e9445504f4
This patch allows haproxy to communicate with service backends over TLS. It's disabled by default and each service role needs to have TLS backend support implemented to get it working. For example, TLS support for glance was added in [1] [1] https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/821011 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/880872 Change-Id: I5fc507f4031dcf63ed95dae307c30d9f436ef3da
71 lines
2.7 KiB
YAML
71 lines
2.7 KiB
YAML
---
|
|
# Copyright 2017, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## SSL
|
|
# These do not need to be configured unless you're creating certificates for
|
|
# services running behind Apache (currently, Horizon and Keystone).
|
|
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
|
|
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
|
|
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
|
|
|
#variables used in OSA roles which call the PKI role
|
|
openstack_pki_dir: "{{ openstack_config_dir }}/pki"
|
|
openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"
|
|
|
|
openstack_pki_service_intermediate_cert_path: "{{ openstack_pki_dir ~ '/roots/' ~ openstack_pki_service_intermediate_cert_name ~ '/certs/' ~ openstack_pki_service_intermediate_cert_name ~ '.crt' }}"
|
|
|
|
# regenerate the CA or intermediate CA
|
|
openstack_pki_regen_ca: ''
|
|
|
|
#example self-signed certificate authority
|
|
openstack_pki_authorities:
|
|
- name: "ExampleCorpRoot"
|
|
provider: selfsigned
|
|
basic_constraints: "CA:TRUE"
|
|
cn: "Example Corp Root CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
- name: "ExampleCorpIntermediate"
|
|
provider: ownca
|
|
basic_constraints: "CA:TRUE,pathlen:0"
|
|
cn: "Example Corp Openstack Infrastructure Intermediate CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
signed_by: "ExampleCorpRoot"
|
|
|
|
#install the root CA certificate on all hosts and containers
|
|
openstack_pki_install_ca:
|
|
- name: "ExampleCorpRoot"
|
|
|
|
# Subject Alternate Name(SAN) for certificates
|
|
openstack_pki_san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address }}"
|