Merge "api: Add support for TLS cipher/version parameters"
commit
7edbd6dcae
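--- a/<path-not-shown: manifest declaring class octavia::api>
+++ b/<path-not-shown: manifest declaring class octavia::api>
@@ -80,6 +80,33 @@
 # (optional) The interval healthcheck plugin should cache results, in seconds.
 # Defaults to $::os_service_default
 #
+# [*default_listener_ciphers*]
+# (optional) Default OpenSSL cipher string (colon-separated) for new
+# TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*default_pool_ciphers*]
+# (optional) Default OpenSSL cipher string (colon-separated) for new
+# TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*tls_cipher_prohibit_list*]
+# (optional) Colon separated list of OpenSSL ciphers. Usage of these ciphers
+# will be blocked.
+# Defaults to $::os_service_default
+#
+# [*default_listener_tls_versions*]
+# (optional) List of TLS versions to use for new TLS-enabled listeners.
+# Defaults to $::os_service_default
+#
+# [*default_pool_tls_versions*]
+# (optional) List of TLS versions to use for new TLS-enabled pools.
+# Defaults to $::os_service_default
+#
+# [*minimum_tls_version*]
+# (optional) Minimum allowed TLS version for listeners and pools.
+# Defaults to $::os_service_default
+#
 class octavia::api (
 $enabled = true,
 $manage_service = true,
@@ -99,6 +126,12 @@ class octavia::api (
 $pagination_max_limit = $::os_service_default,
 $healthcheck_enabled = $::os_service_default,
 $healthcheck_refresh_interval = $::os_service_default,
+$default_listener_ciphers = $::os_service_default,
+$default_pool_ciphers = $::os_service_default,
+$tls_cipher_prohibit_list = $::os_service_default,
+$default_listener_tls_versions = $::os_service_default,
+$default_pool_tls_versions = $::os_service_default,
+$minimum_tls_version = $::os_service_default,
 ) inherits octavia::params {
 
 include octavia::deps
@@ -160,6 +193,12 @@ class octavia::api (
 'api_settings/pagination_max_limit': value => $pagination_max_limit;
 'api_settings/healthcheck_enabled': value => $healthcheck_enabled;
 'api_settings/healthcheck_refresh_interval': value => $healthcheck_refresh_interval;
+'api_settings/default_listener_ciphers': value => join(any2array($default_listener_ciphers), ':');
+'api_settings/default_pool_ciphers': value => join(any2array($default_pool_ciphers), ':');
+'api_settings/tls_cipher_prohibit_list': value => join(any2array($tls_cipher_prohibit_list), ':');
+'api_settings/default_listener_tls_versions': value => join(any2array($default_listener_tls_versions), ',');
+'api_settings/default_pool_tls_versions': value => join(any2array($default_pool_tls_versions), ',');
+'api_settings/minimum_tls_version': value => $minimum_tls_version;
 }
 
 oslo::middleware { 'octavia_config':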
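Review bot: The description of `default_listener_ciphers` in the first hunk says the cipher string applies to "new TLS-enabled pools", which is the wording of the `default_pool_ciphers` entry right below it; the second line should read `# TLS-enabled listeners.`. The same parameter documentation presents these values as colon-separated strings, yet the third hunk passes each of them through `join(any2array(...), ':')` (or `','` for the version lists), so an array is accepted as well and documenting that would tell operators they can pass a list such as `['TLSv1.2', 'TLSv1.3']` instead of assembling the delimited string by hand, e.g. `# (optional) Default OpenSSL cipher string (colon-separated) or array of` / `# cipher names for new TLS-enabled listeners.`. Only `minimum_tls_version` is written without the join, which is consistent with it being a single value. The body of `class octavia::api` continues outside these hunks.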
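--- /dev/null
+++ b/<path-not-shown: release note YAML added by this commit>
@@ -0,0 +1,13 @@
+---
+features:
+- |
+The following parameters have been added to the ``octavia::api`` class.
+These parameters allows customizing the same parameters in
+the ``[api_setting]`` section.
+
+- ``default_listener_ciphers``
+- ``default_pool_ciphers``
+- ``tls_cipher_prohibit_list``
+- ``default_listener_tls_versions``
+- ``default_pool_tls_versions``
+- ``minimum_tls_version``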
@ -59,6 +59,12 @@ describe 'octavia::api' do
|
||||||
is_expected.to contain_octavia_config('api_settings/pagination_max_limit').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('api_settings/pagination_max_limit').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_octavia_config('api_settings/healthcheck_refresh_interval').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('api_settings/healthcheck_refresh_interval').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/minimum_tls_version').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_oslo__middleware('octavia_config').with(
|
is_expected.to contain_oslo__middleware('octavia_config').with(
|
||||||
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
|
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
|
||||||
)
|
)
|
||||||
|
@ -145,6 +151,34 @@ describe 'octavia::api' do
|
||||||
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value(true)
|
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value(true)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with tls cipher/version set' do
|
||||||
|
before do
|
||||||
|
params.merge!({
|
||||||
|
:default_listener_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256'],
|
||||||
|
:default_pool_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'],
|
||||||
|
:tls_cipher_prohibit_list => ['ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256'],
|
||||||
|
:default_listener_tls_versions => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
|
||||||
|
:default_pool_tls_versions => ['TLSv1.2', 'TLSv1.3'],
|
||||||
|
:minimum_tls_version => 'TLSv1',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures tls parameters' do
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
|
||||||
|
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers')\
|
||||||
|
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list')\
|
||||||
|
.with_value('ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions')\
|
||||||
|
.with_value('TLSv1.1,TLSv1.2,TLSv1.3')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions')\
|
||||||
|
.with_value('TLSv1.2,TLSv1.3')
|
||||||
|
is_expected.to contain_octavia_config('api_settings/minimum_tls_version')\
|
||||||
|
.with_value('TLSv1')
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'octavia-api wsgi' do
|
shared_examples 'octavia-api wsgi' do
|
||||||
|
|
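Review bot: The new `with tls cipher/version set` context in the second hunk only exercises the array form of the cipher and version parameters, so the string branch of the manifest's `any2array` conversion — the form the parameter documentation actually describes — is never asserted; one extra example passing `:tls_cipher_prohibit_list => 'ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'` and expecting the same value written unchanged would pin that path. As a point of style, the trailing `\` before each `.with_value(...)` line is unnecessary in Ruby, since a line beginning with `.` already continues the expression, and the first hunk writes the same expectations on a single line without it. The enclosing `describe 'octavia::api'` block starts outside the hunk.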