Use a TCP proxy in GCE rather than an SSL proxy

One less intermediary
openshift · Aug 17, 2017 · d27a5ae · d27a5ae
1 parent b0f9c44
commit d27a5ae
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 25 deletions.
diff --git a/playbooks/roles/deprovision/templates/deprovision.j2.sh b/playbooks/roles/deprovision/templates/deprovision.j2.sh
@@ -104,8 +104,7 @@ teardown "{{ provision_prefix }}master-network-lb-ip" compute addresses --region
 (
 # Master SSL network rules
 teardown "{{ provision_prefix }}master-ssl-lb-rule" compute forwarding-rules --global
-teardown "{{ provision_prefix }}master-ssl-lb-target" compute target-ssl-proxies
-teardown "{{ provision_prefix }}master-ssl-lb-cert" compute ssl-certificates
+teardown "{{ provision_prefix }}master-ssl-lb-target" compute target-tcp-proxies
 teardown "{{ provision_prefix }}master-ssl-lb-ip" compute addresses --global
 teardown "{{ provision_prefix }}master-ssl-lb-backend" compute backend-services --global
 teardown "{{ provision_prefix }}master-ssl-lb-health-check" compute health-checks

diff --git a/playbooks/roles/provision/templates/provision.j2.sh b/playbooks/roles/provision/templates/provision.j2.sh
@@ -218,45 +218,27 @@ fi
 
 # Master backend service
 if ! gcloud --project "{{ gce_project_id }}" compute backend-services describe "{{ provision_prefix }}master-ssl-lb-backend" --global &>/dev/null; then
-    gcloud --project "{{ gce_project_id }}" compute backend-services create "{{ provision_prefix }}master-ssl-lb-backend" --health-checks "{{ provision_prefix }}master-ssl-lb-health-check" --port-name "{{ provision_prefix }}-port-name-master" --protocol "SSL" --global --timeout="{{ provision_gce_master_https_timeout | default('2m') }}"
+    gcloud --project "{{ gce_project_id }}" compute backend-services create "{{ provision_prefix }}master-ssl-lb-backend" --health-checks "{{ provision_prefix }}master-ssl-lb-health-check" --port-name "{{ provision_prefix }}-port-name-master" --protocol "TCP" --global --timeout="{{ provision_gce_master_https_timeout | default('2m') }}"
     gcloud --project "{{ gce_project_id }}" compute backend-services add-backend "{{ provision_prefix }}master-ssl-lb-backend" --instance-group "{{ provision_prefix }}ig-m" --global --instance-group-zone "{{ gce_zone_name }}"
 else
     echo "Backend service '{{ provision_prefix }}master-ssl-lb-backend' already exists"
 fi
 ) &
 
-# Master Certificate
-( if ! gcloud --project "{{ gce_project_id }}" compute ssl-certificates describe "{{ provision_prefix }}master-ssl-lb-cert" &>/dev/null; then
-    if [ -z "{{ provision_master_https_key_file }}" ] || [ -z "{{ provision_master_https_cert_file }}" ]; then
-        KEY='/tmp/ocp-ssl.key'
-        CERT='/tmp/ocp-ssl.crt'
-        openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/C=US/L=Raleigh/O={{ public_hosted_zone }}/CN={{ openshift_master_cluster_public_hostname }}" -keyout "$KEY" -out "$CERT"
-    else
-        KEY="{{ provision_master_https_key_file }}"
-        CERT="{{ provision_master_https_cert_file }}"
-    fi
-    gcloud --project "{{ gce_project_id }}" compute ssl-certificates create "{{ provision_prefix }}master-ssl-lb-cert" --private-key "$KEY" --certificate "$CERT"
-    if [ -z "{{ provision_master_https_key_file }}" ] || [ -z "{{ provision_master_https_cert_file }}" ]; then
-        rm -fv "$KEY" "$CERT"
-    fi
-else
-    echo "Certificate '{{ provision_prefix }}master-ssl-lb-cert' already exists"
-fi ) &
-
 for i in `jobs -p`; do wait $i; done
 
 (
-# Master ssl proxy target
-if ! gcloud --project "{{ gce_project_id }}" compute target-ssl-proxies describe "{{ provision_prefix }}master-ssl-lb-target" &>/dev/null; then
-    gcloud --project "{{ gce_project_id }}" compute target-ssl-proxies create "{{ provision_prefix }}master-ssl-lb-target" --backend-service "{{ provision_prefix }}master-ssl-lb-backend" --ssl-certificate "{{ provision_prefix }}master-ssl-lb-cert"
+# Master tcp proxy target
+if ! gcloud --project "{{ gce_project_id }}" compute target-tcp-proxies describe "{{ provision_prefix }}master-ssl-lb-target" &>/dev/null; then
+    gcloud --project "{{ gce_project_id }}" compute target-tcp-proxies create "{{ provision_prefix }}master-ssl-lb-target" --backend-service "{{ provision_prefix }}master-ssl-lb-backend"
 else
     echo "Proxy target '{{ provision_prefix }}master-ssl-lb-target' already exists"
 fi
 
 # Master forwarding rule
 if ! gcloud --project "{{ gce_project_id }}" compute forwarding-rules describe "{{ provision_prefix }}master-ssl-lb-rule" --global &>/dev/null; then
     IP=$(gcloud --project "{{ gce_project_id }}" compute addresses describe "{{ provision_prefix }}master-ssl-lb-ip" --global --format='value(address)')
-    gcloud --project "{{ gce_project_id }}" compute forwarding-rules create "{{ provision_prefix }}master-ssl-lb-rule" --address "$IP" --global --ports "{{ console_port }}" --target-ssl-proxy "{{ provision_prefix }}master-ssl-lb-target"
+    gcloud --project "{{ gce_project_id }}" compute forwarding-rules create "{{ provision_prefix }}master-ssl-lb-rule" --address "$IP" --global --ports "{{ console_port }}" --target-tcp-proxy "{{ provision_prefix }}master-ssl-lb-target"
 else
     echo "Forwarding rule '{{ provision_prefix }}master-ssl-lb-rule' already exists"
 fi