Merge "Internal TLS: Use specific CA file for haproxy"

2017-05-03 15:28:03 +00:00 · 2017-05-03 15:28:03 +00:00 · 6b80b35736
parent 9697f70dcb 82ff1acf03
commit 6b80b35736
2 changed files with 12 additions and 0 deletions
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -37,6 +37,11 @@ parameters:
  MonitoringSubscriptionHaproxy:
    default: 'overcloud-haproxy'
    type: string
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.

 resources:

@ -71,6 +76,7 @@ outputs:
            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
            tripleo::haproxy::redis_password: {get_param: RedisPassword}
+            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
            tripleo::profile::base::haproxy::certificates_specs:
              map_merge:
                - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
--- a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+    used by the internal services to verify that the peer's certificate is
+    trusted. This is applicable if internal TLS is enabled. Currently, it
+    defaults to using the CA file for FreeIPA, which is the default CA.