From c8d2a1133e8aff13acf52da2ab29e8dccda1e6b6 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Thu, 4 May 2017 13:28:01 +0300
Subject: Use CRL for HAProxy

This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.

So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.

bp tls-via-certmonger

Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
---
 releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml

(limited to 'releasenotes')

diff --git a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
new file mode 100644
index 0000000..cdfb859
--- /dev/null
+++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - If the crl_file parameter is given to the ::tripleo::haproxy resource and
+    TLS is enabled in the internal network, it will configure the CRL file for
+    all the nodes it's proxying and thus properly handle revocation of the
+    server certificates.
-- 
cgit 1.2.3-korg