diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-26 12:36:10 +0300 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-05-03 12:46:14 +0300 |
| commit | 82ff1acf035d277dd2e7b9d7fc6e060ab2415144 (patch) | |
| tree | d8a799b2d00e610b14649e0f074838428684dba0 | |
| parent | e5b3b671eb82abeb8f4bae9bbf7df1d923439656 (diff) | |
Internal TLS: Use specific CA file for haproxy
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:
* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
are valid, instead of any certificate that the system trusts (which
could include potentially compromised public certs).
Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
| -rw-r--r-- | puppet/services/haproxy.yaml | 6 | ||||
| -rw-r--r-- | releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index c651bbe5..e32b44dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -37,6 +37,11 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. resources: @@ -71,6 +76,7 @@ outputs: tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml new file mode 100644 index 00000000..8847b22b --- /dev/null +++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml @@ -0,0 +1,6 @@ +--- +features: + - Adds the InternalTLSCAFile parameter, which defines which CA file should be + used by the internal services to verify that the peer's certificate is + trusted. This is applicable if internal TLS is enabled. Currently, it + defaults to using the CA file for FreeIPA, which is the default CA. |