From 76bf2f532f9541eaf9cd7242ad2bf520f6788033 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 13 Jul 2016 12:27:23 +0300
Subject: Enable TLS in the internal network for keystone

This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.

This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).

bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
---
 manifests/haproxy.pp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'manifests/haproxy.pp')

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index c4d018d..3ad10eb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -106,6 +106,11 @@
 #  flag is set.
 #  Defaults to {}
 #
+# [*enable_internal_tls*]
+#  A flag that indicates if the servers in the internal network are using TLS.
+#  This enables the 'ssl' option for the server members that are proxied.
+#  Defaults to hiera('enable_internal_tls', false)
+#
 # [*ssl_cipher_suite*]
 #  The default string describing the list of cipher algorithms ("cipher suite")
 #  that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -427,6 +432,7 @@ class tripleo::haproxy (
   $service_certificate         = undef,
   $use_internal_certificates   = false,
   $internal_certificates_specs = {},
+  $enable_internal_tls         = hiera('enable_internal_tls', false),
   $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
   $ssl_options                 = 'no-sslv3',
   $haproxy_stats_certificate   = undef,
@@ -541,6 +547,13 @@ class tripleo::haproxy (
   }
   $ports = merge($default_service_ports, $service_ports)
 
+  if $enable_internal_tls {
+    # TODO(jaosorior): change verify none to verify required.
+    $internal_tls_member_options = ['ssl', 'verify none']
+  } else {
+    $internal_tls_member_options = []
+  }
+
   $controller_hosts_real = any2array(split($controller_hosts, ','))
   if ! $controller_hosts_names {
     $controller_hosts_names_real = $controller_hosts_real
@@ -680,6 +693,7 @@ class tripleo::haproxy (
       },
       public_ssl_port   => $ports[keystone_admin_api_ssl_port],
       service_network   => $keystone_admin_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
@@ -709,6 +723,7 @@ class tripleo::haproxy (
       listen_options    => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
       public_ssl_port   => $ports[keystone_public_api_ssl_port],
       service_network   => $keystone_public_network,
+      member_options    => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
-- 
cgit 1.2.3-korg