---
features:
  - |
    Harden the HAProxy TLS default configuration according to the mozilla
    ``modern`` recommendation:

    `<https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7>`__

    If you want to revert back to the old behaviour, e.g. because
    you have old clients, you can do so by setting the following
    variable in your globals.yml:

    ``kolla_haproxy_ssl_settings: legacy`` or if you want to have
    at least some improved security settings:
    ``kolla_haproxy_ssl_settings: intermediate``

    See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__
upgrade:
  - |
    If you have old clients that do not support the new TLS settings,
    you can revert back to the old behaviour by setting the following
    variable in your globals.yml:

    ``kolla_haproxy_ssl_settings: legacy`` or if you want to have
    at least some improved security settings:
    ``kolla_haproxy_ssl_settings: intermediate``

    See `LP#2060787 <https://bugs.launchpad.net/kolla-ansible/+bug/2060787>`__