[salt.minion.cert] MySQL certificate and key

Adds ability to generate certificates and keys using
salt.minion.cert state for MySQL.

Usage:

Add the class to reclass model for db nodes:

classes:
 - system.salt.minion.cert.mysql.server

Apply state:
 salt 'db*' state.sls salt.minion.cert

PROD-14210
Change-Id: I8366dd618032c6179428ed5a25f59286fa518925
diff --git a/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml b/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml
new file mode 100644
index 0000000..06398e1
--- /dev/null
+++ b/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml
@@ -0,0 +1,19 @@
+---
+features:
+  - |
+    Added a system class to generate certificates and keys for MySQL.
+
+    **To generate files:**
+
+    #. Include the class to the Reclass model of your deployment:
+
+       .. code-block:: yaml
+
+          classes:
+             - system.salt.minion.cert.mysql.server
+
+    #. Apply the :command:`salt.minion.cert` Salt state:
+
+       .. code-block:: bash
+
+          salt '*' state.sls salt.minion.cert
diff --git a/salt/minion/cert/mysql/init.yml b/salt/minion/cert/mysql/init.yml
new file mode 100644
index 0000000..a1c480f
--- /dev/null
+++ b/salt/minion/cert/mysql/init.yml
@@ -0,0 +1,13 @@
+parameters:
+  _param:
+    salt_minion_ca_host: cfg01.${_param:cluster_domain}
+    salt_minion_ca_authority: salt_master_ca
+  salt:
+    minion:
+      cert:
+        mysql_server:
+          host: ${_param:salt_minion_ca_host}
+          signing_policy: cert_server
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: mysql_server
+          signing_policy: cert_open
diff --git a/salt/minion/cert/mysql/pki.yml b/salt/minion/cert/mysql/pki.yml
new file mode 100644
index 0000000..b19ef5e
--- /dev/null
+++ b/salt/minion/cert/mysql/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        mysql_server:
+          key_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}.key
+          cert_file:  /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}.crt
+          all_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}-chain-with-key.pem
diff --git a/salt/minion/cert/mysql/server.yml b/salt/minion/cert/mysql/server.yml
new file mode 100644
index 0000000..8ff7519
--- /dev/null
+++ b/salt/minion/cert/mysql/server.yml
@@ -0,0 +1,27 @@
+classes:
+- system.salt.minion.cert.mysql
+
+parameters:
+  _param:
+    mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+    mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+    mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+  salt:
+    minion:
+      cert:
+        mysql_server:
+          # IP are used as DNS due to cert verificaiton issue of python2:
+          # https://bugs.python.org/issue12000
+          alternative_names: >
+            IP:${_param:cluster_local_address},
+            IP:${_param:cluster_vip_address},
+            DNS:${_param:cluster_local_address},
+            DNS:${_param:cluster_vip_address},
+            DNS:${linux:system:name},
+            DNS:${linux:network:fqdn}
+          key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+          key_file: ${_param:mysql_ssl_key_file}
+          cert_file: ${_param:mysql_ssl_cert_file}
+          ca_file: ${_param:mysql_ssl_ca_file}
+          user: mysql
+          group: mysql