Options to enable SSL for backend connections

Currently backend connections are always unencrypted. This adds optional parameters to configure backend connections with SSL. This is useful for extra services wich require SSL or to have backend connections to OpenStack services encrypted in the future. Change-Id: I6a032962ae987bb1cbc4982fb6ddbd06f8e53936
2018-03-05 18:49:47 +01:00 · 2018-03-05 18:49:47 +01:00 · 2d0f483c84
parent 1bd0b32519
commit 2d0f483c84
3 changed files with 32 additions and 0 deletions
--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@ -166,6 +166,11 @@ An example HTTP service could look like:
          haproxy_ssl: "{{ haproxy_ssl }}"
          haproxy_port: 10000
          haproxy_balance_type: http
+          # If backend connections should be secured with SSL (default False)
+          haproxy_backend_ssl: True
+          haproxy_backend_ca: /path/to/ca/cert.pem
+          # Or if certificate validation should be disabled
+          # haproxy_backend_ca: False

 Additionally, you can specify haproxy services that are not managed
 in the Ansible inventory by manually specifying their hostnames/IP Addresses:
--- a/templates/service.j2
+++ b/templates/service.j2
@ -115,6 +115,15 @@ backend {{ item.service.haproxy_service_name }}-back
 {% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
 {% set _ = entry.append("fall") %}
 {% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
+{% if item.service.haproxy_backend_ssl | default(False) %}
+{% set _ = entry.append("ssl") %}
+{% if item.service.haproxy_backend_ca %}
+{% set _ = entry.append("ca-file") %}
+{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% else %}
+{% set _ = entry.append("verify none") %}
+{% endif %}
+{% endif %}
    {{ entry | join(' ') }}
 {% endfor %}

@ -136,5 +145,14 @@ backend {{ item.service.haproxy_service_name }}-back
 {% set _ = entry.append("fall") %}
 {% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
 {% set _ = entry.append("backup") %}
+{% if item.service.haproxy_backend_ssl | default(False) %}
+{% set _ = entry.append("ssl") %}
+{% if item.service.haproxy_backend_ca %}
+{% set _ = entry.append("ca-file") %}
+{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% else %}
+{% set _ = entry.append("verify none") %}
+{% endif %}
+{% endif %}
    {{ entry | join(' ') }}
 {% endfor %}
--- a/tests/test-vars.yml
+++ b/tests/test-vars.yml
@ -22,3 +22,12 @@ haproxy_service_configs:
      haproxy_balance_type: tcp
      haproxy_backend_options:
        - tcp-check
+  - service:
+      haproxy_service_name: test_backend_ssl
+      haproxy_backend_nodes: "{{ groups['haproxy_all'] | default([]) }}"
+      haproxy_port: 8180
+      haproxy_backend_port: 443
+      haproxy_backend_ssl: True
+      haproxy_backend_ca: False
+      haproxy_ssl: False
+      haproxy_balance_type: http