Enable stats to use dedicated server certificate and allow for client cert auth
Some environments use a dedicated PKI for monitoring and metric collection. This change allows the serving certificate for stats to be configured independently by setting `haproxy_stats_ssl_cert_path`; the default is to use the same cert. Client certificate authentication for stats can also be enabled by defining a CA cert via `haproxy_stats_ssl_client_cert_ca`. Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
Christian Rohmann
committed by
Jonathan Rosser
parent
cb4eb8b327
commit
04a8f8532a
2 changed files with 4 additions and 2 deletions
@@ -39,10 +39,10 @@ defaults
timeout http-request {{ haproxy_http_request_timeout }}
timeout server {{ haproxy_server_timeout }}
maxconn {{ haproxy_maxconn }}
{% if haproxy_stats_enabled | bool %}
{% set haproxy_ssl_path=haproxy_ssl_cert_path + "/haproxy_" + (haproxy_host | default(ansible_facts['hostname'])) + "-" + ((vip_interface is truthy) | ternary(vip_address ~ '-' ~ vip_interface, vip_address)) + ".pem" %}
listen stats
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_stats_ssl | bool %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem{% endif %}
bind {{ haproxy_stats_bind_address }}:{{ haproxy_stats_port }} {% if haproxy_stats_ssl | bool %}ssl crt {{ haproxy_stats_ssl_cert_path | default(haproxy_ssl_path) }} {% if haproxy_stats_ssl_client_cert_ca is defined %}verify required ca-file {{ haproxy_stats_ssl_client_cert_ca }}{% endif %}{% endif %}
{% if haproxy_stats_process is defined %}
bind-process {{ haproxy_stats_process }}
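Review bot: On the new `bind` line the client-certificate clause is nested inside `{% if haproxy_stats_ssl | bool %}`, so a deployment that sets `haproxy_stats_ssl_client_cert_ca` while `haproxy_stats_ssl` is false renders a plain-text stats listener with no client authentication and no error. The inner test is also only `is defined`, so an empty value renders `verify required ca-file` with no path, which HAProxy would presumably refuse to load. I would test for a non-empty value, `{% if haproxy_stats_ssl_client_cert_ca | default('') | length > 0 %}`, and add a comment above the line such as `{# haproxy_stats_ssl_client_cert_ca is ignored unless haproxy_stats_ssl is true #}`; a pre-flight assertion in the role's tasks (not visible here) would make the mismatch fail loudly instead. The `listen stats` block continues past the end of the hunk.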