diff --git a/defaults/main.yml b/defaults/main.yml
index 39b8c163..e9d68f1b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -121,3 +121,23 @@ qpress_package_download_validate_certs: yes
qpress_package_url: "{{ qpress_arch_url.get( galera_package_arch | lower ) }}"
qpress_package_sha256: "{{ qpress_arch_sha256.get( galera_package_arch | lower ) }}"
qpress_package_path: "/opt/{{ qpress_package_url | basename }}"
+
+# Galera Server SSL functionality.
+
+galera_use_ssl: false
+galera_ssl_cert: /etc/mysql/ssl/galera.pem
+galera_ssl_key: /etc/mysql/ssl/galera.key
+galera_ssl_ca_cert: /etc/mysql/ssl/galera-ca.pem
+# These options should be specified in user_variables if necessary, otherwise self-signed certs are used.
+galera_user_ssl_cert: /etc/openstack_deploy/self_signed_certs/galera.pem
+galera_user_ssl_key: /etc/openstack_deploy/self_signed_certs/galera.key
+galera_user_ssl_ca_cert: /etc/openstack_deploy/self_signed_certs/galera-ca.pem
+# Set galera_ssl_self_signed_regen to true if you want to generate a new
+# SSL certificate for Galera when this playbook runs. You can also change
+# the subject of the self-signed certificate here if you prefer.
+galera_ssl_self_signed_regen: false
+galera_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ galera_ssl_address }}"
+galera_ssl_ca_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT"
+# This option is used for creating the CA and overriding the Galera address on the clients side.
+# Should be set to either public VIP of VIP FQDN, depending on what is currently used in the env.
+galera_ssl_address: "{{ ansible_host }}"
diff --git a/releasenotes/notes/implement-ssl-dd42ad2ff91af0bd.yaml b/releasenotes/notes/implement-ssl-dd42ad2ff91af0bd.yaml
new file mode 100644
index 00000000..96017400
--- /dev/null
+++ b/releasenotes/notes/implement-ssl-dd42ad2ff91af0bd.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Implements SSL connection ability to MySQL. ``galera_use_ssl`` option has to
+ be set to ``true`` (default), in this case playbooks create self-signed
+ SSL bundle and sets up MySQL configs to use it or distributes user-provided
+ bundle throughout Galera nodes.
diff --git a/tasks/galera_post_install.yml b/tasks/galera_post_install.yml
index bb34580f..582adb39 100644
--- a/tasks/galera_post_install.yml
+++ b/tasks/galera_post_install.yml
@@ -29,6 +29,13 @@
tags:
- galera-config
+- include: galera_ssl.yml
+ when:
+ - galera_use_ssl | bool
+ tags:
+ - galera-config
+ - galera-ssl
+
- name: Drop mariadb config(s)
config_template:
src: "{{ item.src }}"
diff --git a/tasks/galera_ssl.yml b/tasks/galera_ssl.yml
new file mode 100644
index 00000000..d16096ed
--- /dev/null
+++ b/tasks/galera_ssl.yml
@@ -0,0 +1,54 @@
+---
+# Copyright 2015, Rackspace US, Inc., Mirantis Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if SSL bundle exists
+ stat:
+ path: "{{ item }}"
+ delegate_to: localhost
+ register: res
+ with_items:
+ - "{{ galera_user_ssl_ca_cert }}"
+ - "{{ galera_user_ssl_cert }}"
+ - "{{ galera_user_ssl_key }}"
+
+- include: galera_ssl_key_create.yml
+ when: >
+ ( not res.results[0].stat.exists or
+ not res.results[1].stat.exists or
+ not res.results[2].stat.exists )
+
+- name: Create ssl directory
+ file:
+ path: "/etc/mysql/ssl"
+ state: "directory"
+ owner: "mysql"
+ group: "mysql"
+ mode: "0750"
+
