Use CRL for HAProxy

This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.

So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.

bp tls-via-certmonger

Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd

1 files changed, 10 insertions, 0 deletions

diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 4ba51ec..7a6559e 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user (
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
   $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
+  unless empty($haproxy_certificates_specs) {
+    $reload_haproxy = ['systemctl reload haproxy']
+    Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
+    Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+  } else {
+    $reload_haproxy = []
+  }
+  class { '::tripleo::certmonger::ca::crl' :
+    reload_cmds => $reload_haproxy,
+  }
   include ::tripleo::certmonger::ca::libvirt
 
   unless empty($apache_certificates_specs) {