Additional TLS configuration options

Add variables `galera_require_secure_transport` and `galera_tls_version`
for requiring encrypted connections to the server and providing the list
of permitted protocols of those connections when `galera_use_ssl` is
enabled.

Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e
Jimmy McCrory 2024-03-04 14:39:43 -08:00
parent e697948b34
commit 3f02976760
3 changed files with 13 additions and 0 deletions


@ -244,6 +244,8 @@ galera_ssl_verify: true
galera_ssl_cert: /etc/ssl/certs/galera.pem
galera_ssl_key: /etc/mysql/ssl/galera.key
galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
galera_require_secure_transport: false
galera_tls_version: "TLSv1.2,TLSv1.3"
## These options should be specified in user_variables if necessary, otherwise self-signed certs are used.
# galera_user_ssl_cert: /etc/openstack_deploy/self_signed_certs/galera.pem
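Review bot: the two new defaults carry no comment, while the neighbouring `##` block documents the certificate paths; add a line stating that `galera_require_secure_transport` and `galera_tls_version` only take effect when `galera_use_ssl` is enabled, and that `galera_require_secure_transport: true` makes the server reject unencrypted client connections. Defaulting to `false` keeps existing plaintext clients working across the upgrade, but it also means a deployment with `galera_ssl_verify: true` still accepts cleartext logins unless the operator opts in, so the comment should name `true` as the intended hardened setting.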


@ -0,0 +1,9 @@
---
upgrade:
- |
Additional variables are available when MariaDB is configured to use TLS,
enabled by setting ``galera_use_ssl`` to ``true``.
``galera_require_secure_transport`` to require that all client connections
are encrypted, defaulting to false.
``galera_tls_version`` to provide a list of accepted TLS protocols,
defaulting to 'TLSv1.2,TLSv1.3'.
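Review bot: the literal formatting inside this note is inconsistent: the variable names use RST ``double backticks`` while the `galera_tls_version` default is written as 'TLSv1.2,TLSv1.3' in plain single quotes and the `galera_require_secure_transport` default as bare false; render both defaults as ``false`` and ``TLSv1.2,TLSv1.3`` so they appear as literals like the rest. The two variable descriptions would also read more clearly as a bullet list under the introductory sentence rather than as two fragments that each start with the variable name, and the note should state the minimum MariaDB release that understands both options, since the template emits them unconditionally whenever TLS is enabled.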


@ -46,6 +46,8 @@ ssl
ssl-ca = {{ galera_ssl_ca_cert }}
ssl-cert = {{ galera_ssl_cert }}
ssl-key = {{ galera_ssl_key }}
require-secure-transport = {{ galera_require_secure_transport }}
tls-version = {{ galera_tls_version }}
{% endif %}
# LOGGING #
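Review bot: `require-secure-transport = {{ galera_require_secure_transport }}` renders the YAML boolean through Jinja2 as its Python form, so the default produces `require-secure-transport = False`; that only works because MariaDB's option parser matches boolean words without regard to case, and an operator who sets the variable to a string value rather than a YAML boolean would get whatever text they typed written into the config file. Normalise the value in the template, e.g. `require-secure-transport = {{ galera_require_secure_transport | bool | ternary('ON', 'OFF') }}`, so the rendered file always contains a documented boolean regardless of how the variable was supplied. `tls-version = {{ galera_tls_version }}` is fine as written because the default is already a plain comma-separated string, but the same reasoning applies if someone passes a YAML list; a `| join(',')` guard or a note in the defaults that the variable must be a string would close that gap.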