Secure MySQL clustering with SSL

Accept values through Heat for the contents of an X509 certificate and
key to be used in Galera clustering and write the values into files.
Set the file owner and permissions to only allow mysql access to the
certificate/key pair. Configure Galera clustering to bind to the server
ip:4567 and use the provided certificate/key pair.

This is dependent on the associated change in tripleo-heat-templates
to provide the certificate values.  If values are missing, the
clustering will not be secured.

Turning on/off secure clustering cannot be done without restarting every
node cluster.

Change-Id: I2f3406cd09a2a513347593dfcfd3121d3de096c9

elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.crt

@@ -0,0 +1 @@
+{{mysql.cluster_certificate}}

elements/mysql-common/os-apply-config/etc/ssl/mysql/from-heat.key

@@ -0,0 +1 @@
+{{mysql.cluster_key}}

elements/mysql-common/os-apply-config/mnt/state/etc/mysql/conf.d/cluster.cnf

@@ -14,3 +14,8 @@ wsrep_sst_method=rsync
 
 # Cluster name
 wsrep_cluster_name=tripleo-{{mysql.cluster_name}}
+
+{{#mysql.cluster_key}}
+# Security options
+wsrep_provider_options="gmcast.listen_addr=tcp://{{local-ipv4}}:4567; socket.ssl_cert=/etc/ssl/mysql/from-heat.crt; socket.ssl_key=/etc/ssl/mysql/from-heat.key"
+{{/mysql.cluster_key}}

elements/mysql-common/os-refresh-config/post-configure.d/10-mysql-permissions

@@ -2,3 +2,13 @@
 set -eu
 
 chmod 600 /mnt/state/etc/mysql/debian.cnf /mnt/state/etc/mysql/dbusers.json /mnt/state/etc/mysql/static-dbusers.json /mnt/state/root/metadata.my.cnf
+
+# Galera clustering certificates
+if [ -f /etc/ssl/mysql/from-heat.crt ]; then
+    chown mysql /etc/ssl/mysql/from-heat.crt
+    chmod 600 /etc/ssl/mysql/from-heat.crt
+fi
+if [ -f /etc/ssl/mysql/from-heat.key ]; then
+    chown mysql /etc/ssl/mysql/from-heat.key
+    chmod 600 /etc/ssl/mysql/from-heat.key
+fi