Merge branch 'master' into pr/27

README.rst

@@ -56,6 +56,26 @@ Galera cluster slave node
           user: root
           password: pass
 
+Enable TLS support:
+
+.. code-block:: yaml
+
+    galera:
+       slave or master:
+         ssl:
+          enabled: True
+
+          # path
+          cert_file: /etc/mysql/ssl/cert.pem
+          key_file: /etc/mysql/ssl/key.pem
+          ca_file: /etc/mysql/ssl/ca.pem
+
+          # content (not required if files already exists)
+          key: << body of key >>
+          cert: << body of cert >>
+          cacert_chain: << body of ca certs chain >>
+
+
 Additional mysql users:
 
 .. code-block:: yaml
@@ -104,7 +124,7 @@ Usage:
 
     _param:
       galera_innodb_buffer_pool_size: 1024M
-      galera_max_connections: 200 
+      galera_max_connections: 200
 
 
 Usage

galera/files/init_bootstrap.sh

@@ -7,7 +7,7 @@ retries=0
 
 while [ $counter -gt 0 ]
 do
-  mysql -u root -e"quit"
+  mysql -u root -e"quit" || mysql -u {{ service.admin.user }} -p{{ service.admin.password }} -e"quit"
   if [[ $? -eq 0 ]]; then
     echo "Sucessfully connected to the MySQL service ($retries retries)."
     exit 0

galera/files/my.cnf

@@ -9,6 +9,14 @@
 {%- from "galera/map.jinja" import slave with context %}
 {%- set service = slave %}
 {%- endif %}
+
+[mysql]
+{% if service.get('ssl', {}).get('enabled', False) %}
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
 [mysqld_safe]
 syslog
 
@@ -60,6 +68,13 @@ wsrep_node_address={{ service.bind.address }}
 wsrep_provider_options="gcache.size = 256M"
 wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
 
+{% if service.get('ssl', {}).get('enabled', False) %}
+wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
 [xtrabackup]
 parallel=4
 

galera/init.sls

@@ -1,6 +1,7 @@
 
 {%- if pillar.galera is defined %}
 include:
+- galera.ssl
 {%- if pillar.galera.master is defined %}
 - galera.master
 {%- endif %}

galera/master.sls

@@ -168,23 +168,12 @@ mysql_bootstrap_update_maint_password:
   - require:
     - cmd: galera_bootstrap_set_root_password
 
-galera_bootstrap_stop_service_pre:
-  cmd.run:
-  - name: mysqladmin -h localhost -u root -p{{ master.admin.password }} shutdown
-  {%- if not grains.get('noservices', False) %}
-  - ignore_retcode: true
-  - require:
-    - cmd: mysql_bootstrap_update_maint_password
-  {%- else %}
-  - onlyif: /bin/false
-  {%- endif %}
-
 galera_bootstrap_stop_service:
   service.dead:
   - name: {{ master.service }}
   {%- if not grains.get('noservices', False) %}
   - require:
-    - cmd: galera_bootstrap_stop_service_pre
+    - cmd: mysql_bootstrap_update_maint_password
   {%- else %}
   - onlyif: /bin/false
   {%- endif %}

galera/slave.sls

@@ -167,23 +167,12 @@ mysql_bootstrap_update_maint_password:
   - require:
     - cmd: galera_bootstrap_set_root_password
 
-galera_bootstrap_stop_service_pre:
-  cmd.run:
-  - name: mysqladmin -h localhost -u root -p{{ slave.admin.password }} shutdown
-  {%- if not grains.get('noservices', False) %}
-  - ignore_retcode: true
-  - require:
-    - cmd: mysql_bootstrap_update_maint_password
-  {%- else %}
-  - onlyif: /bin/false
-  {%- endif %}
-
 galera_bootstrap_stop_service:
   service.dead:
   - name: {{ slave.service }}
   {%- if not grains.get('noservices', False) %}
   - require:
-    - cmd: galera_bootstrap_stop_service_pre
+    - cmd: mysql_bootstrap_update_maint_password
   {%- else %}
   - onlyif: /bin/false
   {%- endif %}

galera/ssl.sls

@@ -0,0 +1,83 @@
+{%- from "galera/map.jinja" import master, slave with context %}
+
+{%- set service = master if pillar.galera.master is defined else slave %}
+{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+
+{%- if service.get('ssl', {}).get('enabled', False) %}
+{%- if service.ssl.cacert_chain is defined %}
+mysql_cacertificate:
+  file.managed:
+    - name: {{ service.ssl.ca_file }}
+    - contents_pillar: galera:{{ role }}:ssl:cacert_chain
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_cacertificate_exists:
+  file.exists:
+  - name: {{ service.ssl.ca_file }}
+mysql_cacertificate:
+  file.managed:
+  - name: {{ service.ssl.ca_file }}
+  - mode: 644
+  - create: False
+  - require:
+    - file: mysql_cacertificate_exists
+  - require_in:
+    - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.cert is defined %}
+mysql_certificate:
+  file.managed:
+    - name: {{ service.ssl.cert_file }}
+    - contents_pillar: galera:{{ role }}:ssl:cert
+    - mode: 0444
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_certificate_exists:
+  file.exists:
+  - name: {{ service.ssl.cert_file }}
+mysql_certificate:
+  file.managed:
+    - name: {{ service.ssl.cert_file }}
+    - mode: 644
+    - create: False
+    - require:
+      - file: mysql_certificate_exists
+    - require_in:
+      - service: galera_service
+{%- endif %}
+
+{%- if service.ssl.key is defined %}
+mysql_server_key:
+  file.managed:
+    - name: {{ service.ssl.key_file }}
+    - contents_pillar: galera:{{ role }}:ssl:key
+    - user: root
+    - group: mysql
+    - mode: 0440
+    - makedirs: true
+    - require_in:
+      - service: galera_service
+{%- else %}
+mysql_server_key_exists:
+  file.exists:
+    - name: {{ service.ssl.key_file }}
+mysql_server_key:
+  file.managed:
+    - name: {{ service.ssl.key_file }}
+    - user: root
+    - group: mysql
+    - mode: 0440
+    - create: False
+    - require:
+      - file: mysql_server_key_exists
+    - require_in:
+       - service: galera_service
+{%- endif %}
+
+{%- endif %}

metadata/service/ssl.yml

@@ -0,0 +1,21 @@
+# class to enable tls for galera.master and galera.slave
+
+parameters:
+  _param:
+    mysql_ssl_key_file: /etc/mysql/ssl/key.pem
+    mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
+    mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
+
+  galera:
+    master:
+      ssl:
+        enabled: True
+        key_file: ${_param:mysql_ssl_key_file}
+        cert_file: ${_param:mysql_ssl_cert_file}
+        ca_file: ${_param:mysql_ssl_ca_file}
+    slave:
+      ssl:
+        enabled: True
+        key_file: ${_param:mysql_ssl_key_file}
+        cert_file: ${_param:mysql_ssl_cert_file}
+        ca_file: ${_param:mysql_ssl_ca_file}