Merge "Adding an ability to set cert file path's"
diff --git a/README.rst b/README.rst
index 552c50c..8bad16c 100644
--- a/README.rst
+++ b/README.rst
@@ -67,7 +67,7 @@
mysql:
server:
enabled: true
- version: '5.5'
+ version: '5.7'
replication:
role: slave
master: master.salt.id
@@ -76,6 +76,89 @@
authority: Org_CA
certificate: name_of_service
client_certificate: name_of_client_cert
+ ca_file: /etc/mysql/ca.crt
+ cert_file: /etc/mysql/server.crt
+ key_file: /etc/mysql/server.key
+ client_cert_file: /etc/mysql/client-cert.pem
+ client_key_file: /etc/mysql/client-key.pem
+ tls_version: TLSv1.1,TLSv1.2
+ ciphers:
+ DHE-RSA-AES128-SHA:
+ enabled: True
+ DHE-RSA-AES256-SHA:
+ name: DHE-RSA-AES256-SHA
+ enabled: True
+ EDH-RSA-DES-CBC3-SHA:
+ name: EDH-RSA-DES-CBC3-SHA
+ enabled: True
+ AES128-SHA:AES256-SHA:
+ enabled: True
+ DES-CBC3-SHA:
+ enabled: True
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIB6TCCAZOgAwIBAgIJAIfmjJydRX+GMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
+ BAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkwFwYDVQQHDBBLYXJkYXNvdmEg
+ UmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MzAxMTM1MzhaFw0yNzA4
+ MjgxMTM1MzhaMFAxCzAJBgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkw
+ FwYDVQQHDBBLYXJkYXNvdmEgUmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczBcMA0G
+ CSqGSIb3DQEBAQUAA0sAMEgCQQDhW6xXGA2iKd5ngRwqoU0A0pD71/moFm48q0UP
+ Tg8vUsIO3WBIEKVLzpln9sU9gplCTx1ScsFBiRi2E3Wv+PnFAgMBAAGjUDBOMB0G
+ A1UdDgQWBBSJ42eEq3O0faBj+NBXWV5O2Vr1PTAfBgNVHSMEGDAWgBSJ42eEq3O0
+ faBj+NBXWV5O2Vr1PTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA3fbu
+ x0W+XORSyFcChwFyhd+ka0R/FB4IL2udPXWX96x+0inuYi2Pta++3fMGmf30GF7Y
+ 1Iv89B+NrhLHCfkEbg==
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA4VusVxgNoineZ4Ec
+ KqFNANKQ+9f5qBZuPKtFD04PL1LCDt1gSBClS86ZZ/bFPYKZQk8dUnLBQYkYthN1
+ r/j5xQIDAQABAkB4ip+Zin0oY3raJF5bkyHsMbVpcHHS7gSTIQ10jU1kAsBAVA2p
+ wIvZte5fIuaA6pEQ/ogZ5oTdCSz+bgtR50ShAiEA+DjNRJeUvaXNYyNBqKyPI1oT
+ na2QqV43z74txQ8FOykCIQDoa3YqPO4b70hglJOJMIYyMQAkAzdichKTWbBaIJf5
+ PQIhANTqLDCU8RIHoXhTKqPbeGAziLXsxjRxS+BXWf05GByZAiB5whpEZGklL0TO
+ e+eSnl4fGzaEpz6zjykWEo1lmd+jzQIgL740kEr8J+Q1ppNDJBtbZnc7yp+P/DKL
+ wo20+sNoyFU=
+ -----END PRIVATE KEY-----
+ client_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIB6TCCAZOgAwIBAgIJAMOZDw2vHe+UMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
+ BAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkwFwYDVQQHDBBLYXJkYXNvdmEg
+ UmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MzAxMTU0MzVaFw0yNzA4
+ MjgxMTU0MzVaMFAxCzAJBgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkw
+ FwYDVQQHDBBLYXJkYXNvdmEgUmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczBcMA0G
+ CSqGSIb3DQEBAQUAA0sAMEgCQQD68iXHw1rQDWXFmdEPuv/8OCiUS1R6FoHqL357
+ VvqHA5339j8XKxtPnV2SY8DoMxEy1j7SYAyxD5xsZDVx14RpAgMBAAGjUDBOMB0G
+ A1UdDgQWBBTJ25400u3yEyiHykdeja+TGEMVKjAfBgNVHSMEGDAWgBTJ25400u3y
+ EyiHykdeja+TGEMVKjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAaiMK
+ a4m6eSuk5emcw7igaV3UtydA6tduMvjL3zNcbI58on5YV7xgBTPXqDjq4QvAw06P
+ /PWEXbl2jaCHaX06wA==
+ -----END CERTIFICATE-----
+ client_key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA+vIlx8Na0A1lxZnR
+ D7r//DgolEtUehaB6i9+e1b6hwOd9/Y/FysbT51dkmPA6DMRMtY+0mAMsQ+cbGQ1
+ cdeEaQIDAQABAkEApuTYn4ybHvdqEgsEcVPK37Fxu36GBlRlvpwroFfuck9yYod+
+ CZMPdFWD0/H29Tj1g5p/NKHGAcM3jtqf7daOCQIhAP4DCQguBpJChtQ9/LzGasJe
+ LN5bg/ChpFmN6iVnwEDbAiEA/Oj4ELceNaDVsVG8sVI3IrG/8xgXhYnNex/e5LPR
+ oQsCIEXE7akqgzGPRltrv0zWryI+HdLhjib9LxhOC59ElSD7AiEAz98EFWkNMXLy
+ cP4Ho485thB2/m1s19t9wpddcojB4iUCIBJ1hIyrfWFAh8ktK9mNolMPR50+4eZk
+ nTe8UvFB7ZIB
+ -----END PRIVATE KEY-----
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIB6TCCAZOgAwIBAgIJAOqENcDHki1ZMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
+ BAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkwFwYDVQQHDBBLYXJkYXNvdmEg
+ UmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MzAxMTU3MjBaFw0yNzA4
+ MjgxMTU3MjBaMFAxCzAJBgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMRkw
+ FwYDVQQHDBBLYXJkYXNvdmEgUmVjaWNlMREwDwYDVQQKDAhNaXJhbnRpczBcMA0G
+ CSqGSIb3DQEBAQUAA0sAMEgCQQDR16IIDivaiFCgxe43WuZDNPnn+Efb5E8/oTMY
+ fVR8DS9u+arKL0WRW3unDPErpZAoESa2GV+QIRfmJBtS7MWJAgMBAAGjUDBOMB0G
+ A1UdDgQWBBT3yZnbvcTfd4qUxSSaNMMmToCuETAfBgNVHSMEGDAWgBT3yZnbvcTf
+ d4qUxSSaNMMmToCuETAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EArDqA
+ Y5Dnrw3xbFDoAYGVrvSwdabt5IbTA5xpAWYOqomkIMhJf8UptGZ6SkYoPKFLz+bL
+ 1yBBSG809x2L+BRFEA==
+ -----END CERTIFICATE-----
admin:
user: root
password: pass
diff --git a/mysql/conf/my.cnf.Debian b/mysql/conf/my.cnf.Debian
index 6c6e9af..e138ed0 100644
--- a/mysql/conf/my.cnf.Debian
+++ b/mysql/conf/my.cnf.Debian
@@ -28,9 +28,21 @@
{%- endif %}
{%- if server.ssl.enabled and server.replication.role in ['slave'] %}
-ssl-ca=/etc/mysql/cacert.pem
-ssl-cert=/etc/mysql/client-cert.pem
-ssl-key=/etc/mysql/client-key.pem
+ {%- if server.ssl.tls_version is defined %}
+tls_version={{ server.ssl.tls_version }}
+ {%- endif %}
+ {%- if server.ssl.ciphers is defined %}
+ {%- set _ciphers = [] %}
+ {%- for cipher_name, cipher in server.ssl.get('ciphers', {}).iteritems() %}
+ {%- if cipher.get('enabled', False) %}
+ {%- do _ciphers.append(cipher.get('name', cipher_name)) %}
+ {%- endif %}
+ {%- endfor %}
+ssl_cipher={{ ':'.join(_ciphers) }}
+ {%- endif %}
+ssl-ca={{ server.ssl.ca_file }}
+ssl-cert={{ server.ssl.client_cert_file }}
+ssl-key={{ server.ssl.client_key_file }}
{%- endif %}
# Here is entries for some specific programs
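Review bot: `server.ssl.get('ciphers', {}).iteritems()` in the new cipher loop is Python 2 only, so this template stops rendering on a Python 3 Salt minion; `.items()` works on both. The loop also writes a bare `ssl_cipher=` when `ciphers` is defined but no entry is enabled, which is unlikely to be what the operator meant — wrap the line in `{%- if _ciphers %} … {%- endif %}`. Because `ciphers` is a plain mapping, the order of the joined list, and so the cipher preference handed to MySQL, follows dict iteration order and may differ between renders; iterate over `sorted(...)` or accept an ordered list if preference matters. The config section this block belongs to starts above the hunk.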
@@ -144,11 +156,21 @@
#
{%- if server.ssl.enabled and server.replication.role in ['master', 'slave', 'both', 'none'] %}
-#old_passwords = 1
-#old_passwords param is deprecated in MySQL 5.7 and currently only accepts values 0 or 2
-ssl-ca=/etc/mysql/cacert.pem
-ssl-cert=/etc/mysql/server-cert.pem
-ssl-key=/etc/mysql/server-key.pem
+ {%- if server.ssl.tls_version is defined %}
+tls_version={{ server.ssl.tls_version }}
+ {%- endif %}
+ {%- if server.ssl.ciphers is defined %}
+ {%- set _ciphers = [] %}
+ {%- for cipher_name, cipher in server.ssl.get('ciphers', {}).iteritems() %}
+ {%- if cipher.get('enabled', False) %}
+ {%- do _ciphers.append(cipher.get('name', cipher_name)) %}
+ {%- endif %}
+ {%- endfor %}
+ssl_cipher={{ ':'.join(_ciphers) }}
+ {%- endif %}
+ssl-ca={{ server.ssl.ca_file }}
+ssl-cert={{ server.ssl.cert_file }}
+ssl-key={{ server.ssl.key_file }}
{%- endif %}
[mysqldump]
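Review bot: The block from `tls_version=` to `ssl_cipher=` duplicates, line for line, the one added to the replication-slave section earlier in this file, so any later fix (for instance replacing the Python-2-only `iteritems()` with `items()`) has to be made twice. A Jinja macro defined near the top of the file and called from both places keeps the two in step; the rewrite below also skips the `ssl_cipher=` line when nothing is enabled. `tls_version` is, as far as I recall, a MySQL 5.7.10+ server option and not accepted by older MariaDB builds, which is worth a README caveat if this formula targets them (the supported versions are not visible in this diff). The server section this block belongs to starts above the hunk.
```jinja
{#- rendered once for both the replication-client and server sections #}
{%- macro ssl_policy() %}
  {%- if server.ssl.tls_version is defined %}
tls_version={{ server.ssl.tls_version }}
  {%- endif %}
  {%- set _ciphers = [] %}
  {%- for cipher_name, cipher in server.ssl.get('ciphers', {}).items() %}
    {%- if cipher.get('enabled', False) %}
      {%- do _ciphers.append(cipher.get('name', cipher_name)) %}
    {%- endif %}
  {%- endfor %}
  {%- if _ciphers %}
ssl_cipher={{ ':'.join(_ciphers) }}
  {%- endif %}
{%- endmacro %}
{# … unchanged: slave-side block, which calls {{ ssl_policy() }} in place of its copy … #}
{%- if server.ssl.enabled and server.replication.role in ['master', 'slave', 'both', 'none'] %}
{{ ssl_policy() }}
ssl-ca={{ server.ssl.ca_file }}
ssl-cert={{ server.ssl.cert_file }}
ssl-key={{ server.ssl.key_file }}
{%- endif %}
```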
diff --git a/mysql/map.jinja b/mysql/map.jinja
index d372c2c..b2aebe6 100644
--- a/mysql/map.jinja
+++ b/mysql/map.jinja
@@ -8,10 +8,15 @@
'config': '/etc/mysql/my.cnf',
'maintenance_password': '5Pg91H1flC4HSVns',
'replication': {
- 'role': 'none',
+ 'role': 'none',
},
'ssl': {
- 'enabled': False
+ 'enabled': False,
+ 'ca_file': '/etc/mysql/cacert.pem',
+ 'cert_file': '/etc/mysql/server-cert.pem',
+ 'key_file': '/etc/mysql/server-key.pem',
+ 'client_cert_file': '/etc/mysql/client-cert.pem',
+ 'client_key_file': '/etc/mysql/client-key.pem'
}
},
'RedHat': {
@@ -19,10 +24,15 @@
'service': 'mysqld',
'config': '/etc/my.cnf',
'replication': {
- 'role': 'none',
+ 'role': 'none',
},
'ssl': {
- 'enabled': False
+ 'enabled': False,
+ 'ca_file': '/etc/mysql/cacert.pem',
+ 'cert_file': '/etc/mysql/server-cert.pem',
+ 'key_file': '/etc/mysql/server-key.pem',
+ 'client_cert_file': '/etc/mysql/client-cert.pem',
+ 'client_key_file': '/etc/mysql/client-key.pem'
}
},
}, merge=salt['pillar.get']('mysql:server')) %}
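Review bot: The RedHat defaults put `ca_file`, `cert_file` and `key_file` under `/etc/mysql/`, but that family's config lives at `/etc/my.cnf` (context line above) and a stock RHEL/CentOS MySQL install typically has no `/etc/mysql` directory, so the `file.managed` states will fail unless they set `makedirs: True` — which this diff does not show. Either pick a directory that exists on that family (for example next to `/etc/my.cnf`) or add `makedirs: True` to the certificate states. The Debian defaults keep the previous hard-coded names (`cacert.pem`, `server-cert.pem`, …), so existing Debian deployments are not moved; the same holds here only where `/etc/mysql` already existed.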
@@ -41,4 +51,4 @@
{%- set mysql_connection_args = {'user': 'root',
'password': '',
'charset': 'utf8'} %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/mysql/server/_connect_replication_slave.sls b/mysql/server/_connect_replication_slave.sls
index 3c324c3..65d5cbd 100644
--- a/mysql/server/_connect_replication_slave.sls
+++ b/mysql/server/_connect_replication_slave.sls
@@ -7,18 +7,16 @@
file.managed:
- contents: {{ master_status }}
-{%- if pillar.mysql.server.ssl.client_certificate is defined %}
+{%- set setup_replication_query = "CHANGE MASTER TO MASTER_HOST='" + server.replication.master_address + "', MASTER_USER='" + server.replication.user + "', MASTER_PASSWORD='" + server.replication.password + "', MASTER_LOG_FILE='" + master_status.get('File', 'mysql-bin.000001') + "', MASTER_LOG_POS=" + master_status.get('Position', '1')|string %}
-{%- set setup_replication_query = "CHANGE MASTER TO MASTER_HOST='"+server.replication.master_address+"', MASTER_USER='"+server.replication.user+"', MASTER_PASSWORD='"+server.replication.password+"', MASTER_LOG_FILE='"+master_status.get('File', 'mysql-bin.000001')+"', MASTER_SSL=1, MASTER_LOG_POS="+master_status.get('Position', '1')|string+", MASTER_SSL_CA='/etc/mysql/cacert.pem', MASTER_SSL_CERT='/etc/mysql/client-cert.pem', MASTER_SSL_KEY='/etc/mysql/client-key.pem'; START SLAVE;" %}
-
+{%- if server.ssl.enabled %}
+ {%- set ssl_opts = ", MASTER_SSL=1, MASTER_SSL_CA='" + server.ssl.ca_file + "', MASTER_SSL_CERT='" + server.ssl.client_cert_file + "', MASTER_SSL_KEY='" + server.ssl.client_key_file + "'" %}
{%- else %}
-
-{%- set setup_replication_query = "CHANGE MASTER TO MASTER_HOST='"+server.replication.master_address+"', MASTER_USER='"+server.replication.user+"', MASTER_PASSWORD='"+server.replication.password+"', MASTER_LOG_FILE='"+master_status.get('File', 'mysql-bin.000001')+"', MASTER_SSL=0, MASTER_LOG_POS="+master_status.get('Position', '1')|string+"; START SLAVE;" %}
-
+ {%- set ssl_opts = ", MASTER_SSL=0" %}
{%- endif %}
-{%- if salt['mysql.query'] is defined %}
+{%- if salt['mysql.query'] is defined %}
-{%- set setup_replication_result = salt['mysql.query']('mysql', setup_replication_query) %}
+{%- set setup_replication_result = salt['mysql.query']('mysql', setup_replication_query + ssl_opts + "; START SLAVE;") %}
{%- endif %}
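Review bot: `ssl_opts` now points `CHANGE MASTER` at `client_cert_file`, `client_key_file` and `ca_file` whenever `server.ssl.enabled` is true, but service.sls in this same change writes the client certificate and key only when `server.ssl.client_certificate is defined` (and the CA file only when `authority is defined`), so an `enabled: true` pillar without those keys hands MySQL paths that nothing deployed; gate `ssl_opts` on the same condition, or make the file states unconditional as they were. The new options also omit `MASTER_SSL_VERIFY_SERVER_CERT`, which defaults to off, so the master's identity (CN/SAN against `master_address`) is not checked and any certificate issued by the configured CA — possibly the slave's own client certificate, if the same authority issued it — is accepted; add `, MASTER_SSL_VERIFY_SERVER_CERT=1` after `MASTER_SSL=1` once the master certificate carries the right name. Inherited by the rewritten `setup_replication_query` rather than new: the password is concatenated into the statement unescaped, so a `'` in `server.replication.password` breaks the query — `server.replication.password|replace("'", "''")` would cover it. The state this lives in starts above the hunk.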
diff --git a/mysql/server/service.sls b/mysql/server/service.sls
index e276267..2ce3e64 100644
--- a/mysql/server/service.sls
+++ b/mysql/server/service.sls
@@ -7,8 +7,10 @@
{%- if server.ssl.enabled %}
-/etc/mysql/server-cert.pem:
+{%- if server.ssl.certificate is defined %}
+mysql_server_cert:
file.managed:
+ - name: {{ server.ssl.cert_file }}
{%- if server.ssl.cert is defined %}
- contents_pillar: mysql:server:ssl:cert
{%- else %}
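Review bot: Gating `mysql_server_cert` on `server.ssl.certificate is defined` means a pillar that supplies the certificate inline via `cert` (the branch on the following line) but sets no `certificate` name no longer gets a file written at all, while the my.cnf template in this change emits `ssl-cert={{ server.ssl.cert_file }}` whenever `ssl.enabled` is true. Before this change the file was managed unconditionally under `ssl.enabled`, so this is a behaviour change for inline-cert pillars; use `{%- if server.ssl.cert is defined or server.ssl.certificate is defined %}`, or keep the state unconditional and let the existing `else` branch resolve the CA-issued certificate. The `file.managed` state continues below the hunk.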
@@ -19,9 +21,12 @@
- pkg: mysql_packages
- watch_in:
- service: mysql_service
+{%- endif %}
-/etc/mysql/server-key.pem:
+{%- if server.ssl.certificate is defined %}
+mysql_server_key:
file.managed:
+ - name: {{ server.ssl.key_file }}
{%- if server.ssl.key is defined %}
- contents_pillar: mysql:server:ssl:key
{%- else %}
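Review bot: `mysql_server_key` now writes the private key to an operator-supplied `key_file` path, and nothing in the hunk constrains ownership or permissions; if the rest of the state (below the hunk) does not already set `- user: mysql`, `- group: mysql` and `- mode: 600`, the key is created with Salt's default mode and may be readable by every local account. The new `server.ssl.certificate is defined` gate also applies to the key but not to the `ssl-key={{ server.ssl.key_file }}` line the my.cnf template emits whenever `ssl.enabled` is true, so a pillar with inline `key` content and no `certificate` name leaves mysqld pointing at a key that was never written. The state's remaining arguments lie below the hunk.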
@@ -33,11 +38,14 @@
- pkg: mysql_packages
- watch_in:
- service: mysql_service
+{%- endif %}
{%- if server.replication.role in ['slave', 'both'] %}
-/etc/mysql/client-cert.pem:
+{%- if server.ssl.client_certificate is defined %}
+mysql_client_cert:
file.managed:
+ - name: {{ server.ssl.client_cert_file }}
{%- if server.ssl.client_cert is defined %}
- contents_pillar: mysql:server:ssl:client_cert
{%- else %}
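Review bot: The client certificate is now written only when `server.ssl.client_certificate is defined`, but `_connect_replication_slave.sls` in this change issues `MASTER_SSL_CERT='<client_cert_file>'` whenever `server.ssl.enabled` is true, so a slave with `enabled: true` and only an inline `client_cert` (the branch on the following line) ends up with `CHANGE MASTER` referencing a file this state skipped. Align the two — `{%- if server.ssl.client_cert is defined or server.ssl.client_certificate is defined %}` here and the same condition around `ssl_opts` in the slave state — or leave the file state unconditional as it was. The state body continues below the hunk.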
@@ -48,9 +56,12 @@
- pkg: mysql_packages
- watch_in:
- service: mysql_service
+{%- endif %}
-/etc/mysql/client-key.pem:
+{%- if server.ssl.client_certificate is defined %}
+mysql_client_key:
file.managed:
+ - name: {{ server.ssl.client_key_file }}
{%- if server.ssl.client_key is defined %}
- contents_pillar: mysql:server:ssl:client_key
{%- else %}
@@ -62,11 +73,14 @@
- pkg: mysql_packages
- watch_in:
- service: mysql_service
+{%- endif %}
{%- endif %}
-/etc/mysql/cacert.pem:
+{%- if server.ssl.authority is defined %}
+mysql_ca_file:
file.managed:
+ - name: {{ server.ssl.ca_file }}
{%- if server.ssl.cacert is defined %}
- contents_pillar: mysql:server:ssl:cacert
{%- else %}
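Review bot: `mysql_ca_file` is now skipped unless `server.ssl.authority is defined`, yet the my.cnf template in this change writes `ssl-ca={{ server.ssl.ca_file }}` in both the client and server sections whenever `ssl.enabled` is true, and the next line shows inline `cacert` content is a supported alternative to an authority name. When the CA file is missing, MySQL 5.7 (as far as I recall) logs a warning and starts with SSL disabled rather than refusing to start, so this mismatch can degrade replication to plaintext silently — make the gate `{%- if server.ssl.cacert is defined or server.ssl.authority is defined %}`, or unconditional as before. The `file.managed` state continues below the hunk.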
@@ -77,6 +91,7 @@
- pkg: mysql_packages
- watch_in:
- service: mysql_service
+{%- endif %}
{%- endif %}
diff --git a/tests/pillar/replication_master.sls b/tests/pillar/replication_master.sls
index 4eac076..1b77afe 100644
--- a/tests/pillar/replication_master.sls
+++ b/tests/pillar/replication_master.sls
@@ -10,6 +10,20 @@
server_id: 1
ssl:
enabled: true
+ tls_version: TLSv1.1,TLSv1.2
+ ciphers:
+ DHE-RSA-AES128-SHA:
+ enabled: True
+ DHE-RSA-AES256-SHA:
+ name: DHE-RSA-AES256-SHA
+ enabled: True
+ EDH-RSA-DES-CBC3-SHA:
+ name: EDH-RSA-DES-CBC3-SHA
+ enabled: True
+ AES128-SHA:AES256-SHA:
+ enabled: True
+ DES-CBC3-SHA:
+ enabled: True
cert: |
-----BEGIN CERTIFICATE-----
MIIB6TCCAZOgAwIBAgIJAIfmjJydRX+GMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
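Review bot: The enabled cipher set includes `DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA` (3DES, 64-bit block, SWEET32) and `tls_version` admits TLS 1.1; because the README example added in this same change is a verbatim copy of this fixture, that list becomes the de-facto recommended configuration. Keep a deliberately weak entry here only if a test asserts on it; otherwise set `tls_version: TLSv1.2` and enable AES-GCM/ECDHE suites (where the MySQL build's TLS library offers them) so the documented example is safe to copy. Two smaller points: `AES128-SHA:AES256-SHA` is one mapping key naming two ciphers — it renders correctly because the key is used verbatim, but one entry per cipher is clearer — and `True` should be `true` to satisfy yamllint's truthy rule under Salt's YAML 1.1 loader (both render the same).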
@@ -35,7 +49,6 @@
e+eSnl4fGzaEpz6zjykWEo1lmd+jzQIgL740kEr8J+Q1ppNDJBtbZnc7yp+P/DKL
wo20+sNoyFU=
-----END PRIVATE KEY-----
-
client_cert: |
-----BEGIN CERTIFICATE-----
MIIB6TCCAZOgAwIBAgIJAMOZDw2vHe+UMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
@@ -50,7 +63,6 @@
a4m6eSuk5emcw7igaV3UtydA6tduMvjL3zNcbI58on5YV7xgBTPXqDjq4QvAw06P
/PWEXbl2jaCHaX06wA==
-----END CERTIFICATE-----
-
client_key: |
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA+vIlx8Na0A1lxZnR
@@ -62,7 +74,6 @@
cP4Ho485thB2/m1s19t9wpddcojB4iUCIBJ1hIyrfWFAh8ktK9mNolMPR50+4eZk
nTe8UvFB7ZIB
-----END PRIVATE KEY-----
-
cacert: |
-----BEGIN CERTIFICATE-----
MIIB6TCCAZOgAwIBAgIJAOqENcDHki1ZMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV
@@ -88,4 +99,4 @@
minion:
mine:
module:
- mysql.get_master_status: []
\ No newline at end of file
+ mysql.get_master_status: []