diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-04 13:28:01 +0300 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-06-08 16:57:18 +0300 |
commit | c8d2a1133e8aff13acf52da2ab29e8dccda1e6b6 (patch) | |
tree | 270619a42fecc794661a1c8a88daa119e68c58ab | |
parent | 2bb37b6189693d7588730eeb080f85009c3b6d6c (diff) |
Use CRL for HAProxy
This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.
So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.
bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
-rw-r--r-- | manifests/haproxy.pp | 13 | ||||
-rw-r--r-- | manifests/profile/base/certmonger_user.pp | 10 | ||||
-rw-r--r-- | releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml | 6 |
3 files changed, 28 insertions, 1 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 5f70647..208f328 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -146,6 +146,10 @@ # the servers it balances # Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # +# [*crl_file*] +# Path to the CRL file to be used for checking revoked certificates. +# Defaults to undef +# # [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the haproxy stats endpoint using the specified file. @@ -565,6 +569,7 @@ class tripleo::haproxy ( $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', + $crl_file = undef, $haproxy_stats_certificate = undef, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), @@ -728,7 +733,13 @@ class tripleo::haproxy ( $ports = merge($default_service_ports, $service_ports) if $enable_internal_tls { - $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + + if $crl_file { + $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}") + } else { + $internal_tls_member_options = $base_internal_tls_member_options + } Haproxy::Balancermember { verifyhost => true } diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp index 4ba51ec..7a6559e 100644 --- a/manifests/profile/base/certmonger_user.pp +++ b/manifests/profile/base/certmonger_user.pp @@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user ( $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}), $etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}), ) { + unless empty($haproxy_certificates_specs) { + $reload_haproxy = ['systemctl reload haproxy'] + Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||> + Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy'] + } else { + $reload_haproxy = [] + } + class { '::tripleo::certmonger::ca::crl' : + reload_cmds => $reload_haproxy, + } include ::tripleo::certmonger::ca::libvirt unless empty($apache_certificates_specs) { diff --git a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml new file mode 100644 index 0000000..cdfb859 --- /dev/null +++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml @@ -0,0 +1,6 @@ +--- +security: + - If the crl_file parameter is given to the ::tripleo::haproxy resource and + TLS is enabled in the internal network, it will configure the CRL file for + all the nodes it's proxying and thus properly handle revocation of the + server certificates. |