1 Commits

Author SHA1 Message Date
Robin Cernin
d319662c6c Allow custom per-service bind_options for haproxy
There are situation when it might be required to use different TLS
versions between the services. HAproxy configures TLS version on
bind line in the configuration, there is missing customization.

At the moment we can only set TLS version globally via ssl_options

This code's idea it to configure it per-service. For example, with:
parameter_defaults:
   ExtraConfig:
      tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
      tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
      tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
      tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'

We will get something like the following in the haproxy config:
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
  ...

listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
  ...

listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
  ...

The two {public,internal}_bind_options accept both strings and arrays of
strings.

Closes-Bug: #1829328

Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
2019-05-18 19:41:03 +02:00