Red Hat Bugzilla – Bug 1277472
RFE: Support adding security specific attributes in haproxy configuration via puppet / heat templates
Last modified: 2017-05-15 10:05:03 EDT
1. Proposed title of this feature request
Support adding security specific attributes in haproxy configuration via puppet / heat templates .
3. What is the nature and description of the request?
Haproxy Puppet module should allow setting the following security information .
ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3 no-tls-tickets
For example: To set the following information on controller with haproxy:
bind 172.22.216.2:13777 ssl crt /etc/pki/instack-certs/undercloud.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS no-sslv3
server 172.22.216.1 172.22.216.1:8777 check fall 5 inter 2000 rise 2
4. Why does the customer need this? (List the business requirements here)
So that overcloud can be deployed with modified tripleo templates changing the above variables for security concerns .
For example to avoid POODLE vulnerability and weak ciphers for compliance.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
9. Is the sales team involved in this request and do they have any additional input?
10. List any affected packages or components.
11. Would the customer be able to assist in testing this functionality if implemented?
This looks like a OSP-Director issue more than a Openstack Puppet Modules problem, i'm gonna change the bug to the proper component.
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
this should already be possible by passing tripleo::haproxy::ssl_cipher_suite tripleo::haproxy::ssl_options via hieradata, which one could pass to Heat via the ExtraConfig parameter.
So, I ended up writing a post about it: https://github.com/JAORMX/JAORMX.github.io/blob/master/_posts/2016-10-14-changing-the-ssl-cypher-and-rules-for-tripleos-haproxy.markdown
I just recently created a new section in the official docs for Security Enhancements:
I'll add documentation for this issue into this section.
No prob. Just moving back to ASSIGNED to take care of the minor change in comment #21