[openstack-ansible] Configure API endpoints on port 443

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Tue Jul 20 09:04:25 UTC 2021


Hi Gilles,

I've never tried what you describe, but I think that all the 
settings/variables are in place for this to be possible.....

With a recent version of OSA you can define a list of ACL for haproxy 
frontends. This was introduced to bring support for LetsEncrypt 
challenges and Horizon on the same port 80/443 frontend. See the LE ACL 
definition here 
https://github.com/openstack/openstack-ansible-haproxy_server/blob/1dc4fa621c153f1503933f1bb185d9fef2789f79/defaults/main.yml#L166-L169

The standard ACL for port 80/443 is defined here 
https://github.com/openstack/openstack-ansible/blob/0965d2a22da9b03b27e9648e83d7d4d0dbe561c5/inventory/group_vars/haproxy/haproxy.yml#L198

In order to support all endpoints on HTTPS/443 you should override the 
definition of haproxy_horizon_service in your user_variables.yml, and 
extend the haproxy acl list to include rules for each service backend 
you need under the haproxy_frontend_acls key. See the main HAProxy docs 
for ACL stuff.

Re-running the haproxy playbook will deploy these changes. If this works 
out OK then you'll need to update the service catalog for all the 
services you want on port 443, taking keystone as an example, override 
the setting of keystone_service_publicuri 
(https://github.com/openstack/openstack-ansible-os_keystone/blob/96b76aea88938e404367a75040ef3b786ea2a1f1/defaults/main.yml#L176) 
in your user_variables.yml, and re-run the keystone role. Do similar for 
the other services.

All of this assumes you've already got DNS records in place and an 
appropriate certificate with the necessary names.

Older releases of OSA might need slightly different overrides, or be 
missing the HAproxy ACL functionality. Contributing documentation for 
this use case would be great if you can get it to work.

Jonathan.

On 19/07/2021 21:15, Gilles Mocellin wrote:
> Hi OSA users,
>
> Does someone have a guide to configure a deployment via openstack-ansible and
> have all API endpoints on HTTPS/443 ?
> Of course to distinguish the services, we should use either :
> - DNS names : https://image.endpointdomain.tld, https://
> compute.endpointdomain.tld...
> - URI  : https://endpointdomain.tld/image, https://endpointdomain.tld/
> compute...
>
> As I understand, HAproxy configuration is really different for these cases only
> one frontend instead of one by service ?

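The overrides Jonathan describes, written out as an added example (not from this thread and not the project's own configuration). It assumes, from reading the linked haproxy_server defaults, that `haproxy_frontend_acls` is a dict of `{acl-name: {rule: <HAProxy acl expression>, backend_name: <haproxy_service_name>}}` and that the role names generated backends `<haproxy_service_name>-back`; the service names `keystone_service` and `glance_api` and the hostnames `identity.endpointdomain.tld` / `image.endpointdomain.tld` are constructed placeholders. Check the keys against the linked `haproxy.yml` for your release before using it, since overriding `haproxy_horizon_service` replaces the whole dict.

```yaml
# user_variables.yml fragment (added example; verify against the linked
# defaults of your OSA release, this is not the project's own file).
#
# Assumptions:
#  - haproxy_frontend_acls is a dict: acl-name -> {rule, backend_name}
#  - backends are rendered as "<backend_name>-back"
#  - keystone_service / glance_api are the haproxy_service_name values
#    of the keystone and glance frontends in the standard group_vars
#  - hostnames are constructed placeholders; the TLS certificate must
#    carry every one of them as a SAN and DNS must resolve them to the VIP

# Full-dict override of the standard port 80/443 frontend. Copy the rest of
# the keys (backend nodes, health check, ssl flags) from the linked
# inventory/group_vars/haproxy/haproxy.yml; only haproxy_frontend_acls is new.
haproxy_horizon_service:
  haproxy_service_name: horizon
  haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"          # keep TLS termination on 443
  haproxy_ssl_all_vips: true
  haproxy_port: "{{ haproxy_ssl | ternary(443, 80) }}"
  haproxy_backend_port: 80
  haproxy_balance_type: http
  haproxy_backend_options:
    - "httpchk HEAD /auth/login/ HTTP/1.0\r\nUser-agent:\\ osa-haproxy-healthcheck"
  # Host-header routing (the DNS-name variant from the original question).
  # Requests that match no ACL fall through to the Horizon backend.
  haproxy_frontend_acls:
    identity-acl:
      rule: "hdr(host) -i identity.endpointdomain.tld"
      backend_name: "keystone_service"
    image-acl:
      rule: "hdr(host) -i image.endpointdomain.tld"
      backend_name: "glance_api"
    # For the path-based variant instead, a rule such as
    #   "path_beg /identity"
    # would select the backend; the service itself must then accept
    # the prefix, which this example does not configure.

# Service catalog: the public identity endpoint now lives on 443 behind the
# shared frontend. Repeat with the equivalent variable of each other service.
keystone_service_publicuri: "https://identity.endpointdomain.tld"
```

Apply it as the mail says: run the `haproxy-install.yml` playbook first and confirm with a plain HTTPS request to each hostname that the right backend answers (a wrong `backend_name` leaves the request falling through to Horizon rather than failing loudly), then re-run `os-keystone-install.yml` so the catalog entry changes, and repeat for the remaining services.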