Allow custom per-service bind_options for haproxy

There are situation when it might be required to use different TLS versions between the services. HAproxy configures TLS version on bind line in the configuration, there is missing customization. At the moment we can only set TLS version globally via ssl_options This code's idea it to configure it per-service. For example, with: parameter_defaults: ExtraConfig: tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11' tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12' tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11' tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12' We will get something like the following in the haproxy config: listen cinder bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11 ... listen keystone_public bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12 bind fd00:fd00:fd00:2000::17:5000 transparent ... listen horizon bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11 bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11 bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12 bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12 ... The two {public,internal}_bind_options accept both strings and arrays of strings. Closes-Bug: #1829328 Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
2019-05-18 14:16:47 +02:00 · 2019-05-18 14:16:47 +02:00 · d319662c6c
commit d319662c6c
parent d4df475b74
3 changed files with 29 additions and 11 deletions
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@ -160,6 +160,8 @@ define tripleo::haproxy::endpoint (
  }
  # Let users override the options on a per-service basis
  $custom_options = hiera("tripleo::haproxy::${name}::options", undef)
+  $custom_bind_options_public = delete(any2array(hiera("tripleo::haproxy::${name}::public_bind_options", undef)), undef).flatten()
+  $custom_bind_options_internal = delete(any2array(hiera("tripleo::haproxy::${name}::internal_bind_options", undef)), undef).flatten()
  if $public_virtual_ip {
    # service exposed to the public network

@ -175,10 +177,11 @@ define tripleo::haproxy::endpoint (
        $listen_options_precookie = merge($listen_options, $custom_options)
      }
      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
-                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public))
    } else {
      $listen_options_precookie = merge($listen_options, $custom_options)
-      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
+      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"),
+                                        union($haproxy_listen_bind_param, $custom_bind_options_public))
    }
  } else {
    # internal service only
@ -211,13 +214,16 @@ define tripleo::haproxy::endpoint (
      $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
    }
    $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
-                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
+                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path],
+                                        $custom_bind_options_internal))
  } else {
    if $service_network == 'external' and $public_certificate {
      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
-                                          union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+                                          union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate],
+                                          $custom_bind_options_internal))
    } else {
-      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
+      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
+                                          union($haproxy_listen_bind_param, $custom_bind_options_internal))
    }
  }
  if $authorized_userlist {
--- a/manifests/haproxy/horizon_endpoint.pp
+++ b/manifests/haproxy/horizon_endpoint.pp
@ -80,6 +80,8 @@ class tripleo::haproxy::horizon_endpoint (
 ) {
  # Let users override the options on a per-service basis
  $custom_options = hiera('tripleo::haproxy::horizon::options', undef)
+  $custom_bind_options_public = delete(any2array(hiera('tripleo::haproxy::horizon::public_bind_options', undef)), undef).flatten()
+  $custom_bind_options_internal = delete(any2array(hiera('tripleo::haproxy::horizon::internal_bind_options', undef)), undef).flatten()
  # service exposed to the public network
  if $public_certificate {
    if $use_internal_certificates {
@ -107,10 +109,10 @@ class tripleo::haproxy::horizon_endpoint (
    # Even though for the public_virtual_ip the port 80 is listening, we
    # redirect to https in the horizon_options below.
    $horizon_bind_opts = {
-      "${internal_ip}:80"        => $haproxy_listen_bind_param,
-      "${internal_ip}:443"       => $internal_bind_opts,
-      "${public_virtual_ip}:80"  => $haproxy_listen_bind_param,
-      "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
+      "${internal_ip}:80"        => union($haproxy_listen_bind_param, $custom_bind_options_internal),
+      "${internal_ip}:443"       => union($internal_bind_opts, $custom_bind_options_internal),
+      "${public_virtual_ip}:80"  => union($haproxy_listen_bind_param, $custom_bind_options_public),
+      "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public),
    }
    $horizon_options = merge({
      'cookie'       => 'SERVERID insert indirect nocache',
@ -124,8 +126,8 @@ class tripleo::haproxy::horizon_endpoint (
    }, $custom_options)
  } else {
    $horizon_bind_opts = {
-      "${internal_ip}:80" => $haproxy_listen_bind_param,
-      "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+      "${internal_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_internal),
+      "${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
    }
    $horizon_options = merge({
      'cookie' => 'SERVERID insert indirect nocache',
--- a/releasenotes/notes/haproxy-custom-bind-opts-09226d990c62063d.yaml
+++ b/releasenotes/notes/haproxy-custom-bind-opts-09226d990c62063d.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+     Two custom per-service hiera keys are added
+     tripleo::haproxy::<service>::internal_bind_options and
+     tripleo::haproxy::<service>::public_bind_options. They control additional
+     custom options that can be added to the bind line of a specific service configuration
+     in haproxy. One use case is to force older TLS versions for internal APIs that
+     end up pointing to devices that do not support the latest TLS standard.
+     They accept a single string or an array of strings.