Simplify path for letsencrypt usage

Adding required parameters into horizon service will allow deployers not to
maintain their own versions of haproxy_default_services,
and we can simply add letsencrypt service when
haproxy_ssl_letsencrypt_enable is true.

Depends-On: https://review.opendev.org/751316
Change-Id: I4f9f8d9d9fc0ec8c57a3e1e7dda49ccea8cda388
Dmitriy Rabotyagov 2020-09-11 18:32:29 +03:00 committed by Dmitriy Rabotyagov (noonedeadpunk)
parent 7ec0a966ab
commit a0761a0e66
3 changed files with 38 additions and 36 deletions

View File

@ -171,45 +171,28 @@ http-01 challenge requests.
haproxy_ssl: true haproxy_ssl: true
haproxy_ssl_letsencrypt_enable: True haproxy_ssl_letsencrypt_enable: True
haproxy_ssl_letsencrypt_install_method: "distro" haproxy_ssl_letsencrypt_install_method: "distro"
haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
haproxy_ssl_letsencrypt_email: "email.address@example.com" haproxy_ssl_letsencrypt_email: "email.address@example.com"
haproxy_extra_services:
# an internal only service for acme-challenge whose backend is certbot running on any haproxy instance
- service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1 #rise quickly to detect certbot running without delay
backend_fall: 2
haproxy_bind:
- 127.0.0.1 #bind to the localhost as the host internal IP will be used by certbot
haproxy_port: 8888
haproxy_balance_type: http
If you don't have horizon deployed, you will need to define dummy service that
Copy the whole variable ``haproxy_default_services`` from will listen on 80 and 443 ports and will be used for acme-challenge, whose
``/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml`` backend is certbot on the haproxy host:
to ``/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml`` and
update the section for horizon to include the ACL redirects http-01
challenges to the HAProxy ``letsencrypt`` backend as follows:
.. code-block:: shell-session .. code-block:: shell-session
- service: haproxy_extra_services:
haproxy_service_name: horizon # the external facing service which serves the apache test site, with a acl for LE requests
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}" - service:
haproxy_ssl: "{{ haproxy_ssl }}" haproxy_service_name: certbot
haproxy_ssl_all_vips: true haproxy_redirect_http_port: 80 #redirect port 80 to port ssl
haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}" haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge
haproxy_backend_port: 80 haproxy_port: 443
haproxy_redirect_http_port: 80 haproxy_frontend_acls: "{{ haproxy_ssl_letsencrypt_acl }}" #use a frontend ACL specify the backend to use for acme-challenge
haproxy_balance_type: http haproxy_ssl: True
haproxy_balance_alg: source haproxy_backend_nodes: #apache is running on locally on 127.0.0.1:80 serving a dummy site
haproxy_backend_options: - name: local-test-service
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" ip_addr: 127.0.0.1
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_balance_type: http
haproxy_redirect_scheme: "https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }" #redirect all non-ssl traffic to ssl except acme-challenge haproxy_backend_port: 80
haproxy_frontend_acls: #use a frontend ACL specify the backend to use for acme-challenge haproxy_backend_options:
letsencrypt-acl: - "httpchk HEAD /" # request to use for health check for the example service
rule: "path_beg /.well-known/acme-challenge/"
backend_name: letsencrypt
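Review bot: The sentence introducing the "no horizon" example ("will be used for acme-challenge, whose backend is certbot on the haproxy host") misdescribes the service it documents: the `certbot` dummy service's backend is the local apache on 127.0.0.1:80 (`local-test-service`), and only requests matching `haproxy_ssl_letsencrypt_acl` (the `/.well-known/acme-challenge/` path) are sent to the `letsencrypt` backend; reword it as "a dummy service listening on ports 80 and 443 whose only purpose is to route acme-challenge requests to the letsencrypt backend". The example also hardcodes `haproxy_port: 443` and `haproxy_ssl: True` where the horizon service it replaces used `haproxy_ssl: "{{ haproxy_ssl }}"` and `haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"`; either state that the snippet assumes `haproxy_ssl: true` (as set a few lines above) or keep the ternary form so a copied example does not break with SSL disabled. `haproxy_ssl_letsencrypt_acl` is referenced on the `haproxy_frontend_acls` line but never defined or described in this document; add a sentence saying it is provided by the defaults (Depends-On https://review.opendev.org/751316) and what it contains, so a deployer who needs a different backend name knows what to override. Wording nits in the added comments: "with a acl for LE requests" should be "with an ACL for LE requests", "apache is running on locally on" has a doubled "on", and "define dummy service that will listen on 80 and 443 ports" should be "define a dummy service that listens on ports 80 and 443".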

View File

@ -216,6 +216,18 @@ haproxy_default_services:
haproxy_backend_options: haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
- service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 2
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
- service: - service:
haproxy_service_name: sahara_api haproxy_service_name: sahara_api
haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
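Review bot: The condition `haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool` is repeated three times in this hunk (the `haproxy_redirect_scheme` and `haproxy_frontend_acls` lines of the horizon service and `haproxy_service_enabled` of the new `letsencrypt` service); factor it into one variable so the three settings cannot drift apart. On the `haproxy_frontend_acls` line the fallback is `{}`, whereas before this change the key was simply absent from the horizon service; confirm the haproxy service template treats an empty dict exactly like an undefined key, otherwise every non-letsencrypt deployment now renders an empty ACL block. The `letsencrypt` service drops the explanatory comments the docs used to carry for its non-obvious values (`backend_rise: 1` "rise quickly to detect certbot running without delay", `haproxy_bind: 127.0.0.1` "bind to the localhost as the host internal IP will be used by certbot"); since group_vars is now the only place these values live, carry the comments over. Finally, `haproxy_ssl_letsencrypt_acl` and `haproxy_ssl_letsencrypt_certbot_backend_port` are consumed here but defined nowhere in this change, so the Depends-On (751316) has to land first; a short comment pointing at where they are defined would help the next reader of this file.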

View File

@ -0,0 +1,7 @@
---
upgrade:
- |
There's no need in keeping `letsencrypt` service in haproxy_extra_services
as well as copying and maintaining whole haproxy_default_services in order
to get overrides for horizon. From now on required adjustments are provided
by defualt and letsecrypt installation path has been simplified.
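Review bot: The upgrade note should tell deployers what to change, not only that the path is simpler: anyone who followed the previous documentation has a `letsencrypt` entry in `haproxy_extra_services` and a full copy of `haproxy_default_services` in /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml, and after this change those overrides must be removed, otherwise the `letsencrypt` service is defined twice and the stale copy of `haproxy_default_services` masks the new horizon defaults. Also fix the typos `defualt` -> `default` and `letsecrypt` -> `letsencrypt`, and "There's no need in keeping" -> "There's no need to keep".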