openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Add Octavia TLS parameters"

Browse Source
This commit is contained in:
Zuul 2022-03-21 15:33:56 +00:00 committed by Gerrit Code Review
commit 10707e9768
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
deployment/octavia/octavia-api-container-puppet.yaml
View File

@ -89,10 +89,30 @@ parameters:
default: 0 default: 0
description: Number of workers for Octavia service. description: Number of workers for Octavia service.
type: number type: number
OctaviaDefaultListenerCiphers:
type: string
default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
OctaviaDefaultPoolCiphers:
type: string
default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
OctaviaTlsCiphersProhibitList:
type: string # colon separated list
default: ''
OctaviaListenerTlsVersions:
type: comma_delimited_list
default: ['TLSv1.2', 'TLSv1.3']
OctaviaPoolTlsVersions:
type: comma_delimited_list
default: ['TLSv1.2', 'TLSv1.3']
OctaviaMinimumTlsVersion:
type: string
default: ''
conditions: conditions:
octavia_workers_set: octavia_workers_set:
not: {equals : [{get_param: OctaviaWorkers}, 0]} not: {equals : [{get_param: OctaviaWorkers}, 0]}
octavia_min_tls_version:
not: {equals : [{get_param: OctaviaMinimumTlsVersion}, '']}
resources: resources:
ContainersCommon: ContainersCommon:
@ -188,6 +208,11 @@ outputs:
octavia::api::service_name: 'httpd' octavia::api::service_name: 'httpd'
octavia::api::enable_proxy_headers_parsing: true octavia::api::enable_proxy_headers_parsing: true
octavia::api::healthcheck_enabled: true octavia::api::healthcheck_enabled: true
octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS} octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP # NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api): # for the given network; replacement examples (eg. for internal_api):
@ -228,6 +253,9 @@ outputs:
- if: - if:
- octavia_workers_set - octavia_workers_set
- octavia::wsgi::apache::workers: {get_param: OctaviaWorkers} - octavia::wsgi::apache::workers: {get_param: OctaviaWorkers}
- if:
- octavia_min_tls_version
- octavia::api::minimum_tls_version: {get_param: OctaviaMinimumTlsVersion}
service_config_settings: service_config_settings:
rsyslog: rsyslog:
tripleo_logging_sources_octavia_api: tripleo_logging_sources_octavia_api:

4
releasenotes/notes/add-octavia-tls-settings-7583df511c53b27a.yaml Normal file
View File

@ -0,0 +1,4 @@
---
features:
- |
- Added the Octavia TLS parameters.