{%   do ssl_dict.__setitem__(key, path) -%}
+{{   simplefile('ssl-file-' ~ key, path, content, mode) }}
+{%- endmacro %}
+{% set ssl_parameter_dict = slapparameter_dict.get('ssl') -%}
+{% if ssl_parameter_dict -%}
+{%   set base_directory = '${directory:mariadb-ssl}/' -%}
+{# Note: The key content will be stored in .installed.cfg, and this template's
+rendering, so the only point of mode is to avoid risking mariadb complaining
+about laxist file mode. -#}
+{{   sslfile('key', ssl_parameter_dict['key'], mode='600') }}
+{{   sslfile('crt', ssl_parameter_dict['crt']) }}
+{%   if 'ca-crt' in ssl_parameter_dict -%}
+{{     sslfile('ca-crt', ssl_parameter_dict['ca-crt']) }}
+{%   endif -%}
+{%- endif %}
+
 {% if full_backup_retention_days > -1 -%}
 [{{ section('cron-entry-mariadb-backup') }}]
 <= cron
@@ -75,7 +109,10 @@ binlog-path = ${directory:mariadb-backup-incremental}/binlog
 binlog-expire-days = {{ incremental_backup_retention_days }}
 {% else %}
 binlog-path =
-{% endif -%}
+{%- endif %}
+{%- for key, value in ssl_dict.items() -%}
+ssl-{{ key }} = {{ value }}
+{% endfor %}

 [my-cnf]
 recipe = slapos.recipe.template:jinja2
@@ -206,6 +243,7 @@ mariadb-backup-full = ${:backup}/mariadb-full
 mariadb-backup-incremental = ${:backup}/mariadb-incremental
 logrotate-backup = ${:backup}/logrotate
 mariadb-data = ${:srv}/mariadb
+mariadb-ssl = ${:etc}/mariadb-ssl
 var = ${buildout:directory}/var
 log = ${:var}/log
 run = ${:var}/run

--- a/stack/erp5/my.cnf.in
+++ b/stack/erp5/my.cnf.in
@@ -70,6 +70,14 @@ collation_server = utf8_unicode_ci
 character_set_server = utf8
 skip_character_set_client_handshake

+{% if 'ssl-key' in parameter_dict -%}
+ssl_cert = {{ parameter_dict['ssl-crt'] }}
+ssl_key = {{ parameter_dict['ssl-key'] }}
+{%   if 'ssl-ca-crt' in parameter_dict -%}
+ssl_ca = {{ parameter_dict['ssl-ca-crt'] }}
+{%-  endif %}
+{%- endif %}
+
 [client]
 socket = {{ socket }}
 user = root