d319662c6c
There are situation when it might be required to use different TLS
versions between the services. HAproxy configures TLS version on
bind line in the configuration, there is missing customization.
At the moment we can only set TLS version globally via ssl_options
This code's idea it to configure it per-service. For example, with:
parameter_defaults:
ExtraConfig:
tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'
We will get something like the following in the haproxy config:
listen cinder
bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
...
listen keystone_public
bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
bind fd00:fd00:fd00:2000::17:5000 transparent
...
listen horizon
bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
...
The two {public,internal}_bind_options accept both strings and arrays of
strings.
Closes-Bug: #1829328
Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b
11 lines
517 B
YAML
11 lines
517 B
YAML
---
|
|
features:
|
|
- |
|
|
Two custom per-service hiera keys are added
|
|
tripleo::haproxy::<service>::internal_bind_options and
|
|
tripleo::haproxy::<service>::public_bind_options. They control additional
|
|
custom options that can be added to the bind line of a specific service configuration
|
|
in haproxy. One use case is to force older TLS versions for internal APIs that
|
|
end up pointing to devices that do not support the latest TLS standard.
|
|
They accept a single string or an array of strings.
|