[MXS-1463] Would like Galera Monitor to support TLS Created: 2017-10-05  Updated: 2017-12-01  Resolved: 2017-10-05

Status: Closed
Project: MariaDB MaxScale
Component/s: galeramon
Affects Version/s: 2.1.9
Fix Version/s: N/A

Type: New Feature Priority: Major
Reporter: Pak Chan Assignee: Unassigned
Resolution: Not a Bug Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-1553 GaleraMon ignores server's SSL config... Closed

 Description   

Hi,

I'm setting up MaxScale and Galera cluster, where all access to the databases in the Galera cluster should be encrypted. It turns out that this isn't possible for MaxScale as there doesn't appear to be any support for TLS in GaleraMon; despite MXS-598 implying that there is. This could prevent us from using this solution, especially as the database user used by galeramon can read database metadata.

By default, if the galeramon user (see the configuration below) is required to use SSL, the connection fails, and the tcpdump packet captures show that it is attempting to connect without encryption.

In an attempt to correct this, I added the ssl parameters to the Galera Monitor section of the MaxScale config file:

# Monitoring for the servers
[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
#ssl=required
#ssl_version=MAX
#ssl_cert=/etc/mysql/ssl/db-client-cert.pem
#ssl_key=/etc/mysql/ssl/db-client-key.pem
#ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

This resulted in MaxScale aborting on startup, with the log showing:

MariaDB MaxScale  /var/log/maxscale/maxscale.log  Thu Oct  5 10:38:08 2017
----------------------------------------------------------------------------
2017-10-05 10:38:08   notice : MariaDB MaxScale 2.1.9 started
2017-10-05 10:38:08   notice : MaxScale is running in process 31849
2017-10-05 10:38:08   notice : Configuration file: /etc/maxscale.cnf
2017-10-05 10:38:08   notice : Log directory: /var/log/maxscale
2017-10-05 10:38:08   notice : Data directory: /var/lib/maxscale
2017-10-05 10:38:08   notice : Module directory: /usr/lib/x86_64-linux-gnu/maxscale
2017-10-05 10:38:08   notice : Service cache: /var/cache/maxscale
2017-10-05 10:38:08   notice : Loading /etc/maxscale.cnf.
2017-10-05 10:38:08   notice : /etc/maxscale.cnf.d does not exist, not reading.
2017-10-05 10:38:08   notice : [cli] Initialise CLI router module
2017-10-05 10:38:08   notice : Loaded module cli: V1.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libcli.so
2017-10-05 10:38:08   notice : [readwritesplit] Initializing statement-based read/write split router module.
2017-10-05 10:38:08   notice : Loaded module readwritesplit: V1.1.0 from /usr/lib/x86_64-linux-gnu/maxscale/libreadwritesplit.so
2017-10-05 10:38:08   notice : [galeramon] Initialise the MySQL Galera Monitor module.
2017-10-05 10:38:08   notice : Loaded module galeramon: V2.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libgaleramon.so
2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_ca_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/ca-cert.pem' is an invalid value for parameter 'ssl_ca_cert'.
2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_key' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-key.pem' is an invalid value for parameter 'ssl_key'.
2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-cert.pem' is an invalid value for parameter 'ssl_cert'.
2017-10-05 10:38:08   error  : Unexpected parameter 'ssl' for object 'Galera Monitor' of type 'monitor', or 'required' is an invalid value for parameter 'ssl'.
2017-10-05 10:38:08   error  : Failed to open, read or process the MaxScale configuration file /etc/maxscale.cnf. Exiting.
2017-10-05 10:38:08   MariaDB MaxScale is shut down.
----------------------------------------------------



 Comments   
Comment by markus makela [ 2017-10-05 ]

The SSL parameters must be defined for the servers that the monitor monitors, not the monitor itself.

Comment by Pak Chan [ 2017-10-05 ]

Ah, in that case, that's my misunderstanding. I have an outstanding bug report on the issue with server TLS (MX-1462).

Feel free to close this issue.
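The fix stated in the comment above is a configuration change, not a code change: in MaxScale 2.1 the ssl, ssl_cert, ssl_key, ssl_ca_cert and ssl_version keys are server parameters, and the monitor picks them up from each server it connects to. The fragment below is an added example and is not configuration from this ticket or from the MaxScale project. It reuses the reporter's section names, user and certificate paths; the server addresses and port are assumed, and the service and listener sections are omitted.

```ini
# Wrong placement: ssl* keys on the monitor object. MaxScale 2.1 refuses to start,
# logging "Unexpected parameter 'ssl_ca_cert' for object 'Galera Monitor' of type 'monitor'".
# Keep these out of the monitor section entirely.
#[Galera Monitor]
#ssl=required
#ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

# Correct placement: TLS settings on each server the monitor talks to.
# address/port are assumed for this example; the certificate paths are the reporter's.
[dbnode1]
type=server
address=192.0.2.11
port=3306
protocol=MySQLBackend
ssl=required
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
ssl_version=MAX

[dbnode2]
type=server
address=192.0.2.12
port=3306
protocol=MySQLBackend
ssl=required
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
ssl_version=MAX

# The monitor section carries no TLS keys; it inherits them from dbnode1 and dbnode2.
[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
```

Verify on the wire rather than trusting the config: keep the galeramon account restricted to SSL on the database side (the reporter already had it "required to use SSL", which is what made the plaintext attempt fail loudly) and repeat the tcpdump capture; the monitor's connections should now show a TLS handshake instead of a cleartext MySQL handshake. The linked issue MXS-1553 reports that galeramon ignored the server's SSL configuration in some versions, so this check is worth keeping after upgrades.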
