Galera cluster TLS Support
Change-Id: I07624681c53cef53de6c72de97a53b96ea52381b
diff --git a/README.rst b/README.rst
index 609ec3d..0d86e0d 100644
--- a/README.rst
+++ b/README.rst
@@ -56,6 +56,27 @@
user: root
password: pass
+
+Enable TLS support:
+
+.. code-block:: yaml
+
+ galera:
+ slave or master:
+ ssl:
+ enabled: True
+
+ # path
+ cert_file: /etc/mysql/ssl/cert.pem
+ key_file: /etc/mysql/ssl/key.pem
+ ca_file: /etc/mysql/ssl/ca.pem
+
+ # content (not required if files already exists)
+ key: << body of key >>
+ cert: << body of cert >>
+ cacert_chain: << body of ca certs chain >>
+
+
Configurable soft parameters
============================
@@ -68,7 +89,7 @@
_param:
galera_innodb_buffer_pool_size: 1024M
- galera_max_connections: 200
+ galera_max_connections: 200
Usage
=====
diff --git a/galera/files/my.cnf b/galera/files/my.cnf
index ea04def..049d6d6 100644
--- a/galera/files/my.cnf
+++ b/galera/files/my.cnf
@@ -9,6 +9,14 @@
{%- from "galera/map.jinja" import slave with context %}
{%- set service = slave %}
{%- endif %}
+
+[mysql]
+{% if service.get('ssl', {}).get('enabled', False) %}
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
[mysqld_safe]
syslog
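Review bot: The new `[mysql]` client section loads the CA via `ssl-ca` but never enables server-certificate verification; on MySQL/MariaDB clients that is opt-in, so depending on the client library a `mysql` CLI with only `ssl-ca` set may still complete a TLS handshake with a server presenting an untrusted certificate. Add `ssl-verify-server-cert` inside the same `{% if %}` block once the server certificate's subject/SAN matches the host clients connect to. Note also that the client is pointed at `service.ssl.key_file`, which galera/ssl.sls in this same change installs as root:mysql 0440, so the `mysql` CLI run as any other user will fail to open the key; either provision a separate client key/cert pair or drop `ssl-key`/`ssl-cert` from `[mysql]` if only server authentication is needed.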
@@ -60,6 +68,13 @@
wsrep_provider_options="gcache.size = 256M"
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
+{% if service.get('ssl', {}).get('enabled', False) %}
+wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
[xtrabackup]
parallel=4
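Review bot: The added `wsrep_provider_options="socket.ssl=yes;..."` line is a third separate assignment of `wsrep_provider_options`, after the existing `gcache.size` and `gmcast.listen_addr` lines; if the server applies repeated options last-wins, as MySQL-style option files do, enabling TLS silently discards the gcache size and the listen address. Fold everything into one semicolon-separated value, e.g. `wsrep_provider_options="gcache.size = 256M;gmcast.listen_addr = tcp://{{ service.bind.address }}:4567{% if service.get('ssl', {}).get('enabled', False) %};socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}{% endif %}"`. Be aware that `socket.ssl` only protects the Galera group-communication channel; state snapshot transfers travel a separate path (the `[xtrabackup]` section below suggests xtrabackup-based SST) and need their own `[sst]` encryption settings, which this change does not add, so a comment such as `# socket.ssl does not cover SST traffic; configure [sst] encryption separately` would prevent a false sense of coverage.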
diff --git a/galera/init.sls b/galera/init.sls
index 94e1414..2835d0e 100644
--- a/galera/init.sls
+++ b/galera/init.sls
@@ -1,6 +1,7 @@
{%- if pillar.galera is defined %}
include:
+- galera.ssl
{%- if pillar.galera.master is defined %}
- galera.master
{%- endif %}
diff --git a/galera/ssl.sls b/galera/ssl.sls
new file mode 100644
index 0000000..f13fe5a
--- /dev/null
+++ b/galera/ssl.sls
@@ -0,0 +1,83 @@
+{%- from "galera/map.jinja" import master, slave with context %}
+
+{%- set service = master if pillar.galera.master is defined else slave %}
+{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+
+{%- if service.get('ssl', {}).get('enabled', False) %}
+{%- if service.ssl.cacert_chain is defined %}
+mysql_cacertificate:
+ file.managed:
+ - name: {{ service.ssl.ca_file }}
+ - contents_pillar: galera:{{ role }}:ssl:cacert_chain
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_cacertificate_exists:
+ file.exists:
+ - name: {{ service.ssl.ca_file }}
+mysql_cacertificate:
+ file.managed:
+ - name: {{ service.ssl.ca_file }}
+ - mode: 644
+ - create: False
+ - require:
+ - file: mysql_cacertificate_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.cert is defined %}
+mysql_certificate:
+ file.managed:
+ - name: {{ service.ssl.cert_file }}
+ - contents_pillar: galera:{{ role }}:ssl:cert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_certificate_exists:
+ file.exists:
+ - name: {{ service.ssl.cert_file }}
+mysql_certificate:
+ file.managed:
+ - name: {{ service.ssl.cert_file }}
+ - mode: 644
+ - create: False
+ - require:
+ - file: mysql_certificate_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.key is defined %}
+mysql_server_key:
+ file.managed:
+ - name: {{ service.ssl.key_file }}
+ - contents_pillar: galera:{{ role }}:ssl:key
+ - user: root
+ - group: mysql
+ - mode: 0440
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_server_key_exists:
+ file.exists:
+ - name: {{ service.ssl.key_file }}
+mysql_server_key:
+ file.managed:
+ - name: {{ service.ssl.key_file }}
+ - user: root
+ - group: mysql
+ - mode: 0440
+ - create: False
+ - require:
+ - file: mysql_server_key_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- endif %}
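Review bot: `mysql_server_key` writes the private key from `contents_pillar` with Salt's default `show_changes`, so on first install or key rotation the diff of the key body is returned in the state output and retained in the master job cache; add `- show_changes: False` to that `file.managed` (older Salt releases spell the option `show_diff`). The file modes are also inconsistent and unquoted: the pillar-managed branches use `0444` while the pre-existing-file branches use `644`, and an unquoted `0444` is read as an octal integer by YAML 1.1 loaders, so quote them as strings (`mode: '0444'`) and use the same value in both branches of each pair. Because the key is delivered through pillar, it should live in encrypted pillar (e.g. the GPG renderer) rather than in clear-text reclass/git; the state cannot enforce that, so a header comment `# ssl:key is a private key: supply it via encrypted pillar, never in plain text` would document the expectation.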
diff --git a/metadata/service/ssl.yml b/metadata/service/ssl.yml
new file mode 100644
index 0000000..5b31b31
--- /dev/null
+++ b/metadata/service/ssl.yml
@@ -0,0 +1,21 @@
+# class to enable tls for galera.master and galera.slave
+
+parameters:
+ _param:
+ mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+ mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+ mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+
+ galera:
+ master:
+ ssl:
+ enabled: True
+ key_file: ${_param:mysql_ssl_key_file}
+ cert_file: ${_param:mysql_ssl_cert_file}
+ ca_file: ${_param:mysql_ssl_ca_file}
+ slave:
+ ssl:
+ enabled: True
+ key_file: ${_param:mysql_ssl_key_file}
+ cert_file: ${_param:mysql_ssl_cert_file}
+ ca_file: ${_param:mysql_ssl_ca_file}
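Review bot: The class comment only says it enables TLS; it does not state that no key, certificate or CA material is supplied here, so a system including this class must either pre-provision the three `*_file` paths or set `galera:<role>:ssl:key`, `cert` and `cacert_chain` in pillar — otherwise galera/ssl.sls takes its `file.exists` branch and the highstate fails on the missing files. Extend the comment to `# Enables TLS for galera.master/galera.slave. Key, cert and CA are NOT provided here: pre-provision them at the *_file paths or set galera:<role>:ssl:{key,cert,cacert_chain} in (encrypted) pillar.` Style-wise, `enabled: True` depends on YAML 1.1 boolean parsing; `true` is the portable spelling, though the reclass/Salt consumer accepts both.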