[openstack-ansible] Configure API endpoints on port 443
Hi OSA users,

Does someone have a guide to configure a deployment via openstack-ansible and have all API endpoints on HTTPS/443? Of course, to distinguish the services, we should use either:
- DNS names: https://image.endpointdomain.tld, https://compute.endpointdomain.tld...
- URI: https://endpointdomain.tld/image, https://endpointdomain.tld/compute...

As I understand, HAProxy configuration is really different for these cases: only one frontend instead of one per service?
Hi Gilles,

I've never tried what you describe, but I think that all the settings/variables are in place for this to be possible...

With a recent version of OSA you can define a list of ACLs for HAProxy frontends. This was introduced to bring support for LetsEncrypt challenges and Horizon on the same port 80/443 frontend. See the LE ACL definition here https://github.com/openstack/openstack-ansible-haproxy_server/blob/1dc4fa621... The standard ACL for port 80/443 is defined here https://github.com/openstack/openstack-ansible/blob/0965d2a22da9b03b27e9648e...

In order to support all endpoints on HTTPS/443 you should override the definition of haproxy_horizon_service in your user_variables.yml, and extend the HAProxy ACL list to include rules for each service backend you need under the haproxy_frontend_acls key. See the main HAProxy docs for ACL stuff. Re-running the haproxy playbook will deploy these changes.

If this works out OK then you'll need to update the service catalog for all the services you want on port 443. Taking keystone as an example, override the setting of keystone_service_publicuri (https://github.com/openstack/openstack-ansible-os_keystone/blob/96b76aea8893...) in your user_variables.yml, and re-run the keystone role. Do similar for the other services.

All of this assumes you've already got DNS records in place and an appropriate certificate with the necessary names. Older releases of OSA might need slightly different overrides, or be missing the HAProxy ACL functionality.

Contributing documentation for this use case would be great if you can get it to work.

Jonathan.

On 19/07/2021 21:15, Gilles Mocellin wrote:
Hi OSA users,
Does someone have a guide to configure a deployment via openstack-ansible and have all API endpoints on HTTPS/443? Of course, to distinguish the services, we should use either:
- DNS names: https://image.endpointdomain.tld, https://compute.endpointdomain.tld...
- URI: https://endpointdomain.tld/image, https://endpointdomain.tld/compute...

As I understand, HAProxy configuration is really different for these cases: only one frontend instead of one per service?
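For readers following the thread, here is what the single 443 frontend that the haproxy_frontend_acls override has to render looks like in plain HAProxy terms, covering both of the routing options Gilles asked about (Host header vs. URI prefix). This is an added illustration, not configuration from the thread or from openstack-ansible; backend names, hostnames and the certificate path are placeholders.

```haproxy
# Added example (not from openstack-ansible): one public HTTPS frontend
# that dispatches to per-service backends. In a real deployment you
# would pick one of the two routing options; both are shown for contrast.
frontend openstack-public-https
    bind *:443 ssl crt /etc/ssl/private/endpointdomain.tld.pem   # placeholder cert path
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # Option 1: one DNS name per service, routed on the Host header.
    # The certificate must carry every name (or a wildcard).
    acl host_image   hdr(host) -i image.endpointdomain.tld
    acl host_compute hdr(host) -i compute.endpointdomain.tld
    use_backend glance_api-back           if host_image
    use_backend nova_api_os_compute-back  if host_compute

    # Option 2: one DNS name, routed on a URI prefix. Record the match
    # in a transaction variable before rewriting the path, because
    # use_backend is evaluated after http-request rules have run and
    # path_beg would no longer match the stripped path.
    acl path_image   path_beg -i /image
    acl path_compute path_beg -i /compute
    http-request set-var(txn.svc) str(image)   if path_image
    http-request set-var(txn.svc) str(compute) if path_compute
    # Strip the prefix: the services expect requests at /, while the
    # catalog entries (e.g. keystone_service_publicuri) must include it.
    http-request set-path %[path,regsub(^/image/?,/)]   if path_image
    http-request set-path %[path,regsub(^/compute/?,/)] if path_compute
    use_backend glance_api-back           if { var(txn.svc) -m str image }
    use_backend nova_api_os_compute-back  if { var(txn.svc) -m str compute }

    # Anything unmatched stays with Horizon, as in the stock 80/443 frontend.
    default_backend horizon-back
```

With the URI-prefix option, services that build links from the request URL will still emit them without the prefix unless their own public endpoint setting is adjusted as well, which is why the thread points at the per-service publicuri variables.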
On Tuesday, 20 July 2021, 11:04:25 CEST Jonathan Rosser wrote:
Hi Gilles,
I've never tried what you describe, but I think that all the settings/variables are in place for this to be possible...
With a recent version of OSA you can define a list of ACLs for HAProxy frontends. This was introduced to bring support for LetsEncrypt challenges and Horizon on the same port 80/443 frontend. See the LE ACL definition here https://github.com/openstack/openstack-ansible-haproxy_server/blob/1dc4fa621c153f1503933f1bb185d9fef2789f79/defaults/main.yml#L166-L169
[...]

Ah yes! I remember having seen something with ACLs lately in the haproxy role.

[...]
Older releases of OSA might need slightly different overrides, or be missing the HAProxy ACL functionality. Contributing documentation for this use case would be great if you can get it to work.
Jonathan.
Thanks Jonathan,

If I manage to get something working, I'll try to contribute. Let's see.