aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-09-06 09:37:27 +0000
committerGerrit Code Review <review@openstack.org>2017-09-06 09:37:27 +0000
commit08677754f9622bc9264fda00251cf6bb3f00cc24 (patch)
tree04c2da4da7cd45dc0ec30c715bec60a6961e8413 /manifests/haproxy.pp
parent46a34f0a6fbf73b555d70ecd828222a325763a01 (diff)
parentd905ed08052ca5dc78b5f7f56f731394f19958ed (diff)
Merge "Use TLS proxy for Redis' internal TLS" into stable/pike
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r--manifests/haproxy.pp15
1 files changed, 12 insertions, 3 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e41f0e6..9386036 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -1373,11 +1373,19 @@ class tripleo::haproxy (
}
if $redis {
+ if $enable_internal_tls {
+ $redis_tcp_check_ssl_options = ['connect ssl']
+ $redis_ssl_member_options = ['check-ssl', "ca-file ${ca_bundle}"]
+ } else {
+ $redis_tcp_check_ssl_options = []
+ $redis_ssl_member_options = []
+ }
if $redis_password {
- $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ $redis_tcp_check_password_options = ["send AUTH\\ ${redis_password}\\r\\n"]
} else {
- $redis_tcp_check_options = []
+ $redis_tcp_check_password_options = []
}
+ $redis_tcp_check_options = union($redis_tcp_check_ssl_options, $redis_tcp_check_password_options)
haproxy::listen { 'redis':
bind => $redis_bind_opts,
options => {
@@ -1397,7 +1405,8 @@ class tripleo::haproxy (
ports => '6379',
ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
server_names => hiera('redis_node_names', $controller_hosts_names_real),
- options => $haproxy_member_options,
+ options => union($haproxy_member_options, $redis_ssl_member_options),
+ verifyhost => false,
}
if $manage_firewall {
include ::tripleo::firewall