From b75a9d0dd07d1fe1b578398714e776911f3fb2a9 Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Thu, 25 May 2023 19:29:49 +0200 Subject: [PATCH] Implement support for haproxy_accept_both_protocols Enabling TLS on the internal VIP for existing deployments will cause downtime until each client is configured to use HTTPS instead of HTTP. To avoid downtime, it is recommended to enable `openstack_service_accept_both_protocols` until all services are configured correctly. It allows haproxy frontends to accept both HTTP and HTTPS. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/864784 Change-Id: Ie6f5b73c54b0a6d1f661a9d4f33b8a301d8c4170 --- doc/source/user/security/ssl-certificates.rst | 7 +++---- inventory/group_vars/adjutant_all/haproxy_service.yml | 1 + inventory/group_vars/all/all.yml | 3 +++ inventory/group_vars/aodh_all/haproxy_service.yml | 1 + inventory/group_vars/barbican_all/haproxy_service.yml | 1 + inventory/group_vars/blazar_all/haproxy_service.yml | 1 + inventory/group_vars/cinder_all/haproxy_service.yml | 1 + inventory/group_vars/cloudkitty_all/haproxy_service.yml | 1 + inventory/group_vars/designate_all/haproxy_service.yml | 1 + inventory/group_vars/glance_all/haproxy_service.yml | 1 + inventory/group_vars/heat_all/haproxy_service.yml | 2 ++ inventory/group_vars/ironic_all/haproxy_service.yml | 2 ++ inventory/group_vars/keystone_all/haproxy_service.yml | 1 + inventory/group_vars/magnum_all/haproxy_service.yml | 1 + inventory/group_vars/manila_all/haproxy_service.yml | 1 + inventory/group_vars/masakari_all/haproxy_service.yml | 1 + inventory/group_vars/mistral_all/haproxy_service.yml | 1 + inventory/group_vars/murano_all/haproxy_service.yml | 1 + inventory/group_vars/neutron_all/haproxy_service.yml | 1 + inventory/group_vars/nova_all/haproxy_service.yml | 5 +++++ inventory/group_vars/octavia_all/haproxy_service.yml | 1 + inventory/group_vars/placement_all/haproxy_service.yml | 1 + inventory/group_vars/repo_all.yml | 1 + inventory/group_vars/sahara_all/haproxy_service.yml | 1 + inventory/group_vars/senlin_all/haproxy_service.yml | 1 + inventory/group_vars/swift_all/haproxy_service.yml | 1 + inventory/group_vars/tacker_all/haproxy_service.yml | 1 + inventory/group_vars/trove_all/haproxy_service.yml | 1 + inventory/group_vars/zun_all/haproxy_service.yml | 1 + ...ack_service_accept_both_protocols-c7d1a89befeae9fe.yaml | 6 ++++++ 30 files changed, 45 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/openstack_service_accept_both_protocols-c7d1a89befeae9fe.yaml diff --git a/doc/source/user/security/ssl-certificates.rst b/doc/source/user/security/ssl-certificates.rst index e1c76b10fb..fcd0dc0575 100644 --- a/doc/source/user/security/ssl-certificates.rst +++ b/doc/source/user/security/ssl-certificates.rst @@ -285,10 +285,9 @@ each OpenStack service and OpenStack services are configured to use http or https. This means once haproxy is updated to only accept HTTPS connections, the OpenStack services will stop working until they are updated to use HTTPS. -For this reason it is recommended that TLS for haproxy internal VIP on existing -deployments is deployed at the same time as enabling TLS for Haproxy backends, -as this may also cause downtime. For new deployments this should be enabled from -the start. +To avoid downtime, it is recommended to enable +``openstack_service_accept_both_protocols`` until all services are configured +correctly. It allows haproxy frontends to listen on both HTTP and HTTPS. TLS for Haproxy Backends ~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/inventory/group_vars/adjutant_all/haproxy_service.yml b/inventory/group_vars/adjutant_all/haproxy_service.yml index 003adade83..a384a64925 100644 --- a/inventory/group_vars/adjutant_all/haproxy_service.yml +++ b/inventory/group_vars/adjutant_all/haproxy_service.yml @@ -25,6 +25,7 @@ haproxy_adjutant_api_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ adjutant_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ adjutant_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ adjutant_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}" adjutant_haproxy_services: diff --git a/inventory/group_vars/all/all.yml b/inventory/group_vars/all/all.yml index 0aab64b941..cb8bad5443 100644 --- a/inventory/group_vars/all/all.yml +++ b/inventory/group_vars/all/all.yml @@ -73,6 +73,9 @@ openstack_external_ssl: true ## be encrypted. openstack_service_backend_ssl: False +## Allows haproxy frontend to accept both HTTP and HTTPS traffic. +openstack_service_accept_both_protocols: False + ## OpenStack global Endpoint Protos openstack_service_publicuri_proto: https openstack_service_adminuri_proto: http diff --git a/inventory/group_vars/aodh_all/haproxy_service.yml b/inventory/group_vars/aodh_all/haproxy_service.yml index b6a1efc8e0..1892f636a9 100644 --- a/inventory/group_vars/aodh_all/haproxy_service.yml +++ b/inventory/group_vars/aodh_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_aodh_api_service: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ aodh_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ aodh_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ aodh_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}" aodh_haproxy_services: diff --git a/inventory/group_vars/barbican_all/haproxy_service.yml b/inventory/group_vars/barbican_all/haproxy_service.yml index 6eb17c8a22..e9416161a0 100644 --- a/inventory/group_vars/barbican_all/haproxy_service.yml +++ b/inventory/group_vars/barbican_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_barbican_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ barbican_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ barbican_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ barbican_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}" barbican_haproxy_services: diff --git a/inventory/group_vars/blazar_all/haproxy_service.yml b/inventory/group_vars/blazar_all/haproxy_service.yml index f083f8f748..e9e0e34f9e 100644 --- a/inventory/group_vars/blazar_all/haproxy_service.yml +++ b/inventory/group_vars/blazar_all/haproxy_service.yml @@ -26,6 +26,7 @@ haproxy_blazar_api_service: - 'expect rstatus (200|401)' haproxy_backend_ssl: "{{ blazar_backend_ssl | default(False) }}" haproxy_backend_ca: "{{ openstack_haproxy_backend_ca | default(True) }}" + haproxy_accept_both_protocols: "{{ blazar_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}" blazar_haproxy_services: diff --git a/inventory/group_vars/cinder_all/haproxy_service.yml b/inventory/group_vars/cinder_all/haproxy_service.yml index 46e3c09e0c..d9e6ea30a2 100644 --- a/inventory/group_vars/cinder_all/haproxy_service.yml +++ b/inventory/group_vars/cinder_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_cinder_api_service: - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ cinder_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ cinder_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ cinder_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}" cinder_haproxy_services: diff --git a/inventory/group_vars/cloudkitty_all/haproxy_service.yml b/inventory/group_vars/cloudkitty_all/haproxy_service.yml index cfa54938ef..83f9ca8411 100644 --- a/inventory/group_vars/cloudkitty_all/haproxy_service.yml +++ b/inventory/group_vars/cloudkitty_all/haproxy_service.yml @@ -25,6 +25,7 @@ haproxy_cloudkitty_api_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ cloudkitty_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ cloudkitty_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ cloudkitty_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}" cloudkitty_haproxy_services: diff --git a/inventory/group_vars/designate_all/haproxy_service.yml b/inventory/group_vars/designate_all/haproxy_service.yml index c6849471f5..136e081cb4 100644 --- a/inventory/group_vars/designate_all/haproxy_service.yml +++ b/inventory/group_vars/designate_all/haproxy_service.yml @@ -26,6 +26,7 @@ haproxy_designate_api_service: - "httplog" haproxy_backend_ssl: "{{ designate_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ designate_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ designate_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}" designate_haproxy_services: diff --git a/inventory/group_vars/glance_all/haproxy_service.yml b/inventory/group_vars/glance_all/haproxy_service.yml index aa4ed1e2fa..7fc8bc69e5 100644 --- a/inventory/group_vars/glance_all/haproxy_service.yml +++ b/inventory/group_vars/glance_all/haproxy_service.yml @@ -25,6 +25,7 @@ haproxy_glance_api_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ (glance_use_uwsgi | default(True)) | ternary((glance_backend_ssl | default(openstack_service_backend_ssl)), False) }}" haproxy_backend_ca: "{{ glance_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ glance_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}" glance_haproxy_services: diff --git a/inventory/group_vars/heat_all/haproxy_service.yml b/inventory/group_vars/heat_all/haproxy_service.yml index d31c7a4695..d37b82554a 100644 --- a/inventory/group_vars/heat_all/haproxy_service.yml +++ b/inventory/group_vars/heat_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_heat_api_service: - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ heat_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ heat_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ heat_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}" haproxy_heat_api_cfn_service: @@ -37,6 +38,7 @@ haproxy_heat_api_cfn_service: - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ heat_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ heat_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ heat_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}" heat_haproxy_services: diff --git a/inventory/group_vars/ironic_all/haproxy_service.yml b/inventory/group_vars/ironic_all/haproxy_service.yml index 443de0a475..cf503ff90b 100644 --- a/inventory/group_vars/ironic_all/haproxy_service.yml +++ b/inventory/group_vars/ironic_all/haproxy_service.yml @@ -30,6 +30,7 @@ haproxy_ironic_api_service: - "http-request deny if { path_beg /v1/heartbeat } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }" haproxy_backend_ssl: "{{ ironic_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ ironic_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ ironic_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}" haproxy_ironic_inspector_service: @@ -45,6 +46,7 @@ haproxy_ironic_inspector_service: - "http-request deny if { path_beg /v1/continue } !