diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-07-13 12:27:23 +0300 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-10-19 17:37:32 +0300 |
| commit | 76bf2f532f9541eaf9cd7242ad2bf520f6788033 (patch) | |
| tree | a324b63a3e9de8e21ecc0c0e7b5368b1be726d19 /manifests/haproxy.pp | |
| parent | e86706f0f6c589ed8baeb9616b128a738b330a94 (diff) | |
Enable TLS in the internal network for keystone
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
Diffstat (limited to 'manifests/haproxy.pp')
| -rw-r--r-- | manifests/haproxy.pp | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index c4d018d..3ad10eb 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -106,6 +106,11 @@ # flag is set. # Defaults to {} # +# [*enable_internal_tls*] +# A flag that indicates if the servers in the internal network are using TLS. +# This enables the 'ssl' option for the server members that are proxied. +# Defaults to hiera('enable_internal_tls', false) +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -427,6 +432,7 @@ class tripleo::haproxy ( $service_certificate = undef, $use_internal_certificates = false, $internal_certificates_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -541,6 +547,13 @@ class tripleo::haproxy ( } $ports = merge($default_service_ports, $service_ports) + if $enable_internal_tls { + # TODO(jaosorior): change verify none to verify required. + $internal_tls_member_options = ['ssl', 'verify none'] + } else { + $internal_tls_member_options = [] + } + $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real @@ -680,6 +693,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -709,6 +723,7 @@ class tripleo::haproxy ( listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } |