openstack/openstack-ansible-galera_server
Code Issues Proposed changes
openstack-ansible-galera_se.../tasks/galera_server_encryption.yml
Dmitriy Rabotyagov 4fc4459684 Auto-fix usage of modules via FQCN 
Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`

Change-Id: I1ba53c1b0cc33cf7cad8057481275f5757c28b0a
2025-02-12 13:35:20 +00:00

108 lines
3.9 KiB
YAML
Raw Blame History

---
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create encryption config
openstack.config_template.config_template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "{{ item.mode | default('0644') }}"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
ignore_none_type: false
when: item.condition | default(True)
with_items:
- src: encryption.cnf.j2
dest: "{{ galera_etc_include_dir }}/encryption.cnf"
config_overrides: "{{ galera_encryption_overrides }}"
config_type: "ini"
notify: Restart all mysql
- name: Use encryption with the file key management plugin
block:
- name: Create encryption directory
ansible.builtin.file:
path: "/etc/mysql/encryption"
state: "directory"
owner: "mysql"
group: "mysql"
mode: "0755"
- name: Create a fact for the name of the temporary directory
ansible.builtin.set_fact:
galera_db_encryption_tmp_dir: "{{ lookup('env', 'OSA_CONFIG_DIR') | default(osa_config_dir, True) }}/mysql"
delegate_to: "localhost"
run_once: true
when: galera_db_encryption_tmp_dir | length == 0
- name: Create a temporary directory to store the keyfile
ansible.builtin.file:
path: "{{ galera_db_encryption_tmp_dir }}"
state: directory
mode: "0750"
delegate_to: "localhost"
run_once: true
- name: Create encryption keys if the user does not specify them and put them on the deploy host # noqa: no-changed-when risky-shell-pipe
ansible.builtin.shell: >-
for i in {1..2}; do echo \"$i;$(openssl rand -hex 32)\"; done | tee {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys > /dev/null
delegate_to: "localhost"
run_once: true
when:
- galera_db_encryption_keys is not defined
- name: Create the encryption key file from the user provided galera_db_encryption_keys
ansible.builtin.shell: "echo '{{ galera_db_encryption_keys }}' > {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys" # noqa: no-changed-when
delegate_to: "localhost"
run_once: true
when:
- galera_db_encryption_keys is defined
- name: Create an encrypted keyfile using encryption key
ansible.builtin.command: # noqa: no-changed-when
argv:
- openssl
- enc
- -aes-256-cbc
- -md
- sha1
- -k
- "{{ galera_db_encryption_password }}"
- -in
- "{{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys"
- -out
- "{{ galera_db_encryption_tmp_dir }}/mysql_encryption_keyfile.enc"
delegate_to: "localhost"
run_once: true
- name: Copy encypted keyfile to servers
ansible.builtin.copy:
src: "{{ galera_db_encryption_tmp_dir }}/mysql_encryption_keyfile.enc"
dest: "/etc/mysql/encryption/keyfile.enc"
owner: mysql
group: mysql
mode: "0600"
force: false # only copy the file if it does not exist
notify: Restart all mysql
- name: Copy password to file to servers
ansible.builtin.copy:
content: "{{ galera_db_encryption_password }}"
dest: "/etc/mysql/encryption/.keyfile.key"
owner: mysql
group: mysql
mode: "0600"
when:
- galera_mariadb_encryption_plugin == "file_key_management"
View Git Blame Copy Permalink