Merge "api: Add support for TLS cipher/version parameters"

Zuul 2022-02-20 10:39:33 +00:00 committed by Gerrit Code Review
commit 7edbd6dcae
3 changed files with 86 additions and 0 deletions


@ -80,6 +80,33 @@
# (optional) The interval healthcheck plugin should cache results, in seconds.
# Defaults to $::os_service_default
#
# [*default_listener_ciphers*]
# (optional) Default OpenSSL cipher string (colon-separated) for new
# TLS-enabled pools.
# Defaults to $::os_service_default
#
# [*default_pool_ciphers*]
# (optional) Default OpenSSL cipher string (colon-separated) for new
# TLS-enabled pools.
# Defaults to $::os_service_default
#
# [*tls_cipher_prohibit_list*]
# (optional) Colon separated list of OpenSSL ciphers. Usage of these ciphers
# will be blocked.
# Defaults to $::os_service_default
#
# [*default_listener_tls_versions*]
# (optional) List of TLS versions to use for new TLS-enabled listeners.
# Defaults to $::os_service_default
#
# [*default_pool_tls_versions*]
# (optional) List of TLS versions to use for new TLS-enabled pools.
# Defaults to $::os_service_default
#
# [*minimum_tls_version*]
# (optional) Minimum allowed TLS version for listeners and pools.
# Defaults to $::os_service_default
#
class octavia::api (
$enabled = true,
$manage_service = true,
@ -99,6 +126,12 @@ class octavia::api (
$pagination_max_limit = $::os_service_default,
$healthcheck_enabled = $::os_service_default,
$healthcheck_refresh_interval = $::os_service_default,
$default_listener_ciphers = $::os_service_default,
$default_pool_ciphers = $::os_service_default,
$tls_cipher_prohibit_list = $::os_service_default,
$default_listener_tls_versions = $::os_service_default,
$default_pool_tls_versions = $::os_service_default,
$minimum_tls_version = $::os_service_default,
) inherits octavia::params {
include octavia::deps
@ -160,6 +193,12 @@ class octavia::api (
'api_settings/pagination_max_limit': value => $pagination_max_limit;
'api_settings/healthcheck_enabled': value => $healthcheck_enabled;
'api_settings/healthcheck_refresh_interval': value => $healthcheck_refresh_interval;
'api_settings/default_listener_ciphers': value => join(any2array($default_listener_ciphers), ':');
'api_settings/default_pool_ciphers': value => join(any2array($default_pool_ciphers), ':');
'api_settings/tls_cipher_prohibit_list': value => join(any2array($tls_cipher_prohibit_list), ':');
'api_settings/default_listener_tls_versions': value => join(any2array($default_listener_tls_versions), ',');
'api_settings/default_pool_tls_versions': value => join(any2array($default_pool_tls_versions), ',');
'api_settings/minimum_tls_version': value => $minimum_tls_version;
}
oslo::middleware { 'octavia_config':
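Review bot: The doc comment for `default_listener_ciphers` (lines 14–16) is a copy of the pool entry and describes the wrong resource; it should read `# (optional) Default OpenSSL cipher string (colon-separated) for new` / `# TLS-enabled listeners.` Beyond that, the six values are written straight into the config (third hunk) with no consistency check: a `minimum_tls_version` higher than an entry in `default_listener_tls_versions` or `default_pool_tls_versions`, or a cipher that appears both in a default list and in `tls_cipher_prohibit_list`, is — if I recall Octavia's startup validation correctly — only caught when octavia-api refuses to start, which is after the Puppet run has reported success. At minimum the `minimum_tls_version` doc should warn operators, e.g. `# Must not be higher than any entry in default_listener_tls_versions or default_pool_tls_versions, otherwise octavia-api fails to start.`; a `fail()` guard in the class would surface it at catalog compile time instead. A short comment above the `join()` lines explaining why the version lists use ',' while the cipher lists use ':' (Octavia list option vs. OpenSSL cipher string) would also help callers who pass a pre-joined string with the wrong separator, which `any2array` passes through unchanged.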


@ -0,0 +1,13 @@
---
features:
- |
The following parameters have been added to the ``octavia::api`` class.
These parameters allows customizing the same parameters in
the ``[api_setting]`` section.
- ``default_listener_ciphers``
- ``default_pool_ciphers``
- ``tls_cipher_prohibit_list``
- ``default_listener_tls_versions``
- ``default_pool_tls_versions``
- ``minimum_tls_version``


@ -59,6 +59,12 @@ describe 'octavia::api' do
is_expected.to contain_octavia_config('api_settings/pagination_max_limit').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/healthcheck_refresh_interval').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('api_settings/minimum_tls_version').with_value('<SERVICE DEFAULT>')
is_expected.to contain_oslo__middleware('octavia_config').with(
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
)
@ -145,6 +151,34 @@ describe 'octavia::api' do
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value(true)
end
end
context 'with tls cipher/version set' do
before do
params.merge!({
:default_listener_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256'],
:default_pool_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'],
:tls_cipher_prohibit_list => ['ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256'],
:default_listener_tls_versions => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
:default_pool_tls_versions => ['TLSv1.2', 'TLSv1.3'],
:minimum_tls_version => 'TLSv1',
})
end
it 'configures tls parameters' do
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256')
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers')\
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list')\
.with_value('ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256')
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions')\
.with_value('TLSv1.1,TLSv1.2,TLSv1.3')
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions')\
.with_value('TLSv1.2,TLSv1.3')
is_expected.to contain_octavia_config('api_settings/minimum_tls_version')\
.with_value('TLSv1')
end
end
end
shared_examples 'octavia-api wsgi' do
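Review bot: The fixture in the second hunk enables `TLSv1.1` (line 110) and sets `minimum_tls_version` to `TLSv1` (line 112); both protocol versions are deprecated, and since this spec is the only worked example of the new parameters it will be copied as-is. Prefer `:default_listener_tls_versions => ['TLSv1.2', 'TLSv1.3'],` and `:minimum_tls_version => 'TLSv1.2',` so the example reflects a configuration the module should encourage. The context also only exercises array input; a pre-joined string such as `:default_pool_tls_versions => 'TLSv1.2,TLSv1.3',` with the matching `.with_value('TLSv1.2,TLSv1.3')` expectation would pin the `any2array` passthrough that the manifest relies on. The enclosing `describe 'octavia::api'` block starts before and ends after this hunk.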