From 56b63d9fdbfcc16f1a7871186a833c32130a3999 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 8 Sep 2021 17:32:47 +0300
Subject: [PATCH] Set galera to use TLS for connections by default

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/820857
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/820942
Change-Id: Ied8e6847413bd8ea3dfef1a43fba391884bf659f
---
 inventory/group_vars/all/infra.yml | 1 +
 releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml

diff --git a/inventory/group_vars/all/infra.yml b/inventory/group_vars/all/infra.yml
index 139b973d92..b06a0d2508 100644
--- a/inventory/group_vars/all/infra.yml
+++ b/inventory/group_vars/all/infra.yml
@@ -34,6 +34,7 @@ rabbitmq_policies:
 galera_client_package_state: "{{ package_state }}"
 galera_address: "{{ internal_lb_vip_address }}"
 galera_root_user: "admin"
+galera_use_ssl: True
 
 ## Memcached options
 memcached_port: 11211
diff --git a/releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml b/releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml
new file mode 100644
index 0000000000..8b50643b84
--- /dev/null
+++ b/releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ MariaDB now uses TLS encryption by default. Certificate will be issued
+ and signed with internal CA using PKI role.
+ Deployers can disable encrypting MariaDB connections by setting
+ ``galera_use_ssl: false`` in their user_variables.yml
+ Client certificates could be still provided and they will be distributed
+ with PKI role as well.
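Review bot: The new default `galera_use_ssl: True` in inventory/group_vars/all/infra.yml lands without a comment, and nothing visible in this patch says whether it only enables TLS or also makes it mandatory. I would add a comment above it such as `# Encrypt MariaDB connections with TLS by default; set to false in user_variables.yml to disable`. It is also worth confirming in the galera_server change listed under Depends-On whether plaintext connections are still accepted and whether clients verify the server certificate against the internal CA, since encryption without verification leaves connections open to interception on the internal network. Writing the value as lowercase `true` would match the `false` used in the release note and avoid YAML 1.1/1.2 truthy differences. The surrounding variable block starts and ends outside the hunk.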