summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-05-03 15:28:03 +0000
committerGerrit Code Review <review@openstack.org>2017-05-03 15:28:04 +0000
commit6b80b35736378002df05c13bd78ddc12e35ab209 (patch)
treec167e2775b428b273aeb67cf1ca39b23dbe2a1fd
parent9697f70dcbbb30882bf8cb90f9dd0bcfc35f087f (diff)
parent82ff1acf035d277dd2e7b9d7fc6e060ab2415144 (diff)
Merge "Internal TLS: Use specific CA file for haproxy"
-rw-r--r--puppet/services/haproxy.yaml6
-rw-r--r--releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml6
2 files changed, 12 insertions, 0 deletions
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index c651bbe5..e32b44dd 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -37,6 +37,11 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -71,6 +76,7 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
+ tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
new file mode 100644
index 00000000..8847b22b
--- /dev/null
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+ used by the internal services to verify that the peer's certificate is
+ trusted. This is applicable if internal TLS is enabled. Currently, it
+ defaults to using the CA file for FreeIPA, which is the default CA.