Add default ssl parameters
When using the 'strict' mode parameter in the ssl configuration of
apache and nginx it is possible to configure apache and nginx
ssl parameters directly from pillar, instead of parameters
hardcoded in jinja templates. So the default set of ssl parameters
for nginx and apache is placed under the system.apache.server.ssl
and nginx.server.proxy.ssl classes; when both classes are included
in cluster-level models and _param:nginx_proxy_ssl_enabled and
_param:apache_ssl_enabled are set to true, parameters from both classes
will be effective.
Change-Id: I6803c488b16adfe8dfff83f6f036e9358078d2e1
Related-Prod: https://mirantis.jira.com/browse/PROD-20921
diff --git a/apache/server/proxy/openstack/cinder.yml b/apache/server/proxy/openstack/cinder.yml
index 8b3fb4f..832c013 100644
--- a/apache/server/proxy/openstack/cinder.yml
+++ b/apache/server/proxy/openstack/cinder.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_cinder_host: ${_param:cinder_service_host}
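Review bot: Every proxy and site class in this change now seeds `_param:apache_ssl` with a literal `enabled: false` (indentation is flattened in this rendering, but I read `enabled: false` at the line after `apache_ssl:` as nested under it), while the new `apache/server/ssl.yml` sets `enabled: ${_param:apache_ssl_enabled}` under the same key. Reclass merges `_param` dictionaries in class order, so if a site or proxy class is listed after `apache.server.ssl` in a model, its literal `false` would override the interpolated value and TLS would silently stay off even though the operator set `apache_ssl_enabled: true`; the ordering in the consuming models is not visible here, but the defaults should not depend on it. I would make the per-class default agree with ssl.yml: `apache_ssl_enabled: false` followed by `apache_ssl:` / `  enabled: ${_param:apache_ssl_enabled}`. The same applies to the designate, glance, heat, ironic, neutron, nova and placement proxy hunks and to the barbican, cinder, gnocchi, manila, nova-placement and panko site hunks.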
diff --git a/apache/server/proxy/openstack/designate.yml b/apache/server/proxy/openstack/designate.yml
index b681cf7..c39c9a4 100644
--- a/apache/server/proxy/openstack/designate.yml
+++ b/apache/server/proxy/openstack/designate.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_designate_host: ${_param:designate_service_host}
diff --git a/apache/server/proxy/openstack/glance.yml b/apache/server/proxy/openstack/glance.yml
index 91bedea..f983ab4 100644
--- a/apache/server/proxy/openstack/glance.yml
+++ b/apache/server/proxy/openstack/glance.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_glance_host: ${_param:glance_service_host}
diff --git a/apache/server/proxy/openstack/heat.yml b/apache/server/proxy/openstack/heat.yml
index b844c45..f3aab22 100644
--- a/apache/server/proxy/openstack/heat.yml
+++ b/apache/server/proxy/openstack/heat.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_heat_host: ${_param:heat_service_host}
diff --git a/apache/server/proxy/openstack/ironic.yml b/apache/server/proxy/openstack/ironic.yml
index d6bd7d3..b6abf0f 100644
--- a/apache/server/proxy/openstack/ironic.yml
+++ b/apache/server/proxy/openstack/ironic.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_ironic_host: ${_param:ironic_service_host}
diff --git a/apache/server/proxy/openstack/neutron.yml b/apache/server/proxy/openstack/neutron.yml
index dd18c40..1ed5726 100644
--- a/apache/server/proxy/openstack/neutron.yml
+++ b/apache/server/proxy/openstack/neutron.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_neutron_host: ${_param:neutron_service_host}
diff --git a/apache/server/proxy/openstack/nova.yml b/apache/server/proxy/openstack/nova.yml
index 66a0107..610c6d5 100644
--- a/apache/server/proxy/openstack/nova.yml
+++ b/apache/server/proxy/openstack/nova.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
apache_proxy_openstack_nova_host: ${_param:nova_service_host}
diff --git a/apache/server/proxy/openstack/placement.yml b/apache/server/proxy/openstack/placement.yml
index 9e256b2..6030740 100644
--- a/apache/server/proxy/openstack/placement.yml
+++ b/apache/server/proxy/openstack/placement.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_proxy_ssl:
+ apache_ssl:
enabled: false
+ apache_proxy_ssl: ${_param:apache_ssl}
placement_service_host: ${_param:nova_service_host}
apache_proxy_openstack_api_host: ${_param:cluster_public_host}
apache_proxy_openstack_api_address: 0.0.0.0
diff --git a/apache/server/site/barbican.yml b/apache/server/site/barbican.yml
index 55f5cf5..0e7da2c 100644
--- a/apache/server/site/barbican.yml
+++ b/apache/server/site/barbican.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_barbican_ssl:
+ apache_ssl:
enabled: false
+ apache_barbican_ssl: ${_param:apache_ssl}
apache_barbican_api_address: 0.0.0.0
apache_barbican_api_host: ${linux:network:fqdn}
apache:
diff --git a/apache/server/site/cinder.yml b/apache/server/site/cinder.yml
index 7338b6e..d1e3475 100644
--- a/apache/server/site/cinder.yml
+++ b/apache/server/site/cinder.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_cinder_ssl:
+ apache_ssl:
enabled: false
+ apache_cinder_ssl: ${_param:apache_ssl}
apache_cinder_api_address: 0.0.0.0
apache_cinder_api_host: ${linux:network:fqdn}
cinder:
diff --git a/apache/server/site/gnocchi.yml b/apache/server/site/gnocchi.yml
index a3d6def..12d5f24 100644
--- a/apache/server/site/gnocchi.yml
+++ b/apache/server/site/gnocchi.yml
@@ -1,8 +1,9 @@
parameters:
_param:
gnocchi_api_workers: 2
- apache_gnocchi_ssl:
+ apache_ssl:
enabled: false
+ apache_gnocchi_ssl: ${_param:apache_ssl}
apache_gnocchi_api_host: ${linux:network:fqdn}
apache_gnocchi_api_address: ${_param:single_address}
apache_gnocchi_api_port: 8041
diff --git a/apache/server/site/manila.yml b/apache/server/site/manila.yml
index 2161882..cecf1d4 100644
--- a/apache/server/site/manila.yml
+++ b/apache/server/site/manila.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_manila_ssl:
+ apache_ssl:
enabled: false
+ apache_manila_ssl: ${_param:apache_ssl}
apache_manila_api_address: 0.0.0.0
apache_manila_api_host: ${linux:network:fqdn}
manila:
diff --git a/apache/server/site/nova-placement.yml b/apache/server/site/nova-placement.yml
index 9eeeae4..7c8e8bd 100644
--- a/apache/server/site/nova-placement.yml
+++ b/apache/server/site/nova-placement.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_nova_placement_ssl:
+ apache_ssl:
enabled: false
+ apache_nova_placement_ssl: ${_param:apache_ssl}
apache_nova_placement_api_address: 0.0.0.0
apache_nova_placement_api_host: ${linux:network:fqdn}
nova_placement:
diff --git a/apache/server/site/panko.yml b/apache/server/site/panko.yml
index d052c37..eff49c5 100644
--- a/apache/server/site/panko.yml
+++ b/apache/server/site/panko.yml
@@ -1,7 +1,8 @@
parameters:
_param:
- apache_panko_ssl:
+ apache_ssl:
enabled: false
+ apache_panko_ssl: ${_param:apache_ssl}
panko_api_workers: 2
apache_panko_api_host: ${linux:network:fqdn}
apache_panko_api_address: ${_param:single_address}
diff --git a/apache/server/ssl.yml b/apache/server/ssl.yml
new file mode 100644
index 0000000..b720d5d
--- /dev/null
+++ b/apache/server/ssl.yml
@@ -0,0 +1,112 @@
+parameters:
+ _param:
+ apache_ssl_enabled: false
+ apache_ssl:
+ mode: 'strict'
+ enabled: ${_param:apache_ssl_enabled}
+ engine: salt
+ prefer_server_ciphers: "on"
+ protocols:
+ all:
+ name: 'all'
+ enabled: True
+ excludeSSLv2:
+ name: '-SSLv2'
+ enabled: True
+ excludeSSLv3:
+ name: '-SSLv3'
+ enabled: True
+ ciphers:
+ ECDHE-ECDSA-CHACHA20-POLY1305:
+ name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
+ enabled: True
+ ECDHE-RSA-CHACHA20-POLY1305:
+ name: 'ECDHE-RSA-CHACHA20-POLY1305'
+ enabled: True
+ ECDHE-ECDSA-AES128-GCM-SHA256:
+ name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
+ enabled: True
+ ECDHE-RSA-AES128-GCM-SHA256:
+ name: 'ECDHE-RSA-AES128-GCM-SHA256'
+ enabled: True
+ ECDHE-ECDSA-AES256-GCM-SHA384:
+ name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
+ enabled: True
+ ECDHE-RSA-AES256-GCM-SHA384:
+ name: 'ECDHE-RSA-AES256-GCM-SHA384'
+ enabled: True
+ DHE-RSA-AES128-GCM-SHA256:
+ name: 'DHE-RSA-AES128-GCM-SHA256'
+ enabled: True
+ DHE-RSA-AES256-GCM-SHA384:
+ name: 'DHE-RSA-AES256-GCM-SHA384'
+ enabled: True
+ ECDHE-ECDSA-AES128-SHA256:
+ name: 'ECDHE-ECDSA-AES128-SHA256'
+ enabled: True
+ ECDHE-RSA-AES128-SHA256:
+ name: 'ECDHE-RSA-AES128-SHA256'
+ enabled: True
+ ECDHE-ECDSA-AES128-SHA:
+ name: 'ECDHE-ECDSA-AES128-SHA'
+ enabled: True
+ ECDHE-RSA-AES256-SHA384:
+ name: 'ECDHE-RSA-AES256-SHA384'
+ enabled: True
+ ECDHE-RSA-AES128-SHA:
+ name: 'ECDHE-RSA-AES128-SHA'
+ enabled: True
+ ECDHE-ECDSA-AES256-SHA384:
+ name: 'ECDHE-ECDSA-AES256-SHA384'
+ enabled: True
+ ECDHE-ECDSA-AES256-SHA:
+ name: 'ECDHE-ECDSA-AES256-SHA'
+ enabled: True
+ ECDHE-RSA-AES256-SHA:
+ name: 'ECDHE-RSA-AES256-SHA'
+ enabled: True
+ DHE-RSA-AES128-SHA256:
+ name: 'DHE-RSA-AES128-SHA256'
+ enabled: True
+ DHE-RSA-AES128-SHA:
+ name: 'DHE-RSA-AES128-SHA'
+ enabled: True
+ DHE-RSA-AES256-SHA256:
+ name: 'DHE-RSA-AES256-SHA256'
+ enabled: True
+ DHE-RSA-AES256-SHA:
+ name: 'DHE-RSA-AES256-SHA'
+ enabled: True
+ ECDHE-ECDSA-DES-CBC3-SHA:
+ name: 'ECDHE-ECDSA-DES-CBC3-SHA'
+ enabled: True
+ ECDHE-RSA-DES-CBC3-SHA:
+ name: 'ECDHE-RSA-DES-CBC3-SHA'
+ enabled: True
+ EDH-RSA-DES-CBC3-SHA:
+ name: 'EDH-RSA-DES-CBC3-SHA'
+ enabled: True
+ AES128-GCM-SHA256:
+ name: 'AES128-GCM-SHA256'
+ enabled: True
+ AES256-GCM-SHA384:
+ name: 'AES256-GCM-SHA384'
+ enabled: True
+ AES128-SHA256:
+ name: 'AES128-SHA256'
+ enabled: True
+ AES256-SHA256:
+ name: 'AES256-SHA256'
+ enabled: True
+ AES256-SHA:
+ name: 'AES256-SHA'
+ enabled: True
+ AES128-SHA:
+ name: 'AES128-SHA'
+ enabled: True
+ DES-CBC3-SHA:
+ name: 'DES-CBC3-SHA'
+ enabled: True
+ removeDSS:
+ name: '!DSS'
+ enabled: True
\ No newline at end of file
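Review bot: The default cipher set in this new class enables four 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the `protocols` map only subtracts SSLv2 and SSLv3, so a deployment that sets `apache_ssl_enabled: true` and trusts the shipped defaults still accepts TLS 1.0/1.1 and 64-bit-block ciphers, which is a weak baseline for a class labelled `mode: 'strict'`. I would ship those four entries with `enabled: false` (a cluster that needs them for legacy clients can flip them back in its own model) and add `excludeTLSv1` / `excludeTLSv1_1` protocol entries, as below. The remaining CBC and non-forward-secret suites (`AES128-SHA`, `AES256-SHA256`, …) are a policy decision I would at least state in a comment at the top of the file, so the next reader knows they are deliberate. Separately, the file uses `True` where yamllint's `truthy` rule prefers `true`, and it has no trailing newline.
```yaml
    protocols:
      # … unchanged: all, excludeSSLv2, excludeSSLv3 …
      excludeTLSv1:
        name: '-TLSv1'
        enabled: true
      excludeTLSv1_1:
        name: '-TLSv1.1'
        enabled: true
    ciphers:
      # … unchanged: AEAD/ECDHE/DHE suites …
      # 3DES: 64-bit block size; off by default, same for the other three *-DES-CBC3-SHA entries
      DES-CBC3-SHA:
        name: 'DES-CBC3-SHA'
        enabled: false
      # … unchanged: removeDSS …
```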