Code Review / apex-tripleo-heat-templates.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: e5b3b67)
Internal TLS: Use specific CA file for haproxy
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 26 Apr 2017 09:36:10 +0000 (12:36 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 3 May 2017 09:46:14 +0000 (12:46 +0300)
Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since we're only the certificates signed by one CA
  are valid, instead of any certificate that the system trusts (which
  could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a

puppet/services/haproxy.yaml patch | blob | history
releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml [new file with mode: 0644] patch | blob

diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index c651bbe..e32b44d 100644 (file)
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -37,6 +37,11 @@ parameters:
   MonitoringSubscriptionHaproxy:
     default: 'overcloud-haproxy'
     type: string
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
 
 resources:
 
@@ -71,6 +76,7 @@ outputs:
             tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
             tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
             tripleo::haproxy::redis_password: {get_param: RedisPassword}
+            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
             tripleo::profile::base::haproxy::certificates_specs:
               map_merge:
                 - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
new file mode 100644 (file)
index 0000000..8847b22
--- /dev/null
+++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - Adds the InternalTLSCAFile parameter, which defines which CA file should be
+    used by the internal services to verify that the peer's certificate is
+    trusted. This is applicable if internal TLS is enabled. Currently, it
+    defaults to using the CA file for FreeIPA, which is the default CA.