Set galera to use TLS for connections by default

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/820857 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/820942 Change-Id: Ied8e6847413bd8ea3dfef1a43fba391884bf659f
2021-09-08 17:32:47 +03:00 · 2021-09-08 17:32:47 +03:00 · 56b63d9fdb
parent fe90f8066c
commit 56b63d9fdb
2 changed files with 10 additions and 0 deletions
--- a/inventory/group_vars/all/infra.yml
+++ b/inventory/group_vars/all/infra.yml
@ -34,6 +34,7 @@ rabbitmq_policies:
 galera_client_package_state: "{{ package_state }}"
 galera_address: "{{ internal_lb_vip_address }}"
 galera_root_user: "admin"
+galera_use_ssl: True

 ## Memcached options
 memcached_port: 11211
--- a/releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml
+++ b/releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    MariaDB now uses TLS encryption by default. Certificate will be issued
+    and signed with internal CA using PKI role.
+    Deployers can disable encrypting MariaDB connections by setting
+    ``galera_use_ssl: false`` in their user_variables.yml
+    Client certificates could be still provided and they will be distributed
+    with PKI role as well.