From 4e07e042b74ba6c97ea921987021cf9030aac0ba Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 26 Jun 2024 09:58:16 +0200 Subject: [PATCH] Add internal VIP address to no_proxy Change-Id: I7a9aa9abf611cdaa47cc91f40a6753f23a7f187e Closes-Bug: #2087556 (cherry picked from commit 6fb47e2193d912f85c977923ba0e06aea9d6c689) --- ansible/inventory/group_vars/all/proxy | 1 + etc/kayobe/proxy.yml | 5 +++-- ...ternal-vip-to-no-proxy-cbb4db4ea3909185.yaml | 17 +++++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml diff --git a/ansible/inventory/group_vars/all/proxy b/ansible/inventory/group_vars/all/proxy index eb791bbef..2941e3398 100644 --- a/ansible/inventory/group_vars/all/proxy +++ b/ansible/inventory/group_vars/all/proxy @@ -19,3 +19,4 @@ no_proxy: - "127.0.0.1" - "localhost" - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}" + - "{{ kolla_internal_vip_address }}" diff --git a/etc/kayobe/proxy.yml b/etc/kayobe/proxy.yml index 714b9dae5..d7df51e52 100644 --- a/etc/kayobe/proxy.yml +++ b/etc/kayobe/proxy.yml @@ -12,8 +12,9 @@ # List of domains, hostnames, IP addresses and networks for which no proxy is # used. Defaults to ["127.0.0.1", "localhost", "{{ ('http://' ~ -# docker_registry) | urlsplit('hostname') }}"] if docker_registry is set, or -# ["127.0.0.1", "localhost"] otherwise. This is configured only if either +# docker_registry) | urlsplit('hostname') }}","{{ kolla_internal_vip_address +# }}"] if docker_registry is set, or ["127.0.0.1", "localhost","{{ +# kolla_internal_vip_address }}"] otherwise. This is configured only if either # http_proxy or https_proxy is set. #no_proxy: diff --git a/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml b/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml new file mode 100644 index 000000000..d03f9f5d1 --- /dev/null +++ b/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml @@ -0,0 +1,17 @@ +--- +features: + - | + Adds the internal VIP to the NOPROXY/noproxy environment variables. +security: + - | + When running API requests from a host configured with kayobe, traffic + destined for the internal VIP is sent via the default proxy. This can be a + security issue if not using TLS as the proxy will be able to intercept the + traffic. If using an untrusted proxy, with TLS disabled on the internal + VIP, it is recommended that you run ``kayobe overcloud host configure -t + proxy``, ``kayobe seed hypervisor host configure -t proxy``, ``kayobe seed + host configure -t proxy``, and ``kayobe infra vm host configure -t proxy``, + to add the internal VIP to the no proxy configuration. This is considered a + minor issue as traffic between containers will not use the proxy by + default. + `LP#2087556 `__