From 0cc8e039ea0d8bc860d69e5d613bcd2eaf188180 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Wed, 27 Jul 2022 13:15:41 +0100
Subject: [PATCH] rabbitmq: default to using TLS for management user interface
The RabbitMQ role defaults change in Yoga to enable the management UI with TLS/HTTPS. This implicitly disables the HTTP port. This commit adjusts the HAProxy config to take account of this change and switch the port used accordingly. The rabbitmq_management_ssl variable is also set explicitly to ensure it is defined with appropriate scope.
Change-Id: I5a9f9855aa701d12bc3c9e2e7e9c651ff606c319
---
 inventory/group_vars/all/all.yml | 3 +++
 inventory/group_vars/haproxy/haproxy.yml | 6 ++++--
 .../rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml | 7 +++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml
diff --git a/inventory/group_vars/all/all.yml b/inventory/group_vars/all/all.yml
index 8954738f00..144d562e91 100644
--- a/inventory/group_vars/all/all.yml
+++ b/inventory/group_vars/all/all.yml
@@ -137,3 +137,6 @@ repo_service_user_name: nginx
 repo_service_group_name: www-data
 venv_build_host_user_name: "{{ repo_service_user_name }}"
 venv_build_host_group_name: "{{ repo_service_group_name }}"
+
+# Set RabbitMQ management UI to use TLS
+rabbitmq_management_ssl: true
diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 6b13f571b0..e658fe109c 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@@ -458,9 +458,11 @@ haproxy_placement_service:
 haproxy_rabbitmq_service:
 haproxy_service_name: rabbitmq_mgmt
 haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
- haproxy_ssl: False
+ haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
+ haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
+ haproxy_backend_ca: False
 haproxy_bind: "{{ [internal_lb_vip_address] }}"
- haproxy_port: 15672
+ haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
diff --git a/releasenotes/notes/rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml b/releasenotes/notes/rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml
new file mode 100644
index 0000000000..412cc0b4ee
--- /dev/null
+++ b/releasenotes/notes/rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - |
+ The RabbitMQ management interface surfaced via HAProxy defaults to using
+ TLS from the Yoga release. Note that when using TLS the default port
+ switches from 15672 to 15671. TLS can be disabled if required by adjusting
+ 'rabbitmq_management_ssl'.
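Review bot: `haproxy_backend_ca: False` in the haproxy_rabbitmq_service hunk of inventory/group_vars/haproxy/haproxy.yml sits next to `haproxy_backend_ssl` being enabled, so TLS to the RabbitMQ management backends appears to be switched on without a CA for HAProxy to validate their certificates against. If the haproxy_server role treats a false value as "do not verify" (not visible in this diff), the HAProxy-to-RabbitMQ leg is encrypted but unauthenticated, and a host able to impersonate a backend on that network would receive management credentials. I would document this above the line, e.g. `# TLS to the backend is enabled but its certificate is not verified against a CA`, so operators know to supply a CA where that matters. As a style point, the new line uses `False` while the all.yml hunk uses `true`; lowercase `false` would be consistent. The haproxy_rabbitmq_service mapping continues outside the hunk.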