MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
+ tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
--- /dev/null
+---
+features:
+ - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+ used by the internal services to verify that the peer's certificate is
+ trusted. This is applicable if internal TLS is enabled. Currently, it
+ defaults to using the CA file for FreeIPA, which is the default CA.