From 99ffcf3e0f0560475f86075d45c729a5c4159434 Mon Sep 17 00:00:00 2001
From: Kevin Carter <kevin.carter@rackspace.com>
Date: Mon, 25 Jul 2016 10:51:58 -0500
Subject: [PATCH] Implement git server HAP backend

This change implements the git server backend by changing the variable
``openstack_repo_git_url`` from using the http backend to using the
generic git protocol.

This change was made possible by "f59bafd778b081b1e0bf4dee9cd14995346ab8a1"
and is being done in support of "https://review.openstack.org/#/c/346154/"
which removes the fastcgi wrapper around the git daemon. This will allow
for faster more reliable internal git clones and better multi-os support.

Change-Id: I09bc504490d4b5114895f7f646fc8254748a7f41
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
---
 playbooks/inventory/group_vars/all.yml               |  2 +-
 playbooks/vars/configs/haproxy_config.yml            | 12 ++++++++++++
 .../haproxy-git-server-backend-862e004e61a43292.yaml |  8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/haproxy-git-server-backend-862e004e61a43292.yaml

diff --git a/playbooks/inventory/group_vars/all.yml b/playbooks/inventory/group_vars/all.yml
index 144fed3fcf..6a0f7a6471 100644
--- a/playbooks/inventory/group_vars/all.yml
+++ b/playbooks/inventory/group_vars/all.yml
@@ -36,7 +36,7 @@ pip_links:
 # URL for the frozen internal openstack repo.
 repo_server_port: 8181
 openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
-openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit"
+openstack_repo_git_url: "git://{{ internal_lb_vip_address }}"
 
 ## kernel modules for specific group hosts
 # :param name: name of the kernel module
diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml
index 315fab0750..13f93daf7e 100644
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
@@ -27,6 +27,18 @@ haproxy_default_services:
         - 192.168.0.0/16
         - 172.16.0.0/12
         - 10.0.0.0/8
+  - service:
+      haproxy_service_name: repo_git
+      haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
+      haproxy_ssl: "{{ haproxy_ssl }}"
+      haproxy_port: 9418
+      haproxy_balance_type: tcp
+      haproxy_backend_options:
+        - tcp-check
+      haproxy_whitelist_networks:
+        - 192.168.0.0/16
+        - 172.16.0.0/12
+        - 10.0.0.0/8
   - service:
       haproxy_service_name: repo_all
       haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
diff --git a/releasenotes/notes/haproxy-git-server-backend-862e004e61a43292.yaml b/releasenotes/notes/haproxy-git-server-backend-862e004e61a43292.yaml
new file mode 100644
index 0000000000..9fcf639781
--- /dev/null
+++ b/releasenotes/notes/haproxy-git-server-backend-862e004e61a43292.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+  - Haproxy has a new backend to support using the repo
+    server nodes as a git server. The new backend
+    is called "repo_git" and uses port "9418".
+    Default ACLs have been created to lock down the port's
+    availability to only internal networks originating from
+    an RFC1918 address.