Additional TLS configuration options

Add variables `galera_require_secure_transport` and `galera_tls_version`
for requiring encrypted connections to the server and providing the list
of permitted protocols of those connections when `galera_use_ssl` is
enabled.

Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e

defaults/main.yml

@@ -244,6 +244,8 @@ galera_ssl_verify: true
 galera_ssl_cert: /etc/ssl/certs/galera.pem
 galera_ssl_key: /etc/mysql/ssl/galera.key
 galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
+galera_require_secure_transport: false
+galera_tls_version: "TLSv1.2,TLSv1.3"
 
 ## These options should be specified in user_variables if necessary, otherwise self-signed certs are used.
 # galera_user_ssl_cert: /etc/openstack_deploy/self_signed_certs/galera.pem

releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml

@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Additional variables are available when MariaDB is configured to use TLS,
+    enabled by setting ``galera_use_ssl`` to ``true``.
+    ``galera_require_secure_transport`` to require that all client connections
+    are encrypted, defaulting to false.
+    ``galera_tls_version`` to provide a list of accepted TLS protocols,
+    defaulting to 'TLSv1.2,TLSv1.3'.

templates/my.cnf.j2

@@ -46,6 +46,8 @@ ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
+require-secure-transport = {{ galera_require_secure_transport }}
+tls-version = {{ galera_tls_version }}
 {% endif %}
 
 # LOGGING #