Bug 1277472 - RFE: Support adding security specific attributes in haproxy configuration via puppet / heat templates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 7.0 (Kilo)
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 10.0 (Newton)
Assignee: Dan Macpherson
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-03 12:21 UTC by Jaison Raju
Modified: 2020-04-15 14:18 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-15 13:53:51 UTC
Target Upstream Version:
Embargoed:

Description Jaison Raju 2015-11-03 12:21:13 UTC
1. Proposed title of this feature request
   Support adding security specific attributes in haproxy configuration via puppet / heat templates.

3. What is the nature and description of the request?
   The Haproxy Puppet module should allow setting the following security information.

     tune.ssl.default-dh-param 2048
     ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3 no-tls-tickets

   For example: to set the following information on a controller with haproxy:

     listen ceilometer
       bind 172.22.216.2:13777 ssl crt /etc/pki/instack-certs/undercloud.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
       bind 172.22.216.3:8777
       server 172.22.216.1 172.22.216.1:8777 check fall 5 inter 2000 rise 2

4. Why does the customer need this? (List the business requirements here)
   So that the overcloud can be deployed with modified tripleo templates changing the above variables for security concerns.
   For example, to avoid the POODLE vulnerability and weak ciphers for compliance.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
   No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
   No

9. Is the sales team involved in this request and do they have any additional input?
   No

10. List any affected packages or components.
    openstack-puppet-modules-

11. Would the customer be able to assist in testing this functionality if implemented?
    yes

Comment 4 Ivan Chavero 2015-11-21 03:13:23 UTC
This looks like an OSP-Director issue more than an Openstack Puppet Modules problem, I'm gonna change the bug to the proper component.

Comment 6 Mike Burns 2016-04-07 20:54:03 UTC
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.

Comment 8 Juan Antonio Osorio 2016-10-03 16:56:33 UTC
This should already be possible by passing tripleo::haproxy::ssl_cipher_suite and tripleo::haproxy::ssl_options via hieradata, which one could pass to Heat via the ExtraConfig parameter.
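
Whichever route sets these values (the puppet module change requested in the description or the tripleo::haproxy hiera keys mentioned above), the rendered haproxy.cfg on the controller is what to verify. The following audit script is an added example, not code from this bug or from tripleo: the haproxy.cfg it parses is a constructed sample modelled on the listen block in the description (the second listen block and its port are made up to show a miss), and audit_haproxy and its finding strings are assumptions of this example.

```python
# Constructed sample haproxy.cfg modelled on the listen block in the
# description (the second listen block is made up to show a miss).
SAMPLE_CFG = """\
global
  tune.ssl.default-dh-param 2048

listen ceilometer
  bind 172.22.216.2:13777 ssl crt /etc/pki/instack-certs/undercloud.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
  bind 172.22.216.3:8777
  server 172.22.216.1 172.22.216.1:8777 check fall 5 inter 2000 rise 2

listen aodh
  bind 172.22.216.2:13042 ssl crt /etc/pki/instack-certs/undercloud.pem
"""
# What the RFE asks for: SSLv3 off on every TLS bind, an explicit cipher list
# that excludes anonymous/MD5/DSS suites, and a 2048-bit DH parameter.
REQUIRED_OPTIONS = ("no-sslv3",)
REQUIRED_CIPHER_EXCLUSIONS = ("!aNULL", "!MD5", "!DSS")
MIN_DH_PARAM = 2048


def audit_haproxy(cfg_text):
    """Return (section, finding) tuples for TLS binds lacking the hardening."""
    findings = []
    section = "global"
    dh_param = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in ("global", "defaults", "listen", "frontend", "backend"):
            section = tokens[1] if len(tokens) > 1 else tokens[0]
        elif tokens[0] == "tune.ssl.default-dh-param":
            dh_param = int(tokens[1])
        elif tokens[0] == "bind" and "ssl" in tokens:
            # plain-TCP binds and server lines carry nothing TLS-specific
            addr = tokens[1]
            for opt in REQUIRED_OPTIONS:
                if opt not in tokens:
                    findings.append((section, f"{addr} missing {opt}"))
            if "ciphers" in tokens:
                suites = tokens[tokens.index("ciphers") + 1].split(":")
                for excl in REQUIRED_CIPHER_EXCLUSIONS:
                    if excl not in suites:
                        findings.append((section, f"{addr} ciphers lack {excl}"))
            else:
                findings.append((section, f"{addr} has no explicit ciphers list"))
    if dh_param is None or dh_param < MIN_DH_PARAM:
        findings.append(("global", f"tune.ssl.default-dh-param below {MIN_DH_PARAM}"))
    return findings
```

Running it against a real /etc/haproxy/haproxy.cfg (read the file into cfg_text) lists every TLS listener that did not pick up the hieradata, which is the quickest way to confirm the ExtraConfig actually reached the controllers.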

Comment 15 Dan Macpherson 2017-02-28 01:12:18 UTC
I just recently created a new section in the official docs for Security Enhancements:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-security_enhancements

I'll add documentation for this issue into this section.

Comment 24 Dan Macpherson 2017-05-15 13:12:44 UTC
No prob. Just moving back to ASSIGNED to take care of the minor change in comment #21
