LetsEncrypt OS Ansible Ussuri

Marc-Antoine Godde marc-antoine.godde at viarezo.fr
Mon Feb 21 17:25:17 UTC 2022 

Hello,

I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.

We added the following variables to user_variables.yml.

==================================================================================
haproxy_ssl_letsencrypt_enable: True
haproxy_ssl_letsencrypt_install_method: "distro"
haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
haproxy_ssl_letsencrypt_email: email at example.com
haproxy_interval: 2000

user avatar user avatar 
haproxy_extra_services:
  # an internal only service for acme-challenge whose backend is certbot on the haproxy host
  - service:
      haproxy_service_name: letsencrypt
      haproxy_backend_nodes:
        - name: localhost
          ip_addr: {{ ansible_host }}                        #certbot binds to the internal IP
      backend_rise: 1                                        #quick rise and fall time for multinode deployment to succeed
      backend_fall: 2
      haproxy_bind:
        - 127.0.0.1                                          #bind to 127.0.0.1 as the local internal address  will be used by certbot
      haproxy_port: 8888                                     #certbot is configured with http-01-port to be 8888
      haproxy_balance_type: http
==================================================================================

Yet, Horizon config for HAproxy is already defined in the default vars (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml <https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml>) and we don’t know where ta add the required ACL to redirect the traffic from 80 port to 8888:

====================================
haproxy_frontend_acls:                                 #use a frontend ACL specify the backend to use for acme-challenge
  letsencrypt-acl:
    rule: "path_beg /.well-known/acme-challenge/"
    backend_name: letsencrypt
====================================

We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri tho ?

Many thanks,
Best,
Marc-Antoine Godde


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220221/70ccaa77/attachment-0001.htm>

More information about the openstack-discuss mailing list