From 3ffd179216bd07ca35ca775876f0e8af7114b40a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 28 Sep 2018 18:46:08 +0200 Subject: [PATCH] Simplify reverseproxy for openshift and setup SSL config for it Signed-off-by: Patrick Uiterwijk --- playbooks/include/proxies-reverseproxy.yml | 19 ++++++++++--------- roles/httpd/reverseproxy/tasks/main.yml | 5 +++++ .../templates/reversepassproxy.conf | 6 ++++++ 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml index 8155509daa..2033399a9a 100644 --- a/playbooks/include/proxies-reverseproxy.yml +++ b/playbooks/include/proxies-reverseproxy.yml @@ -281,7 +281,7 @@ website: bodhi.fedoraproject.org destname: bodhi balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: bodhi @@ -313,7 +313,7 @@ website: koschei.fedoraproject.org destname: koschei balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: koschei @@ -661,6 +661,7 @@ website: "os{{ env_suffix }}.fedoraproject.org" destname: os balancer_name: os + targettype: openshift balancer_members: "{{ openshift_masters }}" keephost: true tags: @@ -670,7 +671,7 @@ website: "app.os{{ env_suffix }}.fedoraproject.org" destname: app.os balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: - app.os.fedoraproject.org @@ -693,7 +694,7 @@ website: greenwave.fedoraproject.org destname: greenwave balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: greenwave @@ -701,7 +702,7 @@ website: waiverdb.fedoraproject.org destname: waiverdb balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: waiverdb 
@@ -709,7 +710,7 @@ website: coreos.fedoraproject.org destname: coreos balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: coreos @@ -717,7 +718,7 @@ website: silverblue.fedoraproject.org destname: silverblue balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: silverblue @@ -725,7 +726,7 @@ website: stg.release-monitoring.org destname: stg.release-monitoring balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: release-montoring.org when: env == "staging" @@ -734,7 +735,7 @@ website: fpdc.fedoraproject.org destname: fpdc balancer_name: app-os - balancer_members: "{{ openshift_nodes }}" + targettype: openshift keephost: true tags: fpdc diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml index f9d37a645a..b95649ade3 100644 --- a/roles/httpd/reverseproxy/tasks/main.yml +++ b/roles/httpd/reverseproxy/tasks/main.yml @@ -6,6 +6,11 @@ # - rewrite # - keephost +- name: Set OpenShift information if not preconfigured + set_fact: + balancer_members: "{{ openshift_nodes }}" + when: targettype == "openshift" and not defined balancer_members + - name: Copy in ProxyPassReverse for {{destname}} ({{website}}{{remotepath}}) template: > src={{item}} diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf index 06f913720f..8c4b47552d 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf 
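Review bot: The `when:` on the new "Set OpenShift information if not preconfigured" task in roles/httpd/reverseproxy/tasks/main.yml looks broken in two ways. `not defined balancer_members` is not valid Jinja2 test syntax, and `targettype` is referenced with no `is defined` guard, so any invocation of the role that does not pass `targettype` would most likely fail on this conditional rather than skip it. The template hunk in this commit already guards with `targettype is defined and ...`; the task should match, e.g. `when: targettype is defined and targettype == "openshift" and balancer_members is not defined`. Since `set_fact` stores `balancer_members` as a host-level fact, it is also worth confirming that a later non-OpenShift use of the role on the same host which omits `balancer_members` cannot silently inherit the OpenShift node list.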
@@ -20,6 +20,12 @@ ProxyPreserveHost On {% if balancer_name is defined %} SSLProxyEngine On +{% if targettype is defined and targettype == "openshift" %} + SSLProxyVerify require + SSLProxyCheckPeerName Off + SSLProxyCACertificateFile "/etc/haproxy/os-master.pem" +{% endif %} + {% for member in balancer_members %} BalancerMember "wss://{{ member }}"
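Review bot: `SSLProxyCheckPeerName Off` in the new OpenShift block leaves the backend certificate's hostname unchecked. With `SSLProxyVerify require`, the proxy therefore accepts any certificate that chains to `/etc/haproxy/os-master.pem` for every `BalancerMember`, whichever host it was issued to. If the OpenShift certificates carry names matching the balancer members, `SSLProxyCheckPeerName On` would close that gap; if they cannot, a comment such as `# Peer name check off: backend certs do not carry the balancer member hostnames` above the directive would record why. The same CA file is applied to both the masters-backed and nodes-backed balancers, and the hunk does not show whether the node certificates chain to it, so that is worth confirming. The enclosing `{% if balancer_name is defined %}` and `{% for member in balancer_members %}` blocks continue outside the hunk.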