From fe6986e57ebc1cf739f193a9de098e535c295674 Mon Sep 17 00:00:00 2001
From: Proskurin Kirill
Date: Thu, 12 Jan 2017 13:43:00 +0000
Subject: [PATCH] Add SSL encryption to galera
Change-Id: I9e6d9ee439cab734eba02320d58ccfcd73e23106
---
 service/files/ca.pem.j2 | 1 +
 service/files/defaults.yaml | 2 ++
 service/files/my.cnf.j2 | 14 +++++++++++++-
 service/files/server-cert.pem.j2 | 1 +
 service/files/server-key.pem.j2 | 1 +
 service/galera.yaml | 19 +++++++++++++++++++
 6 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 service/files/ca.pem.j2
 create mode 100644 service/files/server-cert.pem.j2
 create mode 100644 service/files/server-key.pem.j2
diff --git a/service/files/ca.pem.j2 b/service/files/ca.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 1af9da4..c35a01e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -15,6 +15,8 @@ configs:
 node: null
 port:
 cont: 3306
+ tls:
+ enabled: false
 url:
 percona:
 debian:
diff --git a/service/files/my.cnf.j2 b/service/files/my.cnf.j2
index 4dc5e4e..276742d 100644
--- a/service/files/my.cnf.j2
+++ b/service/files/my.cnf.j2
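Review bot: The new `tls.enabled: false` default is only one half of the switch: my.cnf.j2 in this commit turns TLS on only when `security.tls.enabled` is also true, and the new cert templates read `security.tls.ca_cert`, `security.tls.server_cert` and `security.tls.server_key`, none of which are defaulted or mentioned here. A short comment above the key would save operators a trip through the templates, e.g. `# TLS for client, Galera replication and SST traffic; also needs the global security.tls.enabled flag and security.tls.{ca_cert,server_cert,server_key}`. The enclosing `configs:` block starts outside the hunk.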
@@ -31,4 +31,16 @@ wsrep_provider = /usr/lib/galera3/libgalera_smm.so
 wsrep_cluster_name = {{ percona.cluster_name }}
 wsrep_sst_method = xtrabackup-v2
 wsrep_sst_auth = "xtrabackup:{{ percona.xtrabackup_password }}"
-wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes"
+wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes{% if percona.tls.enabled and security.tls.enabled %},socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem"{% endif %}
+
+{% if percona.tls.enabled and security.tls.enabled %}
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+
+[sst]
+encrypt = 4
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+{% endif %}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/galera.yaml b/service/galera.yaml
index a898206..b6a9b4b 100644
--- a/service/galera.yaml
+++ b/service/galera.yaml
@@ -63,6 +63,11 @@ service:
 - entrypoint
 - mycnf
 - galera-checker
+ # {% if percona.tls.enabled %}
+ - ca.pem
+ - server-key.pem
+ - server-cert.pem
+ # {% endif %}
 dependencies:
 - etcd
 command: /opt/ccp/bin/entrypoint.py
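Review bot: The closing double quote of `wsrep_provider_options` sits inside the `{% if %}` block, so whenever `percona.tls.enabled` or `security.tls.enabled` is false the rendered line is `wsrep_provider_options = "gcache.size=…;gcache.recover=yes` with no closing quote, which is exactly the non-TLS default this commit ships. The TLS branch also joins `socket.ssl=yes` to the previous option with a comma, while every other option in the string (and the documented separator for provider options) is `;`, so `gcache.recover` presumably ends up with a mangled value instead of `socket.ssl` being set. Moving the quote after `{% endif %}` and using `;` fixes both: `wsrep_provider_options = "gcache.size={{ percona.gcache_size }};gcache.recover=yes{% if percona.tls.enabled and security.tls.enabled %};socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem{% endif %}"`. Separately, the server-section `ssl-ca`/`ssl-cert`/`ssl-key` lines only make TLS available to clients, not mandatory; if the Percona version in use supports `require_secure_transport`, setting it under the same condition would refuse plaintext client connections instead of leaving encryption to the client's choice.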
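Review bot: The `# {% if percona.tls.enabled %}` guards in this hunk and in the `files:` hunk at `@@ -86,3 +91,17 @@` test only the service flag, while my.cnf.j2 in the same commit requires `percona.tls.enabled and security.tls.enabled`. With the service flag on and the global flag off, the three cert files are still rendered from `security.tls.ca_cert`/`server_cert`/`server_key` (presumably unset in that case) and mounted under `/etc/mysql/certs` with `0400`, while mysqld is not configured to use them, so the two halves of the feature disagree about what "enabled" means. Using the same condition in both YAML hunks, `# {% if percona.tls.enabled and security.tls.enabled %}`, keeps the file list and the config in step; alternatively drop the `security.tls.enabled` term from my.cnf.j2 if the project convention is to gate on the service flag alone. The enclosing `service:` block starts outside the hunk.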
@@ -86,3 +91,17 @@ files:
 path: /opt/ccp/bin/haproxy_entrypoint.py
 content: haproxy_entrypoint.py
 perm: "0755"
+# {% if percona.tls.enabled %}
+ ca.pem:
+ path: /etc/mysql/certs/ca.pem
+ content: ca.pem.j2
+ perm: "0400"
+ server-key.pem:
+ path: /etc/mysql/certs/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ server-cert.pem:
+ path: /etc/mysql/certs/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+# {% endif %}