From a0761a0e66aebad2951473e676c603cca59fe567 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Fri, 11 Sep 2020 18:32:29 +0300 Subject: [PATCH] Simplify path for letsencrypt usage Adding required parameters into horizon service will allow deployers not to maintain their own versions of haproxy_default_services, and we can simply add letsencrypt service when haproxy_ssl_letsencrypt_enable is true. Depends-On: https://review.opendev.org/751316 Change-Id: I4f9f8d9d9fc0ec8c57a3e1e7dda49ccea8cda388 --- doc/source/user/security/ssl-certificates.rst | 55 +++++++------------ inventory/group_vars/haproxy/haproxy.yml | 12 ++++ .../haproxy_letsencrypt-a49fb3846fa19c65.yaml | 7 +++ 3 files changed, 38 insertions(+), 36 deletions(-) create mode 100644 releasenotes/notes/haproxy_letsencrypt-a49fb3846fa19c65.yaml diff --git a/doc/source/user/security/ssl-certificates.rst b/doc/source/user/security/ssl-certificates.rst index db62e264dd..be85fdac37 100644 --- a/doc/source/user/security/ssl-certificates.rst +++ b/doc/source/user/security/ssl-certificates.rst @@ -171,45 +171,28 @@ http-01 challenge requests. haproxy_ssl: true haproxy_ssl_letsencrypt_enable: True haproxy_ssl_letsencrypt_install_method: "distro" - haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888" haproxy_ssl_letsencrypt_email: "email.address@example.com" - haproxy_extra_services: - # an internal only service for acme-challenge whose backend is certbot running on any haproxy instance - - service: - haproxy_service_name: letsencrypt - haproxy_backend_nodes: "{{ groups['haproxy_all'] }}" - backend_rise: 1 #rise quickly to detect certbot running without delay - backend_fall: 2 - haproxy_bind: - - 127.0.0.1 #bind to the localhost as the host internal IP will be used by certbot - haproxy_port: 8888 - haproxy_balance_type: http - -Copy the whole variable ``haproxy_default_services`` from -``/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml`` -to ``/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml`` and -update the section for horizon to include the ACL redirects http-01 -challenges to the HAProxy ``letsencrypt`` backend as follows: +If you don't have horizon deployed, you will need to define dummy service that +will listen on 80 and 443 ports and will be used for acme-challenge, whose +backend is certbot on the haproxy host: .. code-block:: shell-session - - service: - haproxy_service_name: horizon - haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}" - haproxy_ssl: "{{ haproxy_ssl }}" - haproxy_ssl_all_vips: true - haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}" - haproxy_backend_port: 80 - haproxy_redirect_http_port: 80 - haproxy_balance_type: http - haproxy_balance_alg: source - haproxy_backend_options: - - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" - haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" - haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge - haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge - letsencrypt-acl: - rule: "path_beg /.well-known/acme-challenge/" - backend_name: letsencrypt + haproxy_extra_services: + # the external facing service which serves the apache test site, with a acl for LE requests + - service: + haproxy_service_name: certbot + haproxy_redirect_http_port: 80 #redirect port 80 to port ssl + haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge + haproxy_port: 443 + haproxy_frontend_acls: "{{ haproxy_ssl_letsencrypt_acl }}" #use a frontend ACL specify the backend to use for acme-challenge + haproxy_ssl: True + haproxy_backend_nodes: #apache is running on locally on 127.0.0.1:80 serving a dummy site + - name: local-test-service + ip_addr: 127.0.0.1 + haproxy_balance_type: http + haproxy_backend_port: 80 + haproxy_backend_options: + - "httpchk HEAD /" # request to use for health check for the example service diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml index ac9f88fa02..4617a3eb0f 100644 --- a/inventory/group_vars/haproxy/haproxy.yml +++ b/inventory/group_vars/haproxy/haproxy.yml @@ -216,6 +216,18 @@ haproxy_default_services: haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" + haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}" + haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}" + - service: + haproxy_service_name: letsencrypt + haproxy_backend_nodes: "{{ groups['haproxy_all'] }}" + backend_rise: 1 + backend_fall: 2 + haproxy_bind: + - 127.0.0.1 + haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}" + haproxy_balance_type: http + haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}" - service: haproxy_service_name: sahara_api haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}" diff --git a/releasenotes/notes/haproxy_letsencrypt-a49fb3846fa19c65.yaml b/releasenotes/notes/haproxy_letsencrypt-a49fb3846fa19c65.yaml new file mode 100644 index 0000000000..66bd98a267 --- /dev/null +++ b/releasenotes/notes/haproxy_letsencrypt-a49fb3846fa19c65.yaml @@ -0,0 +1,7 @@ +--- +upgrade: + - | + There's no need in keeping `letsencrypt` service in haproxy_extra_services + as well as copying and maintaining whole haproxy_default_services in order + to get overrides for horizon. From now on required adjustments are provided + by defualt and letsecrypt installation path has been simplified.