Merge "Internal TLS: Use specific CA file for haproxy"

This commit is contained in:
Jenkins 2017-05-03 15:28:03 +00:00 committed by Gerrit Code Review
commit 6b80b35736
2 changed files with 12 additions and 0 deletions

View File

@ -37,6 +37,11 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
resources:
@ -71,6 +76,7 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]

View File

@ -0,0 +1,6 @@
---
features:
- Adds the InternalTLSCAFile parameter, which defines which CA file should be
used by the internal services to verify that the peer's certificate is
trusted. This is applicable if internal TLS is enabled. Currently, it
defaults to using the CA file for FreeIPA, which is the default CA.