From 55185861c877f56edb7ef561b7e5b00d07eeae6f Mon Sep 17 00:00:00 2001
From: David Kirwan
Date: Thu, 12 Aug 2021 10:57:43 +0900
Subject: [PATCH] metrics-for-apps: - Updating apache proxy config to handle ocp4 CA cert - place ocp4 CA cert on proxies - add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan
---
 playbooks/include/proxies-reverseproxy.yml | 2 ++
 roles/haproxy/files/ocp-stg-iad2.pem | 25 +++++++++++++++++++
 roles/haproxy/tasks/main.yml | 1 +
 .../templates/reversepassproxy.conf | 6 +++++
 4 files changed, 34 insertions(+)
 create mode 100644 roles/haproxy/files/ocp-stg-iad2.pem
diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index be3cb8629f..fdc6ac25c1 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -627,6 +627,7 @@
 destname: ocp
 balancer_name: ocp
 targettype: openshift
+ ocp4: true
 balancer_members: "{{ ocp_masters }}"
 keephost: true
 tags:
@@ -638,6 +639,7 @@
 destname: apps.ocp
 balancer_name: apps-ocp
 targettype: openshift
+ ocp4: true
 balancer_members: "{{ ocp_nodes }}"
 keephost: true
 tags:
diff --git a/roles/haproxy/files/ocp-stg-iad2.pem b/roles/haproxy/files/ocp-stg-iad2.pem
new file mode 100644
index 0000000000..f2a4efe6ef
--- /dev/null
+++ b/roles/haproxy/files/ocp-stg-iad2.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIIWzrJtBaToZgwDQYJKoZIhvcNAQELBQAwRDESMBAGA1UE
+CxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2aWNlLW5l
+dHdvcmstc2lnbmVyMB4XDTIxMDgxMTAyNTgwOVoXDTIxMDkxMDAyNTgxMFowFTET
+MBEGA1UEAxMKMTcyLjMwLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAK3O/vnK6Mu2OVWF3H/pfuU36yaSI3fHAe7XzKCGPruH/7FnwurUniIEqUXK
+V2dBCH2pMeHYB5xcPIQ3qFXR6o0YxgrmeWRZcaFAarH/14k/kgX6lHera7rdDNZR
+m9KV2VEn2iedqoll7DnPKU6T260bp/nvJLx55vbjK2StNSLYLHlWlwYQxAb/cJVB
+wJx9CqU++9rcvKA2ROwqcoNaMQ9Ed9utHXAqr1ZoNhtwIqC6HQSio0Kkog28oLa+
+WqkZjEA1dA+ed+tGsWjMtf8nuk2Oedt73kHsnwlZFac/q5h45DjLpOJVfIu8sB8p
+Rijf+9QILURqHsIEBefnWJlFpe0CAwEAAaOCAU8wggFLMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSE
+ONCRMzuEEOCu4WODJnJzZu+QZDAfBgNVHSMEGDAWgBRZJLHFsIk9MDXRuxVF68To
+0EUynzCB1QYDVR0RBIHNMIHKggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1
+bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOCJGt1YmVybmV0ZXMuZGVmYXVsdC5z
+dmMuY2x1c3Rlci5sb2NhbIIJb3BlbnNoaWZ0ghFvcGVuc2hpZnQuZGVmYXVsdIIV
+b3BlbnNoaWZ0LmRlZmF1bHQuc3ZjgiNvcGVuc2hpZnQuZGVmYXVsdC5zdmMuY2x1
+c3Rlci5sb2NhbIIKMTcyLjMwLjAuMYcErB4AATANBgkqhkiG9w0BAQsFAAOCAQEA
+OtxOQDKqF9vzThF3zO+z90iscn3wFqdriUjQrnyRGozFZeHPJo4PBN/4j4Ju/J2N
+aND2qZUdE0APv9VCdJ2xy3gv0GnwPaUT8QLuHbYVxclXM1N6EXTdlG44nKXshY19
+6/hfeVD9Sh4Ey8mx5tE5n6oVPckmKLxVMfa6hK0eDAlXbmqq/f9AzjqVGUEWuTNE
+kdG+9M56ynwjcIJ+Tnjdc7+0bLoNOLFaCulQmTNobqXTw4MlaaebrZ525YR1dgW+
+ltKhX953E5zN59s+TzBLMDmiZnD5BOJXaVTN65t03QFgcpgyMkZI3GLcotivKW3U
+14bRdDdzE4FZQchAwCrbAA==
+-----END CERTIFICATE-----
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 5d0287b51c..666dd958d4 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -37,6 +37,7 @@
 with_items:
 - { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }
 - { file: "os-master.{{env}}-iad2.pem", dest: /etc/haproxy/os-master.pem }
+ - { file: "ocp.{{env}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env}}.pem" }
 tags:
 - haproxy
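Review bot: The file added here as the "ocp4 CA cert" decodes to an end-entity serving certificate, not a CA: subject CN `172.30.0.1`, issuer `kube-apiserver-service-network-signer`, basicConstraints CA:FALSE, validity 2021-08-11 to 2021-09-10. If it ends up as the trust anchor behind `SSLProxyVerify require`, verification will probably stop working once the cluster rotates this 30-day certificate, and a leaf in the CA file may not be accepted as an anchor in the first place. I would commit the signer (CA) certificate that actually issues what the proxied endpoints present instead. The commit message should also record how the file was extracted and when it expires, so the next rotation is not a surprise.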
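Review bot: The names in the added `with_items` entry do not line up with the other files in this patch. The commit adds `roles/haproxy/files/ocp-stg-iad2.pem`, but the entry looks up `ocp.{{env}}-iad2.pem`. The reversepassproxy.conf hunk compares `env` with `"staging"` and `"production"`, so the destination would render as `/etc/haproxy/ocp-staging.pem` while Apache is told to read `/etc/haproxy/ocp-stg.pem` or `ocp-prod.pem`, and no production source file is added here. Because the vhost uses `SSLProxyVerify require`, a missing or mismatched CA file should fail closed (config error or failed handshake) rather than weaken verification, but it will break the proxy. I would align all three: name the file after the existing `ipa.{{env}}-iad2.pem` pattern and have the template reference `"/etc/haproxy/ocp-{{env}}.pem"`. The task this list belongs to starts above the hunk.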
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
index 28b72b0473..427d7ed368 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@@ -23,7 +23,13 @@ SSLProxyEngine On
 {% if targettype is defined and targettype == "openshift" %}
 SSLProxyVerify require
 SSLProxyCheckPeerName Off
+ {% if ocp4 and env == "production" %}
+ SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem"
+ {% elif ocp4 and env == "staging" %}
+ SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem"
+ {% else %}
 SSLProxyCACertificateFile "/etc/haproxy/os-master.pem"
+ {% endif %}
 {% endif %}
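Review bot: The added `{% if ocp4 and env == "production" %}` test reads `ocp4` without a default, while this patch sets `ocp4: true` on only two role entries in proxies-reverseproxy.yml. Any other caller with `targettype == "openshift"` reaches the same test, and unless the role declares a default outside this hunk, Ansible will fail templating on the undefined variable. The enclosing condition already guards with `targettype is defined`, so I would do the same here: `{% if ocp4 | default(false) and env == "production" %}` and `{% elif ocp4 | default(false) and env == "staging" %}`. Note also that `SSLProxyCheckPeerName Off` in the context lines leaves the selected CA file as the only check on the backend's identity, so a comment above the branch saying which cluster each file belongs to would help the next reader.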