[openstack-ansible] LetsEncrypt OS Ansible Ussuri
Marc-Antoine Godde
marc-antoine.godde at viarezo.fr
Mon Feb 21 18:51:10 UTC 2022
Thanks for your huge help. It's exactly what we wanted to try. We'll feel more confident.
Best,
Marc-Antoine
> On 21 Feb 2022 at 18:52, Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk> wrote:
>
> Hi Marc-Antoine,
>
> For setting the horizon acl, see https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html
> Specifically:
>
> "Copy the whole variable haproxy_default_services from /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update the section for horizon to include the ACL redirects http-01 challenges to the HAProxy letsencrypt backend as follows: ......"
>
> It is correct that this is not necessary in later releases and the letsencrypt support is more straightforward to configure in Victoria.
>
> You can also join #openstack-ansible IRC channel for some real-time help if needed.
>
> Jonathan.
>
> On 21/02/2022 17:25, Marc-Antoine Godde wrote:
>> Hello,
>>
>> I have a question on how to setup LetsEncrypt with OpenStack Ansible. We are still on OpenStack Ussuri.
>>
>> We added the following variables to user_variables.yml.
>>
>> ==================================================================================
>> haproxy_ssl_letsencrypt_enable: True
>> haproxy_ssl_letsencrypt_install_method: "distro"
>> haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
>> haproxy_ssl_letsencrypt_email: email at example.com
>> haproxy_interval: 2000
>>
>> haproxy_extra_services:
>>   # an internal only service for acme-challenge whose backend is certbot on the haproxy host
>>   - service:
>>       haproxy_service_name: letsencrypt
>>       haproxy_backend_nodes:
>>         - name: localhost
>>           ip_addr: "{{ ansible_host }}"  # certbot binds to the internal IP; the Jinja expression must be quoted to be valid YAML
>>           backend_rise: 1  # quick rise and fall time for multinode deployment to succeed
>>           backend_fall: 2
>>       haproxy_bind:
>>         - 127.0.0.1  # bind to 127.0.0.1 as the local internal address will be used by certbot
>>       haproxy_port: 8888  # certbot is configured with http-01-port to be 8888
>>       haproxy_balance_type: http
>> ==================================================================================
>>
>> Yet, Horizon config for HAProxy is already defined in the default vars (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml) and we don't know where to add the required ACL to redirect the traffic from port 80 to 8888:
>>
>> ====================================
>> haproxy_frontend_acls:  # use a frontend ACL to specify the backend to use for acme-challenge
>>   letsencrypt-acl:
>>     rule: "path_beg /.well-known/acme-challenge/"
>>     backend_name: letsencrypt
>> ====================================
>>
>> We know that this is fixed in OpenStack Ansible Victoria. Is it possible with Ussuri though?
>>
>> Many thanks,
>> Best,
>> Marc-Antoine Godde
>>
>>
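An added illustration of the placement Jonathan describes, not taken from the thread or from the openstack-ansible project: the ACL from the original question nested inside the horizon entry of a copied haproxy_default_services in /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml. The horizon keys other than the ACL are assumed for illustration and should be copied as they appear in the upstream Ussuri file rather than retyped.

```yaml
# /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml  (Ussuri)
# Added example, not the project's own file.
# Ansible replaces this group variable as a whole rather than merging it, so
# the complete list from
# /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml must be
# copied here: an incomplete copy silently drops the frontends of every
# service that is missing from it.
haproxy_default_services:
  # ... every other service copied verbatim from the upstream file ...
  - service:
      haproxy_service_name: horizon
      # The keys below are assumed to resemble the upstream horizon entry;
      # keep whatever your release actually defines here.
      haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
      haproxy_ssl: "{{ haproxy_ssl }}"
      haproxy_port: "{{ haproxy_ssl | ternary(443, 80) }}"
      haproxy_balance_type: http
      # The only addition: on the horizon frontend, send requests whose path
      # begins with the ACME challenge prefix to the letsencrypt backend from
      # haproxy_extra_services. That backend is bound to 127.0.0.1:8888, so
      # only this path prefix reaches certbot; every other request still goes
      # to the horizon backends.
      haproxy_frontend_acls:
        letsencrypt-acl:
          rule: "path_beg /.well-known/acme-challenge/"
          backend_name: letsencrypt
```

After re-running the haproxy playbook, confirm in the generated HAProxy configuration that the horizon frontend carries the use_backend rule for the ACL and that the letsencrypt backend still only binds to 127.0.0.1.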