23 changes: 23 additions & 0 deletions roles/mysql_8_4/defaults/main.yml
Expand Up @@ -57,6 +57,29 @@ MYSQL_CONFIG_KEYRING_DIR: /var/lib/mysql-keyring
# This enables encryption-at-rest for new tables and logs.
MYSQL_CONFIG_AUTO_ENCRYPTION_ENABLED: true

### SSL settings ###
MYSQL_CONFIG_SSL_ENABLED: false
# This is where we will store the SSL certs and keys
MYSQL_CONFIG_SSL_DIR: /etc/mysql/ssl
# Force all clients to use SSL
MYSQL_CONFIG_SSL_REQUIRE_SECURE_TRANSPORT: false

# Contenido PEM inline:
MYSQL_CONFIG_SSL_CA_PEM: |
-----BEGIN CERTIFICATE-----
SETMEPLEASE
-----END CERTIFICATE-----

MYSQL_CONFIG_SSL_SERVER_CERT_PEM: |
-----BEGIN CERTIFICATE-----
SETMEPLEASE
-----END CERTIFICATE-----

MYSQL_CONFIG_SSL_SERVER_KEY_PEM: |
-----BEGIN PRIVATE KEY-----
SETMEPLEASE
-----END PRIVATE KEY-----

MYSQL_CONFIG_USERS: []
MYSQL_CONFIG_DEFAULT_ALLOWED_HOSTS: "%"

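Review bot: The comment `# Force all clients to use SSL` above MYSQL_CONFIG_SSL_REQUIRE_SECURE_TRANSPORT overstates what the option does; the template's own comment notes that Unix-socket connections stay allowed, so `# Require TLS for TCP/IP client connections (local socket connections are still allowed)` matches what require_secure_transport actually enforces. The three `*_PEM` defaults would also benefit from a comment stating that they are placeholders to be overridden from an encrypted source (for example a vaulted vars file) rather than edited in place, since the server key default otherwise lives in a committed file. Nothing in the new tasks rejects the `SETMEPLEASE` placeholder when SSL is enabled, so that expectation should at least be stated here.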
14 changes: 14 additions & 0 deletions roles/mysql_8_4/tasks/configure.yml
Expand Up @@ -44,3 +44,17 @@
when: not MYSQL_CONFIG_ENCRYPTION_ENABLED
notify:
- Restart mysql

- name: Configure SSL for MySQL
ansible.builtin.include_tasks: ssl_config.yml
when: MYSQL_CONFIG_SSL_ENABLED

# Render the SSL config file when disabling SSL
- name: Put SSL configuration file
ansible.builtin.template:
src: ssl.cnf.j2
dest: "{{ MYSQL_CONFIG_EXTRA_CONFIG_PATH }}/ssl.cnf"
mode: preserve
when: not MYSQL_CONFIG_SSL_ENABLED
notify:
- Restart mysql
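Review bot: The `Put SSL configuration file` task at the end of this hunk duplicates the identically named task in ssl_config.yml; since ssl.cnf.j2 already branches on `MYSQL_CONFIG_SSL_ENABLED`, the template can be rendered once here without a `when:` and the copy in ssl_config.yml dropped, so the two cannot drift apart. `mode: preserve` also ties the rendered file's permissions to whatever ssl.cnf.j2 has in the checkout on the controller rather than to an explicit value; `mode: '0644'` (matching the server-cert task) is more predictable. The task preceding this hunk starts outside it.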
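--- /dev/null
+++ b/roles/mysql_8_4/tasks/ssl_config.yml
@@ -0,0 +1,40 @@
+---
+- name: Ensure SSL dir exists for MySQL
+ansible.builtin.file:
+path: "{{ MYSQL_CONFIG_SSL_DIR }}"
+state: directory
+owner: mysql
+group: mysql
+mode: '0700'
+
+- name: Install ca.pem
+ansible.builtin.copy:
+dest: "{{ MYSQL_CONFIG_SSL_DIR }}/ca.pem"
+content: "{{ MYSQL_CONFIG_SSL_CA_PEM }}"
+owner: mysql
+group: mysql
+mode: '0600'
+
+- name: Install server-cert.pem
+ansible.builtin.copy:
+dest: "{{ MYSQL_CONFIG_SSL_DIR }}/server-cert.pem"
+content: "{{ MYSQL_CONFIG_SSL_SERVER_CERT_PEM }}"
+owner: mysql
+group: mysql
+mode: '0644'
+
+- name: Install server-key.pem
+ansible.builtin.copy:
+dest: "{{ MYSQL_CONFIG_SSL_DIR }}/server-key.pem"
+content: "{{ MYSQL_CONFIG_SSL_SERVER_KEY_PEM }}"
+owner: mysql
+group: mysql
+mode: '0600'
+
+- name: Put SSL configuration file
+ansible.builtin.template:
+src: ssl.cnf.j2
+dest: "{{ MYSQL_CONFIG_EXTRA_CONFIG_PATH }}/ssl.cnf"
+mode: preserve
+notify:
+- Restart mysql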
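Review bot: The `Install server-key.pem` task passes the private key through `content:`, so the key material is echoed in verbose output and in `--diff` runs unless the task carries `no_log: true`; the other copy tasks are public material and can stay as they are. There is also no guard against the `SETMEPLEASE` defaults, so an operator who sets `MYSQL_CONFIG_SSL_ENABLED: true` without overriding the PEM variables gets a placeholder installed as server-key.pem and a server that fails to start; an `ansible.builtin.assert` at the top of this file catches that before anything is written. Both changes are shown below.
```yaml
- name: Refuse to install placeholder SSL material
  ansible.builtin.assert:
    that:
      - "'SETMEPLEASE' not in MYSQL_CONFIG_SSL_CA_PEM"
      - "'SETMEPLEASE' not in MYSQL_CONFIG_SSL_SERVER_CERT_PEM"
      - "'SETMEPLEASE' not in MYSQL_CONFIG_SSL_SERVER_KEY_PEM"
    fail_msg: "MYSQL_CONFIG_SSL_*_PEM still holds the role's default placeholder"

# … unchanged: Ensure SSL dir exists, Install ca.pem, Install server-cert.pem …

- name: Install server-key.pem
  ansible.builtin.copy:
    dest: "{{ MYSQL_CONFIG_SSL_DIR }}/server-key.pem"
    content: "{{ MYSQL_CONFIG_SSL_SERVER_KEY_PEM }}"
    owner: mysql
    group: mysql
    mode: '0600'
  no_log: true

# … unchanged: Put SSL configuration file …
```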
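--- /dev/null
+++ b/roles/mysql_8_4/templates/ssl.cnf.j2
@@ -0,0 +1,14 @@
+[mysqld]
+{% if MYSQL_CONFIG_SSL_ENABLED %}
+ssl_ca={{ MYSQL_CONFIG_SSL_DIR }}/ca.pem
+ssl_cert={{ MYSQL_CONFIG_SSL_DIR }}/server-cert.pem
+ssl_key={{ MYSQL_CONFIG_SSL_DIR }}/server-key.pem
+
+# Obliga conexiones cifradas por TCP/IP (Unix socket sigue permitido)
+{% if MYSQL_CONFIG_SSL_REQUIRE_SECURE_TRANSPORT %}
+require_secure_transport=ON
+{% endif %}
+
+# Protocolos recomendados
+tls_version=TLSv1.2,TLSv1.3
+{% endif %}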
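Review bot: The two comments in this template are in Spanish while the rest of the role's comments are English; suggest `# Require TLS for TCP/IP connections (Unix-socket connections are still allowed)` in place of the first and `# Allowed TLS protocol versions` in place of the second. The same applies to `# Contenido PEM inline:` in defaults/main.yml, which would read `# Inline PEM content:`. A leading `# {{ ansible_managed }}` line above `[mysqld]` would also mark the rendered file as role-managed for anyone editing it on the host.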