Bug 1277472 - RFE: Support adding security specific attributes in haproxy configuration via puppet / heat templates
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 7.0 (Kilo)
Hardware/OS: All Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 10.0 (Newton)
Assigned To: Dan Macpherson
RHOS Documentation Team
Keywords: Documentation, FutureFeature, Security
Reported: 2015-11-03 07:21 EST by Jaison Raju
Modified: 2017-05-15 10:05 EDT
Doc Type: Enhancement
Last Closed: 2017-05-15 09:53:51 EDT
Type: Bug
Attachments: None
Description Jaison Raju 2015-11-03 07:21:13 EST
1. Proposed title of this feature request
   Support adding security specific attributes in haproxy configuration via puppet / heat templates.

3. What is the nature and description of the request?
   The haproxy Puppet module should allow setting the following security information:

   tune.ssl.default-dh-param 2048
   ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3 no-tls-tickets

   For example, to set the following information on a controller with haproxy:

   listen ceilometer
     bind 172.22.216.2:13777 ssl crt /etc/pki/instack-certs/undercloud.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
     bind 172.22.216.3:8777
     server 172.22.216.1 172.22.216.1:8777 check fall 5 inter 2000 rise 2

4. Why does the customer need this? (List the business requirements here)
   So that the overcloud can be deployed with modified tripleo templates changing the above variables for security concerns,
   for example to avoid the POODLE vulnerability and weak ciphers for compliance.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
   No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
   No

9. Is the sales team involved in this request and do they have any additional input?
   No

10. List any affected packages or components.
   openstack-puppet-modules-

11. Would the customer be able to assist in testing this functionality if implemented?
   Yes
Comment 4 Ivan Chavero 2015-11-20 22:13:23 EST
This looks like an OSP-Director issue more than an OpenStack Puppet Modules problem, I'm gonna change the bug to the proper component.
Comment 6 Mike Burns 2016-04-07 16:54:03 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 8 Juan Antonio Osorio 2016-10-03 12:56:33 EDT
This should already be possible by passing tripleo::haproxy::ssl_cipher_suite and tripleo::haproxy::ssl_options via hieradata, which one could pass to Heat via the ExtraConfig parameter.
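As an added illustration of the approach in comment 8 (this is an example written for this page, not code from the bug report or from the TripleO project), here is a Heat environment file that passes the two hieradata keys through ExtraConfig. The parameter_defaults / ExtraConfig layout is the standard way TripleO accepts arbitrary hieradata; the two key names are the ones comment 8 gives, the cipher and option values are the ones from the original report, and the file name is an assumption.

```yaml
# haproxy-tls-hardening.yaml (assumed file name; added example, not from the bug or from TripleO).
# Passed to the deploy command with -e; every key under ExtraConfig is written
# into hieradata on all overcloud nodes, where puppet-tripleo reads it.
parameter_defaults:
  ExtraConfig:
    # Cipher list exactly as requested in the report (comment 0); its 3DES entries
    # were acceptable in 2015, current hardening guidance drops them.
    tripleo::haproxy::ssl_cipher_suite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
    # Bind options: disable SSLv3 (POODLE) and TLS session tickets, as in the report.
    tripleo::haproxy::ssl_options: 'no-sslv3 no-tls-tickets'
```

Deploy with the file appended to the usual command, for example `openstack overcloud deploy --templates -e haproxy-tls-hardening.yaml`, then confirm on a controller that the values landed by inspecting the global section of /etc/haproxy/haproxy.cfg for the cipher string and the `no-sslv3 no-tls-tickets` options. Note that the report's third request, `tune.ssl.default-dh-param 2048`, is not covered by these two keys; comment 8 names only the cipher suite and options parameters.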
Comment 15 Dan Macpherson 2017-02-27 20:12:18 EST
I just recently created a new section in the official docs for Security Enhancements:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/advanced_overcloud_customization/sect-security_enhancements

I'll add documentation for this issue into this section.
Comment 24 Dan Macpherson 2017-05-15 09:12:44 EDT
No prob. Just moving back to ASSIGNED to take care of the minor change in comment #21