From: Juan Antonio Osorio Robles Date: Tue, 18 Apr 2017 11:49:09 +0000 (+0300) Subject: Haproxy: When using TLS everywhere, use verifyhost for the balancermembers X-Git-Tag: opnfv-6.0.0~227^2 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=c372d01a9427d65ae44063adf68c78748770eac4;p=apex-puppet-tripleo.git Haproxy: When using TLS everywhere, use verifyhost for the balancermembers This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341 --- diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a6bd1eb..d497056 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -718,6 +718,9 @@ class tripleo::haproxy ( if $enable_internal_tls { $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + Haproxy::Balancermember { + verifyhost => true + } } else { $internal_tls_member_options = [] }
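Review bot: The `Haproxy::Balancermember { verifyhost => true }` resource default added inside the `if $enable_internal_tls` branch is not tied to `$internal_tls_member_options`. As a Puppet resource default it applies to every Haproxy::Balancermember declared in this scope, including any member that is not given the 'ssl', 'verify required', "ca-file ${ca_bundle}" options. Consider passing `verifyhost => true` explicitly on the members that receive `$internal_tls_member_options`, so hostname verification and certificate verification are always enabled together. Otherwise, add a comment above the default stating that every balancer member in this class is expected to use internal TLS and that its server name must match the subjectAltName in the backend certificate, as the commit message describes.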