Change-Id: I07624681c53cef53de6c72de97a53b96ea52381bpull/37/head
user: root | user: root | ||||
password: pass | password: pass | ||||
Enable TLS support: | |||||
.. code-block:: yaml | |||||
galera: | |||||
slave or master: | |||||
ssl: | |||||
enabled: True | |||||
# path | |||||
cert_file: /etc/mysql/ssl/cert.pem | |||||
key_file: /etc/mysql/ssl/key.pem | |||||
ca_file: /etc/mysql/ssl/ca.pem | |||||
# content (not required if files already exists) | |||||
key: << body of key >> | |||||
cert: << body of cert >> | |||||
cacert_chain: << body of ca certs chain >> | |||||
Configurable soft parameters | Configurable soft parameters | ||||
============================ | ============================ | ||||
_param: | _param: | ||||
galera_innodb_buffer_pool_size: 1024M | galera_innodb_buffer_pool_size: 1024M | ||||
galera_max_connections: 200 | |||||
galera_max_connections: 200 | |||||
Usage | Usage | ||||
===== | ===== |
{%- from "galera/map.jinja" import slave with context %} | {%- from "galera/map.jinja" import slave with context %} | ||||
{%- set service = slave %} | {%- set service = slave %} | ||||
{%- endif %} | {%- endif %} | ||||
[mysql] | |||||
{% if service.get('ssl', {}).get('enabled', False) %} | |||||
ssl-ca={{ service.ssl.ca_file }} | |||||
ssl-cert={{ service.ssl.cert_file }} | |||||
ssl-key={{ service.ssl.key_file }} | |||||
{% endif %} | |||||
[mysqld_safe] | [mysqld_safe] | ||||
syslog | syslog | ||||
wsrep_provider_options="gcache.size = 256M" | wsrep_provider_options="gcache.size = 256M" | ||||
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567" | wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567" | ||||
{% if service.get('ssl', {}).get('enabled', False) %} | |||||
wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}" | |||||
ssl-ca={{ service.ssl.ca_file }} | |||||
ssl-cert={{ service.ssl.cert_file }} | |||||
ssl-key={{ service.ssl.key_file }} | |||||
{% endif %} | |||||
[xtrabackup] | [xtrabackup] | ||||
parallel=4 | parallel=4 | ||||
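Review bot: The `wsrep_provider_options="socket.ssl=yes;..."` line added inside the SSL branch is a third separate `wsrep_provider_options=` entry in the same option group; MySQL option files keep only the last occurrence of a repeated option, so with TLS enabled the `gmcast.listen_addr` binding (and, already before this change, `gcache.size`) is silently discarded and the Galera provider falls back to its defaults, which include listening on all interfaces. The provider options need to be one semicolon-separated value, e.g. `wsrep_provider_options="gcache.size = 256M;gmcast.listen_addr = tcp://{{ service.bind.address }}:4567{% if service.get('ssl', {}).get('enabled', False) %};socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}{% endif %}"` (the `[mysqld]` header these lines belong to is not shown in the hunk). As far as the hunk shows, the `ssl-*` entries make TLS available to clients but do not require it (`require_secure_transport` is not set), and nothing here covers the xtrabackup SST stream — presumably out of scope, but the README should say so. The `[mysql]` client section points the CLI at the same key that galera.ssl installs as root:mysql 0440, so a TLS session from that client will presumably fail for any other user; confirm that is intended.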
{%- if pillar.galera is defined %} | {%- if pillar.galera is defined %} | ||||
include: | include: | ||||
- galera.ssl | |||||
{%- if pillar.galera.master is defined %} | {%- if pillar.galera.master is defined %} | ||||
- galera.master | - galera.master | ||||
{%- endif %} | {%- endif %} |
{%- from "galera/map.jinja" import master, slave with context %} | |||||
{%- set service = master if pillar.galera.master is defined else slave %} | |||||
{%- set role = 'master' if pillar.galera.master is defined else 'slave' %} | |||||
{%- if service.get('ssl', {}).get('enabled', False) %} | |||||
{%- if service.ssl.cacert_chain is defined %} | |||||
mysql_cacertificate: | |||||
file.managed: | |||||
- name: {{ service.ssl.ca_file }} | |||||
- contents_pillar: galera:{{ role }}:ssl:cacert_chain | |||||
- mode: 0444 | |||||
- makedirs: true | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- else %} | |||||
mysql_cacertificate_exists: | |||||
file.exists: | |||||
- name: {{ service.ssl.ca_file }} | |||||
mysql_cacertificate: | |||||
file.managed: | |||||
- name: {{ service.ssl.ca_file }} | |||||
- mode: 644 | |||||
- create: False | |||||
- require: | |||||
- file: mysql_cacertificate_exists | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- endif %} | |||||
{%- if service.ssl.cert is defined %} | |||||
mysql_certificate: | |||||
file.managed: | |||||
- name: {{ service.ssl.cert_file }} | |||||
- contents_pillar: galera:{{ role }}:ssl:cert | |||||
- mode: 0444 | |||||
- makedirs: true | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- else %} | |||||
mysql_certificate_exists: | |||||
file.exists: | |||||
- name: {{ service.ssl.cert_file }} | |||||
mysql_certificate: | |||||
file.managed: | |||||
- name: {{ service.ssl.cert_file }} | |||||
- mode: 644 | |||||
- create: False | |||||
- require: | |||||
- file: mysql_certificate_exists | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- endif %} | |||||
{%- if service.ssl.key is defined %} | |||||
mysql_server_key: | |||||
file.managed: | |||||
- name: {{ service.ssl.key_file }} | |||||
- contents_pillar: galera:{{ role }}:ssl:key | |||||
- user: root | |||||
- group: mysql | |||||
- mode: 0440 | |||||
- makedirs: true | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- else %} | |||||
mysql_server_key_exists: | |||||
file.exists: | |||||
- name: {{ service.ssl.key_file }} | |||||
mysql_server_key: | |||||
file.managed: | |||||
- name: {{ service.ssl.key_file }} | |||||
- user: root | |||||
- group: mysql | |||||
- mode: 0440 | |||||
- create: False | |||||
- require: | |||||
- file: mysql_server_key_exists | |||||
- require_in: | |||||
- service: galera_service | |||||
{%- endif %} | |||||
{%- endif %} |
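Review bot: `mysql_server_key` with `contents_pillar: galera:{{ role }}:ssl:key` leaves `show_changes` at its default, so on first deployment and on every rotation Salt returns a unified diff of the file contents, which means the private key can end up in the minion output, the master job cache and any forwarded logs; add `- show_changes: False` to that state (the cert and CA states hold public material and can keep the default). The permission handling is also inconsistent: the cert and CA files get `0444` when written from pillar but `644` when already present — pick one value. Salt's own documentation recommends quoting modes (`- mode: '0440'`) because YAML parses an unquoted leading-zero literal as an octal integer; worth confirming the modes actually applied on a test node. None of these states `watch_in` `galera_service`, so a rotated key or certificate is presumably written to disk but not loaded until something else restarts MySQL — confirm that is the intended behaviour.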
# class to enable tls for galera.master and galera.slave | |||||
parameters: | |||||
_param: | |||||
mysql_ssl_key_file: /etc/mysql/ssl/key.pem | |||||
mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem | |||||
mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem | |||||
galera: | |||||
master: | |||||
ssl: | |||||
enabled: True | |||||
key_file: ${_param:mysql_ssl_key_file} | |||||
cert_file: ${_param:mysql_ssl_cert_file} | |||||
ca_file: ${_param:mysql_ssl_ca_file} | |||||
slave: | |||||
ssl: | |||||
enabled: True | |||||
key_file: ${_param:mysql_ssl_key_file} | |||||
cert_file: ${_param:mysql_ssl_cert_file} | |||||
ca_file: ${_param:mysql_ssl_ca_file} |