Adding docs for HAProxy SSL configuration

Closes-Bug: #1487380

Change-Id: I94929291d7c5cdd2e09615e7e93eb3cff4620db7
Major Hayden 2015-09-17 22:33:22 -05:00
parent 3e2147410e
commit 4eeda12103
1 changed files with 47 additions and 0 deletions

@ -23,6 +23,53 @@ balancer prior to deploying OSA.
123458-infra03:
ip: 172.29.236.53
SSL certificates for HAProxy
----------------------------
There are two options for deploying SSL certificates with HAProxy: self-signed
and user-provided certificates. Auto-generated self-signed certificates are
currently the default.
Self-signed SSL certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For self-signed certificates, users can configure the subject of the
certificate using the ``haproxy_ssl_self_signed_subject`` variable.
By default, the playbook won't regenerate a self-signed SSL certificate if one
already exists on the target. To force the certificate to be regenerated
the next time the playbook runs, set ``haproxy_ssl_self_signed_regen`` to
``true``. To do a one-time SSL certificate regeneration, you can run:
.. code-block:: bash
openstack-ansible -e 'haproxy_ssl_self_signed_regen=True' haproxy-install.yml
Keep in mind that regenerating self-signed certificates will overwrite any
existing certificates and keys, including ones that were previously
user-provided (see the following section).
The playbook will then use memcached to distribute the certificates and keys to
each HAProxy host.
User-provided SSL certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Users can provide their own trusted certificates in a two step process:
#. Copy the SSL certificate, key, and CA certificate to the deployment host
#. Specify the path to those files on the deployment host
The path to the SSL certificate, key and CA certificate on the `deployment
host` must be specified in ``/etc/openstack_deploy/user_variables.yml``:
* ``haproxy_user_ssl_cert`` - path to the SSL certificate
* ``haproxy_user_ssl_key`` - path to the key
* ``haproxy_user_ssl_ca_cert`` - path to the CA certificate
If those three variables are provided, the playbook will deploy the files to
each HAProxy host.
--------------
.. include:: navigation.txt
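
Review bot: the last sentence of the self-signed section, "The playbook will then use memcached to distribute the certificates and keys to each HAProxy host", tells the reader that private keys pass through memcached but not whether they are removed from it afterwards or how access to that memcached instance is restricted. Please add a sentence covering both, since an operator needs to know where key material ends up. The overwrite warning just before it ("including ones that were previously user-provided") would also be worth repeating in the user-provided section, next to the three ``haproxy_user_ssl_*`` variables, because that is where an affected reader will be looking. Minor: the prose says to set ``haproxy_ssl_self_signed_regen`` to ``true`` while the command uses ``True``; pick one spelling.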