Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

metrics-for-apps:

Browse source 
- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files

Signed-off-by: David Kirwan <dkirwan@redhat.com>
This commit is contained in:
David Kirwan 2021-08-12 10:57:43 +09:00 committed by kevin
parent bd0683a453
commit 55185861c8
4 changed files with 34 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
playbooks/include/proxies-reverseproxy.yml
View file

@ -627,6 +627,7 @@
destname: ocp destname: ocp
balancer_name: ocp balancer_name: ocp
targettype: openshift targettype: openshift
ocp4: true
balancer_members: "{{ ocp_masters }}" balancer_members: "{{ ocp_masters }}"
keephost: true keephost: true
tags: tags:
@ -638,6 +639,7 @@
destname: apps.ocp destname: apps.ocp
balancer_name: apps-ocp balancer_name: apps-ocp
targettype: openshift targettype: openshift
ocp4: true
balancer_members: "{{ ocp_nodes }}" balancer_members: "{{ ocp_nodes }}"
keephost: true keephost: true
tags: tags:

25
roles/haproxy/files/ocp-stg-iad2.pem Normal file
View file

@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIELDCCAxSgAwIBAgIIWzrJtBaToZgwDQYJKoZIhvcNAQELBQAwRDESMBAGA1UE
CxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2aWNlLW5l
dHdvcmstc2lnbmVyMB4XDTIxMDgxMTAyNTgwOVoXDTIxMDkxMDAyNTgxMFowFTET
MBEGA1UEAxMKMTcyLjMwLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAK3O/vnK6Mu2OVWF3H/pfuU36yaSI3fHAe7XzKCGPruH/7FnwurUniIEqUXK
V2dBCH2pMeHYB5xcPIQ3qFXR6o0YxgrmeWRZcaFAarH/14k/kgX6lHera7rdDNZR
m9KV2VEn2iedqoll7DnPKU6T260bp/nvJLx55vbjK2StNSLYLHlWlwYQxAb/cJVB
wJx9CqU++9rcvKA2ROwqcoNaMQ9Ed9utHXAqr1ZoNhtwIqC6HQSio0Kkog28oLa+
WqkZjEA1dA+ed+tGsWjMtf8nuk2Oedt73kHsnwlZFac/q5h45DjLpOJVfIu8sB8p
Rijf+9QILURqHsIEBefnWJlFpe0CAwEAAaOCAU8wggFLMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSE
ONCRMzuEEOCu4WODJnJzZu+QZDAfBgNVHSMEGDAWgBRZJLHFsIk9MDXRuxVF68To
0EUynzCB1QYDVR0RBIHNMIHKggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1
bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOCJGt1YmVybmV0ZXMuZGVmYXVsdC5z
dmMuY2x1c3Rlci5sb2NhbIIJb3BlbnNoaWZ0ghFvcGVuc2hpZnQuZGVmYXVsdIIV
b3BlbnNoaWZ0LmRlZmF1bHQuc3ZjgiNvcGVuc2hpZnQuZGVmYXVsdC5zdmMuY2x1
c3Rlci5sb2NhbIIKMTcyLjMwLjAuMYcErB4AATANBgkqhkiG9w0BAQsFAAOCAQEA
OtxOQDKqF9vzThF3zO+z90iscn3wFqdriUjQrnyRGozFZeHPJo4PBN/4j4Ju/J2N
aND2qZUdE0APv9VCdJ2xy3gv0GnwPaUT8QLuHbYVxclXM1N6EXTdlG44nKXshY19
6/hfeVD9Sh4Ey8mx5tE5n6oVPckmKLxVMfa6hK0eDAlXbmqq/f9AzjqVGUEWuTNE
kdG+9M56ynwjcIJ+Tnjdc7+0bLoNOLFaCulQmTNobqXTw4MlaaebrZ525YR1dgW+
ltKhX953E5zN59s+TzBLMDmiZnD5BOJXaVTN65t03QFgcpgyMkZI3GLcotivKW3U
14bRdDdzE4FZQchAwCrbAA==
-----END CERTIFICATE-----

1
roles/haproxy/tasks/main.yml
View file

@ -37,6 +37,7 @@
with_items: with_items:
- { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem } - { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }
- { file: "os-master.{{env}}-iad2.pem", dest: /etc/haproxy/os-master.pem } - { file: "os-master.{{env}}-iad2.pem", dest: /etc/haproxy/os-master.pem }
- { file: "ocp.{{env}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env}}.pem" }
tags: tags:
- haproxy - haproxy

6
roles/httpd/reverseproxy/templates/reversepassproxy.conf
View file

@ -23,7 +23,13 @@ SSLProxyEngine On
{% if targettype is defined and targettype == "openshift" %} {% if targettype is defined and targettype == "openshift" %}
SSLProxyVerify require SSLProxyVerify require
SSLProxyCheckPeerName Off SSLProxyCheckPeerName Off
{% if ocp4 and env == "production" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem"
{% elif ocp4 and env == "staging" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem"
{% else %}
SSLProxyCACertificateFile "/etc/haproxy/os-master.pem" SSLProxyCACertificateFile "/etc/haproxy/os-master.pem"
{% endif %}
{% endif %} {% endif %}
<Proxy "balancer://{{balancer_name}}-websocket"> <Proxy "balancer://{{balancer_name}}-websocket">