Adding Client Auth Configs to Infra Ansible (#7781)

Adding variables to configure client certificate authentication in the ansible infrastructure's cdn.conf file. Defaulted the values to disable client certificate authentication. Co-authored-by: dsouza550 <dsouza550>
apache · Sep 6, 2023 · 352337d · 352337d
1 parent 9e384c6
commit 352337d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/infrastructure/ansible/roles/traffic_ops/defaults/main.yml b/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
@@ -98,10 +98,13 @@ to_go_supported_ds_metrics:
   - tps_4xx
   - tps_5xx
 
+to_go_client_auth_enabled: 0
 to_go_whitelisted_oauth_urls: ""
 to_go_oauth_user_attribute: ""
 to_go_oauth_client_secret: ""
 
+to_client_cert_root_directory: "/etc/pki/tls/traffic_ops/"
+
 to_plugin_config: {}
 
 to_le_user_email: user@example.test

diff --git a/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2 b/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
@@ -68,6 +68,9 @@
       "plugins": {{ to_plugin_config.keys() | list | to_json }},
       "plugin_config" : {{ to_plugin_config | to_nice_json(indent=2) }},
       "traffic_vault_backend": "{{ to_traffic_vault_backend }}",
+      "tls_config": {
+         "ClientAuth": "{{ to_go_client_auth_enabled }}"
+      },
       "traffic_vault_config": {
 {% if to_traffic_vault_backend == "postgres" %}
          "dbname": "{{ to_tvdb_db_name }}",
@@ -86,6 +89,11 @@
       "oauth_client_secret": "{{ to_go_oauth_client_secret }}",
       "oauth_user_attribute": "{{ to_go_oauth_user_attribute }}"
    },
+{% if to_go_client_auth_enabled == 1 %}
+   "client_certificate_authentication" : {
+      "root_certificates_directory" : "{{ to_client_cert_root_directory }}"
+   },
+{% endif %}
    "lets_encrypt": {
       "user_email": "{{ to_le_user_email }}",
       "send_expiration_email": {{ to_le_send_expiration_email | bool | lower }},