author Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-05-04 13:28:01 +0300
committer Juan Antonio Osorio Robles <jaosorior@redhat.com> 2017-06-08 16:57:18 +0300
commit c8d2a1133e8aff13acf52da2ab29e8dccda1e6b6 (patch)
tree 270619a42fecc794661a1c8a88daa119e68c58ab /releasenotes/notes
parent 2bb37b6189693d7588730eeb080f85009c3b6d6c (diff)
Use CRL for HAProxy

This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it.

bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
Diffstat (limited to 'releasenotes/notes')
-rw-r--r-- releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml 6
1 files changed, 6 insertions, 0 deletions
diff --git a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
new file mode 100644
index 0000000..cdfb859
--- /dev/null
+++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - If the crl_file parameter is given to the ::tripleo::haproxy resource and
+ TLS is enabled in the internal network, it will configure the CRL file for
+ all the nodes it's proxying and thus properly handle revocation of the
+ server certificates.
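Review bot: the single `security:` entry says revocation is handled "properly" once `crl_file` is given, but it leaves out what an operator needs in order to rely on that. The condition in the first two lines makes the check opt-in, so the note should state explicitly that when crl_file is not passed to ::tripleo::haproxy, or internal TLS is off, no CRL is configured for the proxied nodes and revoked server certificates are not rejected. It would also help to say where the CRL file is expected to come from and how it is kept current (the commit message mentions the certmonger_user resource, the release note does not), since a reader of the release notes alone cannot tell whether supplying a path is sufficient.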