authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-05-04 13:28:01 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-06-08 16:57:18 +0300
commitc8d2a1133e8aff13acf52da2ab29e8dccda1e6b6 (patch)
tree270619a42fecc794661a1c8a88daa119e68c58ab
parent2bb37b6189693d7588730eeb080f85009c3b6d6c (diff)
Use CRL for HAProxy
This sets up the CRL file to be triggered on the certmonger_user resource. Furthermore, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
-rw-r--r--manifests/haproxy.pp13
-rw-r--r--manifests/profile/base/certmonger_user.pp10
-rw-r--r--releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml6
3 files changed, 28 insertions, 1 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 5f70647..208f328 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,6 +146,10 @@
# the servers it balances
# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
#
+# [*crl_file*]
+# Path to the CRL file to be used for checking revoked certificates.
+# Defaults to undef
+#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -565,6 +569,7 @@ class tripleo::haproxy (
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+ $crl_file = undef,
$haproxy_stats_certificate = undef,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
@@ -728,7 +733,13 @@ class tripleo::haproxy (
$ports = merge($default_service_ports, $service_ports)
if $enable_internal_tls {
- $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+ if $crl_file {
+ $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+ } else {
+ $internal_tls_member_options = $base_internal_tls_member_options
+ }
Haproxy::Balancermember {
verifyhost => true
}
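Review bot: The new `crl-file` member option is only ever added inside the `if $enable_internal_tls` branch, but the `[*crl_file*]` parameter documentation added in the first hunk of this file does not say so, so a deployer who sets `crl_file` without internal TLS will get no revocation checking and no hint why; add to that doc block `# Only applied to balancer members when enable_internal_tls is true.` Since the value is interpolated verbatim into the HAProxy config line, a path check at the parameter (the file already relies on stdlib functions such as `concat` and `merge`, so `validate_absolute_path($crl_file)` guarded by `if $crl_file` would fit) would turn a malformed value into a catalog failure instead of an HAProxy config error at reload time. The body of class tripleo::haproxy continues outside this hunk.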
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 4ba51ec..7a6559e 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user (
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
) {
+ unless empty($haproxy_certificates_specs) {
+ $reload_haproxy = ['systemctl reload haproxy']
+ Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
+ Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+ } else {
+ $reload_haproxy = []
+ }
+ class { '::tripleo::certmonger::ca::crl' :
+ reload_cmds => $reload_haproxy,
+ }
include ::tripleo::certmonger::ca::libvirt
unless empty($apache_certificates_specs) {
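Review bot: The condition `unless empty($haproxy_certificates_specs)` that decides whether a CRL refresh reloads HAProxy is not obviously the same as the condition under which HAProxy actually consumes the CRL (the haproxy.pp change in this commit only adds `crl-file` when both `enable_internal_tls` and `crl_file` are set), so a comment should state why certificate specs are the chosen proxy, e.g. `# Reload HAProxy on CRL change only when certmonger manages its certificates; the CRL is otherwise unused by HAProxy.` Also, `Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']` already refreshes the haproxy module's service on a CRL change, while `reload_cmds => ['systemctl reload haproxy']` presumably reloads it again from inside the crl class — if both fire, HAProxy is reloaded twice per CRL update, which is harmless but worth a comment or dropping one edge; I cannot see the crl class here to confirm. Class tripleo::profile::base::certmonger_user starts before this hunk and its body continues after it.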
diff --git a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
new file mode 100644
index 0000000..cdfb859
--- /dev/null
+++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - If the crl_file parameter is given to the ::tripleo::haproxy resource and
+ TLS is enabled in the internal network, it will configure the CRL file for
+ all the nodes it's proxying and thus properly handle revocation of the
+ server certificates.