This section describes how to renew or replace the self-managed MySQL/Galera certificates.
To renew or replace the self-managed MySQL/Galera certificates:
Log in to the Salt Master node.
Create the classes/cluster/<cluster_name>/openstack/ssl/galera_master.yml file with the following configuration as an example:
classes:
- cluster.<cluster_name>.openstack.ssl
parameters:
  galera:
    master:
      ssl:
        enabled: True
        cacert_chain: ${_param:galera_ssl_cacert_chain}
        key: ${_param:galera_ssl_key}
        cert: ${_param:galera_ssl_cert}
        ca_file: ${_param:mysql_ssl_ca_file}
        key_file: ${_param:mysql_ssl_key_file}
        cert_file: ${_param:mysql_ssl_cert_file}
Note: Substitute <cluster_name> with the appropriate value.
Create the classes/cluster/<cluster_name>/openstack/ssl/galera_slave.yml file with the following configuration as an example:
classes:
- cluster.<cluster_name>.openstack.ssl
parameters:
  galera:
    slave:
      ssl:
        enabled: True
        # Each entry must point at its own parameter; pointing cacert_chain or cert
        # at galera_ssl_key would write the private key into the CA and cert files.
        cacert_chain: ${_param:galera_ssl_cacert_chain}
        key: ${_param:galera_ssl_key}
        cert: ${_param:galera_ssl_cert}
        ca_file: ${_param:mysql_ssl_ca_file}
        key_file: ${_param:mysql_ssl_key_file}
        cert_file: ${_param:mysql_ssl_cert_file}
Note: Substitute <cluster_name> with the appropriate value.
Create the classes/cluster/<cluster_name>/openstack/ssl/init.yml file with the following configuration as an example:
parameters:
  _param:
    mysql_ssl_key_file: /etc/mysql/ssl/key.pem
    mysql_ssl_cert_file: /etc/mysql/ssl/cert.pem
    mysql_ssl_ca_file: /etc/mysql/ssl/ca.pem
    galera_ssl_cacert_chain: |
      -----BEGIN CERTIFICATE-----
      MIIF0TCCA7mgAwIBAgIJAOkTQnjLz6rEMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
      ...
      RHXc4FoWv9/n8ZcfsqjQCjF3vUUZBB3zdlfLCLJRruB4xxYukc3gFpFLm21+0ih+
      M8IfJ5I=
      -----END CERTIFICATE-----
    galera_ssl_key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIJKQIBAAKCAgEArVSJ16ePjCik+6bZBzhiu3enXw8R9Ms1k4x57633IX1sEZTJ
      ...
      0VgM2bDSNyUuiwCbOMK0Kyn+wGeHF/jGSbVsxYI4OeLFz8gdVUqm7olJj4j3xemY
      BlWVHRa/dEG1qfSoqFU9+IQTd+U42mtvvH3oJHEXK7WXzborIXTQ/08Ztdvy
      -----END RSA PRIVATE KEY-----
    galera_ssl_cert: |
      -----BEGIN CERTIFICATE-----
      MIIGIDCCBAigAwIBAgIJAJznLlNteaZFMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
      ...
      MfXPTUI+7+5WQLx10yavJ2gOhdyVuDVagfUM4epcriJbACuphDxHj45GINOGhaCd
      UVVCxqnB9qU16ea/kB3Yzsrus7egr9OienpDCFV2Q/kgUSc7
      -----END CERTIFICATE-----
Note: Modify the example above by adding your own certificates and key: update the key, cert, and chain sections.
Update the classes/cluster/<cluster_name>/infra/config.yml file by adding the newly created classes to the database nodes:
openstack_database_node01:
  params:
    linux_system_codename: xenial
    deploy_address: ${_param:openstack_database_node01_deploy_address}
  classes:
  - cluster.${_param:cluster_name}.openstack.database_init
  - cluster.${_param:cluster_name}.openstack.ssl.galera_master
openstack_database_node02:
  params:
    linux_system_codename: xenial
    deploy_address: ${_param:openstack_database_node02_deploy_address}
  classes:
  - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
openstack_database_node03:
  params:
    linux_system_codename: xenial
    deploy_address: ${_param:openstack_database_node03_deploy_address}
  classes:
  - cluster.${_param:cluster_name}.openstack.ssl.galera_slave
Regenerate the Reclass storage:
salt-call state.sls reclass.storage -l debug
Refresh pillars:
salt -C 'I@galera:master or I@galera:slave' saltutil.refresh_pillar
Verify the current certificates' validity dates on all Galera nodes:
salt -C 'I@galera:master' cmd.run 'openssl x509 \
-in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
salt -C 'I@galera:slave' cmd.run 'openssl x509 \
-in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
Example of system response:
Not Before: May 30 17:21:10 2018 GMT
Not After : May 30 17:21:10 2019 GMT
Not Before: May 30 17:25:24 2018 GMT
Not After : May 30 17:25:24 2019 GMT
Not Before: May 30 17:26:52 2018 GMT
Not After : May 30 17:26:52 2019 GMT
Force the certificate regeneration on the Galera master node:
salt -C 'I@galera:master' state.sls galera -l debug
Verify the new certificate's validity dates on the Galera master node:
salt -C 'I@galera:master' cmd.run 'openssl x509 \
-in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
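Before MySQL is restarted with the regenerated files (here on the master, later on each slave), it is worth confirming that the rendered files are what the pillar was meant to produce: cert.pem and ca.pem must hold certificate blocks and no private key (a pillar entry that points cert or cacert_chain at galera_ssl_key would write the key into a world-readable file), key.pem must not be group- or world-readable, and the certificate must match the key and chain to the CA the other nodes trust. The following shell functions are an added example, not part of the Mirantis documentation or the galera formula; the function names are mine, and the paths are the ones set in init.yml above. check_galera_ssl_files uses only grep and stat; check_galera_ssl_crypto needs openssl, which the procedure already relies on.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the PEM files
# that the galera state renders from the pillar, run before restarting MySQL.
# Usage on a node:
#   check_galera_ssl_files  /etc/mysql/ssl/ca.pem /etc/mysql/ssl/cert.pem /etc/mysql/ssl/key.pem
#   check_galera_ssl_crypto /etc/mysql/ssl/ca.pem /etc/mysql/ssl/cert.pem /etc/mysql/ssl/key.pem
# Both return 0 when every check passes and print one FAIL line per problem.

check_galera_ssl_files() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    for f in "$ca" "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f is missing or empty"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # CA chain and server certificate: certificate blocks only.
    for f in "$ca" "$cert"; do
        if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
            echo "FAIL: $f contains no certificate block"; rc=1
        fi
        # This is exactly what a pillar mix-up (cert: ${_param:galera_ssl_key}) produces,
        # and cert.pem is readable by every local user.
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "FAIL: $f contains a private key"; rc=1
        fi
    done

    if ! grep -q 'PRIVATE KEY' "$key"; then
        echo "FAIL: $key contains no private key block"; rc=1
    fi
    # The key must be readable by its owner only (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    return "$rc"
}

check_galera_ssl_crypto() {
    ca="$1"; cert="$2"; key="$3"
    # The certificate must have been issued for the key it is served with
    # (the page's key is an RSA key, so the moduli can be compared directly).
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key") || return 1
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $cert does not match $key"; return 1
    fi
    # ...and it must chain to the CA that the other Galera nodes trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    # Warn when fewer than 30 days (2592000 s) remain, the usual reason to run this procedure.
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null \
        || echo "WARN: $cert expires within 30 days"
    return 0
}
```

Run both checks through salt in the same way as the openssl commands above, for example salt -C 'I@galera:master' cmd.run with the script copied to the node, and treat any FAIL line as a reason not to restart MySQL until the pillar is corrected and the galera state re-applied.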
Restart the MySQL service on the Galera master node:
salt -C 'I@galera:master' service.stop mysql
salt -C 'I@galera:master' service.start mysql
Verify that the Galera cluster status is up:
salt -C 'I@galera:master' mysql.status | \
grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
Example of system response:
wsrep_cluster_size:
    3
wsrep_incoming_addresses:
    192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
wsrep_local_state_comment:
    Synced
Force the certificate regeneration on the Galera slave nodes:
salt -C 'I@galera:slave' state.sls galera -l debug
Verify that the certificates' validity dates have changed on the Galera slave nodes:
salt -C 'I@galera:slave' cmd.run 'openssl x509 \
-in /etc/mysql/ssl/cert.pem -text -noout' | grep -Ei 'after|before'
Example of system response:
Not Before: Jun 4 16:14:24 2018 GMT
Not After : Jun 4 16:14:24 2019 GMT
Not Before: Jun 4 16:14:31 2018 GMT
Not After : Jun 4 16:14:31 2019 GMT
Obtain the minion IDs of the Galera slave nodes:
salt -C 'I@galera:slave' test.ping --output yaml | cut -d':' -f1
Example of system response:
dbs02.multinode-ha.int
dbs03.multinode-ha.int
Restart the MySQL service for every Galera slave minion ID one by one. After each Galera slave minion restart, verify the Galera cluster size and status. Proceed to the next Galera slave minion restart only if the Galera cluster is synced.
To restart the MySQL service for a Galera slave minion:
salt <minion_ID> service.stop mysql
salt <minion_ID> service.start mysql
To verify the Galera cluster size and status:
salt -C 'I@galera:master' mysql.status | \
grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
Example of system response:
wsrep_cluster_size:
    3
wsrep_incoming_addresses:
    192.168.2.52:3306,192.168.2.53:3306,192.168.2.51:3306
wsrep_local_state_comment:
    Synced
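The one-by-one restart above is the step where a mistake costs availability: taking a second slave down while the first is still rejoining (wsrep_local_state_comment Donor/Desynced or Joining, cluster size below 3) can leave the cluster without quorum. The following shell script is an added example, not part of the Mirantis documentation; it wraps the same salt commands the procedure uses (mysql.status on the master, test.ping for the slave minion IDs, service.stop/start mysql) in a loop that refuses to continue until the cluster reports Synced at the expected size. The function names, the expected-size argument, and the 10-second poll interval and 300-second default timeout are my choices.

```shell
#!/bin/sh
# Added example (not from the original page): rolling MySQL restart of the Galera
# slave nodes that waits for the cluster to be Synced at full size between nodes.
# Usage from the Salt Master:  rolling_restart_slaves 3

# galera_synced STATUS_TEXT EXPECTED_SIZE
# STATUS_TEXT is the output of
#   salt -C 'I@galera:master' mysql.status | grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)'
# in the key-on-one-line, value-on-the-next layout shown on the page. Returns 0 only when
# wsrep_local_state_comment is Synced and wsrep_cluster_size equals EXPECTED_SIZE.
galera_synced() {
    status="$1"; expected="$2"
    size=$(printf '%s\n' "$status" \
        | awk '/wsrep_cluster_size/ {getline; gsub(/[^0-9]/, ""); print; exit}')
    state=$(printf '%s\n' "$status" \
        | awk '/wsrep_local_state_comment/ {getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; exit}')
    [ "$size" = "$expected" ] && [ "$state" = "Synced" ]
}

# wait_for_sync EXPECTED_SIZE [TIMEOUT_SECONDS]: poll the master until galera_synced passes.
wait_for_sync() {
    expected="$1"; timeout="${2:-300}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        status=$(salt -C 'I@galera:master' mysql.status \
            | grep -EA1 'wsrep_(local_state_c|incoming_a|cluster_size)')
        if galera_synced "$status" "$expected"; then
            return 0
        fi
        sleep 10; waited=$((waited + 10))
    done
    echo "cluster did not return to Synced with size $expected within ${timeout}s" >&2
    return 1
}

# rolling_restart_slaves EXPECTED_SIZE: restart MySQL on each slave minion in turn.
rolling_restart_slaves() {
    expected="$1"
    # Never start from a degraded cluster.
    wait_for_sync "$expected" || return 1
    for minion in $(salt -C 'I@galera:slave' test.ping --output yaml | cut -d':' -f1); do
        echo "restarting mysql on $minion"
        salt "$minion" service.stop mysql
        salt "$minion" service.start mysql
        # Stop the rollout rather than take a second node down while this one is still joining.
        wait_for_sync "$expected" || return 1
    done
}
```

galera_synced takes the status text as an argument so it can be checked against captured output before the loop is trusted on a live cluster; the page's own example response passes, and a response showing two members or a Donor/Desynced state does not.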