From 8e7c2737b6c6c9ca08f9fce0867955c4c3740332 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Mon, 20 Nov 2023 13:43:48 -0500
Subject: [PATCH] Fix TLS-HELLO healthmonitors in the amphora-driver
TLS-HELLO HMs were based on the ssl-hello-chk option of haproxy, which uses SSLv3 messages. SSLv3 is deprecated and most distributions have disabled it, remove this option and rely only on the default checker when ssl is enabled [0]
[0] https://docs.haproxy.org/2.8/configuration.html#5.2-check
Related-Bug: #2043812
Change-Id: Ia681679e24437832e1e23e7399e1a34da8ab54c5
---
 .../jinja/haproxy/combined_listeners/templates/macros.j2 | 3 ---
 .../common/jinja/haproxy/combined_listeners/test_jinja_cfg.py | 1 -
 .../notes/fix-tls-hello-healthmonitors-a4b98a80f6de8394.yaml | 4 ++++
 3 files changed, 4 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/fix-tls-hello-healthmonitors-a4b98a80f6de8394.yaml
diff --git a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
index e07683c65a..f4d42377a2 100644
--- a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
+++ b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
@@ -375,9 +375,6 @@ backend {{ pool.id }}:{{ listener.id }}
 option httpchk {{ pool.health_monitor.http_method }} {{ pool.health_monitor.url_path }}
 {% endif %}
 http-check expect rstatus {{ pool.health_monitor.expected_codes }}
- {% endif %}
- {% if pool.health_monitor.type == constants.HEALTH_MONITOR_TLS_HELLO %}
- option ssl-hello-chk
 {% endif %}
 {% if pool.health_monitor.type == constants.HEALTH_MONITOR_PING %}
 option external-check
diff --git a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
index 28e7a2c991..3ab3c166eb 100644
--- a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
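Review bot: After the `option ssl-hello-chk` branch is removed there is no remaining reference to `HEALTH_MONITOR_TLS_HELLO` in this backend block, so a reader of the template cannot tell that TLS-HELLO monitors are now intentionally left to haproxy's default check on the server line, which is the behaviour the commit message relies on. A Jinja comment where the branch used to be would keep that intent visible, e.g. `{# HEALTH_MONITOR_TLS_HELLO: no backend-level option; the default check on the server line (with ssl) replaces the SSLv3-based ssl-hello-chk, see haproxy docs 5.2 "check" #}`. Whether the member lines actually carry the check keyword with ssl for this monitor type is not visible in the hunk and should be confirmed in the macro that renders them, since a TLS-HELLO monitor with no check at all would silently mark members up. The enclosing backend block starts and ends outside the hunk.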
+++ b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
@@ -813,7 +813,6 @@ class TestHaproxyCfg(base.TestCase):
 " balance roundrobin\n"
 " cookie SRV insert indirect nocache\n"
 " timeout check 31s\n"
- " option ssl-hello-chk\n"
 " fullconn {maxconn}\n"
 " option allbackups\n"
 " timeout connect 5000\n"
diff --git a/releasenotes/notes/fix-tls-hello-healthmonitors-a4b98a80f6de8394.yaml b/releasenotes/notes/fix-tls-hello-healthmonitors-a4b98a80f6de8394.yaml
new file mode 100644
index 0000000000..07b909109d
--- /dev/null
+++ b/releasenotes/notes/fix-tls-hello-healthmonitors-a4b98a80f6de8394.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Fixed TLS-HELLO health-monitors in the amphora-driver.
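Review bot: The hunk only drops the `" option ssl-hello-chk\n"` expectation, so the TLS-HELLO test now pins the absence of a backend option but nothing positive about how such a monitor is checked; a regression that renders no check at all for a TLS-HELLO member would still pass. The expected config in this test should also assert the rendered member line for the TLS-HELLO monitor (the check keyword together with its ssl setting, whatever the template emits for it), so the behaviour the commit message describes is verified rather than implied. The enclosing test method starts before and ends after the hunk, and the member line it expects is not visible here.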