Internal TLS: Use specific CA file for haproxy
Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways:

* Improves performance since validation will check only one certificate.
* Improves security since only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs).

Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a
parent e5b3b671eb
commit 82ff1acf03
@ -37,6 +37,11 @@ parameters:
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
resources:
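Review bot: the default `/etc/ipa/ca.crt` for `InternalTLSCAFile` assumes FreeIPA is the CA, but nothing in this hunk constrains or documents what happens when internal TLS is enabled with a different CA and that file is absent; the description should say it is a file path and that deployments not using FreeIPA must override it, e.g. `description: Path to the CA certificate file used to verify the certificates of internal services when internal TLS is enabled; defaults to the FreeIPA CA.` Note also that this file becomes the sole trust anchor for backend verification, so its integrity and permissions matter at least as much as the system bundle's did.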
@ -71,6 +76,7 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
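Review bot: `tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}` is emitted unconditionally, while the parameter's own description limits it to the case where TLS is used in the internal network; either gate this line on whether internal TLS is enabled or state that the puppet side ignores the value when internal TLS is off, so that a missing `/etc/ipa/ca.crt` cannot break a deployment that never uses it. The hiera key is still named `ca_bundle` even though the point of the change is that a single CA file replaces the bundle; a short comment that the value is one CA file, not a bundle, would save the next reader of the generated hieradata from assuming the wider trust set is still in place.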
@ -0,0 +1,6 @@
---
features:
- Adds the InternalTLSCAFile parameter, which defines which CA file should be
used by the internal services to verify that the peer's certificate is
trusted. This is applicable if internal TLS is enabled. Currently, it
defaults to using the CA file for FreeIPA, which is the default CA.
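Review bot: the release note says the parameter defines the CA file used by "the internal services", but this change only wires it to HAProxy through `tripleo::haproxy::ca_bundle`; scope the note to HAProxy's verification of the services it proxies, and state the default path `/etc/ipa/ca.crt` so operators running a CA other than FreeIPA know they must override `InternalTLSCAFile` when enabling internal TLS.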