Add internal VIP address to no_proxy

Change-Id: I7a9aa9abf611cdaa47cc91f40a6753f23a7f187e
Closes-Bug: #2087556

ansible/inventory/group_vars/all/proxy

@@ -19,3 +19,4 @@ no_proxy:
   - "127.0.0.1"
   - "localhost"
   - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
+  - "{{ kolla_internal_vip_address }}"

etc/kayobe/proxy.yml

@@ -12,8 +12,9 @@
 
 # List of domains, hostnames, IP addresses and networks for which no proxy is
 # used. Defaults to ["127.0.0.1", "localhost", "{{ ('http://' ~
-# docker_registry) | urlsplit('hostname') }}"] if docker_registry is set, or
+# docker_registry) | urlsplit('hostname') }}","{{ kolla_internal_vip_address
-# ["127.0.0.1", "localhost"] otherwise. This is configured only if either
+# }}"] if docker_registry is set, or ["127.0.0.1", "localhost","{{
+# kolla_internal_vip_address }}"] otherwise. This is configured only if either
 # http_proxy or https_proxy is set.
 #no_proxy:
 

releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Adds the internal VIP to the NOPROXY/noproxy environment variables.
+security:
+  - |
+    When running API requests from a host configured with kayobe, traffic
+    destined for the internal VIP is sent via the default proxy. This can be a
+    security issue if not using TLS as the proxy will be able to intercept the
+    traffic. If using an untrusted proxy, with TLS disabled on the internal
+    VIP, it is recommended that you run ``kayobe overcloud host configure -t
+    proxy``, ``kayobe seed hypervisor host configure -t proxy``, ``kayobe seed
+    host configure -t proxy``, and ``kayobe infra vm host configure -t proxy``,
+    to add the internal VIP to the no proxy configuration. This is considered a
+    minor issue as traffic between containers will not use the proxy by
+    default.
+    `LP#2087556 <https://launchpad.net/bugs/2087556>`__