[openstack-ansible] Configure API endpoints on port 443
Jonathan Rosser
jonathan.rosser at rd.bbc.co.uk
Tue Jul 20 09:04:25 UTC 2021
Hi Gilles,
I've never tried what you describe, but I think that all the
settings/variables are in place for this to be possible...
With a recent version of OSA you can define a list of ACL for haproxy
frontends. This was introduced to bring support for LetsEncrypt
challenges and Horizon on the same port 80/443 frontend. See the LE ACL
definition here
https://github.com/openstack/openstack-ansible-haproxy_server/blob/1dc4fa621c153f1503933f1bb185d9fef2789f79/defaults/main.yml#L166-L169
The standard ACL for port 80/443 is defined here
https://github.com/openstack/openstack-ansible/blob/0965d2a22da9b03b27e9648e83d7d4d0dbe561c5/inventory/group_vars/haproxy/haproxy.yml#L198
In order to support all endpoints on HTTPS/443 you should override the
definition of haproxy_horizon_service in your user_variables.yml, and
extend the haproxy acl list to include rules for each service backend
you need under the haproxy_frontend_acls key. See the main HAProxy docs
for ACL stuff.
Re-running the haproxy playbook will deploy these changes. If this works
out OK then you'll need to update the service catalog for all the
services you want on port 443. Taking keystone as an example, override
the setting of keystone_service_publicuri
(https://github.com/openstack/openstack-ansible-os_keystone/blob/96b76aea88938e404367a75040ef3b786ea2a1f1/defaults/main.yml#L176)
in your user_variables.yml, and re-run the keystone role. Do similar for
the other services.
All of this assumes you've already got DNS records in place and an
appropriate certificate with the necessary names.
Older releases of OSA might need slightly different overrides, or be
missing the HAProxy ACL functionality. Contributing documentation for
this use case would be great if you can get it to work.
Jonathan.
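The override described above, written out as a user_variables.yml fragment. This is an added example, not configuration from the post or from the openstack-ansible project: the shape of haproxy_frontend_acls (a dict keyed by ACL name, each entry with a "rule" HAProxy ACL expression and a "backend_name" that OSA renders as "<name>-back") is assumed from the linked defaults, the hostnames under endpointdomain.tld are placeholders, and the glance_api / nova_api_os_compute / keystone_service backend names are assumptions to be checked against your release's haproxy.yml. The remaining keys of haproxy_horizon_service should be copied verbatim from the linked haproxy.yml for your release; only an abbreviated set is shown here.

```yaml
# user_variables.yml (added example; hostnames and backend names are placeholders)
haproxy_horizon_service:
  haproxy_service_name: horizon
  haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"
  haproxy_port: "{{ haproxy_ssl | ternary(443, 80) }}"
  haproxy_backend_port: 80
  haproxy_balance_type: http
  # ACL list evaluated on the shared 80/443 frontend (dict shape is assumed).
  haproxy_frontend_acls:
    # Keep the LetsEncrypt challenge rule so certificate renewal still works.
    letsencrypt-acl:
      rule: "path_beg /.well-known/acme-challenge/"
      backend_name: letsencrypt
    # Hostname-based routing: one DNS name per API, all terminated on the 443 VIP.
    image-acl:
      rule: "hdr(host) -i image.endpointdomain.tld"
      backend_name: glance_api
    compute-acl:
      rule: "hdr(host) -i compute.endpointdomain.tld"
      backend_name: nova_api_os_compute
    identity-acl:
      rule: "hdr(host) -i identity.endpointdomain.tld"
      backend_name: keystone_service
    # Anything that matches no ACL falls through to the horizon backend.

# Service catalog entry for keystone: the public URI must use the name the
# ACL routes on, with no port suffix, so clients end up on the 443 frontend.
keystone_service_publicuri: "https://identity.endpointdomain.tld"
```

Each hostname used in an hdr(host) rule has to resolve to the external VIP and be present as a SAN in the certificate bound to the frontend, otherwise clients validating TLS will reject the endpoint even though HAProxy routes it correctly. Path-based routing (https://endpointdomain.tld/image) would swap the rules for path_beg matches, but most OpenStack APIs expect to be served from the root, so the hostname form is the less surprising one to try first.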
On 19/07/2021 21:15, Gilles Mocellin wrote:
> Hi OSA users,
>
> Does someone have a guide to configure a deployment via openstack-ansible and
> have all API endpoints on HTTPS/443 ?
> Of course, to distinguish the services, we should use either:
> - DNS names: https://image.endpointdomain.tld, https://compute.endpointdomain.tld...
> - URI: https://endpointdomain.tld/image, https://endpointdomain.tld/compute...
>
> As I understand, HAProxy configuration is really different for these cases: only
> one frontend instead of one per service?
>