Merge branch 'master' into pr/27
diff --git a/README.rst b/README.rst
index 5f85850..05ea8da 100644
--- a/README.rst
+++ b/README.rst
@@ -56,6 +56,26 @@
user: root
password: pass
+Enable TLS support:
+
+.. code-block:: yaml
+
+ galera:
+ slave or master:
+ ssl:
+ enabled: True
+
+ # path
+ cert_file: /etc/mysql/ssl/cert.pem
+ key_file: /etc/mysql/ssl/key.pem
+ ca_file: /etc/mysql/ssl/ca.pem
+
+ # content (not required if files already exists)
+ key: << body of key >>
+ cert: << body of cert >>
+ cacert_chain: << body of ca certs chain >>
+
+
Additional mysql users:
.. code-block:: yaml
@@ -104,7 +124,7 @@
_param:
galera_innodb_buffer_pool_size: 1024M
- galera_max_connections: 200
+ galera_max_connections: 200
Usage
diff --git a/galera/files/init_bootstrap.sh b/galera/files/init_bootstrap.sh
index 4683d1a..917c4f0 100644
--- a/galera/files/init_bootstrap.sh
+++ b/galera/files/init_bootstrap.sh
@@ -7,7 +7,7 @@
while [ $counter -gt 0 ]
do
- mysql -u root -e"quit"
+ mysql -u root -e"quit" || mysql -u {{ service.admin.user }} -p{{ service.admin.password }} -e"quit"
if [[ $? -eq 0 ]]; then
echo "Sucessfully connected to the MySQL service ($retries retries)."
exit 0
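Review bot: The fallback on the changed line passes the admin password as a command-line argument (`-p{{ service.admin.password }}`), so while that mysql process runs the password is readable by every local user through the process list, and because the value is unquoted a password containing shell metacharacters breaks the command. This is the same exposure the commit removes from master.sls and slave.sls (the `mysqladmin ... -p{{ ... }} shutdown` states), so it would be better not to reintroduce it here: render the credentials into a root-only options file and call `mysql --defaults-extra-file=<rendered credentials file> -e"quit"`, or at minimum quote the value as `-p'{{ service.admin.password }}'`. The rendered script itself carries the cleartext password on disk, so its file mode matters as much as the command line does. The enclosing `while` loop starts outside the hunk.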
diff --git a/galera/files/my.cnf b/galera/files/my.cnf
index ea04def..049d6d6 100644
--- a/galera/files/my.cnf
+++ b/galera/files/my.cnf
@@ -9,6 +9,14 @@
{%- from "galera/map.jinja" import slave with context %}
{%- set service = slave %}
{%- endif %}
+
+[mysql]
+{% if service.get('ssl', {}).get('enabled', False) %}
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
[mysqld_safe]
syslog
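Review bot: The new `[mysql]` client block presents a certificate and a CA file but does not turn on verification of the server certificate, so as written it gives the client encryption without server authentication. Which option enforces verification depends on the MySQL flavour the formula targets (`ssl-mode=VERIFY_CA` or `VERIFY_IDENTITY` on MySQL 5.7.11+, `ssl-verify-server-cert` on MariaDB), and the hunk does not show which one is in use, so the choice needs confirming against the package the formula installs. A smaller point: the client block reuses the server key, which ssl.sls installs as `root:mysql` with mode 0440, so a `mysql` client invoked as any other user will fail to open it; if the bootstrap scripts are the only intended consumer that is fine, but it deserves a comment such as `# client TLS reuses the server key; only root and mysql can read it`.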
@@ -60,6 +68,13 @@
wsrep_provider_options="gcache.size = 256M"
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
+{% if service.get('ssl', {}).get('enabled', False) %}
+wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
[xtrabackup]
parallel=4
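Review bot: The added `wsrep_provider_options="socket.ssl=yes;..."` line is a third assignment of the same option in the `[mysqld]` block, after the `gcache.size` and `gmcast.listen_addr` assignments on the context lines above it; my understanding is that mysqld keeps only the last value of a repeated option, so when SSL is enabled the listen address and gcache size would silently be dropped (and without SSL the gcache line is already overridden by the listen_addr line). Merging them into one semicolon-separated value avoids that, e.g. `wsrep_provider_options="gcache.size = 256M;gmcast.listen_addr = tcp://{{ service.bind.address }}:4567{% if service.get('ssl', {}).get('enabled', False) %};socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}{% endif %}"`. Separately, the `ssl-*` server options make TLS available to clients but do not require it, so cleartext client logins remain possible unless accounts are created with `REQUIRE SSL` or the server refuses non-TLS transport (`require_secure_transport` on MySQL 5.7+); a comment stating which of those the formula relies on would help the next reader.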
diff --git a/galera/init.sls b/galera/init.sls
index bc55f36..9944b4c 100644
--- a/galera/init.sls
+++ b/galera/init.sls
@@ -1,6 +1,7 @@
{%- if pillar.galera is defined %}
include:
+- galera.ssl
{%- if pillar.galera.master is defined %}
- galera.master
{%- endif %}
diff --git a/galera/master.sls b/galera/master.sls
index 8b2ee5f..9fc1f9f 100644
--- a/galera/master.sls
+++ b/galera/master.sls
@@ -168,23 +168,12 @@
- require:
- cmd: galera_bootstrap_set_root_password
-galera_bootstrap_stop_service_pre:
- cmd.run:
- - name: mysqladmin -h localhost -u root -p{{ master.admin.password }} shutdown
- {%- if not grains.get('noservices', False) %}
- - ignore_retcode: true
- - require:
- - cmd: mysql_bootstrap_update_maint_password
- {%- else %}
- - onlyif: /bin/false
- {%- endif %}
-
galera_bootstrap_stop_service:
service.dead:
- name: {{ master.service }}
{%- if not grains.get('noservices', False) %}
- require:
- - cmd: galera_bootstrap_stop_service_pre
+ - cmd: mysql_bootstrap_update_maint_password
{%- else %}
- onlyif: /bin/false
{%- endif %}
diff --git a/galera/slave.sls b/galera/slave.sls
index 547fbad..290d371 100644
--- a/galera/slave.sls
+++ b/galera/slave.sls
@@ -167,23 +167,12 @@
- require:
- cmd: galera_bootstrap_set_root_password
-galera_bootstrap_stop_service_pre:
- cmd.run:
- - name: mysqladmin -h localhost -u root -p{{ slave.admin.password }} shutdown
- {%- if not grains.get('noservices', False) %}
- - ignore_retcode: true
- - require:
- - cmd: mysql_bootstrap_update_maint_password
- {%- else %}
- - onlyif: /bin/false
- {%- endif %}
-
galera_bootstrap_stop_service:
service.dead:
- name: {{ slave.service }}
{%- if not grains.get('noservices', False) %}
- require:
- - cmd: galera_bootstrap_stop_service_pre
+ - cmd: mysql_bootstrap_update_maint_password
{%- else %}
- onlyif: /bin/false
{%- endif %}
diff --git a/galera/ssl.sls b/galera/ssl.sls
new file mode 100644
index 0000000..f13fe5a
--- /dev/null
+++ b/galera/ssl.sls
@@ -0,0 +1,83 @@
+{%- from "galera/map.jinja" import master, slave with context %}
+
+{%- set service = master if pillar.galera.master is defined else slave %}
+{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+
+{%- if service.get('ssl', {}).get('enabled', False) %}
+{%- if service.ssl.cacert_chain is defined %}
+mysql_cacertificate:
+ file.managed:
+ - name: {{ service.ssl.ca_file }}
+ - contents_pillar: galera:{{ role }}:ssl:cacert_chain
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_cacertificate_exists:
+ file.exists:
+ - name: {{ service.ssl.ca_file }}
+mysql_cacertificate:
+ file.managed:
+ - name: {{ service.ssl.ca_file }}
+ - mode: 644
+ - create: False
+ - require:
+ - file: mysql_cacertificate_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.cert is defined %}
+mysql_certificate:
+ file.managed:
+ - name: {{ service.ssl.cert_file }}
+ - contents_pillar: galera:{{ role }}:ssl:cert
+ - mode: 0444
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_certificate_exists:
+ file.exists:
+ - name: {{ service.ssl.cert_file }}
+mysql_certificate:
+ file.managed:
+ - name: {{ service.ssl.cert_file }}
+ - mode: 644
+ - create: False
+ - require:
+ - file: mysql_certificate_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.key is defined %}
+mysql_server_key:
+ file.managed:
+ - name: {{ service.ssl.key_file }}
+ - contents_pillar: galera:{{ role }}:ssl:key
+ - user: root
+ - group: mysql
+ - mode: 0440
+ - makedirs: true
+ - require_in:
+ - service: galera_service
+{%- else %}
+mysql_server_key_exists:
+ file.exists:
+ - name: {{ service.ssl.key_file }}
+mysql_server_key:
+ file.managed:
+ - name: {{ service.ssl.key_file }}
+ - user: root
+ - group: mysql
+ - mode: 0440
+ - create: False
+ - require:
+ - file: mysql_server_key_exists
+ - require_in:
+ - service: galera_service
+{%- endif %}
+
+{%- endif %}
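Review bot: `mysql_server_key` in the `contents_pillar` branch writes the private key through `file.managed` at its defaults, so the key body is emitted as a unified diff in the state output the first time it is written and on any later change, from where it reaches the minion log, the master job cache and any configured returner; adding `- show_changes: False` under that state keeps the secret out of those channels. The file modes are also inconsistent between branches: the pillar-backed CA and certificate states use `0444` while the pre-existing-file states use `644`, so the same file ends up with different permissions depending on how it was provisioned, and the two should agree (e.g. `- mode: 0444` in both branches). The `file.exists` guards combined with `create: False` are a sound way to enforce ownership on an operator-supplied key without overwriting it.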
diff --git a/metadata/service/ssl.yml b/metadata/service/ssl.yml
new file mode 100644
index 0000000..5b31b31
--- /dev/null
+++ b/metadata/service/ssl.yml
@@ -0,0 +1,21 @@
+# class to enable tls for galera.master and galera.slave
+
+parameters:
+ _param:
+ mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+ mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+ mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+
+ galera:
+ master:
+ ssl:
+ enabled: True
+ key_file: ${_param:mysql_ssl_key_file}
+ cert_file: ${_param:mysql_ssl_cert_file}
+ ca_file: ${_param:mysql_ssl_ca_file}
+ slave:
+ ssl:
+ enabled: True
+ key_file: ${_param:mysql_ssl_key_file}
+ cert_file: ${_param:mysql_ssl_cert_file}
+ ca_file: ${_param:mysql_ssl_ca_file}