author | Jenkins <jenkins@review.openstack.org> | 2017-09-06 09:37:27 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-09-06 09:37:27 +0000 |
commit | 08677754f9622bc9264fda00251cf6bb3f00cc24 (patch) | |
tree | 04c2da4da7cd45dc0ec30c715bec60a6961e8413 /manifests/haproxy.pp | |
parent | 46a34f0a6fbf73b555d70ecd828222a325763a01 (diff) | |
parent | d905ed08052ca5dc78b5f7f56f731394f19958ed (diff) |
Merge "Use TLS proxy for Redis' internal TLS" into stable/pike
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r-- | manifests/haproxy.pp | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e41f0e6..9386036 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -1373,11 +1373,19 @@ class tripleo::haproxy (
 }
 if $redis {
+ if $enable_internal_tls {
+ $redis_tcp_check_ssl_options = ['connect ssl']
+ $redis_ssl_member_options = ['check-ssl', "ca-file ${ca_bundle}"]
+ } else {
+ $redis_tcp_check_ssl_options = []
+ $redis_ssl_member_options = []
+ }
 if $redis_password {
- $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ $redis_tcp_check_password_options = ["send AUTH\\ ${redis_password}\\r\\n"]
 } else {
- $redis_tcp_check_options = []
+ $redis_tcp_check_password_options = []
 }
+ $redis_tcp_check_options = union($redis_tcp_check_ssl_options, $redis_tcp_check_password_options)
 haproxy::listen { 'redis':
 bind => $redis_bind_opts,
 options => {
@@ -1397,7 +1405,8 @@ class tripleo::haproxy (
 ports => '6379',
 ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
 server_names => hiera('redis_node_names', $controller_hosts_names_real),
- options => $haproxy_member_options,
+ options => union($haproxy_member_options, $redis_ssl_member_options),
+ verifyhost => false,
 }
 if $manage_firewall {
 include ::tripleo::firewall |
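Review bot: The member options added under `$enable_internal_tls` set `check-ssl` and `ca-file` but never state the verification mode, so whether the health check actually validates the backend certificate depends on HAProxy's server-side default. A global `ssl-server-verify none` would silently turn that validation off; whether the generated global section sets it is not visible from this hunk. Making it explicit keeps the check independent of that setting: `$redis_ssl_member_options = ['check-ssl', 'verify required', "ca-file ${ca_bundle}"]`. The `if $redis` block continues past the end of this hunk.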
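Review bot: `verifyhost => false` is added next to the new TLS member options with no explanation, so the health check will accept any certificate that chains to the CA bundle without matching its name to the backend. If that is deliberate, for example because the node certificates cannot match the `redis_node_names` values used as `server_names`, record it above the line with a comment such as `# verifyhost off: <reason the backend cert name cannot be matched>; chain is still checked against ca_bundle`. If the names can be made to match, tying it to the TLS switch would be safer: `verifyhost => $enable_internal_tls,`. The resource declaration these attributes belong to starts above the hunk.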