Add default ssl parameters

When using the mode 'strict' parameter in the ssl configuration of
apache and nginx, it is possible to configure apache and nginx
ssl parameters directly from pillar, instead of parameters
hardcoded in jinja templates. So the default set of ssl parameters
for nginx and apache is placed under the system.apache.server.ssl
and nginx.server.proxy.ssl classes. When both classes are included
in cluster level models and _param:nginx_proxy_ssl_enabled and
_param:apache_ssl_enabled are set to true, parameters from both classes
will be effective.

Change-Id: I6803c488b16adfe8dfff83f6f036e9358078d2e1
Related-Prod: https://mirantis.jira.com/browse/PROD-20921
diff --git a/apache/server/proxy/openstack/cinder.yml b/apache/server/proxy/openstack/cinder.yml
index 8b3fb4f..832c013 100644
--- a/apache/server/proxy/openstack/cinder.yml
+++ b/apache/server/proxy/openstack/cinder.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_cinder_host: ${_param:cinder_service_host}
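Review bot: `apache_ssl` is now defined with `enabled: false` in this class and in every other proxy/site class this commit touches (designate, glance, heat, ironic, neutron, nova, placement, barbican, cinder site, gnocchi, manila, nova-placement, panko, keystone wsgi), so whether TLS ends up on depends on merge order. If one of these classes is merged after system.apache.server.ssl, its `enabled: false` would presumably override `enabled: ${_param:apache_ssl_enabled}` and the site would stay on plain HTTP with no error; the class lists are outside these hunks, so this needs confirming against the cluster models. All services also now share one toggle, and an existing model that still overrides `apache_proxy_ssl` (or `apache_cinder_ssl` and the like) replaces the reference and never picks up the strict defaults. I would add a comment above the key in each file, for example `# default only: include system.apache.server.ssl after this class to turn TLS on`, and note the migration in the README.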
diff --git a/apache/server/proxy/openstack/designate.yml b/apache/server/proxy/openstack/designate.yml
index b681cf7..c39c9a4 100644
--- a/apache/server/proxy/openstack/designate.yml
+++ b/apache/server/proxy/openstack/designate.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_designate_host: ${_param:designate_service_host}
diff --git a/apache/server/proxy/openstack/glance.yml b/apache/server/proxy/openstack/glance.yml
index 91bedea..f983ab4 100644
--- a/apache/server/proxy/openstack/glance.yml
+++ b/apache/server/proxy/openstack/glance.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_glance_host: ${_param:glance_service_host}
diff --git a/apache/server/proxy/openstack/heat.yml b/apache/server/proxy/openstack/heat.yml
index b844c45..f3aab22 100644
--- a/apache/server/proxy/openstack/heat.yml
+++ b/apache/server/proxy/openstack/heat.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_heat_host: ${_param:heat_service_host}
diff --git a/apache/server/proxy/openstack/ironic.yml b/apache/server/proxy/openstack/ironic.yml
index d6bd7d3..b6abf0f 100644
--- a/apache/server/proxy/openstack/ironic.yml
+++ b/apache/server/proxy/openstack/ironic.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_ironic_host: ${_param:ironic_service_host}
diff --git a/apache/server/proxy/openstack/neutron.yml b/apache/server/proxy/openstack/neutron.yml
index dd18c40..1ed5726 100644
--- a/apache/server/proxy/openstack/neutron.yml
+++ b/apache/server/proxy/openstack/neutron.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_neutron_host: ${_param:neutron_service_host}
diff --git a/apache/server/proxy/openstack/nova.yml b/apache/server/proxy/openstack/nova.yml
index 66a0107..610c6d5 100644
--- a/apache/server/proxy/openstack/nova.yml
+++ b/apache/server/proxy/openstack/nova.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
     apache_proxy_openstack_nova_host: ${_param:nova_service_host}
diff --git a/apache/server/proxy/openstack/placement.yml b/apache/server/proxy/openstack/placement.yml
index 9e256b2..6030740 100644
--- a/apache/server/proxy/openstack/placement.yml
+++ b/apache/server/proxy/openstack/placement.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_proxy_ssl:
+    apache_ssl:
       enabled: false
+    apache_proxy_ssl: ${_param:apache_ssl}
     placement_service_host: ${_param:nova_service_host}
     apache_proxy_openstack_api_host: ${_param:cluster_public_host}
     apache_proxy_openstack_api_address: 0.0.0.0
diff --git a/apache/server/site/barbican.yml b/apache/server/site/barbican.yml
index 55f5cf5..0e7da2c 100644
--- a/apache/server/site/barbican.yml
+++ b/apache/server/site/barbican.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_barbican_ssl:
+    apache_ssl:
       enabled: false
+    apache_barbican_ssl: ${_param:apache_ssl}
     apache_barbican_api_address: 0.0.0.0
     apache_barbican_api_host: ${linux:network:fqdn}
   apache:
diff --git a/apache/server/site/cinder.yml b/apache/server/site/cinder.yml
index 7338b6e..d1e3475 100644
--- a/apache/server/site/cinder.yml
+++ b/apache/server/site/cinder.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_cinder_ssl:
+    apache_ssl:
       enabled: false
+    apache_cinder_ssl: ${_param:apache_ssl}
     apache_cinder_api_address: 0.0.0.0
     apache_cinder_api_host: ${linux:network:fqdn}
   cinder:
diff --git a/apache/server/site/gnocchi.yml b/apache/server/site/gnocchi.yml
index a3d6def..12d5f24 100644
--- a/apache/server/site/gnocchi.yml
+++ b/apache/server/site/gnocchi.yml
@@ -1,8 +1,9 @@
 parameters:
   _param:
     gnocchi_api_workers: 2
-    apache_gnocchi_ssl:
+    apache_ssl:
       enabled: false
+    apache_gnocchi_ssl: ${_param:apache_ssl}
     apache_gnocchi_api_host: ${linux:network:fqdn}
     apache_gnocchi_api_address: ${_param:single_address}
     apache_gnocchi_api_port: 8041
diff --git a/apache/server/site/manila.yml b/apache/server/site/manila.yml
index 2161882..cecf1d4 100644
--- a/apache/server/site/manila.yml
+++ b/apache/server/site/manila.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_manila_ssl:
+    apache_ssl:
       enabled: false
+    apache_manila_ssl: ${_param:apache_ssl}
     apache_manila_api_address: 0.0.0.0
     apache_manila_api_host: ${linux:network:fqdn}
   manila:
diff --git a/apache/server/site/nova-placement.yml b/apache/server/site/nova-placement.yml
index 9eeeae4..7c8e8bd 100644
--- a/apache/server/site/nova-placement.yml
+++ b/apache/server/site/nova-placement.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_nova_placement_ssl:
+    apache_ssl:
       enabled: false
+    apache_nova_placement_ssl: ${_param:apache_ssl}
     apache_nova_placement_api_address: 0.0.0.0
     apache_nova_placement_api_host: ${linux:network:fqdn}
   nova_placement:
diff --git a/apache/server/site/panko.yml b/apache/server/site/panko.yml
index d052c37..eff49c5 100644
--- a/apache/server/site/panko.yml
+++ b/apache/server/site/panko.yml
@@ -1,7 +1,8 @@
 parameters:
   _param:
-    apache_panko_ssl:
+    apache_ssl:
       enabled: false
+    apache_panko_ssl: ${_param:apache_ssl}
     panko_api_workers: 2
     apache_panko_api_host: ${linux:network:fqdn}
     apache_panko_api_address: ${_param:single_address}
diff --git a/apache/server/ssl.yml b/apache/server/ssl.yml
new file mode 100644
index 0000000..b720d5d
--- /dev/null
+++ b/apache/server/ssl.yml
@@ -0,0 +1,112 @@
+parameters:
+  _param:
+    apache_ssl_enabled: false
+    apache_ssl:
+      mode: 'strict'
+      enabled: ${_param:apache_ssl_enabled}
+      engine: salt
+      prefer_server_ciphers: "on"
+      protocols:
+        all:
+          name: 'all'
+          enabled: True
+        excludeSSLv2:
+          name: '-SSLv2'
+          enabled: True
+        excludeSSLv3:
+          name: '-SSLv3'
+          enabled: True
+      ciphers:
+        ECDHE-ECDSA-CHACHA20-POLY1305:
+          name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
+          enabled: True
+        ECDHE-RSA-CHACHA20-POLY1305:
+          name: 'ECDHE-RSA-CHACHA20-POLY1305'
+          enabled: True
+        ECDHE-ECDSA-AES128-GCM-SHA256:
+          name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
+          enabled: True
+        ECDHE-RSA-AES128-GCM-SHA256:
+          name: 'ECDHE-RSA-AES128-GCM-SHA256'
+          enabled: True
+        ECDHE-ECDSA-AES256-GCM-SHA384:
+          name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
+          enabled: True
+        ECDHE-RSA-AES256-GCM-SHA384:
+          name: 'ECDHE-RSA-AES256-GCM-SHA384'
+          enabled: True
+        DHE-RSA-AES128-GCM-SHA256:
+          name: 'DHE-RSA-AES128-GCM-SHA256'
+          enabled: True
+        DHE-RSA-AES256-GCM-SHA384:
+          name: 'DHE-RSA-AES256-GCM-SHA384'
+          enabled: True
+        ECDHE-ECDSA-AES128-SHA256:
+          name: 'ECDHE-ECDSA-AES128-SHA256'
+          enabled: True
+        ECDHE-RSA-AES128-SHA256:
+          name: 'ECDHE-RSA-AES128-SHA256'
+          enabled: True
+        ECDHE-ECDSA-AES128-SHA:
+          name: 'ECDHE-ECDSA-AES128-SHA'
+          enabled: True
+        ECDHE-RSA-AES256-SHA384:
+          name: 'ECDHE-RSA-AES256-SHA384'
+          enabled: True
+        ECDHE-RSA-AES128-SHA:
+          name: 'ECDHE-RSA-AES128-SHA'
+          enabled: True
+        ECDHE-ECDSA-AES256-SHA384:
+          name: 'ECDHE-ECDSA-AES256-SHA384'
+          enabled: True
+        ECDHE-ECDSA-AES256-SHA:
+          name: 'ECDHE-ECDSA-AES256-SHA'
+          enabled: True
+        ECDHE-RSA-AES256-SHA:
+          name: 'ECDHE-RSA-AES256-SHA'
+          enabled: True
+        DHE-RSA-AES128-SHA256:
+          name: 'DHE-RSA-AES128-SHA256'
+          enabled: True
+        DHE-RSA-AES128-SHA:
+          name: 'DHE-RSA-AES128-SHA'
+          enabled: True
+        DHE-RSA-AES256-SHA256:
+          name: 'DHE-RSA-AES256-SHA256'
+          enabled: True
+        DHE-RSA-AES256-SHA:
+          name: 'DHE-RSA-AES256-SHA'
+          enabled: True
+        ECDHE-ECDSA-DES-CBC3-SHA:
+          name: 'ECDHE-ECDSA-DES-CBC3-SHA'
+          enabled: True
+        ECDHE-RSA-DES-CBC3-SHA:
+          name: 'ECDHE-RSA-DES-CBC3-SHA'
+          enabled: True
+        EDH-RSA-DES-CBC3-SHA:
+          name: 'EDH-RSA-DES-CBC3-SHA'
+          enabled: True
+        AES128-GCM-SHA256:
+          name: 'AES128-GCM-SHA256'
+          enabled: True
+        AES256-GCM-SHA384:
+          name: 'AES256-GCM-SHA384'
+          enabled: True
+        AES128-SHA256:
+          name: 'AES128-SHA256'
+          enabled: True
+        AES256-SHA256:
+          name: 'AES256-SHA256'
+          enabled: True
+        AES256-SHA:
+          name: 'AES256-SHA'
+          enabled: True
+        AES128-SHA:
+          name: 'AES128-SHA'
+          enabled: True
+        DES-CBC3-SHA:
+          name: 'DES-CBC3-SHA'
+          enabled: True
+        removeDSS:
+          name: '!DSS'
+          enabled: True
\ No newline at end of file
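Review bot: The cipher map of this 'strict' profile still enables four 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), whose 64-bit block size is the basis of the Sweet32 birthday attack. It also enables the static-RSA suites (`AES128-SHA`, `AES256-SHA` and their SHA256/GCM variants), which give no forward secrecy; the same list is repeated in nginx/server/proxy/ssl.yml. I would set `enabled: False` on the DES-CBC3 entries in both files, so a deployment has to opt in to them explicitly. The protocol set `all`, `-SSLv2`, `-SSLv3` leaves TLSv1 and TLSv1.1 on (the nginx file enables them by name); entries named `'-TLSv1'` and `'-TLSv1.1'` would close that where the clients allow it. Because `prefer_server_ciphers` is on while `ciphers` is a mapping, the preference order the server enforces depends on how the template iterates the keys, which is not visible here and is worth confirming in the rendered vhost.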
diff --git a/keystone/server/wsgi.yml b/keystone/server/wsgi.yml
index 333cb76..df8af68 100644
--- a/keystone/server/wsgi.yml
+++ b/keystone/server/wsgi.yml
@@ -2,8 +2,9 @@
 - system.apache.server.single
 parameters:
   _param:
-    apache_keystone_ssl:
+    apache_ssl:
       enabled: false
+    apache_keystone_ssl: ${_param:apache_ssl}
     apache_keystone_api_host: ${linux:network:fqdn}
   keystone:
     server:
diff --git a/nginx/server/proxy/ssl.yml b/nginx/server/proxy/ssl.yml
new file mode 100644
index 0000000..66a1938
--- /dev/null
+++ b/nginx/server/proxy/ssl.yml
@@ -0,0 +1,121 @@
+parameters:
+  _param:
+    nginx_proxy_ssl_enabled: false
+    nginx_proxy_ssl:
+      mode: 'strict'
+      enabled: ${_param:nginx_proxy_ssl_enabled}
+      engine: salt
+      dhparam:
+        enabled: True
+        numbits: 2048
+      ecdh_curve:
+        secp521r1:
+          name: 'secp521r1'
+          enabled: True
+      prefer_server_ciphers: "on"
+      protocols:
+        TLSv1:
+          name: 'TLSv1'
+          enabled: True
+        TLSv1.1:
+          name: 'TLSv1.1'
+          enabled: True
+        TLSv1.2:
+          name: 'TLSv1.2'
+          enabled: True
+      stapling: "on"
+      stapling_verify: "on"
+      ciphers:
+        ECDHE-ECDSA-CHACHA20-POLY1305:
+          name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
+          enabled: True
+        ECDHE-RSA-CHACHA20-POLY1305:
+          name: 'ECDHE-RSA-CHACHA20-POLY1305'
+          enabled: True
+        ECDHE-ECDSA-AES128-GCM-SHA256:
+          name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
+          enabled: True
+        ECDHE-RSA-AES128-GCM-SHA256:
+          name: 'ECDHE-RSA-AES128-GCM-SHA256'
+          enabled: True
+        ECDHE-ECDSA-AES256-GCM-SHA384:
+          name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
+          enabled: True
+        ECDHE-RSA-AES256-GCM-SHA384:
+          name: 'ECDHE-RSA-AES256-GCM-SHA384'
+          enabled: True
+        DHE-RSA-AES128-GCM-SHA256:
+          name: 'DHE-RSA-AES128-GCM-SHA256'
+          enabled: True
+        DHE-RSA-AES256-GCM-SHA384:
+          name: 'DHE-RSA-AES256-GCM-SHA384'
+          enabled: True
+        ECDHE-ECDSA-AES128-SHA256:
+          name: 'ECDHE-ECDSA-AES128-SHA256'
+          enabled: True
+        ECDHE-RSA-AES128-SHA256:
+          name: 'ECDHE-RSA-AES128-SHA256'
+          enabled: True
+        ECDHE-ECDSA-AES128-SHA:
+          name: 'ECDHE-ECDSA-AES128-SHA'
+          enabled: True
+        ECDHE-RSA-AES256-SHA384:
+          name: 'ECDHE-RSA-AES256-SHA384'
+          enabled: True
+        ECDHE-RSA-AES128-SHA:
+          name: 'ECDHE-RSA-AES128-SHA'
+          enabled: True
+        ECDHE-ECDSA-AES256-SHA384:
+          name: 'ECDHE-ECDSA-AES256-SHA384'
+          enabled: True
+        ECDHE-ECDSA-AES256-SHA:
+          name: 'ECDHE-ECDSA-AES256-SHA'
+          enabled: True
+        ECDHE-RSA-AES256-SHA:
+          name: 'ECDHE-RSA-AES256-SHA'
+          enabled: True
+        DHE-RSA-AES128-SHA256:
+          name: 'DHE-RSA-AES128-SHA256'
+          enabled: True
+        DHE-RSA-AES128-SHA:
+          name: 'DHE-RSA-AES128-SHA'
+          enabled: True
+        DHE-RSA-AES256-SHA256:
+          name: 'DHE-RSA-AES256-SHA256'
+          enabled: True
+        DHE-RSA-AES256-SHA:
+          name: 'DHE-RSA-AES256-SHA'
+          enabled: True
+        ECDHE-ECDSA-DES-CBC3-SHA:
+          name: 'ECDHE-ECDSA-DES-CBC3-SHA'
+          enabled: True
+        ECDHE-RSA-DES-CBC3-SHA:
+          name: 'ECDHE-RSA-DES-CBC3-SHA'
+          enabled: True
+        EDH-RSA-DES-CBC3-SHA:
+          name: 'EDH-RSA-DES-CBC3-SHA'
+          enabled: True
+        AES128-GCM-SHA256:
+          name: 'AES128-GCM-SHA256'
+          enabled: True
+        AES256-GCM-SHA384:
+          name: 'AES256-GCM-SHA384'
+          enabled: True
+        AES128-SHA256:
+          name: 'AES128-SHA256'
+          enabled: True
+        AES256-SHA256:
+          name: 'AES256-SHA256'
+          enabled: True
+        AES256-SHA:
+          name: 'AES256-SHA'
+          enabled: True
+        AES128-SHA:
+          name: 'AES128-SHA'
+          enabled: True
+        DES-CBC3-SHA:
+          name: 'DES-CBC3-SHA'
+          enabled: True
+        removeDSS:
+          name: '!DSS'
+          enabled: True
\ No newline at end of file
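Review bot: `ecdh_curve` offers only `secp521r1`, so a client without P-521 support cannot negotiate any ECDHE suite and falls through to the DHE or static-RSA entries further down the list, which weakens the connection rather than hardening it. If the template joins several enabled entries, adding `prime256v1` and `secp384r1` next to it keeps ECDHE available to common clients. `stapling: "on"` with `stapling_verify: "on"` normally also needs a trusted certificate chain and a resolver on the nginx side; neither is set in this class, so unless the formula supplies them elsewhere, stapling would presumably fail quietly. The protocol and cipher concerns for this file are those raised on apache/server/ssl.yml.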