Use CRL for HAProxy

This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-05-04 13:28:01 +03:00 · 2017-05-04 13:28:01 +03:00 · c8d2a1133e
commit c8d2a1133e
parent 2bb37b6189
3 changed files with 28 additions and 1 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -146,6 +146,10 @@
 #  the servers it balances
 #  Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
 #
+# [*crl_file*]
+#  Path to the CRL file to be used for checking revoked certificates.
+#  Defaults to undef
+#
 # [*haproxy_stats_certificate*]
 #  Filename of an HAProxy-compatible certificate and key file
 #  When set, enables SSL on the haproxy stats endpoint using the specified file.
@ -565,6 +569,7 @@ class tripleo::haproxy (
  $ssl_cipher_suite            = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
  $ssl_options                 = 'no-sslv3',
  $ca_bundle                   = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+  $crl_file                    = undef,
  $haproxy_stats_certificate   = undef,
  $keystone_admin              = hiera('keystone_enabled', false),
  $keystone_public             = hiera('keystone_enabled', false),
@ -728,7 +733,13 @@ class tripleo::haproxy (
  $ports = merge($default_service_ports, $service_ports)

  if $enable_internal_tls {
-    $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+    $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+    if $crl_file {
+      $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+    } else {
+      $internal_tls_member_options = $base_internal_tls_member_options
+    }
    Haproxy::Balancermember {
      verifyhost => true
    }
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -77,6 +77,16 @@ class tripleo::profile::base::certmonger_user (
  $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
  $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
 ) {
+  unless empty($haproxy_certificates_specs) {
+    $reload_haproxy = ['systemctl reload haproxy']
+    Class['::tripleo::certmonger::ca::crl'] ~> Haproxy::Balancermember<||>
+    Class['::tripleo::certmonger::ca::crl'] ~> Class['::haproxy']
+  } else {
+    $reload_haproxy = []
+  }
+  class { '::tripleo::certmonger::ca::crl' :
+    reload_cmds => $reload_haproxy,
+  }
  include ::tripleo::certmonger::ca::libvirt

  unless empty($apache_certificates_specs) {
--- a/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
+++ b/releasenotes/notes/HAProxy-CRL-d05b555f92ff55ed.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - If the crl_file parameter is given to the ::tripleo::haproxy resource and
+    TLS is enabled in the internal network, it will configure the CRL file for
+    all the nodes it's proxying and thus properly handle revocation of the
+    server certificates.