Octavia: Accept lists for Ciphers parameters
This is a follow-up of 8751555509
and allows usage of list values for ciphers parameters so that users can more easily maintain items. List values are automatically converted to colon-separated strings by puppet-octavia. Also, some default values are quite long and make maintenance quite difficult. Instead of hard-coding defaults, these parameters use the service default when the values are unset (or intentionally set to empty lists). Conflicts: deployment/octavia/octavia-api-container-puppet.yaml Change-Id: I09ca5baff60f472edee0a4bde59f9c2e575dfdee (cherry picked from commit fef8dacd9f
)
This commit is contained in:
parent
36d0e18033
commit
549dd7e68b
@ -86,14 +86,14 @@ parameters:
Use the advanced (eventlet safe) memcached client pool.
default: true
OctaviaDefaultListenerCiphers:
type: string
default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
type: comma_delimited_list
default: []
OctaviaDefaultPoolCiphers:
type: string
default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
type: comma_delimited_list
default: []
OctaviaTlsCiphersProhibitList:
type: string # colon separated list
default: ''
type: comma_delimited_list
default: []
OctaviaListenerTlsVersions:
type: comma_delimited_list
default: ['TLSv1.2', 'TLSv1.3']
@ -108,7 +108,11 @@ conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
enable_driver_agent: {equals: [{get_param: OctaviaEnableDriverAgent}, true]}
octavia_min_tls_version:
octavia_default_listener_ciphers_set:
not: {equals : [{get_param: OctaviaDefaultListenerCiphers}, []]}
octavia_default_pool_ciphers_set:
not: {equals : [{get_param: OctaviaDefaultPoolCiphers}, []]}
octavia_min_tls_version_set:
not: {equals : [{get_param: OctaviaMinimumTlsVersion}, '']}
resources:
@ -215,8 +219,6 @@ outputs:
octavia::api::service_name: 'httpd'
octavia::api::enable_proxy_headers_parsing: true
octavia::api::healthcheck_enabled: true
octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
@ -259,9 +261,14 @@ outputs:
- {get_attr: [OctaviaProviderConfig, role_data, provider_driver_labels]}
- []
- if:
- octavia_min_tls_version
- octavia::api::minimum_tls_version: { get_param: OctaviaMinimumTlsVersion }
- octavia_default_listener_ciphers_set
- octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
- if:
- octavia_default_pool_ciphers_set
- octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
- if:
- octavia_min_tls_version_set
- octavia::api::minimum_tls_version: {get_param: OctaviaMinimumTlsVersion}
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_api:
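Review bot: None of the three parameters switched to `comma_delimited_list` in the first hunk (`OctaviaDefaultListenerCiphers`, `OctaviaDefaultPoolCiphers`, `OctaviaTlsCiphersProhibitList`) carries a `description:`, so an operator reading the template cannot tell that an empty list now means "defer to the Octavia service default" rather than "no ciphers", nor that the entries are colon-joined by puppet-octavia before reaching octavia.conf. Suggest adding one to each, e.g. `description: List of TLS cipher suites (OpenSSL names) applied to new listeners by default; puppet-octavia joins them with ':'. Leave empty to use the Octavia service default.` with matching wording for the pool list and the prohibit list. The removed hard-coded defaults pinned a specific cipher set, whereas the effective policy now follows whatever the deployed Octavia release ships, so the description should say so explicitly because a later release may loosen or tighten it without any change to this template. Separately, in the third hunk `octavia::api::tls_cipher_prohibit_list` is still set unconditionally from a parameter whose default is now `[]`, unlike the listener and pool cipher settings that were moved behind the new `*_set` conditions; if puppet-octavia does not render an empty list as the previous `''`, the emitted config changes, so this is worth confirming or guarding with a condition in the same style.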