summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBen Nemec <bnemec@redhat.com>2016-03-09 21:46:14 +0000
committerBen Nemec <bnemec@redhat.com>2016-03-11 20:56:04 +0000
commit4988d0fc359a59af6ce86c0beb8549a950df57cd (patch)
tree17275d218f3997e24f448e3ff5d48807ca824bf2
parente122bab6a9fe9f727ef5f82bcda6261cbd4ee1d6 (diff)
Allow enabling authentication on haproxy.stats
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
-rw-r--r--manifests/loadbalancer.pp45
1 files changed, 42 insertions, 3 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 62023cd..0d70f32 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -103,6 +103,17 @@
# A string.
# Defaults to false
#
+# [*haproxy_stats_user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+# [*haproxy_stats_password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
# [*service_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the public API endpoints using the specified file.
@@ -183,6 +194,11 @@
# When set, enables SSL on the Ironic public API endpoint using the specified file.
# Defaults to undef
#
+# [*haproxy_stats_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to false
@@ -344,6 +360,8 @@ class tripleo::loadbalancer (
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
+ $haproxy_stats_user = 'admin',
+ $haproxy_stats_password = undef,
$controller_host = undef,
$controller_hosts = undef,
$controller_hosts_names = undef,
@@ -363,6 +381,7 @@ class tripleo::loadbalancer (
$heat_certificate = undef,
$horizon_certificate = undef,
$ironic_certificate = undef,
+ $haproxy_stats_certificate = undef,
$keystone_admin = false,
$keystone_public = false,
$neutron = false,
@@ -599,6 +618,11 @@ class tripleo::loadbalancer (
} else {
$ironic_bind_certificate = $service_certificate
}
+ # TODO(bnemec): When we have support for SSL on private and admin endpoints,
+ # have the haproxy stats endpoint use that certificate by default.
+ if $haproxy_stats_certificate {
+ $haproxy_stats_bind_certificate = $haproxy_stats_certificate
+ }
$keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
$keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
@@ -862,6 +886,16 @@ class tripleo::loadbalancer (
}
}
+ if $haproxy_stats_bind_certificate {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -904,12 +938,17 @@ class tripleo::loadbalancer (
}
}
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
haproxy::listen { 'haproxy.stats':
- ipaddress => $controller_virtual_ip,
- ports => '1993',
+ bind => $haproxy_stats_bind_opts,
mode => 'http',
options => {
- 'stats' => ['enable', 'uri /'],
+ 'stats' => $stats_config,
},
collect_exported => false,
}