Merge "[salt.minion.cert] MySQL certificate and key"
diff --git a/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml b/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml
new file mode 100644
index 0000000..06398e1
--- /dev/null
+++ b/.releasenotes/notes/add-mysql-cert-definition-c6a2e6445020d66f.yaml
@@ -0,0 +1,19 @@
+---
+features:
+ - |
+ Added a system class to generate certificates and keys for MySQL.
+
+ **To generate files:**
+
+ #. Include the class to the Reclass model of your deployment:
+
+ .. code-block:: yaml
+
+ classes:
+ - system.salt.minion.cert.mysql.server
+
+ #. Apply the :command:`salt.minion.cert` Salt state:
+
+ .. code-block:: bash
+
+ salt '*' state.sls salt.minion.cert
diff --git a/salt/minion/cert/mysql/init.yml b/salt/minion/cert/mysql/init.yml
new file mode 100644
index 0000000..a1c480f
--- /dev/null
+++ b/salt/minion/cert/mysql/init.yml
@@ -0,0 +1,13 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ mysql_server:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql_server
+ signing_policy: cert_open
diff --git a/salt/minion/cert/mysql/pki.yml b/salt/minion/cert/mysql/pki.yml
new file mode 100644
index 0000000..b19ef5e
--- /dev/null
+++ b/salt/minion/cert/mysql/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ mysql_server:
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:mysql_server:common_name}-chain-with-key.pem
diff --git a/salt/minion/cert/mysql/server.yml b/salt/minion/cert/mysql/server.yml
new file mode 100644
index 0000000..8ff7519
--- /dev/null
+++ b/salt/minion/cert/mysql/server.yml
@@ -0,0 +1,27 @@
+classes:
+- system.salt.minion.cert.mysql
+
+parameters:
+ _param:
+ mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+ mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+ mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+ salt:
+ minion:
+ cert:
+ mysql_server:
+ # IP are used as DNS due to cert verificaiton issue of python2:
+ # https://bugs.python.org/issue12000
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ IP:${_param:cluster_vip_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${_param:cluster_vip_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_ssl_key_file}
+ cert_file: ${_param:mysql_ssl_cert_file}
+ ca_file: ${_param:mysql_ssl_ca_file}
+ user: mysql
+ group: mysql