From 72a0ad6d190ffb775ddccd3c26aa8bb72d088c2a Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 5 Jul 2022 16:13:47 +1000
Subject: [PATCH] gitea-lb: test ssl connections during testing too
To make testing more like production, copy the OpenDev CA into the haproxy container configuration directory during Zuul runs. We then update the testing configuration to use SSL checking like production does with this cert.
Change-Id: I1292bc1aa4948c8120dada0f0fd7dfc7ca619afd
---
 playbooks/roles/haproxy/tasks/main.yaml | 13 +++++++++++++
 .../zuul/templates/group_vars/gitea-lb.yaml.j2 | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/playbooks/roles/haproxy/tasks/main.yaml b/playbooks/roles/haproxy/tasks/main.yaml
index 5cfce31519..654b205d0a 100644
--- a/playbooks/roles/haproxy/tasks/main.yaml
+++ b/playbooks/roles/haproxy/tasks/main.yaml
@@ -27,6 +27,19 @@
 mode: 0644
 notify: Reload haproxy
 
+# Copy in testing CA so the container can see it. When running under
+# Zuul this CA is created by the test framework. We use it to
+# validate the https check path
+- name: Check for OpenDev Infra CA (test only)
+ stat:
+ path: /etc/opendev-ca/ca.crt
+ register: _opendev_ca_crt
+- name: Copy in OpenDev Infra CA (test only)
+ copy:
+ src: /etc/opendev-ca/ca.crt
+ dest: /var/haproxy/etc/
+ when: _opendev_ca_crt.stat.exists
+
 - name: Ensure docker compose configuration directory
 file:
 path: /etc/haproxy-docker
diff --git a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
index ba08fccaae..04bd4b3a76 100644
--- a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
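Review bot: The copy task's `src: /etc/opendev-ca/ca.crt` is read from the Ansible controller, while the stat guard just above it checks that same path on the managed host, so the two tasks look at different machines unless the CA happens to exist on both; if the CA lives on the host being configured, add `remote_src: true` to the copy task, and if it is only on the controller the stat needs `delegate_to: localhost` instead. Gating a trust-anchor install on the mere presence of a file also means any stray /etc/opendev-ca/ca.crt on a non-test host would be copied into the haproxy configuration directory; a dedicated test-only variable in the `when` would be a tighter guard than file existence. The copied file also gets no explicit `mode`, unlike the template task above it; `mode: "0644"` keeps it readable inside the container and avoids the unquoted octal form used there.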
@@ -12,4 +12,4 @@ gitea_lb_listeners:
 servers:
 - name: "gitea99.opendev.org"
 address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
- check_method: "check check-ssl verify none"
+ check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"
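Review bot: `ca-file` on its own only pins which CA the health check trusts; it does not verify that the presented certificate is for gitea99.opendev.org, because HAProxy checks the hostname only when `verifyhost` or an SNI value (`check-sni`) is given, and whether chain verification is enabled at all depends on the global `ssl-server-verify` setting, which is not visible in this change. To make the test check the same properties production should, state them explicitly: `check_method: "check check-ssl verify required verifyhost gitea99.opendev.org ca-file /usr/local/etc/haproxy/ca.crt"` — assuming the test CA issues the backend certificate with that name. The container path /usr/local/etc/haproxy/ca.crt presumably corresponds to the host-side `dest: /var/haproxy/etc/` used by the copy task in the other file; that mount is not shown here, so a comment next to this line naming the mapping would spare the next reader the guess.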