Comparing changes
base repository: openshift/router
base: master
head repository: openshift/router
compare: release-4.18
- 8 commits
- 5 files changed
- 4 contributors
Commits on Jan 14, 2025
Make idle-close-on-response configurable in HAProxy template
Replace the hard-coded idle-close-on-response setting with a conditional based on the IngressController's spec.idleConnectionTerminationPolicy field, which controls whether HAProxy maintains idle frontend connections during reloads or closes them immediately. The default behaviour returns to closing idle connections immediately, reversing https://issues.redhat.com/browse/OCPBUGS-32044 which had made 'option idle-close-on-response' always present in the configuration.
Commit ef0af34
Commits on Jan 31, 2025
OCPBUGS-47761: Update default_pub_keys.pem to use SHA256
Previously, default_pub_keys.pem used SHA1 which is no longer supported by OpenSSL. This resulted in router deployments that didn't specify a default cert failing due to default_pub_keys.pem being too weak. Additionally, a 2048 byte RSA key is used so that default_pub_keys.pem will work with FIPS clusters.

This fix regenerates the default_pub_keys.pem cert file by executing the following commands:

    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -keyout exampleca.key -out exampleca.crt -nodes -subj '/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/CN=www.exampleca.com/emailAddress=example@example.com'
    openssl req -newkey rsa:2048 -nodes -keyout example.key -out example.csr -subj '/CN=www.example.com/ST=SC/C=US/emailAddress=example@example.com/O=Example/OU=Example'
    openssl x509 -req -days 3650 -sha256 -in example.csr -CA exampleca.crt -CAcreateserial -CAkey exampleca.key -extensions ext -extfile <(echo $'[ext]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = none\nauthorityKeyIdentifier = none') -out example.crt
    cat example.crt example.key > default_pub_keys.pem

Add default_pub_keys.pem to .gitleaks.toml since this default certificate and key have always been publicly stored in this repo. This avoids false positive alerts in our tooling. See https://source.redhat.com/departments/operations/it-information-security/wiki/pattern_distribution_server#handling-false-positives for more details.
Commit e48048d
Merge pull request #648 from openshift-cherrypick-robot/cherry-pick-646-to-release-4.18
[release-4.18] OCPBUGS-49717: Update default_pub_keys.pem to use SHA256
Commit 061909a
Commits on Feb 2, 2025
OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1
Previously, only SHA1 leaf certs were rejected. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. This led to cases where routes with SHA1 intermediate CA certs were accepted, but HAProxy rejects them. Self-signed SHA1 certificates (i.e. root CA) remain supported since they are not subject to verification.

This update ensures all route certs, including the server, CA, and destination CA certs, are inspected, and any SHA1 cert that is not self-signed is rejected. Similar to SHA1, this fix also allows self-signed MD5 certificates which were incorrectly rejected previously.

Additionally, explicitly reject DSA SHA1 certificates. While all DSA certificates are already rejected by the router, this change provides a clearer and more precise rejection error message.

Lastly, explicitly reject MD2 certificates. Since MD2 certificates also cause HAProxy to fail to start, they should be explicitly rejected too.
Commit bb824cc
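The rejection rules described in the commit message above, sketched as an added Go example; this is not the router's own code. The names `rejectReason`, `constructed` and `demoReasons` are hypothetical, the self-signed test is approximated by comparing issuer and subject bytes, and MD2 and DSA-with-SHA1 are treated as rejected unconditionally.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"fmt"
)

// rejectReason returns "" when the certificate passes, else why it is rejected.
func rejectReason(c *x509.Certificate) string {
	// Assumption: issuer == subject stands in for a full self-signed check,
	// which would also verify the signature with the cert's own public key.
	selfIssued := bytes.Equal(c.RawIssuer, c.RawSubject)
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA:
		return "MD2 signature"
	case x509.DSAWithSHA1:
		return "DSA with SHA1 signature"
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.MD5WithRSA:
		if !selfIssued {
			return "CA-signed SHA1 or MD5 signature"
		}
	}
	return ""
}

// constructed builds a bare certificate value for the demo; it holds no key.
func constructed(alg x509.SignatureAlgorithm, subject, issuer string) *x509.Certificate {
	return &x509.Certificate{SignatureAlgorithm: alg, RawSubject: []byte(subject), RawIssuer: []byte(issuer)}
}

// demoReasons checks a constructed chain: leaf, intermediate, root, plus two extras.
func demoReasons() []string {
	chain := []*x509.Certificate{
		constructed(x509.SHA256WithRSA, "leaf", "intermediate"),
		constructed(x509.SHA1WithRSA, "intermediate", "root"), // CA-signed SHA1
		constructed(x509.SHA1WithRSA, "root", "root"),         // self-signed SHA1
		constructed(x509.MD5WithRSA, "old-root", "old-root"),  // self-signed MD5
		constructed(x509.MD2WithRSA, "md2-root", "md2-root"),  // MD2, always rejected
	}
	out := make([]string, len(chain))
	for i, c := range chain {
		out[i] = rejectReason(c)
	}
	return out
}

func main() { fmt.Println(demoReasons()) }
```

The point of walking the whole chain is the second entry: a SHA256 leaf passes on its own, but the SHA1 intermediate behind it is what HAProxy would refuse to load.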
Commits on Feb 25, 2025
Merge pull request #649 from openshift-cherrypick-robot/cherry-pick-642-to-release-4.18
[release-4.18] OCPBUGS-49389: Reject All CA-Signed Certs Using SHA1
Commit 15430fd
Commits on Feb 27, 2025
Merge pull request #647 from openshift-cherrypick-robot/cherry-pick-639-to-release-4.18
[release-4.18] OCPBUGS-48377: Add support for IdleCloseTerminationPolicy
Commit d805894
Commits on Dec 11, 2025
OCPBUGS-60885: Add option abortonclose to HAProxy configuration template
Signed-off-by: Davide Salerno <dsalerno@redhat.com>
Commit 3ba45cf
Commits on Dec 16, 2025
Merge pull request #703 from openshift-cherrypick-robot/cherry-pick-701-to-release-4.18
[release-4.18] OCPBUGS-67214: Add option abortonclose to HAProxy configuration template
Commit ccd9551