Merge "rabbitmq: default to using TLS for management user interface" into stable/yoga

inventory/group_vars/all/all.yml

@@ -137,3 +137,6 @@ repo_service_user_name: nginx
 repo_service_group_name: www-data
 venv_build_host_user_name: "{{ repo_service_user_name }}"
 venv_build_host_group_name: "{{ repo_service_group_name }}"
+
+# Set RabbitMQ management UI to use TLS
+rabbitmq_management_ssl: true

inventory/group_vars/haproxy/haproxy.yml

@@ -435,9 +435,11 @@ haproxy_placement_service:
 haproxy_rabbitmq_service:
   haproxy_service_name: rabbitmq_mgmt
   haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
-  haproxy_ssl: False
+  haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
+  haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
+  haproxy_backend_ca: False
   haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 15672
+  haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
   haproxy_balance_type: http
   haproxy_backend_options:
     - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"

releasenotes/notes/rabbitmq-upgrade-management-ssl-d6a7f77f2a65ffa9.yaml

@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    The RabbitMQ management interface surfaced via HAProxy defaults to using
+    TLS from the Yoga release. Note that when using TLS the default port
+    switches from 15672 to 15671. TLS can be disabled if required by adjusting
+    'rabbitmq_management_ssl'.