Merge "Octavia: Accept lists for Ciphers parameters"

2022-05-25 12:46:19 +00:00 · 2022-05-25 12:46:19 +00:00 · c0e154e231
parent 413d35ac7d fef8dacd9f
commit c0e154e231
1 changed files with 18 additions and 10 deletions
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -90,14 +90,14 @@ parameters:
    description: Number of workers for Octavia service.
    type: number
  OctaviaDefaultListenerCiphers:
-    type: string
-    default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
+    type: comma_delimited_list
+    default: []
  OctaviaDefaultPoolCiphers:
-    type: string
-    default: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
+    type: comma_delimited_list
+    default: []
  OctaviaTlsCiphersProhibitList:
-    type: string  # colon separated list
-    default: ''
+    type: comma_delimited_list
+    default: []
  OctaviaListenerTlsVersions:
    type: comma_delimited_list
    default: ['TLSv1.2', 'TLSv1.3']
@ -111,7 +111,11 @@ parameters:
 conditions:
  octavia_workers_set:
    not: {equals : [{get_param: OctaviaWorkers}, 0]}
-  octavia_min_tls_version:
+  octavia_default_listener_ciphers_set:
+    not: {equals : [{get_param: OctaviaDefaultListenerCiphers}, []]}
+  octavia_default_pool_ciphers_set:
+    not: {equals : [{get_param: OctaviaDefaultPoolCiphers}, []]}
+  octavia_min_tls_version_set:
    not: {equals : [{get_param: OctaviaMinimumTlsVersion}, '']}

 resources:
@ -215,8 +219,6 @@ outputs:
            octavia::api::service_name: 'httpd'
            octavia::api::enable_proxy_headers_parsing: true
            octavia::api::healthcheck_enabled: true
-            octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
-            octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
            octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
            octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
            octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
@ -261,7 +263,13 @@ outputs:
              - octavia_workers_set
              - octavia::wsgi::apache::workers: {get_param: OctaviaWorkers}
          - if:
-              - octavia_min_tls_version
+              - octavia_default_listener_ciphers_set
+              - octavia::api::default_listener_ciphers: {get_param: OctaviaDefaultListenerCiphers}
+          - if:
+              - octavia_default_pool_ciphers_set
+              - octavia::api::default_pool_ciphers: {get_param: OctaviaDefaultPoolCiphers}
+          - if:
+              - octavia_min_tls_version_set
              - octavia::api::minimum_tls_version: {get_param: OctaviaMinimumTlsVersion}
      service_config_settings:
        rsyslog: