Merge "gitea-lb: test ssl connections during testing too"

2022-08-04 07:19:03 +00:00 · 2022-08-04 07:19:03 +00:00 · 64a389af59
commit 64a389af59
parent fc2ef8a21d 72a0ad6d19
2 changed files with 14 additions and 1 deletions
--- a/playbooks/roles/haproxy/tasks/main.yaml
+++ b/playbooks/roles/haproxy/tasks/main.yaml
@ -49,6 +49,19 @@
    mode: 0644
  notify: Reload haproxy

+# Copy in testing CA so the container can see it.  When running under
+# Zuul this CA is created by the test framework.  We use it to
+# validate the https check path
+- name: Check for OpenDev Infra CA (test only)
+  stat:
+    path: /etc/opendev-ca/ca.crt
+  register: _opendev_ca_crt
+- name: Copy in OpenDev Infra CA (test only)
+  copy:
+    src: /etc/opendev-ca/ca.crt
+    dest: /var/haproxy/etc/
+  when: _opendev_ca_crt.stat.exists
+
 - name: Ensure docker compose configuration directory
  file:
    path: /etc/haproxy-docker
--- a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
@ -12,4 +12,4 @@ gitea_lb_listeners:
    servers:
      - name: "gitea99.opendev.org"
        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
-        check_method: "check check-ssl verify none"
+        check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"