Add table encryption support?

To add: There is some missing code to remove the plaintext password files. However I wanted to get this out first and see if interest is there for this feature.

Hi Sebastian,

Thanks for reaching us!

Generally feature looks interesting. There are some concerns about the usecase, because with file implementation encrypton keys are stored on the same place as database which does not feel like secure. So I guess implementing option to select encryption plugin and install it (like aws_key_management) would be also cool.

Also there are some comments regarding current patch, since in case of the cluster, you probably need to generate them on localhost and later distribute to galera containers/hosts.

But yes, I'd say we have nothing against implementing this feature, and you may go ahead and push patch for it. For this you will need to setup a gerrit account https://docs.openstack.org/contributors/common/setup-gerrit.html after which you can make a commit and run `git review` to push it.

Thanks for your answer, Dmitriy!

> There are some concerns about the usecase, because with file implementation encrypton keys are stored on the same place as database which does not feel like secure.

Yes, that is a problem. The keys are only needed on startup of the mysql instances and can afterwards be deleted. This however can be a operational problem since you have to provide the keys on startup, which is then not automatic, anymore.

Right now I think the best idea is to put the keys on the server with Ansible, startup the instance, then delete the keys. What do you think?

> So I guess implementing option to select encryption plugin and install it (like aws_key_management) would be also cool.

I have no possibility to test this with AWS or eperi, however I can provide some initial code and if some other person needs it, it can be further developed.

> Also there are some comments regarding current patch, since in case of the cluster, you probably need to generate them on localhost and later distribute to galera containers/hosts.

Good idea! I'll add that.

> But yes, I'd say we have nothing against implementing this feature, and you may go ahead and push patch for it.

Thanks, will do!

> Right now I think the best idea is to put the keys on the server with Ansible, startup the instance, then delete the keys. What do you think?

Will that mean service restart will fail without keys being in place? If they're required only during initial startup, than this might be good idea to remove them afterwards. And we probably would need to avoid their deployment as well during following runs. This can be probably done with ansible local facts. We already have galera_deployed that can be leveraged

> I have no possibility to test this with AWS or eperi, however I can provide some initial code and if some other person needs it, it can be further developed.

Yeah, that's what I meant - let's make an option to choose driver at least config wise, and interested ppl may iterate later.

Also you can join us on Freenode IRC in #openstack-ansible channel if you want.

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/784069
Committed: https://opendev.org/openstack/openstack-ansible-galera_server/commit/e91c8be4492aee2327911ddea5b7decede388af9
Submitter: "Zuul (22348)"
Branch: master

commit e91c8be4492aee2327911ddea5b7decede388af9
Author: Sebastian Gumprich <email address hidden>
Date: Wed Mar 31 12:32:37 2021 +0200

    add support for encryption

    Closes-Bug: #1921861

    Change-Id: I73e548ac208a96ddaa687a1b5fbb22cac20037d0

This issue was fixed in the openstack/openstack-ansible-galera_server yoga-eom release.

This issue was fixed in the openstack/openstack-ansible-galera_server wallaby-eom release.

This issue was fixed in the openstack/openstack-ansible-galera_server xena-eom release.