aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/certmonger/haproxy.pp
AgeCommit message (Collapse)AuthorFilesLines
2016-11-08Include local CA in haproxy PEMJuan Antonio Osorio Robles1-2/+18
In order for the browser to trust the certificate served by HAProxy we need to include the CA cert in the PEM file that the endpoints serve. Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417 Closes-Bug: #1639807
2016-09-15Fix dependencies for HAProxy when certmonger is usedJuan Antonio Osorio Robles1-4/+6
Installing the undercloud with generate_service_certificate=True fails if HAProxy is not pre-installed. This is due to missing dependency setting on our puppet manifests. We need to specify that the PEM file needs to be written only if the haproxy user and group exist (which comes from the package) and that the haproxy frontend configuration needs to be notified if there are changes in the certificates. Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b Closes-Bug: #1623805
2016-09-12Fill DNS name for haproxy certificatesJuan Antonio Osorio Robles1-0/+1
This sets the subject alt name field for the certificates we auto-generate, which will remove the security warnings we constantly see in the undercloud. This is the proper way to set certificates, since the usage of the CN as a replacement for the subjectAltName is being deprecated (very slowly). Change-Id: I475cbffd47425e850902838eec06bf461df2acd0 Closes-Bug: #1622446
2016-07-18Add principal to certmonger's haproxy helperJuan Antonio Osorio Robles1-0/+5
The principal is needed for kerberos-based solutions like FreeIPA. bp tls-via-certmonger Change-Id: Ie27848f522d11135b061aef766de2b696c77fcb9
2016-07-13Add resource for requesting certificates for HAProxyJuan Antonio Osorio Robles1-0/+70
This resource will be used in both the overcloud and the undercloud, and can be called in several instances (for public-facing or internal-facing certificates). bp tls-via-certmonger Change-Id: I0410fe0dbbed97d16909e911f7318d78a5bd7d7b