Implement ability to deploy MariaDB using Ansible Kolla with inter-node comunication encrypted via TLS

[fdobrovolny]

Epic #462

As an SCS Operator, I want to deploy MariaDB using Ansible Kolla with encryption between it's node encrypted via TLS so that I can have E2E encryption in OpenStack services.

Definition of Ready:

• [ ] User Story is clear and understood by the whole team
• [ ] Acceptance criteria are defined
• [ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

• [ ] Ansible Kolla is able to deploy MariDB with encryption between nodes encrypted via TLS
• [ ] The patch has been submitted to upstream and merged.
• [ ] Change has been included in the testbed.
• [ ] CI tests have run successfully
• [ ] Documentation has been updated
• [ ] Release Notes have been updated

[horazont]

As mentioned in https://github.com/SovereignCloudStack/issues/issues/462#issuecomment-1884472190, we've seen issues with reloading TLS certificates on the galera/replication ports of MariaDB. Renewal should be planned with rolling restarts of galera nodes.

[fdobrovolny]

So, as @horazont mentioned, we need to document along this feature that a rolling restart is necessary in cases of certificate renewal. There is already an upgrade playbook inside service so this should be implemented there.

[fdobrovolny]

Note: in cases when the certificate already expires theres no easy way to do the upgrade, it would be nice to have monitoring in place to avoid this issue-

[OgarOgarovic]

Change request upstream created kolla-ansible/925317