From 5c248dbd67de167c14bf73fd077f71fb18fcf29b Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Fri, 18 Mar 2016 09:57:42 +0200
Subject: Make cipher suite and SSL options configurable

This CR enables the ability to set the cipher suite to be used by HAproxy and the SSL options. So now the user can enable these through hiera. The cipher suite comes from the Fedora system crypto policy.

Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
---
 manifests/loadbalancer.pp | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..140713b 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -120,6 +120,16 @@
 # Any service-specific certificates take precedence over this one.
 # Defaults to undef
 #
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
 # [*keystone_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the Keystone public API endpoint using the specified file.
@@ -366,6 +376,8 @@ class tripleo::loadbalancer (
 $controller_hosts = undef,
 $controller_hosts_names = undef,
 $service_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
 $keystone_certificate = undef,
 $neutron_certificate = undef,
 $cinder_certificate = undef,
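Review bot: The new `[*ssl_cipher_suite*]` entry in the first hunk should tell operators what the default trades away, because the string it documents visibly keeps `kRSA` (static RSA key exchange, which provides no forward secrecy) and `+3DES`, and the `[*ssl_options*]` entry should say that `no-sslv3` leaves every TLS version negotiable. One sentence per entry is enough, e.g. `#   The default favours compatibility (kRSA and 3DES stay enabled); override it via hiera to require forward-secret suites only.` under the first, and `#   Only SSLv3 is disabled by default; HAProxy also accepts 'no-tlsv10' and 'no-tlsv11' here when policy requires it.` under the second. Saying that the value mirrors the Fedora crypto policy is useful but does not by itself tell a reader which legacy algorithms that policy keeps.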
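Review bot: Neither `$ssl_cipher_suite` nor `$ssl_options` in the second hunk is validated before the class writes it into the haproxy `global` section, so a hiera value containing a newline or stray whitespace would be passed through into haproxy.cfg verbatim instead of failing the catalog; both values are expected to be single tokens (a colon-separated OpenSSL cipher string and a space-separated option list). A check in the class body, which lies outside this hunk, such as `validate_re($ssl_cipher_suite, '^[^\s]+$')` and `validate_re($ssl_options, '^[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*$')` (puppetlabs-stdlib, assuming the module already depends on it), would turn a mangled value into an explicit compile error rather than a silently different HAProxy configuration.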
@@ -916,12 +928,14 @@ class tripleo::loadbalancer (
 class { '::haproxy':
 service_manage => $haproxy_service_manage,
 global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
 },
 defaults_options => {
 'mode' => 'tcp',
--
cgit 1.2.3-korg
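Review bot: The two added keys only set defaults for `bind` lines, so any backend `server` line in this class that uses `ssl` (not visible in this hunk) would still run with HAProxy's built-in cipher and option defaults; HAProxy exposes the matching global keywords `ssl-default-server-ciphers` and `ssl-default-server-options` for that side. If such server lines exist, consider wiring the same parameters, or dedicated ones, into this hash as well: `'ssl-default-server-ciphers' => $ssl_cipher_suite,` and `'ssl-default-server-options' => $ssl_options,`. The re-aligned arrows on the untouched keys make the diff larger than the change but are consistent with the file's style; the `::haproxy` declaration continues outside the hunk.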