diff options
-rw-r--r-- | inventory/byo/hosts.origin.example | 9 | ||||
-rw-r--r-- | inventory/byo/hosts.ose.example | 9 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master/templates/master.yaml.v1.j2 | 18 | ||||
-rw-r--r-- | roles/openshift_node/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_node/templates/node.yaml.v1.j2 | 9 |
6 files changed, 47 insertions, 2 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index b9ffbf120..bb9f4706a 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -265,6 +265,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Override master servingInfo.maxRequestsInFlight #openshift_master_max_requests_inflight=500 +# Override master and node servingInfo.minTLSVersion and .cipherSuites +# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12 +# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants +#openshift_master_min_tls_version=VersionTLS12 +#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] +# +#openshift_node_min_tls_version=VersionTLS12 +#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] + # default storage plugin dependencies to install, by default the ceph and # glusterfs plugin dependencies will be installed, if available. #osn_storage_plugin_deps=['ceph','glusterfs','iscsi'] diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 10fc4d6f3..12a1b3991 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -265,6 +265,15 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Override master servingInfo.maxRequestsInFlight #openshift_master_max_requests_inflight=500 +# Override master and node servingInfo.minTLSVersion and .cipherSuites +# valid TLS versions are VersionTLS10, VersionTLS11, VersionTLS12 +# example cipher suites override, valid cipher suites are https://golang.org/pkg/crypto/tls/#pkg-constants +#openshift_master_min_tls_version=VersionTLS12 +#openshift_master_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] +# +#openshift_node_min_tls_version=VersionTLS12 +#openshift_node_cipher_suites=['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', '...'] + # default storage plugin dependencies to install, by default the ceph and # glusterfs plugin dependencies will be installed, if available. #osn_storage_plugin_deps=['ceph','glusterfs'] diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 2ef61cddf..98e0da1a2 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -249,7 +249,7 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent + curl --silent --tlsv1.2 {% if openshift.common.version_gte_3_2_or_1_2 | bool %} --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt {% else %} diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index aec48386e..938ac2a12 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -35,6 +35,15 @@ assetConfig: keyFile: master.server.key maxRequestsInFlight: 0 requestTimeoutSeconds: 0 +{% if openshift_master_min_tls_version is defined %} + minTLSVersion: {{ openshift_master_min_tls_version }} +{% endif %} +{% if openshift_master_cipher_suites is defined %} + cipherSuites: +{% for cipher_suite in openshift_master_cipher_suites %} + - {{ cipher_suite }} +{% endfor %} +{% endif %} {% if openshift_master_ha | bool %} {% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %} auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }} @@ -256,5 +265,14 @@ servingInfo: {% endfor %} {% endfor %} {% endif %} +{% if openshift_master_min_tls_version is defined %} + minTLSVersion: {{ openshift_master_min_tls_version }} +{% endif %} +{% if openshift_master_cipher_suites is defined %} + cipherSuites: +{% for cipher_suite in openshift_master_cipher_suites %} + - {{ cipher_suite }} +{% endfor %} +{% endif %} volumeConfig: dynamicProvisioningEnabled: {{ openshift.master.dynamic_provisioning_enabled }} diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 691227915..626248306 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -153,7 +153,7 @@ # Using curl here since the uri module requires python-httplib2 and # wait_for port doesn't provide health information. command: > - curl --silent --cacert {{ openshift.common.config_base }}/node/ca.crt + curl --silent --tlsv1.2 --cacert {{ openshift.common.config_base }}/node/ca.crt {{ openshift_node_master_api_url }}/healthz/ready args: # Disables the following warning: diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index d3c3feb68..f2f929232 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -40,6 +40,15 @@ servingInfo: certFile: server.crt clientCA: ca.crt keyFile: server.key +{% if openshift_node_min_tls_version is defined %} + minTLSVersion: {{ openshift_node_min_tls_version }} +{% endif %} +{% if openshift_node_cipher_suites is defined %} + cipherSuites: +{% for cipher_suite in openshift_node_cipher_suites %} + - {{ cipher_suite }} +{% endfor %} +{% endif %} volumeDirectory: {{ openshift.common.data_dir }}/openshift.local.volumes proxyArguments: proxy-mode: |