From 4988d0fc359a59af6ce86c0beb8549a950df57cd Mon Sep 17 00:00:00 2001
From: Ben Nemec
Date: Wed, 9 Mar 2016 21:46:14 +0000
Subject: Allow enabling authentication on haproxy.stats
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world.
While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default.
Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
---
 manifests/loadbalancer.pp | 45 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 42 insertions(+), 3 deletions(-)
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 62023cd..0d70f32 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -103,6 +103,17 @@
 # A string.
 # Defaults to false
 #
+# [*haproxy_stats_user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+# [*haproxy_stats_password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
 # [*service_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the public API endpoints using the specified file.
@@ -183,6 +194,11 @@
 # When set, enables SSL on the Ironic public API endpoint using the specified file.
 # Defaults to undef
 #
+# [*haproxy_stats_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
 # [*keystone_admin*]
 # (optional) Enable or not Keystone Admin API binding
 # Defaults to false
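Review bot: The new [*haproxy_stats_user*] entry does not say that the username only takes effect when haproxy_stats_password is also set, which is how the later hunk builds the `stats` options (the `auth` entry is only added inside `if $haproxy_stats_password`); suggest adding `# Only used when haproxy_stats_password is set.` under it. The [*haproxy_stats_password*] entry would also benefit from noting that the value is written verbatim into the HAProxy `stats auth` directive in haproxy.cfg and is presented to clients as HTTP basic authentication, so haproxy_stats_certificate should be configured alongside it unless the admin VIP network is considered trusted.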
@@ -344,6 +360,8 @@ class tripleo::loadbalancer (
 $haproxy_listen_bind_param = [ 'transparent' ],
 $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
 $haproxy_log_address = '/dev/log',
+ $haproxy_stats_user = 'admin',
+ $haproxy_stats_password = undef,
 $controller_host = undef,
 $controller_hosts = undef,
 $controller_hosts_names = undef,
@@ -363,6 +381,7 @@ class tripleo::loadbalancer (
 $heat_certificate = undef,
 $horizon_certificate = undef,
 $ironic_certificate = undef,
+ $haproxy_stats_certificate = undef,
 $keystone_admin = false,
 $keystone_public = false,
 $neutron = false,
@@ -599,6 +618,11 @@ class tripleo::loadbalancer (
 } else {
 $ironic_bind_certificate = $service_certificate
 }
+ # TODO(bnemec): When we have support for SSL on private and admin endpoints,
+ # have the haproxy stats endpoint use that certificate by default.
+ if $haproxy_stats_certificate {
+ $haproxy_stats_bind_certificate = $haproxy_stats_certificate
+ }
 $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
 $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
@@ -862,6 +886,16 @@ class tripleo::loadbalancer (
 }
 }
+ if $haproxy_stats_bind_certificate {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
 $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
 $mysql_bind_opts = {
 "${mysql_vip}:3306" => $haproxy_listen_bind_param,
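Review bot: In the hunk at line 599, `$haproxy_stats_bind_certificate` is only assigned inside `if $haproxy_stats_certificate` with no else branch, unlike the `$ironic_bind_certificate` assignment just above it, which always assigns a value; the hunk at line 862 then reads `$haproxy_stats_bind_certificate` in its `if`, so when no stats certificate is configured that is a reference to a variable that was never assigned, which fails catalog compilation under `strict_variables` and otherwise relies on the unknown-variable-is-undef fallback. Make the assignment unconditional by adding `} else { $haproxy_stats_bind_certificate = undef }` after the new `if` block, matching the pattern used for the other `*_bind_certificate` variables. The enclosing class starts and ends outside this hunk.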
@@ -904,12 +938,17 @@ class tripleo::loadbalancer (
 }
 }
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
 haproxy::listen { 'haproxy.stats':
- ipaddress => $controller_virtual_ip,
- ports => '1993',
+ bind => $haproxy_stats_bind_opts,
 mode => 'http',
 options => {
- 'stats' => ['enable', 'uri /'],
+ 'stats' => $stats_config,
 },
 collect_exported => false,
 }
-- cgit 1.2.3-korg
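Review bot: The `auth` option is built whenever `$haproxy_stats_password` is set, independently of whether a stats certificate was given, so with a password but no haproxy_stats_certificate the listener is bound without `ssl` (see the hunk at line 862) and the credential is sent as HTTP basic authentication in cleartext; the commit message describes this as an interim state but nothing in the manifest surfaces it to the operator. Consider adding, next to the `$stats_config` assignment, `if $haproxy_stats_password and !$haproxy_stats_certificate { warning('haproxy stats authentication is enabled without SSL; credentials will be sent in cleartext') }` so the combination is at least logged at catalog compile time. A smaller point of style: `union()` deduplicates its inputs, while here the two lists can never overlap, so `concat($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])` states the intent (append) more directly. The enclosing class continues outside this hunk.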