Allow admin access for HAProxy socket

Bug #1716692 reported by Cédric Jeanneret deactivated
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Medium | Cédric Jeanneret deactivated |

Bug Description

Dear Stackers,

In order to get a working Let's Encrypt web validation, I need to be able to disable backends in the HAProxy service so that only the one doing the request is enabled. This would allow the proof to be accessible.

The best way to do that is to send commands to the HAProxy socket.

After a quick check, it seems the puppet-tripleo module manages haproxy configuration, at least regarding the socket:
https://github.com/openstack/puppet-tripleo/blob/master/manifests/haproxy.pp#L802

That line enforces limited access to the socket (level user) - that level isn't sufficient for sending commands to HAProxy, and must be set to "admin".

Now, I understand that usage is an "advanced" one, and that "admin" access level shouldn't be "by default".
Hence, a new class parameter might be created, something like tripleo::haproxy::haproxy_socket_access_level, with a default to "user".

Would you consider a PR against that project for such a feature? If so, could you link me some doc so that I can make the PR on gerrit?

Thank you :)

Cheers,

C
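
An added example, not part of the bug report or of puppet-tripleo: a small Python check that lists the `stats socket` lines in an haproxy.cfg and flags admin-level sockets whose file mode is missing or world-writable. The sample configuration, the socket paths and the flagging policy are assumptions made for illustration.

```python
import shlex

# Constructed sample haproxy.cfg; paths and modes are illustrative only.
SAMPLE_CFG = """\
global
    daemon
    stats socket /var/lib/haproxy/stats mode 600 level user
    stats socket /run/haproxy-admin.sock mode 666 level admin
    stats socket /run/haproxy-acme.sock level admin  # no mode given
    stats socket /run/haproxy-op.sock mode 660

defaults
    mode http
"""

def parse_stats_sockets(cfg_text):
    """Return one dict (path, level, mode) per 'stats socket' line."""
    sockets = []
    for raw in cfg_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 3 or tokens[:2] != ["stats", "socket"]:
            continue
        # HAProxy uses "operator" when no level keyword is present.
        entry = {"path": tokens[2], "level": "operator", "mode": None}
        opts = tokens[3:]
        for key, value in zip(opts, opts[1:]):
            if key in ("level", "mode"):
                entry[key] = value
        sockets.append(entry)
    return sockets

def audit(cfg_text):
    """Flag admin-level sockets with a missing or world-writable mode.

    Assumed policy: connecting to a UNIX socket needs write permission,
    so an "other" write bit exposes admin commands to every local user.
    """
    findings = []
    for sock in parse_stats_sockets(cfg_text):
        if sock["level"] != "admin":
            continue
        if sock["mode"] is None:
            findings.append((sock["path"], "admin level, no explicit mode"))
        elif int(sock["mode"], 8) & 0o002:
            findings.append((sock["path"], "admin level, world-writable"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CFG):
        print(f"{path}: {reason}")
```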

Steven Hardy (shardy)
Changed in tripleo:
milestone: none → queens-1
importance: Undecided → Medium
status: New → Triaged
Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanneret-c2c)
status: Triaged → New
Changed in tripleo:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/503029

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/503029
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=33479418eec7c1a18d57d755be47eca800b918a6
Submitter: Jenkins
Branch: master

commit 33479418eec7c1a18d57d755be47eca800b918a6
Author: Cédric Jeanneret <email address hidden>
Date: Tue Sep 12 17:01:29 2017 +0200

    Added new parameter for HAProxy configuration

    This allows setting the socket access level to admin instead of the default
    "user".
    This "admin" access adds the capability to interact with HAProxy in
    order to manage its configuration, at least temporarily.

    This change keeps the default "user" access level, as "admin" might
    break things if misused.

    Change-Id: I1a4612b9f8aacc410b48a04dac3bf300bbb0e08e
    Closes-bug: #1716692

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/504159

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/504159
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=4e484c40918f79686585aa0ad6c6d0a3b2b5482d
Submitter: Jenkins
Branch: stable/pike

commit 4e484c40918f79686585aa0ad6c6d0a3b2b5482d
Author: Cédric Jeanneret <email address hidden>
Date: Tue Sep 12 17:01:29 2017 +0200

    Added new parameter for HAProxy configuration

    This allows setting the socket access level to admin instead of the default
    "user".
    This "admin" access adds the capability to interact with HAProxy in
    order to manage its configuration, at least temporarily.

    This change keeps the default "user" access level, as "admin" might
    break things if misused.

    Change-Id: I1a4612b9f8aacc410b48a04dac3bf300bbb0e08e
    Closes-bug: #1716692
    (cherry picked from commit 33479418eec7c1a18d57d755be47eca800b918a6)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.1

This issue was fixed in the openstack/puppet-tripleo 7.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.0.0

This issue was fixed in the openstack/puppet-tripleo 8.0.0 release.

This report contains Public information  
Everyone can see this information.
