Use CRL for HAProxy

This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.

So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.

bp tls-via-certmonger

Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 5f70647..208f328 100644 (file)
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,6 +146,10 @@
 #  the servers it balances
 #  Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 #
+# [*crl_file*]
+#  Path to the CRL file to be used for checking revoked certificates.
+#  Defaults to undef
+#
 # [*haproxy_stats_certificate*]
 #  Filename of an HAProxy-compatible certificate and key file
 #  When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -565,6 +569,7 @@ class tripleo::haproxy (
   $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
   $ssl_options                 = 'no-sslv3',
   $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+  $crl_file                    = undef,
   $haproxy_stats_certificate   = undef,
   $keystone_admin              = hiera('keystone_enabled', false),
   $keystone_public             = hiera('keystone_enabled', false),
@@ -728,7 +733,13 @@ class tripleo::haproxy (
   $ports = merge($default_service_ports, $service_ports)
 
   if $enable_internal_tls {
-    $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+    if $crl_file {
+      $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+    } else {
+      $internal_tls_member_options = $base_internal_tls_member_options
+    }
     Haproxy::Balancermember {
       verifyhost => true
     }

diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 4ba51ec..7a6559e 100644 (file)
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user (
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
   $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
+  unless empty($haproxy_certificates_specs) {
+    $reload_haproxy = ['systemctl reload haproxy']
+    Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
+    Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+  } else {
+    $reload_haproxy = []
+  }
+  class { '::tripleo::certmonger::ca::crl' :
+    reload_cmds => $reload_haproxy,
+  }
   include ::tripleo::certmonger::ca::libvirt
 
   unless empty($apache_certificates_specs) {

diff --git a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
new file mode 100644 (file)
index 0000000..cdfb859
--- /dev/null
+++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - If the crl_file parameter is given to the ::tripleo::haproxy resource and
+    TLS is enabled in the internal network, it will configure the CRL file for
+    all the nodes it's proxying and thus properly handle revocation of the
+    server certificates.