DEV-383: enable SSL for mariadb-connections

group_vars/all/plain.yml

@@ -207,3 +207,5 @@ hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
 k8s_basic_services:
   - kubelet
   - containerd
+
+selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}'

roles/connect_wordpress/vars/main.yml

@@ -42,6 +42,7 @@ wordpress_docker: {
         "WORDPRESS_CONFIG_EXTRA: |",
         "  define( 'WP_HOME', 'https://{{ wordpress_base_url }}' );",
         "  define( 'WP_SITEURL', 'https://{{ wordpress_base_url }}' );",
+        "  define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );",
         "AUTH_API: \"https://{{ shared_service_keycloak_hostname }}\"",
         "RESOURCE_API: \"https://{{ connect_base_url }}\"",
         "REALM_ID: \"{{ current_realm_name }}\"",

roles/maria/handlers/main.yml

@@ -4,3 +4,9 @@
     name: prometheus-mysqld-exporter
     state: restarted
     enabled: yes
+
+- name: "restart mysql"
+  service:
+    name: mariadb
+    state: restarted
+    enabled: yes

roles/maria/tasks/_create_database.yml

@@ -13,6 +13,8 @@
 - name: Ensure MySQL users are present.
   community.mysql.mysql_user:
     name: "{{ item.name }}"
+    tls_requires:
+      SSL:
     password: "{{ item.password }}"
     priv: "{{ item.priv | default('*.*:USAGE') }}"
     state: "{{ item.state | default('present') }}"

roles/maria/tasks/main.yml

@@ -14,16 +14,48 @@
     - python3-pymysql
     - prometheus-mysqld-exporter
 
+- name: "Set vars"
+  set_fact:
+    cert_private_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-key.pem'
+    cert_public_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-crt.pem'
+    ca_cert: '/etc/mysql/conf.d/ca-certificate.pem'
+
+- name: "Include role for self-signed CA"
+  include_role:
+    name: selfsigned_ca
+
+- name: "Create certs with selfsigned CA"
+  include_role:
+    name: selfsigned_ca
+    tasks_from: _create_cert
+  vars:
+    selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
+    selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
+    selfsigned_ca_cacert: '{{ ca_cert }}'
+    selfsigned_ca_cert_altnames:
+      - 'DNS:{{ inventory_hostname }}.{{ domain }}'
+    selfsigned_ca_trigger_handler: restart mysql
+
 - name: Fix binding..
   ansible.builtin.lineinfile:
     path: /etc/mysql/mariadb.conf.d/50-server.cnf
     regexp: '^bind-address'
     line: 'bind-address={{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'
+  notify: restart mysql
+
+- name: "Create my.cnf containing ssl stuff"
+  template:
+    src: 50-ssl.cnf
+    dest: /etc/mysql/conf.d/
+    mode: '0644'
+    owner: root
+    group: root
+  notify: restart mysql
 
 - name: Ensure service is started
   service:
     name: mariadb
-    state: restarted
+    state: started
     enabled: yes
 
 - name: Check if root password is set
@@ -55,6 +87,8 @@
 - name: Ensure MySQL users are present.
   community.mysql.mysql_user:
     name: "{{ item.name }}"
+    tls_requires:
+      SSL:
     password: "{{ item.password }}"
     priv: "{{ item.priv | default('*.*:USAGE') }}"
     state: "{{ item.state | default('present') }}"

roles/maria/templates/50-ssl.cnf

@@ -0,0 +1,5 @@
+[mysqld]
+ssl_key = {{ cert_private_key }}
+ssl_cert = {{ cert_public_key }} 
+ssl_ca = {{ ca_cert }}
+ssl = on

roles/restore_maria/tasks/main.yml

@@ -1,13 +1,38 @@
 ---
+- name: "Set vars"
+  set_fact:
+    cert_private_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-key.pem'
+    cert_public_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-crt.pem'
+    ca_cert: '/etc/mysql/conf.d/ca-certificate.pem'
+
 - name: "Install mariadb via include_role"
   vars:
     mysql_packages:
       - mariadb-client
       - mariadb-server
       - mariadb-backup
+    mysql_bind_address: '{{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'
+    mysql_config_include_files:
+      - src: 50-ssl.cnf
   include_role:
     name: geerlingguy.mysql
 
