Extend customization of haproxy per-service basis to bind options.

Bug #1829328 reported by Robin Cernin
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Michele Baldessari

Bug Description

At the moment HAProxy takes an SSL configuration on the bind line directly. As per the endpoint manifest, we don't allow setting custom bind options unfortunately.

We already have extended haproxy listen options per-service in https://bugs.launchpad.net/tripleo/+bug/1755711

Robin Cernin (rcernin)
Changed in tripleo:
assignee: nobody → Robin Cernin (rcernin)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/659437

Changed in tripleo:
status: New → In Progress
Changed in tripleo:
importance: Undecided → Medium
milestone: none → train-1
Changed in tripleo:
assignee: Robin Cernin (rcernin) → Michele Baldessari (michele)
Changed in tripleo:
milestone: train-1 → train-2
OpenStack Infra (hudson-openstack) wrote: Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/659437
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d319662c6c3a3adac6bfa3016ee1c5955070c038
Submitter: Zuul
Branch: master

commit d319662c6c3a3adac6bfa3016ee1c5955070c038
Author: Robin Cernin <email address hidden>
Date: Sat May 18 14:16:47 2019 +0200

    Allow custom per-service bind_options for haproxy

    There are situations when it might be required to use different TLS
    versions between the services. HAProxy configures the TLS version on the
    bind line in the configuration; customization for this is missing.

    At the moment we can only set the TLS version globally via ssl_options.

    This code's idea is to configure it per-service. For example, with:
    parameter_defaults:
       ExtraConfig:
          tripleo::haproxy::cinder::internal_bind_options: 'force-tlsv11'
          tripleo::haproxy::keystone_public::public_bind_options: 'force-tlsv12'
          tripleo::haproxy::horizon::public_bind_options: 'force-tlsv11'
          tripleo::haproxy::horizon::internal_bind_options: 'force-tlsv12'

    We will get something like the following in the haproxy config:
    listen cinder
      bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
      bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11
      ...

    listen keystone_public
      bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
      bind fd00:fd00:fd00:2000::17:5000 transparent
      ...

    listen horizon
      bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
      bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
      bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
      bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
      ...

    The two {public,internal}_bind_options accept both strings and arrays of
    strings.

    Closes-Bug: #1829328

    Change-Id: I4b724a515d729c2e8e0da9cb8f081b8325d51a6b

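Once bind options are set per service, the TLS floor of each endpoint is no longer a single global ssl_options value but something that has to be read out of the rendered haproxy.cfg, listener by listener. The following is an added example, not code from puppet-tripleo or from this change: a small Python checker that parses the `global` `ssl-default-bind-options` line and every `bind` line, resolves the lowest TLS version each SSL listener will accept (bind-level keywords take precedence over the global defaults), and reports listeners below a chosen floor. The sample config embeds the listen/bind lines quoted in the commit message above (addresses copied verbatim); the `global` section with `no-sslv3 no-tlsv10` is a constructed assumption, as is the rule that TLS 1.0 through 1.3 are negotiable when no explicit floor is set.

```python
"""Audit the effective TLS version floor of every 'bind' line in an HAProxy config.

Added example: parses the global ssl-default-bind-options and each bind line,
resolves the minimum protocol version a listener accepts (bind keywords take
precedence over the global defaults), and reports binds below a chosen floor.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

RANK = {"SSLv3": 0, "1.0": 1, "1.1": 2, "1.2": 3, "1.3": 4}
FORCE = {"force-sslv3": "SSLv3", "force-tlsv10": "1.0", "force-tlsv11": "1.1",
         "force-tlsv12": "1.2", "force-tlsv13": "1.3"}
NO = {"no-sslv3": "SSLv3", "no-tlsv10": "1.0", "no-tlsv11": "1.1",
      "no-tlsv12": "1.2", "no-tlsv13": "1.3"}
TAKES_ARG = {"crt", "ca-file", "ciphers", "ciphersuites", "alpn", "verify"}

# Constructed sample: the 'global' section is an assumption; the listen/bind
# lines are the rendered config quoted in the commit message (addresses verbatim).
SAMPLE_CFG = """\
global
  ssl-default-bind-options no-sslv3 no-tlsv10

listen cinder
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind fd00:fd00:fd00:2000::17:8776 transparent force-tlsv11

listen keystone_public
  bind 2620:52:0:13b8:5054:ff:fe3e:1:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:5000 transparent

listen horizon
  bind 2620:52:0:13b8:5054:ff:fe3e:1:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv11
  bind 2620:52:0:13b8:5054:ff:fe3e:1:80 transparent force-tlsv11
  bind fd00:fd00:fd00:2000::17:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem force-tlsv12
  bind fd00:fd00:fd00:2000::17:80 transparent force-tlsv12
"""


@dataclass
class Bind:
    section: str
    address: str
    ssl: bool
    floor: Optional[str]  # lowest negotiable TLS version, None if nothing is left
    note: str = ""


def _tls_opts(tokens: List[str]):
    """Extract (forced, min_ver, excluded) from bind or ssl-default-bind-options keywords."""
    forced = min_ver = None
    excluded: Set[str] = set()
    it = iter(tokens)
    for tok in it:
        if tok in FORCE:
            forced = FORCE[tok]
        elif tok in NO:
            excluded.add(NO[tok])
        elif tok == "ssl-min-ver":
            min_ver = next(it, "").replace("TLSv", "")  # "TLSv1.2" -> "1.2"
        elif tok in TAKES_ARG:
            next(it, None)  # skip the keyword's argument (e.g. the crt path)
    return forced, min_ver, excluded


def _floor(forced, min_ver, excluded: Set[str]) -> Optional[str]:
    explicit = forced or min_ver
    if explicit in RANK:
        return explicit
    # Assumption: with no explicit floor, TLS 1.0 through 1.3 are negotiable
    # except the versions removed by no-* keywords.
    for v in ("1.0", "1.1", "1.2", "1.3"):
        if v not in excluded:
            return v
    return None


def parse_binds(cfg: str) -> List[Bind]:
    section, g_forced, g_min = "", None, None
    g_excl: Set[str] = set()
    binds: List[Bind] = []
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in ("global", "defaults", "listen", "frontend", "backend"):
            section = tokens[1] if len(tokens) > 1 else tokens[0]
        elif tokens[0] == "ssl-default-bind-options" and section == "global":
            g_forced, g_min, g_excl = _tls_opts(tokens[1:])
        elif tokens[0] == "bind" and len(tokens) > 1:
            opts = tokens[2:]
            forced, min_ver, excl = _tls_opts(opts)
            if "ssl" not in opts:
                note = "TLS keyword on a plaintext bind" if (forced or min_ver or excl) else ""
                binds.append(Bind(section, tokens[1], False, None, note))
            elif forced or min_ver:  # bind-level keywords override the global defaults
                binds.append(Bind(section, tokens[1], True, _floor(forced, min_ver, excl | g_excl)))
            else:
                binds.append(Bind(section, tokens[1], True, _floor(g_forced, g_min, excl | g_excl)))
    return binds


def audit(cfg: str, minimum: str = "1.2") -> List[str]:
    """One finding per bind that accepts a TLS version below `minimum` or is misconfigured."""
    findings = []
    for b in parse_binds(cfg):
        if not b.ssl:
            if b.note:
                findings.append(f"{b.section} {b.address}: {b.note}")
        elif b.floor is None:
            findings.append(f"{b.section} {b.address}: no negotiable TLS version left")
        elif RANK[b.floor] < RANK[minimum]:
            findings.append(f"{b.section} {b.address}: accepts TLS {b.floor} (below {minimum})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CFG):
        print(line)
```

Run against the sample, the cinder SSL listener that was left on the global defaults is reported as still accepting TLS 1.1, the horizon listener pinned with force-tlsv11 is reported for the same reason, and the three plaintext binds carrying force-tlsvXX are flagged because a version keyword on a bind without `ssl` is not doing what the operator probably expected; keystone_public with force-tlsv12 passes. Feed it the real `haproxy.cfg` (`audit(open("/var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg").read())`, path assumed) to confirm each per-service override landed where intended.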
Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/puppet-tripleo 11.1.0

This issue was fixed in the openstack/puppet-tripleo 11.1.0 release.
