Merge "api: Add support for TLS cipher/version parameters"
commit
7edbd6dcae
|
@ -80,6 +80,33 @@
|
|||
# (optional) The interval healthcheck plugin should cache results, in seconds.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*default_listener_ciphers*]
|
||||
# (optional) Default OpenSSL cipher string (colon-separated) for new
|
||||
# TLS-enabled pools.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*default_pool_ciphers*]
|
||||
# (optional) Default OpenSSL cipher string (colon-separated) for new
|
||||
# TLS-enabled pools.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*tls_cipher_prohibit_list*]
|
||||
# (optional) Colon separated list of OpenSSL ciphers. Usage of these ciphers
|
||||
# will be blocked.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*default_listener_tls_versions*]
|
||||
# (optional) List of TLS versions to use for new TLS-enabled listeners.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*default_pool_tls_versions*]
|
||||
# (optional) List of TLS versions to use for new TLS-enabled pools.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*minimum_tls_version*]
|
||||
# (optional) Minimum allowed TLS version for listeners and pools.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
class octavia::api (
|
||||
$enabled = true,
|
||||
$manage_service = true,
|
||||
|
@ -99,6 +126,12 @@ class octavia::api (
|
|||
$pagination_max_limit = $::os_service_default,
|
||||
$healthcheck_enabled = $::os_service_default,
|
||||
$healthcheck_refresh_interval = $::os_service_default,
|
||||
$default_listener_ciphers = $::os_service_default,
|
||||
$default_pool_ciphers = $::os_service_default,
|
||||
$tls_cipher_prohibit_list = $::os_service_default,
|
||||
$default_listener_tls_versions = $::os_service_default,
|
||||
$default_pool_tls_versions = $::os_service_default,
|
||||
$minimum_tls_version = $::os_service_default,
|
||||
) inherits octavia::params {
|
||||
|
||||
include octavia::deps
|
||||
|
@ -160,6 +193,12 @@ class octavia::api (
|
|||
'api_settings/pagination_max_limit': value => $pagination_max_limit;
|
||||
'api_settings/healthcheck_enabled': value => $healthcheck_enabled;
|
||||
'api_settings/healthcheck_refresh_interval': value => $healthcheck_refresh_interval;
|
||||
'api_settings/default_listener_ciphers': value => join(any2array($default_listener_ciphers), ':');
|
||||
'api_settings/default_pool_ciphers': value => join(any2array($default_pool_ciphers), ':');
|
||||
'api_settings/tls_cipher_prohibit_list': value => join(any2array($tls_cipher_prohibit_list), ':');
|
||||
'api_settings/default_listener_tls_versions': value => join(any2array($default_listener_tls_versions), ',');
|
||||
'api_settings/default_pool_tls_versions': value => join(any2array($default_pool_tls_versions), ',');
|
||||
'api_settings/minimum_tls_version': value => $minimum_tls_version;
|
||||
}
|
||||
|
||||
oslo::middleware { 'octavia_config':
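Review bot: The parameter documentation in the first hunk of this file describes `default_listener_ciphers` as applying to "new TLS-enabled pools", which is a copy of the `default_pool_ciphers` text; it should read `# (optional) Default OpenSSL cipher string (colon-separated) for new` / `# TLS-enabled listeners.`. Because the config hunk runs every list through `join(any2array(...), ':')` or `','`, the six docstrings would also be clearer if they said that either a pre-joined string or an array of names is accepted, e.g. `# (optional) List (array or comma-separated string) of TLS versions to use for new TLS-enabled listeners.`. Nothing in the manifest checks that the listener/pool version lists are consistent with `minimum_tls_version` or that the cipher names are valid OpenSSL names; presumably Octavia validates these at API/listener creation time, so a one-line note that values are passed through unvalidated would save operators a debugging round-trip. The `octavia::api` class body continues outside the hunks shown.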
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The following parameters have been added to the ``octavia::api`` class.
|
||||
These parameters allows customizing the same parameters in
|
||||
the ``[api_setting]`` section.
|
||||
|
||||
- ``default_listener_ciphers``
|
||||
- ``default_pool_ciphers``
|
||||
- ``tls_cipher_prohibit_list``
|
||||
- ``default_listener_tls_versions``
|
||||
- ``default_pool_tls_versions``
|
||||
- ``minimum_tls_version``
|
|
@ -59,6 +59,12 @@ describe 'octavia::api' do
|
|||
is_expected.to contain_octavia_config('api_settings/pagination_max_limit').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/healthcheck_refresh_interval').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('api_settings/minimum_tls_version').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_oslo__middleware('octavia_config').with(
|
||||
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
|
||||
)
|
||||
|
@ -145,6 +151,34 @@ describe 'octavia::api' do
|
|||
is_expected.to contain_octavia_config('api_settings/healthcheck_enabled').with_value(true)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with tls cipher/version set' do
|
||||
before do
|
||||
params.merge!({
|
||||
:default_listener_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256'],
|
||||
:default_pool_ciphers => ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'],
|
||||
:tls_cipher_prohibit_list => ['ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256'],
|
||||
:default_listener_tls_versions => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
|
||||
:default_pool_tls_versions => ['TLSv1.2', 'TLSv1.3'],
|
||||
:minimum_tls_version => 'TLSv1',
|
||||
})
|
||||
end
|
||||
|
||||
it 'configures tls parameters' do
|
||||
is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
|
||||
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256')
|
||||
is_expected.to contain_octavia_config('api_settings/default_pool_ciphers')\
|
||||
.with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
|
||||
is_expected.to contain_octavia_config('api_settings/tls_cipher_prohibit_list')\
|
||||
.with_value('ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256')
|
||||
is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions')\
|
||||
.with_value('TLSv1.1,TLSv1.2,TLSv1.3')
|
||||
is_expected.to contain_octavia_config('api_settings/default_pool_tls_versions')\
|
||||
.with_value('TLSv1.2,TLSv1.3')
|
||||
is_expected.to contain_octavia_config('api_settings/minimum_tls_version')\
|
||||
.with_value('TLSv1')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'octavia-api wsgi' do
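Review bot: The new 'with tls cipher/version set' context only exercises the array form of the six parameters, while the manifest's `join(any2array(...))` also accepts a pre-joined string (the form the parameter docs describe), so that path has no coverage; a second context passing strings such as `'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'` and `'TLSv1.2,TLSv1.3'` and asserting they come through unchanged would pin it, assuming `any2array` wraps a String in a one-element array as the default-value assertions above suggest. As a point of style, the fixture values `'TLSv1.1'` in `default_listener_tls_versions` and `:minimum_tls_version => 'TLSv1'` model a deprecated protocol configuration; since spec fixtures tend to be copied into operator docs, `['TLSv1.2', 'TLSv1.3']` and `'TLSv1.2'` would test the same code path without normalising a weak setting. The enclosing `describe 'octavia::api'` block starts and ends outside this hunk.
```ruby
      # … unchanged: 'with tls cipher/version set' context …

      context 'with tls cipher/version set as strings' do
        before do
          params.merge!({
            :default_listener_ciphers      => 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
            :default_listener_tls_versions => 'TLSv1.2,TLSv1.3',
          })
        end

        it 'passes pre-joined strings through unchanged' do
          is_expected.to contain_octavia_config('api_settings/default_listener_ciphers')\
            .with_value('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256')
          is_expected.to contain_octavia_config('api_settings/default_listener_tls_versions')\
            .with_value('TLSv1.2,TLSv1.3')
        end
      end
```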
|
||||
|
|