Add defaults for TLS 1.3 and rename TLS <= 1.2 variable

TLS v1.3 uses different (incompatible) cipher suite names, so
a new variable is added to set these in roles which require them.

TLS v1.2 and below is still required, but the variable name is
changed to avoid confusion, whilst using the old name as a default
if set by a user deployment.

Change-Id: I9312daa7ca75e484f8aa3857fe43565c89e3f09a

inventory/group_vars/all/ssl.yml

@@ -18,7 +18,8 @@
 # services running behind Apache (currently, Horizon and Keystone).
 ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
 #variables used in OSA roles which call the PKI role
 openstack_pki_dir: "/etc/openstack_deploy/pki"
@@ -63,4 +64,4 @@ openstack_pki_authorities:
 
 #install the root CA certificate on all hosts and containers
 openstack_pki_install_ca:
- - name: "ExampleCorpRoot"
+ - name: "ExampleCorpRoot"

releasenotes/notes/tls_variables-991aec792d58eeb9.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    A new 'ssl_cipher_suite_tls13' variable is added for global control of
+    TLS v1.3 cipher suites.
+deprecations:
+  - |
+    The variable 'ssl_cipher_suite' is deprecated in favour of
+    'ssl_cipher_suite_tls12' which will continue to manage configuration of
+    ciphers for TLS v1.2 and earlier.