# When set, enables SSL on the public API endpoints using the specified file.
# Defaults to undef
#
+# [*internal_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the internal API endpoints using the specified file.
+# Defaults to undef
+#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $internal_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
}
$stats_base = ['enable', 'uri /']
# Certificate path used to enable TLS for the public proxy endpoint.
# Defaults to undef.
#
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
define tripleo::loadbalancer::endpoint (
$internal_ip,
$service_port,
},
$public_ssl_port = undef,
$public_certificate = undef,
+ $internal_certificate = undef,
) {
if $public_virtual_ip {
# service exposed to the public network
$public_bind_opts = {}
}
- $internal_bind_opts = {
- "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ if $internal_certificate {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
+ }
+ } else {
+ $internal_bind_opts = {
+ "${internal_ip}:${service_port}" => $haproxy_listen_bind_param,
+ }
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
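Review bot: The new `if $internal_certificate` branch wires the wrong file into the internal bind: the condition tests `$internal_certificate`, but the `crt` option on the following line is given `$public_certificate`, so the internal endpoint would present the public certificate, or fail to bind when only the internal one is set (and `$public_certificate` is undef). The fix is the one line `"${internal_ip}:${service_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_certificate]),`. Worth a unit test that sets `internal_certificate` alone and checks the generated bind line carries that path, since this is exactly the kind of copy-paste slip the parallel public branch invites. The body of `tripleo::loadbalancer::endpoint` continues beyond the hunk, so I have not checked the later uses of `$bind_opts`.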