From 3f029767606fe3b82f7f09e4410470fe6e11b541 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Mon, 4 Mar 2024 14:39:43 -0800
Subject: [PATCH] Additional TLS configuration options

Add variables `galera_require_secure_transport` and `galera_tls_version` for requiring encrypted connections to the server and providing the list of permitted protocols of those connections when `galera_use_ssl` is enabled.

Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e
---
 defaults/main.yml | 2 ++
 .../notes/additional-tls-options-14b7e1a435581887.yaml | 9 +++++++++
 templates/my.cnf.j2 | 2 ++
 3 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 953a123b..dc03629b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -244,6 +244,8 @@ galera_ssl_verify: true
 galera_ssl_cert: /etc/ssl/certs/galera.pem
 galera_ssl_key: /etc/mysql/ssl/galera.key
 galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
+galera_require_secure_transport: false
+galera_tls_version: "TLSv1.2,TLSv1.3"
 
 ## These options should be specified in user_variables if necessary, otherwise self-signed certs are used.
 # galera_user_ssl_cert: /etc/openstack_deploy/self_signed_certs/galera.pem
diff --git a/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml b/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml
new file mode 100644
index 00000000..0c21ed92
--- /dev/null
+++ b/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml
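Review bot: The two new defaults at the end of this hunk carry no comment, unlike the neighbouring SSL settings, so a deployer reading defaults/main.yml cannot tell that `galera_require_secure_transport: false` still leaves unencrypted client connections accepted, or that `galera_tls_version` is handed to MariaDB verbatim as a comma-separated protocol list. I would prefix them with `# Only rendered into my.cnf when galera_use_ssl is true; require-secure-transport rejects` / `# unencrypted client connections, tls-version is the comma-separated protocol list passed to MariaDB.` The default list leaving out TLSv1.0 and TLSv1.1 is the right baseline and worth stating in that comment so nobody widens it casually. That the options are gated on galera_use_ssl is taken from the commit message and release note; the gate itself is not visible in this hunk.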
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Additional variables are available when MariaDB is configured to use TLS,
+ enabled by setting ``galera_use_ssl`` to ``true``.
+ ``galera_require_secure_transport`` to require that all client connections
+ are encrypted, defaulting to false.
+ ``galera_tls_version`` to provide a list of accepted TLS protocols,
+ defaulting to 'TLSv1.2,TLSv1.3'.
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index 338ebf19..210630e9 100644
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -46,6 +46,8 @@ ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
+require-secure-transport = {{ galera_require_secure_transport }}
+tls-version = {{ galera_tls_version }}
 {% endif %}
 
 # LOGGING #
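Review bot: `require-secure-transport = {{ galera_require_secure_transport }}` renders the Ansible boolean through Jinja as `True`/`False`; MariaDB's option parser accepts those, but an explicit `require-secure-transport = {{ galera_require_secure_transport | bool | ternary('ON', 'OFF') }}` reads like the rest of the rendered my.cnf and also normalises a deployer override given as a string such as `"yes"`, which would otherwise be written out unchanged. Separately, `tls-version = {{ galera_tls_version }}` is rendered unconditionally inside the SSL block, so an empty override produces `tls-version =` with no value, which the server may reject at startup; wrapping the line in `{% if galera_tls_version %}` would fall back to the server default instead. The `{% if %}` that the visible `{% endif %}` closes starts outside the hunk, so I cannot confirm from here that it is keyed on galera_use_ssl.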