aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/loadbalancer.pp7
-rw-r--r--manifests/loadbalancer/endpoint.pp15
2 files changed, 20 insertions, 2 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0a14290..eb4a6fc 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -119,6 +119,11 @@
# When set, enables SSL on the public API endpoints using the specified file.
# Defaults to undef
#
+# [*internal_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the internal API endpoints using the specified file.
+# Defaults to undef
+#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -314,6 +319,7 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $internal_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
@@ -577,6 +583,7 @@ class tripleo::loadbalancer (
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
}
$stats_base = ['enable', 'uri /']
diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp
index 12209e3..e6bb185 100644
--- a/manifests/loadbalancer/endpoint.pp
+++ b/manifests/loadbalancer/endpoint.pp
@@ -64,6 +64,10 @@
# Certificate path used to enable TLS for the public proxy endpoint.
# Defaults to undef.
#
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
define tripleo::loadbalancer::endpoint (
$internal_ip,
$service_port,
@@ -78,6 +82,7 @@ define tripleo::loadbalancer::endpoint (
},
$public_ssl_port = undef,
$public_certificate = undef,
+ $internal_certificate = undef,
) {
if $public_virtual_ip {
# service exposed to the public network
@@ -96,8 +101,14 @@ define tripleo::loadbalancer::endpoint (
$public_bind_opts = {}
}
- $internal_bind_opts = {
- "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ if $internal_certificate {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
+ }
+ } else {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ }
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)