Adding an ability to set ciphers for galera
Change-Id: I4993f997ce3440317a286c8298ded0e96806d5bd
diff --git a/README.rst b/README.rst
index 112a2db..92e8a0f 100644
--- a/README.rst
+++ b/README.rst
@@ -70,7 +70,19 @@
slave or master:
ssl:
enabled: True
-
+ ciphers:
+ DHE-RSA-AES128-SHA:
+ enabled: True
+ DHE-RSA-AES256-SHA:
+ enabled: True
+ EDH-RSA-DES-CBC3-SHA:
+ name: EDH-RSA-DES-CBC3-SHA
+ enabled: True
+ AES128-SHA:AES256-SHA:
+ name: AES128-SHA:AES256-SHA
+ enabled: True
+ DES-CBC3-SHA:
+ enabled: True
# path
cert_file: /etc/mysql/ssl/cert.pem
key_file: /etc/mysql/ssl/key.pem
diff --git a/galera/files/my.cnf b/galera/files/my.cnf
index aeb0df6..04612d9 100644
--- a/galera/files/my.cnf
+++ b/galera/files/my.cnf
@@ -78,6 +78,19 @@
{% if service.get('ssl', {}).get('enabled', False) %}
wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+{%- if service.ssl.ciphers is defined %}
+{%- set _ciphers = [] %}
+{%- for cipher_name, cipher in service.ssl.get('ciphers', {}).iteritems() %}
+{%- if cipher.get('enabled', False) %}
+{%- if cipher.name is defined %}
+{%- do _ciphers.append(cipher.name) %}
+{%- else %}
+{%- do _ciphers.append(cipher_name) %}
+{%- endif %}
+{%- endif %}
+{%- endfor %}
+ssl_cipher={{ ':'.join(_ciphers) }}
+{%- endif %}
ssl-ca={{ service.ssl.ca_file }}
ssl-cert={{ service.ssl.cert_file }}
ssl-key={{ service.ssl.key_file }}
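Review bot: The cipher list built here is written only to `ssl_cipher`, the MySQL server option, while the `wsrep_provider_options` line above enables `socket.ssl=yes` without a `socket.ssl_cipher` entry, so Galera replication traffic appears to keep the provider's default cipher whatever the pillar says. If the intent is to restrict both channels, collect `_ciphers` before that line and append `;socket.ssl_cipher={{ ':'.join(_ciphers) }}` to the provider options. When `ciphers` is defined but no entry is enabled, the template renders an empty `ssl_cipher=`, which most likely leaves the default list in effect without any warning; guard the line with `{%- if _ciphers %}`. `.iteritems()` is Python 2 only and iterates the mapping in no guaranteed order, so the rendered cipher preference order is not stable between runs. The enclosing `{% if service.get('ssl', {}).get('enabled', False) %}` block closes outside this hunk.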
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index 0dc88c9..66bd3ef 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -159,6 +159,19 @@
key_file: /etc/mysql/ssl/key.pem
cert_file: /etc/mysql/ssl/cert.pem
ca_file: /etc/mysql/ssl/ca.pem
+ ciphers:
+ DHE-RSA-AES128-SHA:
+ enabled: True
+ DHE-RSA-AES256-SHA:
+ name: DHE-RSA-AES256-SHA
+ enabled: True
+ EDH-RSA-DES-CBC3-SHA:
+ name: EDH-RSA-DES-CBC3-SHA
+ enabled: True
+ AES128-SHA:AES256-SHA:
+ enabled: True
+ DES-CBC3-SHA:
+ enabled: True
clustercheck:
enabled: True
user: clustercheck
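Review bot: Every cipher entry added to this fixture has `enabled: True`, so the template branch that filters out disabled ciphers is never rendered by the tests. Switching one entry to `enabled: False` would cover it, and the 3DES suites are the natural candidates, for example `DES-CBC3-SHA:` with `enabled: False`, since 64-bit block ciphers are exposed to SWEET32-style birthday collisions and are better left out of a list that operators may copy. The README example in this commit carries the same 3DES entries as enabled. The surrounding `ssl:` mapping starts outside the hunk.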