From f600f995e4105ff7ddfe4d9ca2d7984bb2d80cbb Mon Sep 17 00:00:00 2001
From: Damian Dabrowski
Date: Wed, 29 Mar 2023 21:41:55 +0200
Subject: [PATCH] Enable TLS frontend for repo_server by default

We aim to secure traffic from haproxy to repo backends with TLS[1]. But there is no point in doing that unless the traffic to haproxy frontend is encrypted. This patch enables TLS on repo frontend when `haproxy_ssl_all_vips` is enabled.

[1] https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/876429

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/877429
Change-Id: I9f0f40977b13a150e30f000dee8d7309bbffe74f
---
 inventory/group_vars/haproxy/haproxy.yml | 1 +
 playbooks/defaults/source_install.yml | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 1946bbf111..6f3f0c0017 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@@ -538,6 +538,7 @@ haproxy_repo_service:
   haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
   haproxy_bind: "{{ [internal_lb_vip_address] }}"
   haproxy_port: 8181
+  haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
   haproxy_balance_type: http
   haproxy_backend_options:
     - "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
diff --git a/playbooks/defaults/source_install.yml b/playbooks/defaults/source_install.yml
index e417c6ac1e..69c9abf65d 100644
--- a/playbooks/defaults/source_install.yml
+++ b/playbooks/defaults/source_install.yml
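Review bot: The repo frontend's TLS toggle on the added `haproxy_ssl` line is driven by `haproxy_ssl_all_vips`, while the client side of the same connection (the new `openstack_repo_protocol` line in the source_install.yml hunk) is driven by a different variable, `openstack_service_internaluri_proto`, and nothing in this patch ties the two together. If a deployment sets one without the other, clients will either send plaintext to a TLS listener or HTTPS to a plaintext one, and every fetch under `openstack_repo_url` (constraints, os-releases) fails, so the dependency deserves a comment next to the new line, e.g. `# Must agree with openstack_service_internaluri_proto, which selects the scheme of openstack_repo_url`. If `openstack_service_internaluri_proto` is already derived from `haproxy_ssl_all_vips` somewhere not visible in this patch, the comment can simply say so. The `httpchk` option on the last context line still probes backends in plaintext, which matches the commit message's statement that backend TLS arrives with the Depends-On change, but that check will need adjusting at that point. The `haproxy_repo_service` mapping starts before this hunk.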
@@ -22,7 +22,8 @@ neutron_bin: "/openstack/venvs/neutron-{{ venv_tag }}/bin"
 repo_release_path: "{{ openstack_repo_url }}/os-releases/{{ openstack_release }}/{{ os_distro_version }}"
 
 ## OpenStack source options
-openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
+openstack_repo_protocol: "{{ openstack_service_internaluri_proto }}"
+openstack_repo_url: "{{ openstack_repo_protocol }}://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
 openstack_repo_git_url: "git://{{ internal_lb_vip_address }}"
 
 ## Delegate all service setup tasks to the utility host, and use the utility venv python interpreter
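Review bot: The new `openstack_repo_protocol` only reaches `openstack_repo_url`; the `openstack_repo_git_url` context line directly below it keeps the `git://` scheme, which provides neither encryption nor server authentication, so the commit's goal of encrypting traffic to the repo is only partly met if that URL is still consumed. Whether anything still reads `openstack_repo_git_url` is not visible here; if it does, its transport needs the same treatment, and if it does not, a short comment saying the variable is retained for compatibility would stop the next reader from raising this again. Separately, the added variable is the only setting in this stanza without an explanation in a file that otherwise uses `## ...` comments; a one-liner such as `## Scheme used to reach the repo server via the internal VIP; follows openstack_service_internaluri_proto` would help.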