author | Jenkins <jenkins@review.openstack.org> | 2016-04-14 08:29:15 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-04-14 08:29:15 +0000 |
commit | 25d403306d1b300bb344f7b655de7487bdddce0e (patch) | |
tree | a263f918b9ee62265de04397fa6933dc16c83d44 | |
parent | 794b0f8b123c840b0abefe829715a92ad25a4d32 (diff) | |
parent | 7cb2d7d79262d36ac6e0514ef7bc0472824a5d19 (diff) |
Merge "Add support for internal/admin endpoint TLS in HAProxy"
-rw-r--r-- | manifests/loadbalancer.pp | 7 | ||||
-rw-r--r-- | manifests/loadbalancer/endpoint.pp | 15 |
2 files changed, 20 insertions, 2 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index 02a080c..f9d0473 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -119,6 +119,11 @@ # When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # +# [*internal_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the internal API endpoints using the specified file. +# Defaults to undef +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -314,6 +319,7 @@ class tripleo::loadbalancer ( $controller_hosts = undef, $controller_hosts_names = undef, $service_certificate = undef, + $internal_certificate = undef, $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -577,6 +583,7 @@ class tripleo::loadbalancer ( haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, + internal_certificate => $internal_certificate, } $stats_base = ['enable', 'uri /'] diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp index 12209e3..e6bb185 100644 --- a/manifests/loadbalancer/endpoint.pp +++ b/manifests/loadbalancer/endpoint.pp @@ -64,6 +64,10 @@ # Certificate path used to enable TLS for the public proxy endpoint. # Defaults to undef. # +# [*internal_certificate*] +# Certificate path used to enable TLS for the internal proxy endpoint. +# Defaults to undef. +# define tripleo::loadbalancer::endpoint ( $internal_ip, $service_port, @@ -78,6 +82,7 @@ define tripleo::loadbalancer::endpoint ( }, $public_ssl_port = undef, $public_certificate = undef, + $internal_certificate = undef, ) { if $public_virtual_ip { # service exposed to the public network 
@@ -96,8 +101,14 @@ define tripleo::loadbalancer::endpoint ( $public_bind_opts = {} } - $internal_bind_opts = { - "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, + if $internal_certificate { + $internal_bind_opts = { + "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + } else { + $internal_bind_opts = { + "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) |
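Review bot: The new `if $internal_certificate` branch in this hunk binds the internal address with `['ssl', 'crt', $public_certificate]`, so the branch is selected by `internal_certificate` but HAProxy is handed the public certificate, and a deployment that sets only `internal_certificate` most likely renders a `crt` option with no path (undef) and HAProxy will refuse the config. The line should read `"${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_certificate]),`. As written, the `internal_certificate` parameter threaded through the earlier hunks never reaches a bind line, so internal TLS with a distinct certificate cannot actually work. The enclosing define `tripleo::loadbalancer::endpoint` starts outside this hunk.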