authorJenkins <jenkins@review.openstack.org>2016-12-04 01:48:53 +0000
committerGerrit Code Review <review@openstack.org>2016-12-04 01:48:53 +0000
commitc6ad1436284ff379eacfb3715cf2a609785b9e6c (patch)
treec7b49887dad0e6e06de419617fc25595b6bd99fb
parent0921a93d42d228c391ab6b2caaacf0713e628994 (diff)
parent5b0bd1c00aef1b03bf697d0f05046c4ad8b641e5 (diff)
Merge "Add verify required and CA bundle to haproxy"
-rw-r--r--manifests/haproxy.pp9
1 files changed, 7 insertions, 2 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 2f3f062..a4ab0cc 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -117,6 +117,11 @@
# String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3'
#
+# [*ca_bundle*]
+# Path to the CA bundle to be used for HAProxy to validate the certificates of
+# the servers it balances
+# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
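Review bot: The new `ca_bundle` entry does not say when the parameter takes effect or how broad the default is. In the last hunk it is only read inside the `if $enable_internal_tls` branch, and the default path looks like the host's system-wide extracted trust store rather than a deployment-specific CA. I would add to the doc comment something like `# Only used when enable_internal_tls is true. Set this to the CA that issues the internal service certificates to narrow what HAProxy trusts.` The parameter documentation block continues outside this hunk.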
@@ -472,6 +477,7 @@ class tripleo::haproxy (
$enable_internal_tls = hiera('enable_internal_tls', false),
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
+ $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$haproxy_stats_certificate = undef,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
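Review bot: The default for `$ca_bundle` on the added line is a RHEL-family location, and the value is later interpolated into the HAProxy member options without any check. On a platform where that file does not exist, HAProxy would presumably fail to load the configuration as soon as internal TLS is enabled. Since the class already calls stdlib's `merge`, a `validate_absolute_path($ca_bundle)` in the class body would reject a relative or non-path value at catalog compile time. The parameter list starts and ends outside this hunk.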
@@ -601,8 +607,7 @@ class tripleo::haproxy (
$ports = merge($default_service_ports, $service_ports)
if $enable_internal_tls {
- # TODO(jaosorior): change verify none to verify required.
- $internal_tls_member_options = ['ssl', 'verify none']
+ $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
} else {
$internal_tls_member_options = []
}
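Review bot: `['ssl', 'verify required', "ca-file ${ca_bundle}"]` only checks that the backend certificate chains to a CA in the bundle; no `verifyhost` is set. As far as I know, HAProxy server lines of this era then do not compare the certificate's name with the member being contacted. Combined with the default bundle being the system trust store, a certificate issued by any CA in that store would be accepted for an internal backend. Consider recommending in the docs that `ca_bundle` point at the internal CA only, and adding `verifyhost <member name>` where the per-service member options are assembled, which is not visible in this hunk.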