[openstack-ansible] LetsEncrypt OS Ansible Ussuri

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Tue Feb 22 15:18:08 UTC 2022


Yes, in a standard deployment this would request 3 identical 
certificates which would be inside the rate limit.

This keeps the complexity down and decouples the haproxy nodes from each 
other during the deployment. The compromise is requesting a fresh 
certificate per haproxy instance.

In some situations it might be possible to add a haproxy instance 
specific additional domain name to each certificate by passing a 
templated value to haproxy_ssl_letsencrypt_setup_extra_params making 
each certificate unique. openstack-ansible exposes all of these role 
defaults for you to override through user_variables.yml as necessary.

> /
> /
> Does that mean that the deployment is limited to 5 HAProxy nodes? 
> Normally we are safe tho, we have 3.
>
> Concerning, the timeout values, we’ll make sure to check them out. 
> We’ll upgrade to Wallaby or Xena by the end of the year in any case.
>
> Thanks,
> Marc-Antoine
>
>> On 22 Feb 2022 at 10:35, Jonathan Rosser 
>> <jonathan.rosser at rd.bbc.co.uk> wrote:
>>
>> Hi Marc-Antoine,
>>
>> No problem. I would recommend adding --staging to 
>> haproxy_ssl_letsencrypt_setup_extra_params whilst you get the 
>> letsencrypt support working. You will not get a proper certificate 
>> with that flag but it will bypass the letsencrypt rate limit so you 
>> can have as many tests as you need.
>>
>> It would also be worth checking the timeout values on later branches; 
>> Ussuri is now in extended maintenance so it is not receiving backported 
>> bug fixes.
>>
>> See for example 
>> https://github.com/openstack/openstack-ansible/blob/stable/xena/inventory/group_vars/haproxy/haproxy.yml#L248-L258
>>
>> On 21/02/2022 18:51, Marc-Antoine Godde wrote:
>>> Thanks for your huge help. It's exactly what we wanted to try. 
>>> We'll feel more confident.
>>>
>>> Best,
>>> Marc-Antoine
>>>
>>>
>>>
>>>> On 21 Feb 2022 at 18:52, Jonathan Rosser 
>>>> <jonathan.rosser at rd.bbc.co.uk> wrote:
>>>>
>>>> Hi Marc-Antoine,
>>>>
>>>> For setting the horizon acl, see 
>>>> https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html
>>>>
>>>> Specifically:
>>>>
>>>> "Copy the whole variable haproxy_default_services from 
>>>> /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml to 
>>>> /etc/openstack_deploy/group_vars/haproxy/haproxy_all.yml and update 
>>>> the section for horizon to include the ACL redirects http-01 
>>>> challenges to the HAProxy letsencrypt backend as follows: ......"
>>>>
>>>> It is correct that this is not necessary in later releases and the 
>>>> letsencrypt support is more straightforward to configure in Victoria.
>>>>
>>>> You can also join #openstack-ansible IRC channel for some real-time 
>>>> help if needed.
>>>>
>>>> Jonathan.
>>>>
>>>> On 21/02/2022 17:25, Marc-Antoine Godde wrote:
>>>>> Hello,
>>>>>
>>>>> I have a question on how to set up LetsEncrypt with OpenStack 
>>>>> Ansible. We are still on OpenStack Ussuri.
>>>>>
>>>>> We added the following variables to user_variables.yml.
>>>>>
>>>>> ==================================================================================
>>>>> haproxy_ssl_letsencrypt_enable: True
>>>>> haproxy_ssl_letsencrypt_install_method: "distro"
>>>>> haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"
>>>>> haproxy_ssl_letsencrypt_email: email at example.com
>>>>> haproxy_interval: 2000
>>>>>
>>>>> haproxy_extra_services:
>>>>>   # an internal only service for acme-challenge whose backend is certbot on the haproxy host
>>>>>   - service:
>>>>>       haproxy_service_name: letsencrypt
>>>>>       haproxy_backend_nodes:
>>>>>         - name: localhost
>>>>>           ip_addr: "{{ ansible_host }}"    # certbot binds to the internal IP (Jinja value must be quoted for YAML)
>>>>>       backend_rise: 1  # quick rise and fall time for multinode deployment to succeed
>>>>>       backend_fall: 2
>>>>>       haproxy_bind:
>>>>>         - 127.0.0.1  # bind to 127.0.0.1 as the local internal address will be used by certbot
>>>>>       haproxy_port: 8888  # certbot is configured with http-01-port to be 8888
>>>>>       haproxy_balance_type: http
>>>>> ==================================================================================
>>>>>
>>>>> Yet, Horizon config for HAProxy is already defined in the default 
>>>>> vars 
>>>>> (https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/haproxy/haproxy.yml) 
>>>>> and we don't know where to add the required ACL to redirect the 
>>>>> traffic from port 80 to 8888:
>>>>>
>>>>> ====================================
>>>>> haproxy_frontend_acls:  # use a frontend ACL to specify the backend to use for acme-challenge
>>>>>   letsencrypt-acl:
>>>>>     rule: "path_beg /.well-known/acme-challenge/"
>>>>>     backend_name: letsencrypt
>>>>> ====================================
>>>>>
>>>>> We know that this is fixed in OpenStack Ansible Victoria. Is it 
>>>>> possible with Ussuri tho?
>>>>>
>>>>> Many thanks,
>>>>> Best,
>>>>> Marc-Antoine Godde
>>>>>
>>>>>
>>>
>
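An added example for this archive page (not code from the thread participants or from openstack-ansible) modelling the rate-limit point above: each haproxy node requests its own certificate, and Let's Encrypt's duplicate-certificate limit counts issuances of exactly the same name set. It assumes the published production limit of 5 identical certificates per rolling week, constructed host names, IPs and VIP FQDN, and a hypothetical per-host extra name passed with certbot's real `-d` flag (which would also need DNS and the acme-challenge ACL to validate). Runs of `--staging` are modelled as not consuming production quota, since the staging endpoint has its own limits.

```python
from datetime import datetime, timedelta

# Constructed inventory: three haproxy hosts, as in the thread.
HAPROXY_HOSTS = {
    "haproxy1": "172.29.236.11",
    "haproxy2": "172.29.236.12",
    "haproxy3": "172.29.236.13",
}
EXTERNAL_VIP_FQDN = "cloud.example.com"   # constructed external VIP name
HTTP01_PORT = 8888                        # the http-01 port used in the thread
DUPLICATE_CERT_LIMIT = 5                  # assumption: Let's Encrypt production duplicate-certificate limit
WINDOW = timedelta(days=7)                # ...per rolling week
NOW = datetime(2022, 2, 22, 15, 18)       # fixed "current time" (the thread's date)


def setup_extra_params(host, ip, unique_per_host=False, staging=False):
    """Render one host's haproxy_ssl_letsencrypt_setup_extra_params value.

    With unique_per_host, the hypothetical name <host>.<vip fqdn> is added via
    certbot's -d flag so that every haproxy node asks for a distinct name set.
    """
    parts = [f"--http-01-address {ip}", f"--http-01-port {HTTP01_PORT}"]
    if unique_per_host:
        parts.append(f"-d {host}.{EXTERNAL_VIP_FQDN}")
    if staging:
        parts.append("--staging")
    return " ".join(parts)


def requested_names(host, unique_per_host=False):
    """Name set a node requests; identical sets (case-insensitive, order-
    independent) are what the duplicate-certificate limit counts."""
    names = {EXTERNAL_VIP_FQDN.lower()}
    if unique_per_host:
        names.add(f"{host}.{EXTERNAL_VIP_FQDN}".lower())
    return frozenset(names)


def count_duplicates(history, names, now):
    """Production issuances of exactly `names` inside the trailing window.

    history entries are (timestamp, frozenset of names, staging_flag)."""
    return sum(1 for ts, n, staging in history
               if not staging and n == names and now - ts < WINDOW)


def prior_production_runs(count, days_ago=1):
    """Constructed history: `count` earlier production issuances of the plain
    VIP certificate, e.g. from repeated test deployments without --staging."""
    names = frozenset({EXTERNAL_VIP_FQDN.lower()})
    return [(NOW - timedelta(days=days_ago), names, False) for _ in range(count)]


def plan(history, now, unique_per_host=False, staging=False):
    """Simulate one deployment run over all haproxy nodes in inventory order.

    Returns {host: (rendered extra params, allowed_by_limit)} and appends each
    allowed issuance to `history`, so later nodes see earlier ones."""
    result = {}
    for host, ip in HAPROXY_HOSTS.items():
        names = requested_names(host, unique_per_host)
        params = setup_extra_params(host, ip, unique_per_host, staging)
        if staging:
            allowed = True   # staging never consumes production quota
        else:
            allowed = count_duplicates(history, names, now) < DUPLICATE_CERT_LIMIT
        if allowed:
            history.append((now, names, staging))
        result[host] = (params, allowed)
    return result


if __name__ == "__main__":
    for label, kwargs, hist in [
        ("fresh deployment", {}, []),
        ("after 3 production test runs", {}, prior_production_runs(3)),
        ("same, unique name per host", {"unique_per_host": True}, prior_production_runs(3)),
        ("same, --staging", {"staging": True}, prior_production_runs(3)),
    ]:
        print(label)
        for host, (params, ok) in plan(hist, NOW, **kwargs).items():
            print(f"  {host}: {'ok' if ok else 'RATE LIMITED'}  {params}")
```

The second scenario is the one the `--staging` advice guards against: three earlier production attempts plus a three-node deployment is six identical requests in one week, so the third haproxy node is refused. Making the name set unique per host, or testing against staging, keeps every node inside the limit.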