[openstack-ansible] LetsEncrypt OS Ansible Ussuri
Jonathan Rosser
jonathan.rosser at rd.bbc.co.uk
Mon Feb 21 17:52:19 UTC 2022
Hi Marc-Antoine,
For setting the horizon acl, see
https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html
Specifically:
"Copy the whole variable haproxy_default_services from
/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to
/etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update the
section for horizon to include the ACL redirects http-01 challenges to
the HAProxy letsencrypt backend as follows: ......"
It is correct that this is not necessary in later releases and the
letsencrypt support is more straightforward to configure in Victoria.
You can also join the #openstack-ansible IRC channel for some real-time help
if needed.
Jonathan.
On 21/02/2022 17:25, Marc-Antoine Godde wrote:
> Hello,
>
> I have a question on how to set up LetsEncrypt with OpenStack Ansible.
> We are still on OpenStack Ussuri.
>
> We added the following variables to user_variables.yml.
>
> ==================================================================================
> haproxy_ssl_letsencrypt_enable: True
> haproxy_ssl_letsencrypt_install_method: "distro"
> haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
> haproxy_ssl_letsencrypt_email: email at example.com
> haproxy_interval: 2000
>
> haproxy_extra_services:
>   # an internal only service for acme-challenge whose backend is certbot on the haproxy host
>   - service:
>       haproxy_service_name: letsencrypt
>       haproxy_backend_nodes:
>         - name: localhost
>           ip_addr: "{{ ansible_host }}"   # certbot binds to the internal IP
>       backend_rise: 1                   # quick rise and fall time for multinode deployment to succeed
>       backend_fall: 2
>       haproxy_bind:
>         - 127.0.0.1                     # bind to 127.0.0.1 as the local internal address will be used by certbot
>       haproxy_port: 8888                # certbot is configured with http-01-port to be 8888
>       haproxy_balance_type: http
> ==================================================================================
>
> Yet, Horizon config for HAproxy is already defined in the default vars
> (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml)
> and we don’t know where to add the required ACL to redirect the
> traffic from port 80 to 8888:
>
> ====================================
> haproxy_frontend_acls:        # use a frontend ACL specify the backend to use for acme-challenge
>   letsencrypt-acl:
>     rule: "path_beg /.well-known/acme-challenge/"
>     backend_name: letsencrypt
> ====================================
>
> We know that this is fixed in OpenStack Ansible Victoria. Is it
> possible with Ussuri tho ?
>
> Many thanks,
> Best,
> Marc-Antoine Godde
>
>
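
A consistency check for the configuration discussed in this thread, as an added example that is not part of either message or of openstack-ansible: it confirms that the horizon entry carries the acme-challenge ACL, that the ACL's backend exists in haproxy_extra_services, and that certbot's --http-01-port matches that backend's port. The function names, the dict layout (the merged variables as a YAML loader would return them) and the sample values are assumptions.

```python
import re
ACME_RULE = "path_beg /.well-known/acme-challenge/"

# Constructed sample: merged variables as a YAML loader would return them, with
# horizon trimmed to the keys read here and 192.0.2.10 for {{ ansible_host }}.
SAMPLE = {
    "haproxy_ssl_letsencrypt_enable": True,
    "haproxy_ssl_letsencrypt_setup_extra_params":
        "--http-01-address 192.0.2.10 --http-01-port 8888",
    "haproxy_default_services": [{"service": {
        "haproxy_service_name": "horizon",
        "haproxy_frontend_acls": {"letsencrypt-acl": {
            "rule": "path_beg /.well-known/acme-challenge/",
            "backend_name": "letsencrypt"}}}}],
    "haproxy_extra_services": [{"service": {
        "haproxy_service_name": "letsencrypt", "haproxy_port": 8888}}],
}

def named(services, name):  # find a '- service:' entry by haproxy_service_name
    return next((s["service"] for s in services
                 if s["service"].get("haproxy_service_name") == name), None)

def check_letsencrypt_wiring(cfg):
    """Return a list of problems; an empty list means the pieces line up."""
    horizon = named(cfg.get("haproxy_default_services", []), "horizon")
    if horizon is None:
        return ["no horizon entry in haproxy_default_services"]
    acme = [a for a in horizon.get("haproxy_frontend_acls", {}).values()
            if a.get("rule", "").strip() == ACME_RULE]
    if not acme:
        return [f"horizon has no ACL with rule '{ACME_RULE}'"]
    target = acme[0].get("backend_name")
    backend = named(cfg.get("haproxy_extra_services", []), target)
    if backend is None:
        return [f"ACL backend '{target}' is not in haproxy_extra_services"]
    problems = []
    # certbot must listen on the port the HAProxy backend forwards to
    port = backend.get("haproxy_port")
    m = re.search(r"--http-01-port\s+(\d+)",
                  cfg.get("haproxy_ssl_letsencrypt_setup_extra_params", ""))
    if not m:
        problems.append("--http-01-port missing from setup_extra_params")
    elif m.group(1) != str(port):
        problems.append(f"certbot port {m.group(1)} != backend haproxy_port {port}")
    if not cfg.get("haproxy_ssl_letsencrypt_enable"):
        problems.append("haproxy_ssl_letsencrypt_enable is not true")
    return problems

if __name__ == "__main__":
    print(check_letsencrypt_wiring(SAMPLE) or "ok")
```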