author | Ben Nemec <bnemec@redhat.com> | 2016-03-09 21:46:14 +0000 |
---|---|---|
committer | Ben Nemec <bnemec@redhat.com> | 2016-03-11 20:56:04 +0000 |
commit | 4988d0fc359a59af6ce86c0beb8549a950df57cd (patch) | |
tree | 17275d218f3997e24f448e3ff5d48807ca824bf2 | |
parent | e122bab6a9fe9f727ef5f82bcda6261cbd4ee1d6 (diff) |
Allow enabling authentication on haproxy.stats
Right now we always deploy the haproxy.stats endpoint with no
authentication, which is a security concern. Allow setting a
password on the endpoint so it isn't accessible to the world.
While this allows configuring SSL on the stats endpoint, it does
not use the service_certificate parameter because that certificate
is intended to be used only for public endpoints, and the stats
endpoint is actually on the admin VIP. Once we have support for
SSL on admin endpoints we can have stats use it by default.
Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
-rw-r--r-- | manifests/loadbalancer.pp | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 62023cd..0d70f32 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -103,6 +103,17 @@
 # A string.
 # Defaults to false
 #
+# [*haproxy_stats_user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+# [*haproxy_stats_password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
 # [*service_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the public API endpoints using the specified file.
@@ -183,6 +194,11 @@
 # When set, enables SSL on the Ironic public API endpoint using the specified file.
 # Defaults to undef
 #
+# [*haproxy_stats_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
 # [*keystone_admin*]
 # (optional) Enable or not Keystone Admin API binding
 # Defaults to false
@@ -344,6 +360,8 @@ class tripleo::loadbalancer (
 $haproxy_listen_bind_param = [ 'transparent' ],
 $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
 $haproxy_log_address = '/dev/log',
+ $haproxy_stats_user = 'admin',
+ $haproxy_stats_password = undef,
 $controller_host = undef,
 $controller_hosts = undef,
 $controller_hosts_names = undef,
@@ -363,6 +381,7 @@ class tripleo::loadbalancer (
 $heat_certificate = undef,
 $horizon_certificate = undef,
 $ironic_certificate = undef,
+ $haproxy_stats_certificate = undef,
 $keystone_admin = false,
 $keystone_public = false,
 $neutron = false,
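Review bot: The [*haproxy_stats_password*] entry in the first hunk documents only that authentication is enabled, not where the secret ends up; the last hunk of the change interpolates the value verbatim into an `auth user:password` stats option, and the bind-options hunk falls back to a plain (non-SSL) bind whenever `haproxy_stats_certificate` stays at its undef default, so the password is written as-is into haproxy.cfg and, without a certificate, the Basic-auth credential travels in the clear to the admin VIP. I would add under that parameter `# The password is stored in cleartext in haproxy.cfg and, unless` / `# haproxy_stats_certificate is also set, sent as HTTP Basic auth over plain HTTP.` The [*haproxy_stats_user*] entry should likewise say the value must not contain ':' because it is joined into `user:password`.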
@@ -599,6 +618,11 @@ class tripleo::loadbalancer (
 } else {
 $ironic_bind_certificate = $service_certificate
 }
+ # TODO(bnemec): When we have support for SSL on private and admin endpoints,
+ # have the haproxy stats endpoint use that certificate by default.
+ if $haproxy_stats_certificate {
+ $haproxy_stats_bind_certificate = $haproxy_stats_certificate
+ }
 
 $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
 $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
@@ -862,6 +886,16 @@ class tripleo::loadbalancer (
 }
 }
 
+ if $haproxy_stats_bind_certificate {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
 $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
 $mysql_bind_opts = {
 "${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -904,12 +938,17 @@ class tripleo::loadbalancer (
 }
 }
 
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
 haproxy::listen { 'haproxy.stats':
- ipaddress => $controller_virtual_ip,
- ports => '1993',
+ bind => $haproxy_stats_bind_opts,
 mode => 'http',
 options => {
- 'stats' => ['enable', 'uri /'],
+ 'stats' => $stats_config,
 },
 collect_exported => false,
 } |
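Review bot: `$haproxy_stats_bind_certificate` is assigned only inside the `if $haproxy_stats_certificate` branch, whereas the sibling `$ironic_bind_certificate` directly above gets a value in both branches; the bind-options hunk later tests `if $haproxy_stats_bind_certificate`, which reads a never-assigned variable whenever no certificate is configured. That is silently undef only while Puppet's strict_variables is off and a compilation failure when it is on. Give the variable a value on both paths: `} else {` / `$haproxy_stats_bind_certificate = undef` / `}`. The enclosing class body starts and ends outside this hunk.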
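Review bot: Setting `haproxy_stats_password` without `haproxy_stats_certificate` produces a `stats auth` line on the non-SSL branch of `$haproxy_stats_bind_opts`, so the Basic-auth credential crosses the admin network in cleartext on every stats request; the commit message accepts this limitation, but the manifest should surface it at compile time rather than leave operators to discover it. Next to the `$stats_config` computation add `if $haproxy_stats_password and !$haproxy_stats_certificate { warning('haproxy_stats_password set without haproxy_stats_certificate: stats credentials will be sent in cleartext') }`. Note also that the password is interpolated verbatim into the options array, so it lands in haproxy.cfg and may appear in any catalog or report output that captures `haproxy::listen` parameters; it should be a protected hiera value. The enclosing class body runs past the end of the hunk.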