Refactor galera_use_ssl behaviour

With the PKI role in place, in most cases you don't need to explicitly
provide a path to the CA file, because the PKI role ensures that the CA is trusted
by the system overall. Meanwhile, in PyMySQL [1] you must either
provide a CA file or a cert/key, or enable verify.

Since the current behaviour is to provide a path to the custom CA, we expect
the certificate to be trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I42d544d80d8fef5be9a68e6ef7090f85d0daa88c
Dmitriy Rabotyagov 2021-09-21 17:23:03 +03:00
parent e89cbd2f4f
commit a0cb1f7b7c
2 changed files with 2 additions and 2 deletions


@ -101,7 +101,7 @@ tacker_galera_address: "{{ galera_address | default('127.0.0.1') }}"
tacker_galera_database: tacker
tacker_galera_user: tacker
tacker_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
tacker_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
tacker_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}"
tacker_galera_port: "{{ galera_port | default('3306') }}"
tacker_role_name: admin
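Review bot: changing the default of tacker_galera_ssl_ca_cert from '/etc/ssl/certs/galera-ca.pem' to '' is a behaviour change for deployments that never set galera_ssl_ca_cert but relied on the CA living at the old default path; once the value is empty, the connection string no longer points PyMySQL at that file and verification falls back to the system trust store, so those deployments fail to connect unless the CA really is installed system-wide. Suggest stating this in a release note and in the variable's documentation, and considering whether the old default should be kept for one cycle.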


@ -69,7 +69,7 @@ service_token_roles = {{ tacker_role_name }}
# be set in the corresponding core plugin '.ini' file. However, it is suggested
# to put the [database] section and its connection attribute in this
# configuration file.
connection = mysql+pymysql://{{ tacker_galera_user }}:{{ tacker_container_mysql_password }}@{{ tacker_galera_address }}/{{ tacker_galera_database }}?charset=utf8{% if tacker_galera_use_ssl | bool %}&ssl_ca={{ tacker_galera_ssl_ca_cert }}{% endif %}
connection = mysql+pymysql://{{ tacker_galera_user }}:{{ tacker_container_mysql_password }}@{{ tacker_galera_address }}/{{ tacker_galera_database }}?charset=utf8{% if tacker_galera_use_ssl | bool %}&ssl_verify_cert=true{% if tacker_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ tacker_galera_ssl_ca_cert }}{% endif %}{% endif %}
[tacker]
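Review bot: with tacker_galera_use_ssl true and tacker_galera_ssl_ca_cert empty, the rendered URL now carries `ssl_verify_cert=true` with no `ssl_ca`, so PyMySQL verifies the server certificate chain against the system default CA store; the premise of the change (the PKI role has already installed the CA there) therefore becomes a hard requirement, and a missing CA surfaces as a connection failure at service startup instead of an unverified connection. A short comment above the `connection =` line, or the role docs, should state that requirement. The `| length > 0` guard is correct as long as the variable is always a string, which the `default('')` in the defaults file guarantees.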