From 35c22be1fe1feced538ba56cb88445a3502997b0 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Thu, 4 May 2017 15:16:47 +0300
Subject: Configure crl file for HAProxy

This will enable HAProxy to use CRLs for the nodes it's proxying.

bp tls-via-certmonger

Depends-On: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
Change-Id: I2558113bf83674ce22d99364b63c0c5be446bf77
---
 puppet/services/haproxy.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'puppet/services/haproxy.yaml')

diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index a71491c0..619cf131 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -50,6 +50,11 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  InternalTLSCRLPEMFile:
+    default: '/etc/pki/CA/crl/overcloud-crl.pem'
+    type: string
+    description: Specifies the default CRL PEM file to use for revocation if
+                 TLS is used for services in the internal network.
 
 resources:
 
@@ -89,6 +94,7 @@ outputs:
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}
             tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
             tripleo::profile::base::haproxy::certificates_specs:
               map_merge:
                 - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
-- 
cgit 1.2.3-korg