From 6fb47e2193d912f85c977923ba0e06aea9d6c689 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Wed, 26 Jun 2024 09:58:16 +0200
Subject: [PATCH] Add internal VIP address to no_proxy

Change-Id: I7a9aa9abf611cdaa47cc91f40a6753f23a7f187e
Closes-Bug: #2087556
---
 ansible/inventory/group_vars/all/proxy          |  1 +
 etc/kayobe/proxy.yml                            |  5 +++--
 ...ternal-vip-to-no-proxy-cbb4db4ea3909185.yaml | 17 +++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml

diff --git a/ansible/inventory/group_vars/all/proxy b/ansible/inventory/group_vars/all/proxy
index eb791bbe..2941e339 100644
--- a/ansible/inventory/group_vars/all/proxy
+++ b/ansible/inventory/group_vars/all/proxy
@@ -19,3 +19,4 @@ no_proxy:
   - "127.0.0.1"
   - "localhost"
   - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
+  - "{{ kolla_internal_vip_address }}"
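Review bot: The new entry covers only the literal VIP address, so API requests addressed to the internal FQDN (`kolla_internal_fqdn`, where a deployment sets it to a name rather than the address) would still be routed through the proxy, which is the same interception exposure the release note in this patch describes. Consider a parallel entry, `- "{{ kolla_internal_fqdn | default('') }}"`, so both forms bypass the proxy. The `docker_registry` entry just above guards against an unset value with a conditional while the new line does not; if `kolla_internal_vip_address` can be undefined on any host group that renders this list, `"{{ kolla_internal_vip_address | default('') }}"` would keep the template from failing — I cannot tell from the hunk whether it is always defined. The `no_proxy` list starts above the hunk.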
diff --git a/etc/kayobe/proxy.yml b/etc/kayobe/proxy.yml
index 714b9dae..d7df51e5 100644
--- a/etc/kayobe/proxy.yml
+++ b/etc/kayobe/proxy.yml
@@ -12,8 +12,9 @@
 
 # List of domains, hostnames, IP addresses and networks for which no proxy is
 # used. Defaults to ["127.0.0.1", "localhost", "{{ ('http://' ~
-# docker_registry) | urlsplit('hostname') }}"] if docker_registry is set, or
-# ["127.0.0.1", "localhost"] otherwise. This is configured only if either
+# docker_registry) | urlsplit('hostname') }}","{{ kolla_internal_vip_address
+# }}"] if docker_registry is set, or ["127.0.0.1", "localhost","{{
+# kolla_internal_vip_address }}"] otherwise. This is configured only if either
 # http_proxy or https_proxy is set.
 #no_proxy:
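Review bot: The expanded default in the comment splits a Jinja expression across two comment lines (`{{ kolla_internal_vip_address` on one line, `}}` on the next) and drops the space after each comma, which makes the documented default hard to read and impossible to copy as-is. Describing the default in prose would avoid reproducing the template text: `# used. Defaults to 127.0.0.1, localhost, the internal VIP address` / `# (kolla_internal_vip_address) and, if docker_registry is set, the registry` / `# hostname. This is configured only if either http_proxy or https_proxy is set.`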
 
diff --git a/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml b/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml
new file mode 100644
index 00000000..d03f9f5d
--- /dev/null
+++ b/releasenotes/notes/adds-internal-vip-to-no-proxy-cbb4db4ea3909185.yaml
@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Adds the internal VIP to the NOPROXY/noproxy environment variables.
+security:
+  - |
+    When running API requests from a host configured with kayobe, traffic
+    destined for the internal VIP is sent via the default proxy. This can be a
+    security issue if not using TLS as the proxy will be able to intercept the
+    traffic. If using an untrusted proxy, with TLS disabled on the internal
+    VIP, it is recommended that you run ``kayobe overcloud host configure -t
+    proxy``, ``kayobe seed hypervisor host configure -t proxy``, ``kayobe seed
+    host configure -t proxy``, and ``kayobe infra vm host configure -t proxy``,
+    to add the internal VIP to the no proxy configuration. This is considered a
+    minor issue as traffic between containers will not use the proxy by
+    default.
+    `LP#2087556 <https://launchpad.net/bugs/2087556>`__
-- 
GitLab