Simplify path for letsencrypt usage
Adding required parameters into horizon service will allow deployers not to maintain their own versions of haproxy_default_services, and we can simply add letsencrypt service when haproxy_ssl_letsencrypt_enable is true. Depends-On: https://review.opendev.org/751316 Change-Id: I4f9f8d9d9fc0ec8c57a3e1e7dda49ccea8cda388
This commit is contained in:
parent
7ec0a966ab
commit
a0761a0e66
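--- a/<doc-file-path-not-shown-on-page>
+++ b/<doc-file-path-not-shown-on-page>
@@ -171,45 +171,28 @@ http-01 challenge requests.
 haproxy_ssl: true
 haproxy_ssl_letsencrypt_enable: True
 haproxy_ssl_letsencrypt_install_method: "distro"
-haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
 haproxy_ssl_letsencrypt_email: "email.address@example.com"
 
-haproxy_extra_services:
-# an internal only service for acme-challenge whose backend is certbot running on any haproxy instance
-- service:
-haproxy_service_name: letsencrypt
-haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
-backend_rise: 1 #rise quickly to detect certbot running without delay
-backend_fall: 2
-haproxy_bind:
-- 127.0.0.1 #bind to the localhost as the host internal IP will be used by certbot
-haproxy_port: 8888
-haproxy_balance_type: http
 
-
-Copy the whole variable ``haproxy_default_services`` from
-``/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml``
-to ``/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml`` and
-update the section for horizon to include the ACL redirects http-01
-challenges to the HAProxy ``letsencrypt`` backend as follows:
+If you don't have horizon deployed, you will need to define dummy service that
+will listen on 80 and 443 ports and will be used for acme-challenge, whose
+backend is certbot on the haproxy host:
 
 .. code-block:: shell-session
 
-- service:
-haproxy_service_name: horizon
-haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
-haproxy_ssl: "{{ haproxy_ssl }}"
-haproxy_ssl_all_vips: true
-haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
-haproxy_backend_port: 80
-haproxy_redirect_http_port: 80
-haproxy_balance_type: http
-haproxy_balance_alg: source
-haproxy_backend_options:
-- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
-haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge
-haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge
-letsencrypt-acl:
-rule: "path_beg /.well-known/acme-challenge/"
-backend_name: letsencrypt
+haproxy_extra_services:
+# the external facing service which serves the apache test site, with a acl for LE requests
+- service:
+haproxy_service_name: certbot
+haproxy_redirect_http_port: 80 #redirect port 80 to port ssl
+haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge
+haproxy_port: 443
+haproxy_frontend_acls: "{{ haproxy_ssl_letsencrypt_acl }}" #use a frontend ACL specify the backend to use for acme-challenge
+haproxy_ssl: True
+haproxy_backend_nodes: #apache is running on locally on 127.0.0.1:80 serving a dummy site
+- name: local-test-service
+ip_addr: 127.0.0.1
+haproxy_balance_type: http
+haproxy_backend_port: 80
+haproxy_backend_options:
+- "httpchk HEAD /" # request to use for health check for the example service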
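--- a/<haproxy-group-vars-path-not-shown-on-page>
+++ b/<haproxy-group-vars-path-not-shown-on-page>
@@ -216,6 +216,18 @@ haproxy_default_services:
 haproxy_backend_options:
 - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
 haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
+haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
+haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
+- service:
+haproxy_service_name: letsencrypt
+haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
+backend_rise: 1
+backend_fall: 2
+haproxy_bind:
+- 127.0.0.1
+haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
+haproxy_balance_type: http
+haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
 - service:
 haproxy_service_name: sahara_api
 haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"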
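Review bot: The why-comments the old documentation carried for the letsencrypt service are lost when it moves into the defaults: on the new side `backend_rise: 1` and the `127.0.0.1` bind appear without explanation, whereas the removed docs said rise 1 is there to detect a freshly started certbot without delay and that haproxy binds localhost because certbot itself takes the host internal IP (the removed `--http-01-address {{ ansible_host }}` setup parameter). I would restore them inline: `backend_rise: 1  # rise quickly so a newly started certbot is detected without delay` and `- 127.0.0.1  # certbot's standalone listener takes the host internal IP on this port, so haproxy binds localhost only`. `haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"` also has no `| default([])`, unlike the neighbouring `groups['sahara_api'] | default([])` context line; unless the haproxy_all group is guaranteed to exist wherever these defaults are rendered, adding it keeps the entry consistent and avoids an undefined-variable failure when the service is disabled anyway. The condition `(haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool)` is repeated verbatim in haproxy_redirect_scheme, haproxy_frontend_acls and haproxy_service_enabled, and `haproxy_ssl_letsencrypt_certbot_backend_port` and `haproxy_ssl_letsencrypt_acl` are presumably defined by the Depends-On change; a single intermediate variable for the condition would keep the three from drifting apart. The enclosing `haproxy_default_services` list starts before and continues past this hunk.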
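--- /dev/null
+++ b/<release-note-path-not-shown-on-page>
@@ -0,0 +1,7 @@
+---
+upgrade:
+- |
+There's no need in keeping `letsencrypt` service in haproxy_extra_services
+as well as copying and maintaining whole haproxy_default_services in order
+to get overrides for horizon. From now on required adjustments are provided
+by defualt and letsecrypt installation path has been simplified.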