authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-18 09:57:42 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-22 11:18:40 +0200
commit5c248dbd67de167c14bf73fd077f71fb18fcf29b (patch)
treef17c8c0045f54fd1cbb112d8e10deca14c7a0014 /manifests
parent4988d0fc359a59af6ce86c0beb8549a950df57cd (diff)
Make cipher suite and SSL options configurable
This change makes the cipher suite used by HAProxy and the SSL bind options configurable, so a deployer can now set them through hiera. The default cipher suite comes from the Fedora system crypto policy. Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
Diffstat (limited to 'manifests')
-rw-r--r--manifests/loadbalancer.pp26
1 files changed, 20 insertions, 6 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..140713b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
# [*keystone_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the Keystone public API endpoint using the specified file.
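Review bot: The new `[*ssl_options*]` entry should state that the default `no-sslv3` disables only SSLv3, so TLS 1.0 and 1.1 stay negotiable; a deployer hardening these endpoints needs to know to override it with something like `no-sslv3 no-tlsv10 no-tlsv11`. Likewise the `[*ssl_cipher_suite*]` entry would benefit from saying that the default still admits `kRSA` (no forward secrecy) and, ranked last by the `+3DES` prefix, 3DES, i.e. it is a compatibility default rather than a hardened one. I would add under `[*ssl_options*]`: `# Note: 'no-sslv3' leaves TLS 1.0/1.1 enabled; add 'no-tlsv10 no-tlsv11' to require TLS 1.2.` and under `[*ssl_cipher_suite*]`: `# Note: the default still permits RSA key exchange (no forward secrecy) and 3DES, for client compatibility.` Both strings are passed verbatim into HAProxy's global section, which presumably only works with an HAProxy build that has OpenSSL support, and that constraint is worth a sentence in the docs as well.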
@@ -366,6 +376,8 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
$keystone_certificate = undef,
$neutron_certificate = undef,
$cinder_certificate = undef,
@@ -916,12 +928,14 @@ class tripleo::loadbalancer (
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
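Review bot: Only the bind-side defaults are set in the `global_options` hash (`ssl-default-bind-ciphers` / `ssl-default-bind-options`), so if this class also configures TLS towards backends anywhere (a `server ... ssl` line), those outbound connections would still use the OpenSSL library defaults rather than the policy the commit introduces; I cannot see the backend definitions in this hunk, so this is to be confirmed against the rest of the class. If that is the case, the same two parameters should also drive the server side: `'ssl-default-server-ciphers' => $ssl_cipher_suite,` and `'ssl-default-server-options' => $ssl_options,`. Note too that these global keywords are now emitted unconditionally, even when no `*_certificate` parameter is set, so a HAProxy built without OpenSSL support will presumably reject the generated configuration at parse time; guarding them behind a "TLS is in use" condition would keep non-TLS deployments working. The `class { '::haproxy': ... }` resource continues past the end of the hunk.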