Add etcd tls cipher suites (#7001)
* Add etcd tls cipher suites * yamllint
parent
a69f2b09da
commit
cd7212453e
4 changed files with 40 additions and 0 deletions
|
@ -65,3 +65,30 @@ etcd_peer_client_auth: true
|
||||||
|
|
||||||
# Number of loop retries
|
# Number of loop retries
|
||||||
etcd_retries: 4
|
etcd_retries: 4
|
||||||
|
|
||||||
|
## Support tls cipher suites.
|
||||||
|
# etcd_tls_cipher_suites: {}
|
||||||
|
# - TLS_RSA_WITH_RC4_128_SHA
|
||||||
|
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
# - TLS_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
# - TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
# - TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
# - TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
# - TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||||
|
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||||
|
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||||
|
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||||
|
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
|
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
|
|
|
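Review bot: The commented example under `## Support tls cipher suites.` lists RC4 suites (`TLS_RSA_WITH_RC4_128_SHA`, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`), 3DES suites (`TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) and the non-forward-secret `TLS_RSA_*` suites alongside the strong ones, with no hint that they are weak, so an operator who uncomments the whole block to "enable cipher suites" would loosen etcd's TLS rather than tighten it. The example header `# etcd_tls_cipher_suites: {}` is also a mapping, while the template added in this commit iterates the value as a list, so `{}` followed by `- ...` items is not valid YAML once uncommented. I would write the header as `# etcd_tls_cipher_suites:` and add a warning above the list, e.g. `# Names are the Go crypto/tls identifiers etcd accepts for --cipher-suites; RC4, 3DES and TLS_RSA_* suites are listed for completeness only and should not be enabled — prefer the ECDHE AES-GCM / CHACHA20 entries.` Leaving the variable unset keeps etcd's built-in selection, which is the safer default.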
@ -31,6 +31,10 @@ ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
||||||
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
||||||
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
|
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
|
||||||
|
|
||||||
|
{% if etcd_tls_cipher_suites is defined %}
|
||||||
|
ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for key, value in etcd_extra_vars.items() %}
|
{% for key, value in etcd_extra_vars.items() %}
|
||||||
{{ key }}={{ value }}
|
{{ key }}={{ value }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
|
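Review bot: The new `ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}...` line uses a colon, whereas every other entry in this file is a `KEY=value` assignment (`ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}` directly above it), so as an environment-file entry it is not an assignment at all. Depending on how the file is loaded the line will be skipped or rejected, but either way the cipher restriction will not reach etcd, which silently keeps its default list — a fail-open for a hardening option. Change it to `ETCD_CIPHER_SUITES={{ etcd_tls_cipher_suites | join(',') }}`, which also replaces the hand-rolled comma loop. The surrounding `etcd_extra_vars` loop is unchanged and unaffected.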
@ -40,6 +40,10 @@ ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
||||||
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
||||||
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
|
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
|
||||||
|
|
||||||
|
{% if etcd_tls_cipher_suites is defined %}
|
||||||
|
ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% for key, value in etcd_extra_vars.items() %}
|
{% for key, value in etcd_extra_vars.items() %}
|
||||||
{{ key }}={{ value }}
|
{{ key }}={{ value }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
|
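Review bot: `ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}...` is emitted with a colon rather than the `=` used by every other setting in this env file (compare `ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}` just above), so the events cluster would never see the configured suites and would keep negotiating with etcd's default cipher list. Because this template and the main etcd env template are rendered independently, the fix must be applied here as well: `ETCD_CIPHER_SUITES={{ etcd_tls_cipher_suites | join(',') }}`. A line with no `=` may be dropped or cause the file to be rejected depending on the loader; neither outcome applies the restriction.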
@ -33,3 +33,8 @@ kube_oidc_client_id: kubespray-example
|
||||||
tls_min_version: "VersionTLS12"
|
tls_min_version: "VersionTLS12"
|
||||||
tls_cipher_suites:
|
tls_cipher_suites:
|
||||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
|
||||||
|
# test etcd tls cipher suites
|
||||||
|
etcd_tls_cipher_suites:
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
|
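Review bot: The fixture only sets `etcd_tls_cipher_suites` to two suites; nothing in this commit asserts that the rendered etcd env file contains an `ETCD_CIPHER_SUITES=` assignment or that etcd actually refuses other suites, so the deploy would pass even though the templates in this commit emit the value as `ETCD_CIPHER_SUITES:` (a colon, not an assignment) and the option is inert. If the harness allows a post-deploy step, add a handshake check that a suite outside the list is rejected, e.g. `openssl s_client -cipher AES256-SHA -connect <etcd-member>:2379` with the member certs, expecting a handshake failure. The test harness itself is not visible in this hunk, so the exact placement of that check is left to the test layout.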