+- name: "Include role for self-signed CA"
+  include_role:
+    name: selfsigned_ca
+
+- name: "Create certs with selfsigned CA"
+  include_role:
+    name: selfsigned_ca
+    tasks_from: _create_cert
+  vars:
+    selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
+    selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
+    selfsigned_ca_cacert: '{{ ca_cert }}'
+    selfsigned_ca_cert_altnames:
+      - 'DNS:{{ inventory_hostname }}.{{ domain }}'
+    selfsigned_ca_trigger_handler: restart mysql
+
 - name: "Copy restore script to restore server"
   copy:
     src: restore.sh

roles/restore_maria/templates/50-ssl.cnf

@@ -0,0 +1,5 @@
+[mysqld]
+ssl_key = {{ cert_private_key }}
+ssl_cert = {{ cert_public_key }} 
+ssl_ca = {{ ca_cert }}
+ssl = on

roles/selfsigned_ca/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+selfsigned_ca_dir: '/etc/ssl/selfsigned_ca'
+selfsigned_ca_private_key_passphrase: '{{ selfsigned_ca_private_key_passphrase_vault }}'

roles/selfsigned_ca/tasks/_create_cert.yml

@@ -0,0 +1,44 @@
+---
+- name: "Generate an OpenSSL private key"
+  community.crypto.openssl_privatekey:
+    path: '{{ selfsigned_ca_cert_private_key }}'
+    backup: yes
+    regenerate: full_idempotence
+    size: 4096
+    type: RSA
+    group: mysql
+    mode: '0640'
+
+- name: "Create certificate signing request (CSR) for new certificate"
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: '{{ selfsigned_ca_cert_private_key }}'
+    subject_alt_name: '{{ selfsigned_ca_cert_altnames | list }}'
+  run_once: true
+  register: csr
+
+- name: "Sign certificate with our CA"
+  community.crypto.x509_certificate_pipe:
+    csr_content: "{{ csr.csr }}"
+    provider: ownca
+    ownca_path: '{{ selfsigned_ca_dir }}/ca-certificate.pem'
+    ownca_privatekey_path: '{{ selfsigned_ca_dir }}/ca-certificate.key'
+    ownca_privatekey_passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
+    ownca_not_after: +1000d
+    ownca_not_before: "-3d"
+  run_once: true
+  register: certificate
+
+- name: "Write certificate file"
+  copy:
+    dest: '{{ selfsigned_ca_cert_public_key }}'
+    content: "{{ certificate.certificate }}"
+  run_once: true
+  notify: '{{ selfsigned_ca_trigger_handler | default([]) }}'
+
+- name: "Write CA certificate"
+  copy:
+    src: '{{ selfsigned_ca_dir }}/ca-certificate.pem'
+    remote_src: yes
+    dest: '{{ selfsigned_ca_cacert }}'
+  run_once: true
+  notify: '{{ selfsigned_ca_trigger_handler | default([]) }}'

roles/selfsigned_ca/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+# create a CA to create SSL certs just for transport encryption
+#
+- name: "Ensure directory for selfsigned CA"
+  file:
+    path: "{{ selfsigned_ca_dir }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: "Create private key with password protection"
+  community.crypto.openssl_privatekey:
+    path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
+    passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
+    cipher: auto
+
+- name: "Create certificate signing request (CSR) for CA certificate"
+  community.crypto.openssl_csr_pipe:
+    privatekey_path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
+    privatekey_passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
+    common_name: "SMARDIGO Ansible CA {{ stage }}"
+    use_common_name_for_san: false
+    basic_constraints:
+      - "CA:TRUE"
+    basic_constraints_critical: yes
+    key_usage:
+      - keyCertSign
+    key_usage_critical: true
+  register: ca_csr
+
+- name: "Create self-signed CA certificate from CSR"
+  community.crypto.x509_certificate:
+    path: "{{ selfsigned_ca_dir }}/ca-certificate.pem"
+    csr_content: "{{ ca_csr.csr }}"
+    privatekey_path: "{{ selfsigned_ca_dir }}/ca-certificate.key"
+    privatekey_passphrase: "{{ selfsigned_ca_private_key_passphrase }}"
+    provider: selfsigned