-rw-r--r-- | manifests/loadbalancer.pp | 7 | ||||
-rw-r--r-- | manifests/loadbalancer/endpoint.pp | 15 |
2 files changed, 20 insertions, 2 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 02a080c..f9d0473 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -119,6 +119,11 @@
 # When set, enables SSL on the public API endpoints using the specified file.
 # Defaults to undef
 #
+# [*internal_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the internal API endpoints using the specified file.
+# Defaults to undef
+#
 # [*ssl_cipher_suite*]
 # The default string describing the list of cipher algorithms ("cipher suite")
 # that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -314,6 +319,7 @@ class tripleo::loadbalancer (
 $controller_hosts = undef,
 $controller_hosts_names = undef,
 $service_certificate = undef,
+ $internal_certificate = undef,
 $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
 $ssl_options = 'no-sslv3',
 $haproxy_stats_certificate = undef,
@@ -577,6 +583,7 @@ class tripleo::loadbalancer (
 haproxy_listen_bind_param => $haproxy_listen_bind_param,
 member_options => $haproxy_member_options,
 public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
 }
 
 $stats_base = ['enable', 'uri /']
diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp
index 12209e3..e6bb185 100644
--- a/manifests/loadbalancer/endpoint.pp
+++ b/manifests/loadbalancer/endpoint.pp
@@ -64,6 +64,10 @@
 # Certificate path used to enable TLS for the public proxy endpoint.
 # Defaults to undef.
 #
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
 define tripleo::loadbalancer::endpoint (
 $internal_ip,
 $service_port,
@@ -78,6 +82,7 @@ define tripleo::loadbalancer::endpoint (
 },
 $public_ssl_port = undef,
 $public_certificate = undef,
+ $internal_certificate = undef,
 ) {
 if $public_virtual_ip {
 # service exposed to the public network
@@ -96,8 +101,14 @@ define tripleo::loadbalancer::endpoint (
 $public_bind_opts = {}
 }
 
- $internal_bind_opts = {
- "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ if $internal_certificate {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
+ }
+ } else {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ }
 }
 
 $bind_opts = merge($internal_bind_opts, $public_bind_opts) |
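Review bot: The internal bind line added under `if $internal_certificate` hands `$public_certificate` to HAProxy's `crt`, so the new parameter gates TLS on the internal endpoint but the certificate actually served is the public one, and when only `internal_certificate` is set the `crt` argument is likely undef and the bind line malformed. The guard and the value should agree: `"${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_certificate]),`. A one-line `# Internal endpoint uses its own cert; do not fall back to the public one` above the `union(...)` call would make the intent explicit for the next reader. The enclosing define's body starts before this hunk.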