Skip to content

OCPBUGS-58040: haproxy-config.template: Allow empty ciphers #661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

OCPBUGS-58040: haproxy-config.template: Allow empty ciphers #661

wants to merge 4 commits into from

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Jun 27, 2025

haproxy-config.template: Simplify ROUTER_CIPHERS

Simplify the default ciphers configuration in the configuration template by combining {{else}} and {{if}} stanzas into {{else if}}.

haproxy-config.template: Introduce $routerCiphers

Define a template variable $routerCiphers and use it to avoid unnecessarily calling the env helper repeatedly.

Introduce $routerCiphersuites

Define a template variable $routerCiphersuites for consistency with $routerCiphers.

haproxy-config.template: Allow empty ciphers

Allow the empty value for TLS ciphers (TLSv1.2 and earlier) and cipher suites (TLSv1.3). Rather than filling in a default value, pass the empty value through to HAProxy, which in turn passes it through to OpenSSL. Specifying the empty value means that the corresponding TLS version cannot be used.

Miciah added 4 commits June 27, 2025 13:56
@Miciah
haproxy-config.template: Simplify ROUTER_CIPHERS
bb39b5a 
* haproxy-config.template: Simplify the default ciphers configuration
by combining {{else}} and {{if}} stanzas into {{else if}}.
@Miciah
haproxy-config.template: Introduce $routerCiphers
fdae233 
* haproxy-config.template: Define a variable $routerCiphers and use it
to avoid unnecessarily calling the env helper repeatedly.
@Miciah
Introduce $routerCiphersuites
88f5fad 
* haproxy-config.template: Define a variable $routerCiphersuites for
consistency with $routerCiphers.
@Miciah
haproxy-config.template: Allow empty ciphers
a538c79 
Allow the empty value for TLS ciphers (TLSv1.2 and earlier) and cipher
suites (TLSv1.3), and use the empty value instead of setting a default
value.  Specifying the empty value means that the corresponding TLS
version cannot be used.

This commit fixes bug OCPBUGS-58040.

https://issues.redhat.com/browse/OCPBUGS-58040

* haproxy-config.template: Allow the empty value for ROUTER_CIPHERS and
ROUTER_CIPHERSUITES.  Rather than using a default value, pass an empty
value through to HAProxy (which in turn passes it through to OpenSSL).
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 27, 2025
@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Jira Issue OCPBUGS-58040, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

haproxy-config.template: Simplify ROUTER_CIPHERS

Simplify the default ciphers configuration in the configuration template by combining {{else}} and {{if}} stanzas into {{else if}}.

haproxy-config.template: Introduce $routerCiphers

Define a template variable $routerCiphers and use it to avoid unnecessarily calling the env helper repeatedly.

Introduce $routerCiphersuites

Define a template variable $routerCiphersuites for consistency with $routerCiphers.

haproxy-config.template: Allow empty ciphers

Allow the empty value for TLS ciphers (TLSv1.2 and earlier) and cipher suites (TLSv1.3). Rather than filling in a default value, pass the empty value through to HAProxy, which in turn passes it through to OpenSSL. Specifying the empty value means that the corresponding TLS version cannot be used.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jun 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign grzpiotrowski for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jun 27, 2025

@Miciah: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn a538c79 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-metal-ipi-ovn-router a538c79 link false /test e2e-metal-ipi-ovn-router
ci/prow/e2e-upgrade a538c79 link true /test e2e-upgrade
ci/prow/e2e-agnostic a538c79 link true /test e2e-agnostic
ci/prow/e2e-metal-ipi-ovn-ipv6 a538c79 link false /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-metal-ipi-ovn-dualstack a538c79 link false /test e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-aws-serial a538c79 link true /test e2e-aws-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Miciah Miciah marked this pull request as draft July 12, 2025 20:51
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@melvinjoseph86 melvinjoseph86 Awaiting requested review from melvinjoseph86

@gcs278 gcs278 Awaiting requested review from gcs278

@grzpiotrowski grzpiotrowski Awaiting requested review from grzpiotrowski

Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Miciah @openshift-ci-robot