0d74b74bfc
TLS v1.3 uses different (incompatible) cipher suite names, so a new variable is added to set these in roles which require them. TLS v1.2 and below is still required, but the variable name is changed to avoid confusion, whilst using the old name as a default if set by a user deployment. Change-Id: I9312daa7ca75e484f8aa3857fe43565c89e3f09a
68 lines
2.6 KiB
YAML
68 lines
2.6 KiB
YAML
---
|
|
# Copyright 2017, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## SSL
|
|
# These do not need to be configured unless you're creating certificates for
|
|
# services running behind Apache (currently, Horizon and Keystone).
|
|
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
|
|
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
|
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
|
|
|
#variables used in OSA roles which call the PKI role
|
|
openstack_pki_dir: "/etc/openstack_deploy/pki"
|
|
openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"
|
|
|
|
openstack_pki_service_intermediate_cert_path: "{{ openstack_pki_dir ~ '/roots/' ~ openstack_pki_service_intermediate_cert_name ~ '/certs/' ~ openstack_pki_service_intermediate_cert_name ~ '.crt' }}"
|
|
|
|
# regenerate the CA or intermediate CA
|
|
openstack_pki_regen_ca: ''
|
|
|
|
#example self-signed certificate authority
|
|
openstack_pki_authorities:
|
|
- name: "ExampleCorpRoot"
|
|
provider: selfsigned
|
|
basic_constraints: "CA:TRUE"
|
|
cn: "Example Corp Root CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
- name: "ExampleCorpIntermediate"
|
|
provider: ownca
|
|
basic_constraints: "CA:TRUE,pathlen:0"
|
|
cn: "Example Corp Openstack Infrastructure Intermediate CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
signed_by: "ExampleCorpRoot"
|
|
|
|
#install the root CA certificate on all hosts and containers
|
|
openstack_pki_install_ca:
|
|
- name: "ExampleCorpRoot"
|