diff --git a/octavia_lib/api/drivers/data_models.py b/octavia_lib/api/drivers/data_models.py
index d6ba211..dd93d2c 100644
--- a/octavia_lib/api/drivers/data_models.py
+++ b/octavia_lib/api/drivers/data_models.py
@@ -133,7 +133,7 @@ class Listener(BaseDataModel):
 client_ca_tls_container_data=Unset, client_authentication=Unset, client_crl_container_ref=Unset, client_crl_container_data=Unset, project_id=Unset,
- allowed_cidrs=Unset, tls_ciphers=Unset):
+ allowed_cidrs=Unset, tls_versions=Unset, tls_ciphers=Unset):
 self.admin_state_up = admin_state_up
 self.connection_limit = connection_limit
@@ -162,6 +162,7 @@ class Listener(BaseDataModel):
 self.client_crl_container_data = client_crl_container_data
 self.project_id = project_id
 self.allowed_cidrs = allowed_cidrs
+ self.tls_versions = tls_versions
 self.tls_ciphers = tls_ciphers
@@ -174,7 +175,7 @@ class Pool(BaseDataModel):
 tls_container_data=Unset, ca_tls_container_ref=Unset, ca_tls_container_data=Unset, crl_container_ref=Unset, crl_container_data=Unset, tls_enabled=Unset,
- project_id=Unset, tls_ciphers=Unset):
+ project_id=Unset, tls_versions=Unset, tls_ciphers=Unset):
 self.admin_state_up = admin_state_up
 self.description = description
@@ -195,6 +196,7 @@ class Pool(BaseDataModel):
 self.crl_container_data = crl_container_data
 self.tls_enabled = tls_enabled
 self.project_id = project_id
+ self.tls_versions = tls_versions
 self.tls_ciphers = tls_ciphers
diff --git a/octavia_lib/common/constants.py b/octavia_lib/common/constants.py
index 1ab1821..4b88e51 100644
--- a/octavia_lib/common/constants.py
+++ b/octavia_lib/common/constants.py
@@ -251,6 +251,12 @@ TLS_CIPHERS = 'tls_ciphers'
 TLS_CONTAINER_DATA = 'tls_container_data'
 TLS_CONTAINER_REF = 'tls_container_ref'
 TLS_ENABLED = 'tls_enabled'
+TLS_VERSIONS = 'tls_versions'
+SSL_VERSION_3 = 'SSLv3'
+TLS_VERSION_1 = 'TLSv1'
+TLS_VERSION_1_1 = 'TLSv1.1'
+TLS_VERSION_1_2 = 'TLSv1.2'
+TLS_VERSION_1_3 = 'TLSv1.3'
 TYPE = 'type'
 URL_PATH = 'url_path'
 VALUE = 'value'
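Review bot: Existing positional callers of `Listener.__init__` are shifted by this signature change, because `tls_versions=Unset` is placed before `tls_ciphers=Unset` rather than after it; the `Pool.__init__` hunk has the same ordering. A provider driver that passes these arguments positionally would hand its cipher string to `tls_versions` with no error, since the model appears to store whatever it receives. Appending the new keyword keeps the order stable: `allowed_cidrs=Unset, tls_ciphers=Unset, tls_versions=Unset):` for Listener and `project_id=Unset, tls_ciphers=Unset, tls_versions=Unset):` for Pool. Both signatures begin outside their hunks.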
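Review bot: Nothing next to `self.tls_versions = tls_versions` in Listener (or the matching line in Pool) says what the field may contain or what a missing value means. A driver author cannot tell from the model whether `Unset`, `None` and `[]` mean "use the provider default" or "allow no version", and that guess decides which protocol versions get negotiated. I would add a comment above the assignment such as `# list of constants.TLS_VERSION_* / SSL_VERSION_3 strings; meaning of Unset/None/[] is defined in <REFERENCE TO BE FILLED IN>`. Any constructor docstring is outside the hunk, so this may already be covered there.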
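Review bot: In constants.py, `SSL_VERSION_3`, `TLS_VERSION_1` and `TLS_VERSION_1_1` are added on equal footing with `TLS_VERSION_1_2` and `TLS_VERSION_1_3`, with nothing marking them as deprecated protocols. SSLv3 was deprecated by RFC 7568 and TLS 1.0/1.1 by RFC 8996, so a driver that builds its accepted set from every version constant would enable them. A comment above the block would make the distinction visible to driver authors: `# SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 7568, RFC 8996); do not use them as defaults.`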
diff --git a/octavia_lib/tests/unit/api/drivers/test_data_models.py b/octavia_lib/tests/unit/api/drivers/test_data_models.py
index 2c2dc39..1640bb6 100644
--- a/octavia_lib/tests/unit/api/drivers/test_data_models.py
+++ b/octavia_lib/tests/unit/api/drivers/test_data_models.py
@@ -17,6 +17,7 @@ from copy import deepcopy
 from oslo_utils import uuidutils
 from octavia_lib.api.drivers import data_models
+from octavia_lib.common import constants
 from octavia_lib.tests.unit import base
@@ -101,6 +102,11 @@ class TestProviderDataModels(base.TestCase):
 client_crl_container_data=None,
 client_crl_container_ref=None,
 allowed_cidrs=None,
+ tls_versions=[constants.SSL_VERSION_3,
+ constants.TLS_VERSION_1,
+ constants.TLS_VERSION_1_1,
+ constants.TLS_VERSION_1_2,
+ constants.TLS_VERSION_1_3],
 tls_ciphers=None)
 self.ref_lb = data_models.LoadBalancer(
@@ -169,6 +175,11 @@ class TestProviderDataModels(base.TestCase):
 listener_id=self.listener_id,
 protocol='avian',
 session_persistence=self.session_persistence,
+ tls_versions=[constants.SSL_VERSION_3,
+ constants.TLS_VERSION_1,
+ constants.TLS_VERSION_1_1,
+ constants.TLS_VERSION_1_2,
+ constants.TLS_VERSION_1_3],
 tls_ciphers=None)
 self.ref_l7rule_dict = {'admin_state_up': True,
@@ -237,6 +248,11 @@ class TestProviderDataModels(base.TestCase):
 'client_crl_container_data': None,
 'client_crl_container_ref': None,
 'allowed_cidrs': None,
+ 'tls_versions': [constants.SSL_VERSION_3,
+ constants.TLS_VERSION_1,
+ constants.TLS_VERSION_1_1,
+ constants.TLS_VERSION_1_2,
+ constants.TLS_VERSION_1_3],
 'tls_ciphers': None}
 self.ref_lb_dict_with_listener = {
@@ -305,6 +321,11 @@ class TestProviderDataModels(base.TestCase):
 'listener_id': self.listener_id,
 'protocol': 'avian',
 'session_persistence': self.session_persistence,
+ 'tls_versions': [constants.SSL_VERSION_3,
+ constants.TLS_VERSION_1,
+ constants.TLS_VERSION_1_1,
+ constants.TLS_VERSION_1_2,
+ constants.TLS_VERSION_1_3],
 'tls_ciphers': None}
 def test_equality(self):
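Review bot: The same five-element `tls_versions` list is written out four times across the fixture hunks at -101, -169, -237 and -305 (two model constructors and two reference dicts), so the object and dict references only stay equal if every copy is edited together. Defining it once, for example `ref_tls_versions = [constants.SSL_VERSION_3, constants.TLS_VERSION_1, constants.TLS_VERSION_1_1, constants.TLS_VERSION_1_2, constants.TLS_VERSION_1_3]`, and using `tls_versions=ref_tls_versions` and `'tls_versions': ref_tls_versions` removes that risk. The fixtures also cover only the all-versions case; nothing visible here builds a model without `tls_versions`. The enclosing method starts outside these hunks.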
@@ -345,9 +366,11 @@ class TestProviderDataModels(base.TestCase):
 ref_list_dict.pop('l7policies', None)
 ref_list_dict.pop('sni_container_data', None)
 ref_list_dict.pop('sni_container_refs', None)
+ ref_list_dict.pop('tls_versions', None)
 ref_pool_dict = deepcopy(self.ref_pool_dict)
 ref_pool_dict['healthmonitor'] = None
 ref_pool_dict.pop('members', None)
+ ref_pool_dict.pop('tls_versions', None)
 ref_l7policy_dict = deepcopy(self.ref_l7policy_dict)
 ref_l7policy_dict.pop('rules', None)
diff --git a/releasenotes/notes/add-tls-protocols-for-listener-and-pool-model-e9083b85afc62ef0.yaml b/releasenotes/notes/add-tls-protocols-for-listener-and-pool-model-e9083b85afc62ef0.yaml
new file mode 100644
index 0000000..d5d2433
--- /dev/null
+++ b/releasenotes/notes/add-tls-protocols-for-listener-and-pool-model-e9083b85afc62ef0.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Added a parameter called ``tls_versions`` for
+ passing allowed TLS versions to pools and listeners.
+ The available TLS versions have corresponding
+ constants. The constants are prefixed with
+ ``TLS_VERSION`` (except SSLv3 which is
+ ``SSL_VERSION_3``).
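Review bot: The two added `pop('tls_versions', None)` calls in test_data_models.py make this test expect a serialised listener and pool with no `tls_versions` key, alongside the other keys removed here (`l7policies`, `sni_container_data`, `sni_container_refs`, `members`). If a provider driver consumes that form of the dict, the version restriction disappears without any signal and the backend's own defaults would apply. It is worth confirming the omission is intended for a plain list of strings, and recording the reason in a comment such as `# tls_versions is list-valued and is not rendered in this mode`, adjusted to the actual cause. The test method and the serialisation call it exercises are outside the hunk.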