There are situations when it might be required to use different TLS
versions between the services. HAProxy configures the TLS version on the
bind line in the configuration, and this customization is missing.
At the moment we can only set the TLS version globally via ssl_options.
This code's idea is to configure it per-service. For example, with:
parameter_defaults:
  ExtraConfig:
    tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
    tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
    tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
    tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'
We will get something like the following in the haproxy config:
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
  ...
listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
  ...
listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
  ...
The two {public,internal}_bind_options accept both strings and arrays of
strings.
Closes-Bug: #1829328
Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
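A check a practitioner would want next to a change like this, added here as an example and not code from the puppet-tripleo commit above: a small Python lint that walks a rendered haproxy.cfg and reports, per listen section and per bind line, which TLS version range is enforced. Two caveats it encodes: a force-tlsv1x flag pins both the minimum and the maximum to that single protocol version (so force-tlsv11 means clients must speak exactly TLS 1.1, which is below the common TLS 1.2 floor), and a version option on a bind line without the ssl keyword enforces nothing, because no TLS handshake happens on a plaintext bind. The sample config is constructed from the commit message's own output; the section/bind layout and the set of recognised bind keywords (ssl, crt, force-tlsv1x, ssl-min-ver, ssl-max-ver) are the lint's assumptions, and MIN_ACCEPTABLE is a policy threshold chosen for the example.

```python
"""Lint the per-bind TLS version options in a rendered HAProxy config.

Added example, not code from the puppet-tripleo change.  It assumes the
layout that change renders (``listen`` sections with ``bind`` lines) and
understands only these bind keywords: ``ssl``, ``crt``, the
``force-tlsv1x`` flags, and ``ssl-min-ver`` / ``ssl-max-ver``.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol versions in increasing strength, spelled as HAProxy spells them.
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# A force-* flag pins both the minimum and the maximum to one version.
FORCE_FLAGS = {
    "force-sslv3": "SSLv3",
    "force-tlsv10": "TLSv1.0",
    "force-tlsv11": "TLSv1.1",
    "force-tlsv12": "TLSv1.2",
    "force-tlsv13": "TLSv1.3",
}
MIN_ACCEPTABLE = "TLSv1.2"  # assumed policy floor for this example

# Constructed sample, modelled on the haproxy output in the commit message.
SAMPLE_CONFIG = """\
listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent
listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
"""


@dataclass
class BindTls:
    section: str
    address: str
    ssl: bool = False
    min_ver: Optional[str] = None  # None: inherits ssl-default-bind-options
    max_ver: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_binds(config: str) -> List[BindTls]:
    """Return one BindTls per bind line, in file order."""
    binds: List[BindTls] = []
    section: Optional[str] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in ("listen", "frontend") and len(tokens) > 1:
            section = tokens[1]
            continue
        if tokens[0] != "bind" or section is None or len(tokens) < 2:
            continue
        b = BindTls(section=section, address=tokens[1])
        opts = tokens[2:]
        i = 0
        while i < len(opts):
            opt = opts[i]
            if opt == "ssl":
                b.ssl = True
            elif opt in FORCE_FLAGS:
                b.min_ver = b.max_ver = FORCE_FLAGS[opt]
            elif opt in ("ssl-min-ver", "ssl-max-ver", "crt") and i + 1 < len(opts):
                if opt == "ssl-min-ver":
                    b.min_ver = opts[i + 1]
                elif opt == "ssl-max-ver":
                    b.max_ver = opts[i + 1]
                i += 1  # skip the keyword's argument
            i += 1
        binds.append(b)
    return binds


def _rank(version: str) -> int:
    return VERSION_ORDER.index(version) if version in VERSION_ORDER else -1


def lint(binds: List[BindTls]) -> List[BindTls]:
    """Attach findings to each bind in place and return the same list."""
    for b in binds:
        if not b.ssl:
            if b.min_ver or b.max_ver:  # plaintext bind: no handshake to constrain
                b.findings.append("version option on a bind without 'ssl': "
                                  "no TLS handshake happens here, so nothing is enforced")
            continue
        if b.min_ver is None:
            b.findings.append("no per-bind minimum; global default applies")
        elif _rank(b.min_ver) < 0:
            b.findings.append(f"unknown version token {b.min_ver!r}")
        elif _rank(b.min_ver) < _rank(MIN_ACCEPTABLE):
            b.findings.append(f"accepts {b.min_ver}, below {MIN_ACCEPTABLE}")
        if b.min_ver and b.max_ver and _rank(b.min_ver) > _rank(b.max_ver) >= 0:
            b.findings.append("ssl-min-ver is above ssl-max-ver")
    return binds


def weak_tls_binds(config: str) -> List[str]:
    """'section address' for every TLS bind whose floor is below MIN_ACCEPTABLE."""
    return [f"{b.section} {b.address}" for b in lint(parse_binds(config))
            if b.ssl and b.min_ver and 0 <= _rank(b.min_ver) < _rank(MIN_ACCEPTABLE)]


if __name__ == "__main__":
    for b in lint(parse_binds(SAMPLE_CONFIG)):
        tls = (f"ssl min={b.min_ver or 'default'} max={b.max_ver or 'default'}"
               if b.ssl else "plaintext")
        print(f"{b.section:16} {b.address:40} {tls}")
        for finding in b.findings:
            print(f"    ! {finding}")
```

Run it against the real rendered /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg (or wherever your deployment renders it) instead of SAMPLE_CONFIG; a bind that shows "no per-bind minimum" is governed by the global ssl_options and should be judged there, and a bind flagged "below TLSv1.2" is the one to revisit before choosing force-tlsv11 for a service.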