Internal TLS: Use specific CA file for haproxy

Instead of using the CA bundle, this sets HAProxy to use a specific file
for validating the certificates of the services it's proxying. This
helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since only the certificates signed by one CA
  are valid, instead of any certificate that the system trusts (which
  could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
Juan Antonio Osorio Robles 2017-04-26 12:36:10 +03:00
parent e5b3b671eb
commit 82ff1acf03
2 changed files with 12 additions and 0 deletions


@ -37,6 +37,11 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
resources:
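Review bot: the default '/etc/ipa/ca.crt' only exists on nodes enrolled with FreeIPA, yet nothing in this hunk ties the parameter to internal TLS being enabled; the description should state that deployments without FreeIPA must override the path, or the template should only consume the value when internal TLS is on. The two-line description would also be safer as a folded scalar (`description: >` followed by the text) so the YAML continuation does not depend on the indentation of the second line.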
@ -71,6 +76,7 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]


@ -0,0 +1,6 @@
---
features:
- Adds the InternalTLSCAFile parameter, which defines which CA file should be
used by the internal services to verify that the peer's certificate is
trusted. This is applicable if internal TLS is enabled. Currently, it
defaults to using the CA file for FreeIPA, which is the default CA.
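Review bot: the release note should name the default value ('/etc/ipa/ca.crt') and say explicitly that operators using a CA other than FreeIPA must set InternalTLSCAFile, since "the default CA" is ambiguous for someone reading the notes without the template. It would also help to state the security rationale from the commit message, that HAProxy now trusts only certificates issued by this one CA rather than the whole system trust store.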