Galera cluster TLS Support

Change-Id: I07624681c53cef53de6c72de97a53b96ea52381b

README.rst

@@ -56,6 +56,27 @@ Galera cluster slave node
           user: root
           password: pass
 
+
+Enable TLS support:
+
+.. code-block:: yaml
+
+    galera:
+       slave or master:
+         ssl:
+          enabled: True
+
+          # path
+          cert_file: /etc/mysql/ssl/cert.pem
+          key_file: /etc/mysql/ssl/key.pem
+          ca_file: /etc/mysql/ssl/ca.pem
+
+          # content (not required if files already exists)
+          key: << body of key >>
+          cert: << body of cert >>
+          cacert_chain: << body of ca certs chain >>
+
+
 Configurable soft parameters
 ============================
 
@@ -68,7 +89,7 @@ Usage:
 
     _param:
       galera_innodb_buffer_pool_size: 1024M
-      galera_max_connections: 200 
+      galera_max_connections: 200
 
 Usage
 =====

galera/files/my.cnf

@@ -9,6 +9,14 @@
 {%- from "galera/map.jinja" import slave with context %}
 {%- set service = slave %}
 {%- endif %}
+
+[mysql]
+{% if service.get('ssl', {}).get('enabled', False) %}
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
 [mysqld_safe]
 syslog
 
@@ -60,6 +68,13 @@ wsrep_node_address={{ service.bind.address }}
 wsrep_provider_options="gcache.size = 256M"
 wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
 
+{% if service.get('ssl', {}).get('enabled', False) %}
+wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
 [xtrabackup]
 parallel=4
 

galera/init.sls

@@ -1,6 +1,7 @@
 
 {%- if pillar.galera is defined %}
 include:
+- galera.ssl
 {%- if pillar.galera.master is defined %}
 - galera.master
 {%- endif %}

galera/ssl.sls

@@ -0,0 +1,83 @@
+{%- from "galera/map.jinja" import master, slave with context %}
+
+{%- set service = master if pillar.galera.master is defined else slave %}
+{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+
+{%- if service.get('ssl', {}).get('enabled', False) %}
+{%- if service.ssl.cacert_chain is defined %}
+mysql_cacertificate:
+  file.managed:
+    - name: {{ service.ssl.ca_file }}
+    - contents_pillar: galera:{{ role }}:ssl:cacert_chain
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_cacertificate_exists:
+  file.exists:
+  - name: {{ service.ssl.ca_file }}
+mysql_cacertificate:
+  file.managed:
+  - name: {{ service.ssl.ca_file }}
+  - mode: 644
+  - create: False
+  - require:
+    - file: mysql_cacertificate_exists
+  - require_in:
+    - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.cert is defined %}
+mysql_certificate:
+  file.managed:
+    - name: {{ service.ssl.cert_file }}
+    - contents_pillar: galera:{{ role }}:ssl:cert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_certificate_exists:
+  file.exists:
+  - name: {{ service.ssl.cert_file }}
+mysql_certificate:
+  file.managed:
+    - name: {{ service.ssl.cert_file }}
+    - mode: 644
+    - create: False
+    - require:
+      - file: mysql_certificate_exists
+    - require_in:
+      - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.key is defined %}
+mysql_server_key:
+  file.managed:
+    - name: {{ service.ssl.key_file }}
+    - contents_pillar: galera:{{ role }}:ssl:key
+    - user: root
+    - group: mysql
+    - mode: 0440
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_server_key_exists:
+  file.exists:
+    - name: {{ service.ssl.key_file }}
+mysql_server_key:
+  file.managed:
+    - name: {{ service.ssl.key_file }}
+    - user: root
+    - group: mysql
+    - mode: 0440
+    - create: False
+    - require:
+      - file: mysql_server_key_exists
+    - require_in:
+       - service: galera_service
+{%- endif %}
+
+{%- endif %}

metadata/service/ssl.yml

@@ -0,0 +1,21 @@
+# class to enable tls for galera.master and galera.slave
+
+parameters:
+  _param:
+    mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+    mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+    mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+
+  galera:
+    master:
+      ssl:
+        enabled: True
+        key_file: ${_param:mysql_ssl_key_file}
+        cert_file: ${_param:mysql_ssl_cert_file}
+        ca_file: ${_param:mysql_ssl_ca_file}
+    slave:
+      ssl:
+        enabled: True
+        key_file: ${_param:mysql_ssl_key_file}
+        cert_file: ${_param:mysql_ssl_cert_file}
+        ca_file: ${_param:mysql_ssl_ca_file}