+- name: Copy CA cert and key
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "mysql"
+ group: "mysql"
+ mode: "{{ item.mode|default('0640') }}"
+ with_items:
+ - src: "{{ galera_user_ssl_ca_cert }}"
+ dest: "{{ galera_ssl_ca_cert }}"
+ - src: "{{ galera_user_ssl_cert }}"
+ dest: "{{ galera_ssl_cert }}"
+ - src: "{{ galera_user_ssl_key }}"
+ dest: "{{ galera_ssl_key }}"
+ mode: "0600"
diff --git a/tasks/galera_ssl_key_create.yml b/tasks/galera_ssl_key_create.yml
new file mode 100644
index 00000000..5372cf39
--- /dev/null
+++ b/tasks/galera_ssl_key_create.yml
@@ -0,0 +1,65 @@
+---
+# Copyright 2015, Rackspace US, Inc., Mirantis Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create ssl directory
+ file:
+ path: "{{ galera_user_ssl_ca_cert | dirname }}"
+ state: "directory"
+ delegate_to: localhost
+
+- name: Remove self signed cert for regen
+ file:
+ dest: "{{ item }}"
+ state: "absent"
+ with_items:
+ - "{{ galera_user_ssl_ca_cert }}"
+ - "{{ galera_user_ssl_cert }}"
+ - "{{ galera_user_ssl_key }}"
+ - "{{ galera_user_ssl_ca_cert | dirname }}/galera-ca.key "
+ - "{{ galera_user_ssl_ca_cert | dirname }}/galera-req.pem "
+ delegate_to: localhost
+ when: galera_ssl_self_signed_regen | bool
+
+- name: Create galera CA cert
+ command: >
+ openssl req -new -nodes -x509 -subj
+ "{{ galera_ssl_ca_self_signed_subject }}"
+ -keyout {{ galera_user_ssl_ca_cert | dirname }}/galera-ca.key
+ -out {{ galera_user_ssl_ca_cert }}
+ creates={{ galera_user_ssl_ca_cert }}
+ delegate_to: localhost
+
+- name: Create galera ssl request
+ command: >
+ openssl req -new -nodes -sha256 -subj
+ "{{ galera_ssl_self_signed_subject }}"
+ -days 3650
+ -keyout {{ galera_user_ssl_key }}
+ -out {{ galera_user_ssl_ca_cert | dirname }}/galera-req.pem
+ -extensions v3_ca
+ creates={{ galera_user_ssl_ca_cert | dirname }}/galera-req.pem
+ delegate_to: localhost
+
+- name: Create galera ssl cert
+ command: >
+ openssl x509 -req
+ -days 3650
+ -in {{ galera_user_ssl_ca_cert | dirname }}/galera-req.pem
+ -CA {{ galera_user_ssl_ca_cert }}
+ -CAkey {{ galera_user_ssl_ca_cert | dirname }}/galera-ca.key
+ -out {{ galera_user_ssl_cert }}
+ -set_serial 01
+ creates={{ galera_user_ssl_cert }}
+ delegate_to: localhost
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index 54df3fc0..dadbb849 100644
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -33,6 +33,11 @@ bind-address = ::
{% if galera_server_id is defined %}
server-id = {{ galera_server_id }}
{% endif %}
+{% if galera_use_ssl | bool %}
+ssl-ca = {{ galera_ssl_ca_cert }}
+ssl-cert = {{ galera_ssl_cert }}
+ssl-key = {{ galera_ssl_key }}
+{% endif %}
# LOGGING #
log-queries-not-using-indexes = {{ galera_unindexed_query_logging }}
diff --git a/tox.ini b/tox.ini
index a40b56b2..dee96448 100644
--- a/tox.ini
+++ b/tox.ini
@@ -108,6 +108,15 @@ commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+[testenv:ssl]
+deps =
+ {[testenv:ansible]deps}
+setenv =
+ {[testenv]setenv}
+ ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True -e galera_user_ssl_ca_cert="/tmp/self-signed-certs/galera-ca.crt" -e galera_user_ssl_cert="/tmp/self-signed-certs/galera.crt" -e galera_user_ssl_key="/tmp/self-signed-certs/galera.key"
+commands =
+ {[testenv:tests_clone]commands}
+ bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
[testenv:linters]
deps =