Set galera to use TLS for connections by default

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/820857
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/820942
Change-Id: Ied8e6847413bd8ea3dfef1a43fba391884bf659f

inventory/group_vars/all/infra.yml

@@ -34,6 +34,7 @@ rabbitmq_policies:
 galera_client_package_state: "{{ package_state }}"
 galera_address: "{{ internal_lb_vip_address }}"
 galera_root_user: "admin"
+galera_use_ssl: True
 
 ## Memcached options
 memcached_port: 11211

releasenotes/notes/galera_use_ssl-e906b5ba8b2e62ef.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    MariaDB now uses TLS encryption by default. Certificate will be issued
+    and signed with internal CA using PKI role.
+    Deployers can disable encrypting MariaDB connections by setting
+    ``galera_use_ssl: false`` in their user_variables.yml
+    Client certificates could be still provided and they will be distributed
+    with PKI role as well.