{ src {{ haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }" haproxy_backend_ssl: "{{ ironic_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ ironic_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ ironic_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}" ironic_haproxy_services: diff --git a/inventory/group_vars/keystone_all/haproxy_service.yml b/inventory/group_vars/keystone_all/haproxy_service.yml index 6829feb53c..a10f7ce5aa 100644 --- a/inventory/group_vars/keystone_all/haproxy_service.yml +++ b/inventory/group_vars/keystone_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_keystone_service: - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ keystone_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ keystone_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ keystone_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}" keystone_haproxy_services: diff --git a/inventory/group_vars/magnum_all/haproxy_service.yml b/inventory/group_vars/magnum_all/haproxy_service.yml index 1313393c00..6ccb9027b1 100644 --- a/inventory/group_vars/magnum_all/haproxy_service.yml +++ b/inventory/group_vars/magnum_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_magnum_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ magnum_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ magnum_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ magnum_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}" magnum_haproxy_services: diff --git a/inventory/group_vars/manila_all/haproxy_service.yml b/inventory/group_vars/manila_all/haproxy_service.yml index 130dc7c7ec..0ff1942526 100644 --- a/inventory/group_vars/manila_all/haproxy_service.yml +++ b/inventory/group_vars/manila_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_manila_service: - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ manila_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ manila_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ manila_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}" manila_haproxy_services: diff --git a/inventory/group_vars/masakari_all/haproxy_service.yml b/inventory/group_vars/masakari_all/haproxy_service.yml index d2e74a3441..66738357ee 100644 --- a/inventory/group_vars/masakari_all/haproxy_service.yml +++ b/inventory/group_vars/masakari_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_masakari_api_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ masakari_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ masakari_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ masakari_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}" masakari_haproxy_services: diff --git a/inventory/group_vars/mistral_all/haproxy_service.yml b/inventory/group_vars/mistral_all/haproxy_service.yml index 0f0a9a78e5..6a59f14695 100644 --- a/inventory/group_vars/mistral_all/haproxy_service.yml +++ b/inventory/group_vars/mistral_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_mistral_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ mistral_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ mistral_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ mistral_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}" mistral_haproxy_services: diff --git a/inventory/group_vars/murano_all/haproxy_service.yml b/inventory/group_vars/murano_all/haproxy_service.yml index 2b8ec68620..f5b2545062 100644 --- a/inventory/group_vars/murano_all/haproxy_service.yml +++ b/inventory/group_vars/murano_all/haproxy_service.yml @@ -26,6 +26,7 @@ haproxy_murano_service: - "expect status 401" haproxy_backend_ssl: "{{ murano_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ murano_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ murano_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}" murano_haproxy_services: diff --git a/inventory/group_vars/neutron_all/haproxy_service.yml b/inventory/group_vars/neutron_all/haproxy_service.yml index d3c1ad549d..78af887aa4 100644 --- a/inventory/group_vars/neutron_all/haproxy_service.yml +++ b/inventory/group_vars/neutron_all/haproxy_service.yml @@ -26,6 +26,7 @@ haproxy_neutron_server_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ neutron_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ neutron_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ neutron_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}" haproxy_opendaylight_neutron_service: diff --git a/inventory/group_vars/nova_all/haproxy_service.yml b/inventory/group_vars/nova_all/haproxy_service.yml index 67569cc348..0c5854b86a 100644 --- a/inventory/group_vars/nova_all/haproxy_service.yml +++ b/inventory/group_vars/nova_all/haproxy_service.yml @@ -33,6 +33,7 @@ haproxy_nova_api_metadata_service: haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}" haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}" haproxy_nova_api_compute_service: @@ -46,6 +47,7 @@ haproxy_nova_api_compute_service: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}" haproxy_nova_spice_console_service: @@ -62,6 +64,7 @@ haproxy_nova_spice_console_service: haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}" haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}" haproxy_nova_serial_console_service: @@ -78,6 +81,7 @@ haproxy_nova_serial_console_service: haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}" haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or (groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}" @@ -95,6 +99,7 @@ haproxy_nova_novnc_console_service: haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}" haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}" # NOTE(jrosser) Clean up legacy console haproxy configs from previous releases diff --git a/inventory/group_vars/octavia_all/haproxy_service.yml b/inventory/group_vars/octavia_all/haproxy_service.yml index 3bdc38dbfd..15da69063a 100644 --- a/inventory/group_vars/octavia_all/haproxy_service.yml +++ b/inventory/group_vars/octavia_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_octavia_service: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ octavia_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ octavia_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ octavia_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}" octavia_haproxy_services: diff --git a/inventory/group_vars/placement_all/haproxy_service.yml b/inventory/group_vars/placement_all/haproxy_service.yml index 8ad3c05644..2c344816a4 100644 --- a/inventory/group_vars/placement_all/haproxy_service.yml +++ b/inventory/group_vars/placement_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_placement_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ placement_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ placement_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ placement_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}" placement_haproxy_services: diff --git a/inventory/group_vars/repo_all.yml b/inventory/group_vars/repo_all.yml index 325853b2b4..b39c685219 100644 --- a/inventory/group_vars/repo_all.yml +++ b/inventory/group_vars/repo_all.yml @@ -44,6 +44,7 @@ haproxy_repo_service: - "expect status 200" haproxy_backend_ssl: "{{ repo_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ repo_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ repo_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}" repo_haproxy_services: diff --git a/inventory/group_vars/sahara_all/haproxy_service.yml b/inventory/group_vars/sahara_all/haproxy_service.yml index d460cab384..935776c081 100644 --- a/inventory/group_vars/sahara_all/haproxy_service.yml +++ b/inventory/group_vars/sahara_all/haproxy_service.yml @@ -25,6 +25,7 @@ haproxy_sahara_api_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ sahara_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ sahara_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ sahara_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}" sahara_haproxy_services: diff --git a/inventory/group_vars/senlin_all/haproxy_service.yml b/inventory/group_vars/senlin_all/haproxy_service.yml index b0cfcfdbe9..d79a221abb 100644 --- a/inventory/group_vars/senlin_all/haproxy_service.yml +++ b/inventory/group_vars/senlin_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_senlin_api_service: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ senlin_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ senlin_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ senlin_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}" senlin_haproxy_services: diff --git a/inventory/group_vars/swift_all/haproxy_service.yml b/inventory/group_vars/swift_all/haproxy_service.yml index c7374ce3a9..18c93d792b 100644 --- a/inventory/group_vars/swift_all/haproxy_service.yml +++ b/inventory/group_vars/swift_all/haproxy_service.yml @@ -28,6 +28,7 @@ haproxy_swift_proxy_service: # https://opendev.org/openstack/swift/src/commit/c78a5962b5f6c9e75f154cac924a226815236e98/etc/proxy-server.conf-sample haproxy_backend_ssl: "{{ swift_backend_ssl | default(False) }}" haproxy_backend_ca: "{{ swift_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ swift_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}" swift_haproxy_services: diff --git a/inventory/group_vars/tacker_all/haproxy_service.yml b/inventory/group_vars/tacker_all/haproxy_service.yml index 79c5902f17..1991de6270 100644 --- a/inventory/group_vars/tacker_all/haproxy_service.yml +++ b/inventory/group_vars/tacker_all/haproxy_service.yml @@ -26,6 +26,7 @@ haproxy_tacker_service: - "httplog" haproxy_backend_ssl: "{{ tacker_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ tacker_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ tacker_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}" tacker_haproxy_services: diff --git a/inventory/group_vars/trove_all/haproxy_service.yml b/inventory/group_vars/trove_all/haproxy_service.yml index c21dbdea1f..5e9decc8e7 100644 --- a/inventory/group_vars/trove_all/haproxy_service.yml +++ b/inventory/group_vars/trove_all/haproxy_service.yml @@ -24,6 +24,7 @@ haproxy_trove_service: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_ssl: "{{ trove_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ trove_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ trove_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}" trove_haproxy_services: diff --git a/inventory/group_vars/zun_all/haproxy_service.yml b/inventory/group_vars/zun_all/haproxy_service.yml index d854eaf540..14e378c107 100644 --- a/inventory/group_vars/zun_all/haproxy_service.yml +++ b/inventory/group_vars/zun_all/haproxy_service.yml @@ -43,6 +43,7 @@ haproxy_zun_console_service: # haproxy_backend_ssl disabled due to: https://bugs.launchpad.net/zun/+bug/2016917 haproxy_backend_ssl: False haproxy_backend_ca: "{{ zun_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" + haproxy_accept_both_protocols: "{{ zun_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}" zun_haproxy_services: diff --git a/releasenotes/notes/openstack_service_accept_both_protocols-c7d1a89befeae9fe.yaml b/releasenotes/notes/openstack_service_accept_both_protocols-c7d1a89befeae9fe.yaml new file mode 100644 index 0000000000..8d8c1375ea --- /dev/null +++ b/releasenotes/notes/openstack_service_accept_both_protocols-c7d1a89befeae9fe.yaml @@ -0,0 +1,6 @@ +--- +other: + - | + Variable ``openstack_service_accept_both_protocols`` was implemented to + temporarily accept both HTTP and HTTPS traffic on haproxy frontends. + It is useful when changing protocol of service endpoints.