diff --git a/manifests/api.pp b/manifests/api.pp
index 987810d3..492f6c83 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -80,6 +80,33 @@
 # (optional) The interval healthcheck plugin should cache results, in seconds.
 # Defaults to $::os_service_default
 #
+# [*default_listener_ciphers*]
+# (optional) Default OpenSSL cipher string (colon-separated) for new
+# TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*default_pool_ciphers*]
+# (optional) Default OpenSSL cipher string (colon-separated) for new
+# TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*tls_cipher_prohibit_list*]
+# (optional) Colon separated list of OpenSSL ciphers. Usage of these ciphers
+# will be blocked.
+# Defaults to $::os_service_default
+#
+# [*default_listener_tls_versions*]
+# (optional) List of TLS versions to use for new TLS-enabled listeners.
+# Defaults to $::os_service_default
+#
+# [*default_pool_tls_versions*]
+# (optional) List of TLS versions to use for new TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*minimum_tls_version*]
+# (optional) Minimum allowed TLS version for listeners and pools.
+# Defaults to $::os_service_default
+#
 class octavia::api (
 $enabled = true,
 $manage_service = true,
@@ -99,6 +126,12 @@ class octavia::api (
 $pagination_max_limit = $::os_service_default,
 $healthcheck_enabled = $::os_service_default,
 $healthcheck_refresh_interval = $::os_service_default,
+ $default_listener_ciphers = $::os_service_default,
+ $default_pool_ciphers = $::os_service_default,
+ $tls_cipher_prohibit_list = $::os_service_default,
+ $default_listener_tls_versions = $::os_service_default,
+ $default_pool_tls_versions = $::os_service_default,
+ $minimum_tls_version = $::os_service_default,
 ) inherits octavia::params {
 
 include octavia::deps
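Review bot: The header entry added for `default_listener_ciphers` says the cipher string applies to "new TLS-enabled pools", which reads as a copy of the `default_pool_ciphers` entry directly below it; it should read `# (optional) Default OpenSSL cipher string (colon-separated) for new TLS-enabled listeners.` The three cipher entries document only a colon-separated string, while the matching `octavia_config` lines in the `@@ -160` hunk wrap the value with `any2array` and join it with `:` (and with `,` for the two `*_tls_versions` parameters), so each entry could say "Array or colon-separated string of OpenSSL ciphers" so Hiera users know both forms are accepted. The joined value is passed through without validation, so the docs should also state that entries are written as given and not checked against the ciphers the service actually supports.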
@@ -160,6 +193,12 @@ class octavia::api (
 'api_settings/pagination_max_limit': value => $pagination_max_limit;
 'api_settings/healthcheck_enabled': value => $healthcheck_enabled;
 'api_settings/healthcheck_refresh_interval': value => $healthcheck_refresh_interval;
+ 'api_settings/default_listener_ciphers': value => join(any2array($default_listener_ciphers), ':');
+ 'api_settings/default_pool_ciphers': value => join(any2array($default_pool_ciphers), ':');
+ 'api_settings/tls_cipher_prohibit_list': value => join(any2array($tls_cipher_prohibit_list), ':');
+ 'api_settings/default_listener_tls_versions': value => join(any2array($default_listener_tls_versions), ',');
+ 'api_settings/default_pool_tls_versions': value => join(any2array($default_pool_tls_versions), ',');
+ 'api_settings/minimum_tls_version': value => $minimum_tls_version;
 }
 
 oslo::middleware { 'octavia_config':
diff --git a/releasenotes/notes/api-tls-params-48cefc42aee491ab.yaml b/releasenotes/notes/api-tls-params-48cefc42aee491ab.yaml
new file mode 100644
index 00000000..e79dd471
--- /dev/null
+++ b/releasenotes/notes/api-tls-params-48cefc42aee491ab.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ The following parameters have been added to the ``octavia::api`` class.
+ These parameters allows customizing the same parameters in
+ the ``[api_setting]`` section.
+
+ - ``default_listener_ciphers``
+ - ``default_pool_ciphers``
+ - ``tls_cipher_prohibit_list``
+ - ``default_listener_tls_versions``
+ - ``default_pool_tls_versions``
+ - ``minimum_tls_version``
diff --git a/spec/classes/octavia_api_spec.rb b/spec/classes/octavia_api_spec.rb
index f4cb74ec..bb1346a0 100644
--- a/spec/classes/octavia_api_spec.rb
+++ b/spec/classes/octavia_api_spec.rb
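Review bot: `join(any2array($tls_cipher_prohibit_list), ':')` and the other four joined entries turn an empty array into `''`, so a caller passing `[]` hands the provider an empty string instead of the `$::os_service_default` sentinel; whether that clears the option or leaves it unset is decided by the `octavia_config` provider, which is outside this diff, so either document the behaviour or map the empty case back to the default before joining. The default path only works because `any2array` wraps the sentinel string as a single element and `join` returns it unchanged, which deserves a one-line comment above the new entries, e.g. `# any2array() keeps $::os_service_default as a one-element list, so join() passes the sentinel through.` The release note in this commit refers to the section as ``[api_setting]``, while the keys written here live under `api_settings/`; the note should use the same section name as the config resources.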
@@ -59,6 +59,12 @@ describe 'octavia::api' do
 is_expected.to contain_octavia_config('api_settings/pagination_max_limit').with_value('')
 is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value('')
 is_expected.to contain_octavia_config('api_settings/healthcheck_refresh_interval').with_value('')
+ is_expected.to contain_octavia_config('api_settings/default_listener_ciphers').with_value('')
+ is_expected.to contain_octavia_config('api_settings/default_pool_ciphers').with_value('')
+ is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list').with_value('')
+ is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions').with_value('')
+ is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions').with_value('')
+ is_expected.to contain_octavia_config('api_settings/minimum_tls_version').with_value('')
 is_expected.to contain_oslo__middleware('octavia_config').with(
 :enable_proxy_headers_parsing => '',
 )
@@ -145,6 +151,34 @@ describe 'octavia::api' do
 is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value(true)
 end
 end
+
+ context 'with tls cipher/version set' do
+ before do
+ params.merge!({
+ :default_listener_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256'],
+ :default_pool_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'],
+ :tls_cipher_prohibit_list => ['ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256'],
+ :default_listener_tls_versions => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
+ :default_pool_tls_versions => ['TLSv1.2', 'TLSv1.3'],
+ :minimum_tls_version => 'TLSv1',
+ })
+ end
+
+ it 'configures tls parameters' do
+ is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
 .with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256')
+ is_expected.to contain_octavia_config('api_settings/default_pool_ciphers')\
 .with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
+ is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list')\
 .with_value('ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256')
+ is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions')\
 .with_value('TLSv1.1,TLSv1.2,TLSv1.3')
+ is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions')\
 .with_value('TLSv1.2,TLSv1.3')
+ is_expected.to contain_octavia_config('api_settings/minimum_tls_version')\
 .with_value('TLSv1')
+ end
+ end
 end
 
 shared_examples 'octavia-api wsgi' do
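Review bot: The new `'with tls cipher/version set'` context only feeds arrays into the six parameters, so the string form that the `manifests/api.pp` header documents (a colon-separated cipher string) is never exercised, and a regression in the `any2array` wrapping would go unnoticed. A second context that passes a plain string for one of the joined parameters and expects it back unchanged closes that gap with a few lines. The fixture values (`TLSv1.1`, a minimum of `TLSv1`) are only pass-through test data here, but it may be worth a comment on the `params.merge!` call saying they are chosen for the join assertions rather than as recommended settings, so nobody copies them into Hiera.
```ruby
  # … unchanged: 'with tls cipher/version set' context …

  context 'with tls ciphers given as a string' do
    before do
      params.merge!({
        :default_listener_ciphers => 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
      })
    end

    it 'passes the string through unchanged' do
      is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
        .with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
    end
  end
```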