gitea-lb: test ssl connections during testing too

To make testing more like production, copy the OpenDev CA into the haproxy container configuration directory during Zuul runs. We then update the testing configuration to use SSL checking like production does with this cert. Change-Id: I1292bc1aa4948c8120dada0f0fd7dfc7ca619afd
2022-07-05 16:13:47 +10:00 · 2022-07-05 16:13:47 +10:00 · 72a0ad6d19
commit 72a0ad6d19
parent 0d83dd3ea0
2 changed files with 14 additions and 1 deletions
--- a/playbooks/roles/haproxy/tasks/main.yaml
+++ b/playbooks/roles/haproxy/tasks/main.yaml
@ -27,6 +27,19 @@
    mode: 0644
  notify: Reload haproxy

+# Copy in testing CA so the container can see it.  When running under
+# Zuul this CA is created by the test framework.  We use it to
+# validate the https check path
+- name: Check for OpenDev Infra CA (test only)
+  stat:
+    path: /etc/opendev-ca/ca.crt
+  register: _opendev_ca_crt
+- name: Copy in OpenDev Infra CA (test only)
+  copy:
+    src: /etc/opendev-ca/ca.crt
+    dest: /var/haproxy/etc/
+  when: _opendev_ca_crt.stat.exists
+
 - name: Ensure docker compose configuration directory
  file:
    path: /etc/haproxy-docker
--- a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
@ -12,4 +12,4 @@ gitea_lb_listeners:
    servers:
      - name: "gitea99.opendev.org"
        address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
-        check_method: "check check-ssl verify none"
+        check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"