From 7cb2d7d79262d36ac6e0514ef7bc0472824a5d19 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Fri, 8 Apr 2016 10:33:30 +0000 Subject: Add support for internal/admin endpoint TLS in HAProxy This commits adds the option to pass an internal certificate. The aforementioned certificate will be used to terminate TLS connections for the internal and admin endpoints. Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990 --- manifests/loadbalancer.pp | 7 +++++++ manifests/loadbalancer/endpoint.pp | 15 +++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index 0a14290..eb4a6fc 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -119,6 +119,11 @@ # When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # +# [*internal_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the internal API endpoints using the specified file. +# Defaults to undef +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -314,6 +319,7 @@ class tripleo::loadbalancer ( $controller_hosts = undef, $controller_hosts_names = undef, $service_certificate = undef, + $internal_certificate = undef, $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -577,6 +583,7 @@ class tripleo::loadbalancer ( haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, + internal_certificate => $internal_certificate, } $stats_base = ['enable', 'uri /'] diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp index 12209e3..e6bb185 100644 --- a/manifests/loadbalancer/endpoint.pp +++ b/manifests/loadbalancer/endpoint.pp @@ -64,6 +64,10 @@ # Certificate path used to enable TLS for the public proxy endpoint. # Defaults to undef. # +# [*internal_certificate*] +# Certificate path used to enable TLS for the internal proxy endpoint. +# Defaults to undef. +# define tripleo::loadbalancer::endpoint ( $internal_ip, $service_port, @@ -78,6 +82,7 @@ define tripleo::loadbalancer::endpoint ( }, $public_ssl_port = undef, $public_certificate = undef, + $internal_certificate = undef, ) { if $public_virtual_ip { # service exposed to the public network @@ -96,8 +101,14 @@ define tripleo::loadbalancer::endpoint ( $public_bind_opts = {} } - $internal_bind_opts = { - "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, + if $internal_certificate { + $internal_bind_opts = { + "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + } else { + $internal_bind_opts = { + "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) -- cgit 1.2.3-korg