From 92dac326a94fe0e7577808f66acb861481fe7e70 Mon Sep 17 00:00:00 2001
From: James Gibson
Date: Wed, 15 Dec 2021 14:06:25 +0000
Subject: [PATCH] Add default CA store to use when haproxy_backend_ca is true

If haproxy_backend_ca set to true, default to using system CA so you dont have to specify the exact CA to use.

Change-Id: I536c32a0b152a2b754787e07574472ecfaebd7e7
---
 doc/source/configure-haproxy.rst | 2 ++
 templates/service.j2 | 4 ++--
 vars/debian.yml | 3 +++
 vars/redhat.yml | 3 +++
 vars/ubuntu.yml | 3 +++
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/doc/source/configure-haproxy.rst b/doc/source/configure-haproxy.rst
index 9727e69..2b41929 100644
--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@@ -271,6 +271,8 @@ An example HTTP service could look like:
 # If backend connections should be secured with SSL (default False)
 haproxy_backend_ssl: True
 haproxy_backend_ca: /path/to/ca/cert.pem
+# Or to use system CA for validation
+# haproxy_backend_ca: True
 # Or if certificate validation should be disabled
 # haproxy_backend_ca: False
diff --git a/templates/service.j2 b/templates/service.j2
index 6a638cf..b1c3cd5 100644
--- a/templates/service.j2
+++ b/templates/service.j2
@@ -132,7 +132,7 @@ backend {{ item.service.haproxy_service_name }}-back
 {% endif %}
 {% if item.service.haproxy_backend_ca %}
 {% set _ = entry.append("ca-file") %}
-{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% set _ = entry.append(item.service.haproxy_backend_ca is string | ternary(item.service.haproxy_backend_ca, haproxy_system_ca)) %}
 {% else %}
 {% set _ = entry.append("verify none") %}
 {% endif %}
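Review bot: The added comment "Or to use system CA for validation" should state what trust that choice buys, because the system bundle holds every public root installed on the host, so with `haproxy_backend_ca: True` a backend presenting a certificate from any public CA passes the chain check, whereas the explicit `/path/to/ca/cert.pem` form pins trust to a single issuer. It also helps to name the variable that supplies the path, which this hunk does not show; suggest `# Or to use the host's system CA bundle (haproxy_system_ca, set per distro in vars/) for validation`. A further sentence noting that HAProxy checks the presented certificate's name only against `verifyhost` or the `sni` value on the server line, so without one of those the bundle alone does not authenticate which backend answered, would keep readers from overestimating the check. The example block this hunk sits in starts before the hunk.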
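Review bot: The new `ternary` line keys "use the system bundle" on the value not being a string, so a string-typed truthy value such as `"true"` (e.g. from a string-valued inventory entry) is emitted as `ca-file true`, which HAProxy will reject at config check because no such file exists; testing the boolean case explicitly, `item.service.haproxy_backend_ca is sameas true`, would make the two meanings of the variable unambiguous. The same expression is repeated verbatim at @@ -173; computing it once near the top of the backend block, `{% set _backend_ca = item.service.haproxy_backend_ca is string | ternary(item.service.haproxy_backend_ca, haproxy_system_ca) %}`, and appending `_backend_ca` at both sites keeps the two from drifting apart. The enclosing `backend` block starts and ends outside the hunk.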
@@ -173,7 +173,7 @@ backend {{ item.service.haproxy_service_name }}-back
 {% endif %}
 {% if item.service.haproxy_backend_ca %}
 {% set _ = entry.append("ca-file") %}
-{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% set _ = entry.append(item.service.haproxy_backend_ca is string | ternary(item.service.haproxy_backend_ca, haproxy_system_ca)) %}
 {% else %}
 {% set _ = entry.append("verify none") %}
 {% endif %}
diff --git a/vars/debian.yml b/vars/debian.yml
index 74e233b..ab470eb 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -24,3 +24,6 @@ haproxy_distro_packages:
 haproxy_distro_certbot_packages:
 - certbot
+
+# Set system CA store which can be used to verify backends
+haproxy_system_ca: /etc/ssl/certs/ca-certificates.crt
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 108214b..1cd1e95 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -16,3 +16,6 @@ haproxy_distro_packages:
 - haproxy
 - nc # Used for the Ansible haproxy module
+
+# Set system CA store which can be used to verify backends
+haproxy_system_ca: /etc/pki/tls/certs/ca-bundle.crt
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 74e233b..ab470eb 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -24,3 +24,6 @@ haproxy_distro_packages:
 haproxy_distro_certbot_packages:
 - certbot
+
+# Set system CA store which can be used to verify backends
+haproxy_system_ca: /etc/ssl/certs/ca-certificates.crt
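Review bot: `haproxy_system_ca` is introduced in role `vars/`, which Ansible gives precedence over inventory and play vars, so a deployer whose trust bundle lives elsewhere (a site bundle that adds an internal CA, for instance) cannot override the path from group_vars and has to edit the role; the same applies to the redhat.yml and ubuntu.yml hunks. If a distro default is the intent, a `defaults/main.yml` entry whose value is chosen per distro in tasks keeps it overridable. The comment should also say that the bundle's contents are owned by the distro's CA package, since anything added through `update-ca-certificates` / `update-ca-trust` directly changes which backends HAProxy accepts; suggest `# System CA bundle used to verify backends when haproxy_backend_ca is true; maintained by the distro CA package`.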