Merge "Fix SSL/TLS ciphers/options for HAProxy services"
commit
9abdd09252
@ -20,10 +20,6 @@
|
|||
# (optional) Log file location for haproxy.
|
||||
# Defaults to '/var/log/haproxy.log'
|
||||
#
|
||||
# [*haproxy_ssl_default_dh_param*]
|
||||
# (optional) Sets the maximum size of the Diffie-Hellman parameter.
|
||||
# Defaults to '2048'
|
||||
#
|
||||
# [*primary_controller*]
|
||||
# (optional) Flag to indicate if this is the primary controller
|
||||
# Defaults to false
|
||||
|
@ -45,18 +41,20 @@
|
|||
# Defaults to ['127.0.0.1']
|
||||
#
|
||||
class cluster::haproxy (
|
||||
$haproxy_maxconn = '4000',
|
||||
$haproxy_bufsize = '16384',
|
||||
$haproxy_maxrewrite = '1024',
|
||||
$haproxy_log_file = '/var/log/haproxy.log',
|
||||
$haproxy_ssl_default_dh_param = '2048',
|
||||
$primary_controller = false,
|
||||
$debug = false,
|
||||
$other_networks = false,
|
||||
$colocate_haproxy = false,
|
||||
$stats_ipaddresses = ['127.0.0.1'],
|
||||
$spread_checks = '3',
|
||||
$user_defined_options = {}
|
||||
$haproxy_maxconn = '4000',
|
||||
$haproxy_bufsize = '16384',
|
||||
$haproxy_maxrewrite = '1024',
|
||||
$haproxy_log_file = '/var/log/haproxy.log',
|
||||
$primary_controller = false,
|
||||
$debug = false,
|
||||
$other_networks = false,
|
||||
$colocate_haproxy = false,
|
||||
$stats_ipaddresses = ['127.0.0.1'],
|
||||
$spread_checks = '3',
|
||||
$user_defined_options = {},
|
||||
$ssl_default_ciphers = 'HIGH:!aNULL:!MD5:!kEDH',
|
||||
#TODO(mmalchuk) use this after upgrade HAProxy to at least v1.5.7
|
||||
#$ssl_default_options = 'no-sslv3 no-tls-tickets',
|
||||
) {
|
||||
include ::haproxy::params
|
||||
include ::rsyslog::params
|
||||
|
@ -69,17 +67,21 @@ class cluster::haproxy (
|
|||
# and this override looks the only possible if
|
||||
# upstream manifests must be kept intact
|
||||
$global_options = {
|
||||
'log' => '/dev/log local0',
|
||||
'pidfile' => '/var/run/haproxy.pid',
|
||||
'maxconn' => $haproxy_maxconn,
|
||||
'user' => 'haproxy',
|
||||
'group' => 'haproxy',
|
||||
'daemon' => '',
|
||||
'stats' => 'socket /var/lib/haproxy/stats',
|
||||
'spread-checks' => $spread_checks,
|
||||
'tune.bufsize' => $haproxy_bufsize,
|
||||
'tune.maxrewrite' => $haproxy_maxrewrite,
|
||||
'tune.ssl.default-dh-param' => $haproxy_ssl_default_dh_param,
|
||||
'log' => '/dev/log local0',
|
||||
'pidfile' => '/var/run/haproxy.pid',
|
||||
'maxconn' => $haproxy_maxconn,
|
||||
'user' => 'haproxy',
|
||||
'group' => 'haproxy',
|
||||
'daemon' => '',
|
||||
'stats' => 'socket /var/lib/haproxy/stats',
|
||||
'spread-checks' => $spread_checks,
|
||||
'tune.bufsize' => $haproxy_bufsize,
|
||||
'tune.maxrewrite' => $haproxy_maxrewrite,
|
||||
'ssl-default-bind-ciphers' => $ssl_default_ciphers,
|
||||
'ssl-default-server-ciphers' => $ssl_default_ciphers,
|
||||
#TODO(mmalchuk) use this after upgrade HAProxy to at least v1.5.7
|
||||
#'ssl-default-bind-options' => $ssl_default_options,
|
||||
#'ssl-default-server-options' => $ssl_default_options,
|
||||
}
|
||||
|
||||
$defaults_options = {
|
||||
|
@ -105,7 +107,7 @@ class cluster::haproxy (
|
|||
|
||||
$service_name = 'p_haproxy'
|
||||
|
||||
class { 'haproxy::base':
|
||||
class { '::haproxy::base':
|
||||
global_options => merge($global_options, $user_defined_options['global']),
|
||||
defaults_options => merge($defaults_options, $user_defined_options['defaults']),
|
||||
stats_ipaddresses => $stats_ipaddresses,
|
||||
|
@ -130,7 +132,7 @@ class cluster::haproxy (
|
|||
package_name => $haproxy::params::package_name,
|
||||
}
|
||||
|
||||
class { 'cluster::haproxy::rsyslog':
|
||||
class { '::cluster::haproxy::rsyslog':
|
||||
log_file => $haproxy_log_file,
|
||||
}
|
||||
|
||||
|
@ -147,7 +149,7 @@ class cluster::haproxy (
|
|||
Service['haproxy']
|
||||
|
||||
# Pacemaker
|
||||
class { 'cluster::haproxy_ocf':
|
||||
class { '::cluster::haproxy_ocf':
|
||||
debug => $debug,
|
||||
other_networks => $other_networks,
|
||||
colocate_haproxy => $colocate_haproxy,
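Review bot: The new default `$ssl_default_ciphers = 'HIGH:!aNULL:!MD5:!kEDH'` is looser than the per-bind list it replaces in openstack::ha::haproxy_service (`AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH`), which admitted only forward-secret suites: with `!kEDH` excluding DHE and nothing requiring ECDHE, `HIGH` still matches static-RSA key exchange and, on OpenSSL builds of this era, 3DES (`DES-CBC3-SHA`), so a client without ECDHE support negotiates a non-PFS suite. I would put forward-secret suites first and drop 3DES, e.g. `$ssl_default_ciphers = 'ECDHE+HIGH:HIGH:!aNULL:!MD5:!3DES:!kEDH'`, and carry over the `!SHA` TODO that the haproxy_service hunk deletes so the intent is not lost. The new parameter also has no entry in the class header while the removed `haproxy_ssl_default_dh_param` had one — add `# [*ssl_default_ciphers*]`, `# (optional) Cipher list applied through ssl-default-bind-ciphers and ssl-default-server-ciphers.`, `# Defaults to 'HIGH:!aNULL:!MD5:!kEDH'`. Whether this HAProxy build enforces server-side cipher order is not visible in the hunk; if it does not, reordering alone does not help and the weak suites must be excluded outright.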
|
||||
|
|
|
@ -97,13 +97,13 @@ define openstack::ha::haproxy_service (
|
|||
validate_bool($public)
|
||||
validate_bool($internal)
|
||||
|
||||
include openstack::ha::haproxy_restart
|
||||
include ::openstack::ha::haproxy_restart
|
||||
|
||||
if $public_ssl and !$public_ssl_path {
|
||||
fail("You must set up path to public ssl keypair if you want to use public ssl")
|
||||
fail('You must set up path to public ssl keypair if you want to use public ssl')
|
||||
}
|
||||
if $internal_ssl and !$internal_ssl_path {
|
||||
fail("You must set up path to internal ssl keypair if you want to use internal ssl")
|
||||
fail('You must set up path to internal ssl keypair if you want to use internal ssl')
|
||||
}
|
||||
if !($internal or $public) {
|
||||
fail('At least one of $public or $internal must be set to true')
|
||||
|
@ -112,21 +112,22 @@ define openstack::ha::haproxy_service (
|
|||
if $public {
|
||||
$public_bind_address = suffix(any2array($public_virtual_ip), ":${listen_port}")
|
||||
if $public_ssl {
|
||||
# TODO(sbog): add !SHA here as soon as all our clients will support TLS1.2
|
||||
$public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
|
||||
#TODO(mmalchuk) move options to the cluster::haproxy after upgrade HAProxy to at least v1.5.7
|
||||
$public_bind = array_to_hash($public_bind_address, ['ssl', 'crt', $public_ssl_path, 'no-sslv3', 'no-tls-tickets'])
|
||||
} else {
|
||||
$public_bind = array_to_hash($public_bind_address, "")
|
||||
$public_bind = array_to_hash($public_bind_address, '')
|
||||
}
|
||||
} else {
|
||||
$public_bind = {}
|
||||
}
|
||||
|
||||
if $internal {
|
||||
$internal_bind_address = suffix(any2array($internal_virtual_ip), ":$listen_port")
|
||||
$internal_bind_address = suffix(any2array($internal_virtual_ip), ":${listen_port}")
|
||||
if $internal_ssl {
|
||||
# TODO(sbog): add !SHA here too as soon as all our clients will support TLS1.2
|
||||
$internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path, 'no-sslv3', 'no-tls-tickets', 'ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH'])
|
||||
#TODO(mmalchuk) move options to the cluster::haproxy after upgrade HAProxy to at least v1.5.7
|
||||
$internal_bind = array_to_hash($internal_bind_address, ['ssl', 'crt', $internal_ssl_path, 'no-sslv3', 'no-tls-tickets'])
|
||||
} else {
|
||||
$internal_bind = array_to_hash($internal_bind_address, "")
|
||||
$internal_bind = array_to_hash($internal_bind_address, '')
|
||||
}
|
||||
} else {
|
||||
$internal_bind = {}
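Review bot: With the explicit `ciphers ...` entry removed from both the public and the internal bind option lists, the cipher policy of every TLS listener now depends on `ssl-default-bind-ciphers` being present in the global section that cluster::haproxy renders; if that directive is missing or overridden through `user_defined_options['global']`, HAProxy, as far as I know, falls back to the OpenSSL library default, which is broader than either the old per-bind list or the new global one. The removed list accepted only forward-secret EECDH/EDH suites, so this hunk loosens the listener policy rather than merely relocating it, and the deleted `TODO(sbog): add !SHA here` note should be kept somewhere. I would record the dependency next to each bind: `# cipher list is inherited from ssl-default-bind-ciphers set by cluster::haproxy; the per-bind 'ciphers' entry was removed on purpose`. The enclosing define openstack::ha::haproxy_service starts before this hunk.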
|
||||
|
|
|
@ -2,15 +2,16 @@ class osnailyfacter::cluster_haproxy::cluster_haproxy {
|
|||
|
||||
notice('MODULAR: cluster_haproxy/cluster_haproxy.pp')
|
||||
|
||||
$network_scheme = hiera_hash('network_scheme', {})
|
||||
$management_vip = hiera('management_vip')
|
||||
$database_vip = hiera('database_vip', '')
|
||||
$service_endpoint = hiera('service_endpoint', '')
|
||||
$primary_controller = hiera('primary_controller')
|
||||
$haproxy_hash = hiera_hash('haproxy', {})
|
||||
$external_lb = hiera('external_lb', false)
|
||||
$network_scheme = hiera_hash('network_scheme', {})
|
||||
$management_vip = hiera('management_vip')
|
||||
$database_vip = hiera('database_vip', '')
|
||||
$service_endpoint = hiera('service_endpoint', '')
|
||||
$primary_controller = hiera('primary_controller')
|
||||
$haproxy_hash = hiera_hash('haproxy', {})
|
||||
$external_lb = hiera('external_lb', false)
|
||||
#FIXME(mattymo): Move colocations to a separate task
|
||||
$colocate_haproxy = hiera('colocate_haproxy', false)
|
||||
$colocate_haproxy = hiera('colocate_haproxy', false)
|
||||
$ssl_default_ciphers = hiera('ssl_default_ciphers', 'HIGH:!aNULL:!MD5:!kEDH')
|
||||
|
||||
$override_configuration = hiera_hash('configuration', {})
|
||||
$user_defined_options = $override_configuration['haproxy']
|
||||
|
@ -26,7 +27,8 @@ class osnailyfacter::cluster_haproxy::cluster_haproxy {
|
|||
other_networks => direct_networks($network_scheme['endpoints']),
|
||||
stats_ipaddresses => $stats_ipaddresses,
|
||||
colocate_haproxy => $colocate_haproxy,
|
||||
user_defined_options => $user_defined_options
|
||||
user_defined_options => $user_defined_options,
|
||||
ssl_default_ciphers => $ssl_default_ciphers,
|
||||
}
|
||||
}
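Review bot: `$ssl_default_ciphers` is read from hiera and passed straight into the HAProxy global section without validation, although the sibling haproxy_service manifest already guards its inputs with stdlib `validate_bool`; a value containing whitespace or a newline would land in haproxy.cfg as extra tokens or directives rather than a cipher string. If stdlib's `validate_re` is available here, add a guard before the class declaration, e.g. `validate_re($ssl_default_ciphers, '^[A-Za-z0-9!+:@=-]+$', 'ssl_default_ciphers must be an OpenSSL cipher string')`. The default `'HIGH:!aNULL:!MD5:!kEDH'` is now duplicated here and as the class default in cluster::haproxy, and if the two drift the hiera fallback silently wins — either note it with `# keep in sync with the cluster::haproxy default` or pass the hiera value only when it is set. The class osnailyfacter::cluster_haproxy::cluster_haproxy starts before this hunk.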
|
||||
|
||||
|
|