Merge "Fix linters issue and metadata"
11 changed files with 97 additions and 49 deletions
@@ -145,7 +145,8 @@ haproxy_ssl_cert_path: /etc/haproxy/ssl
haproxy_ssl_bind_options:"ssl-min-ver TLSv1.2 prefer-client-ciphers"
haproxy_ssl_server_options:"ssl-min-ver TLSv1.2"
# TLS v1.2 and below
haproxy_ssl_cipher_suite_tls12:"{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
haproxy_ssl_cipher_suite_tls12:>-
{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
# TLS v1.3
haproxy_ssl_cipher_suite_tls13:"{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
@@ -198,7 +199,8 @@ haproxy_pki_install_ca:
haproxy_pki_keys_path:"{{ haproxy_pki_dir ~ '/certs/private/' }}"
haproxy_pki_certs_path:"{{ haproxy_pki_dir ~ '/certs/certs/' }}"
haproxy_pki_intermediate_cert_name:"{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}"
haproxy_pki_intermediate_cert_path:"{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}"
haproxy_pki_intermediate_cert_path:>-
{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}
haproxy_pki_regen_cert:''
haproxy_pki_certificates:"{{ _haproxy_pki_certificates }}"
@@ -255,15 +257,15 @@ haproxy_keepalive_mode: 'httpclose'
haproxy_maxconn:4096
# Parameters below should only be specified if necessary, defaults are programmed in the template
#haproxy_tuning_params:
# nbproc: 1
# tune.bufsize: 384000
# tune.chksize: 16384
# tune.comp_maxlevel: 1
# tune.http_maxhdr: 101
# tune.maxaccept: 64
# tune.ssl_cachesize: 20000
# tune.ssl_lifetime: 300
#haproxy_tuning_params:
# nbproc: 1
# tune.bufsize: 384000
# tune.chksize: 16384
# tune.comp_maxlevel: 1
# tune.http_maxhdr: 101
# tune.maxaccept: 64
# tune.ssl_cachesize: 20000
# tune.ssl_lifetime: 300
haproxy_tuning_params:{}
# Add extra VIPs to all services
@@ -13,9 +13,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:regen pem
shell:>
cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path ~ '-ca.crt' }} && echo {{ item_base_path ~ '-ca.crt' }}) {{ item_base_path ~ '.key' }} > {{ item_base_path ~ '.pem' }}
- name: Regen pem # noqa:no-changed-when
shell:>-
cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path ~ '-ca.crt' }} &&
echo {{ item_base_path ~ '-ca.crt' }}) {{ item_base_path ~ '.key' }} > {{ item_base_path ~ '.pem' }}
notify:Reload haproxy
vars:
item_interface:"{{ item['interface'] | default('') }}"
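Review bot: The rewritten `shell` line still creates `{{ item_base_path ~ '.pem' }}`, which holds the private key, through a plain redirect, so its mode on first creation depends on the shell's umask instead of being pinned the way the letsencrypt `assemble` task in this commit pins `mode: "0640"`. Prefixing the command with `umask 077;` or following the handler with a `file` task that sets owner/group/mode would close that gap. The templated paths are also interpolated unquoted; `{{ (item_base_path ~ '.crt') | quote }}` would keep paths with spaces or shell metacharacters from breaking the command. The handler's `vars` continue past the end of the hunk.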
@@ -25,12 +26,15 @@
listen:
- haproxy cert installed
- name:regenerate maps
- name:Regenerate maps
vars:
all_changed_results:"{{ (map_create.results + map_delete.results) | select('changed') }}"
assemble:
src:"/etc/haproxy/map.conf.d/{{ item }}"
dest:"/etc/haproxy/{{ item }}.map"
mode:"0640"
owner:haproxy
group:haproxy
notify:Reload haproxy
with_items:"{{ all_changed_results | map(attribute='item') | flatten | selectattr('name', 'defined') | map(attribute='name') | unique }}"
@@ -39,6 +43,9 @@
src:"/etc/haproxy/conf.d"
dest:"/etc/haproxy/haproxy.cfg"
validate:/usr/sbin/haproxy -c -f %s
mode:"0640"
owner:haproxy
group:haproxy
notify:Reload haproxy
tags:
- haproxy-general-config
@@ -16,21 +16,23 @@
galaxy_info:
author:rcbops
description:Installation and setup of HAProxy
role_name:haproxy_server
namespace:openstack
company:Rackspace
license:Apache2
min_ansible_version:2.2
min_ansible_version:"2.10"
platforms:
- name:Debian
versions:
- buster
- bullseye
- name:Ubuntu
versions:
- bionic
- focal
- jammy
- name:EL
versions:
- 8
categories:
- "9"
galaxy_tags:
- cloud
- python
- development
@@ -30,6 +30,7 @@
file:
path:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
state:directory
mode:"0755"
- name:Download hatop package
get_url:
@@ -37,6 +38,7 @@
dest:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}"
validate_certs:"{{ haproxy_hatop_download_validate_certs }}"
checksum:"{{ haproxy_hatop_download_checksum }}"
mode:"0644"
register:fetch_url
until:fetch_url is success
retries:3
@@ -44,17 +46,16 @@
- name:Unarchive HATop
unarchive:
src:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}"
dest:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
remote_src:yes
extra_opts:
- --strip-components=1
src:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}"
dest:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
remote_src:yes
extra_opts:
- --strip-components=1
- name:Copy HATop binary
copy:
src:"{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}/bin/hatop"
dest:/usr/local/bin/hatop
mode:0755
mode:"0755"
remote_src:yes
when:haproxy_hatop_install | bool
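Review bot: `remote_src: yes` on the re-indented unarchive block (and on the copy task below it) is still the YAML 1.1 truthy spelling that yamllint's `truthy` rule flags; since this commit is a linter cleanup, `remote_src: true` would be consistent with the quoted `mode: "0755"` fix made in the same hunk.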
@@ -45,11 +45,15 @@
template:
src:"haproxy.cfg.j2"
dest:"/etc/haproxy/conf.d/00-haproxy"
mode:"0640"
owner:haproxy
group:haproxy
notify:Regenerate haproxy configuration
tags:
- haproxy-base-config
- include_tasks:haproxy_service_config.yml
- name:Including haproxy_service_config tasks
include_tasks:haproxy_service_config.yml
tags:
- haproxy-service-config
@@ -61,14 +65,15 @@
owner:'haproxy'
group:'haproxy'
#NOTE(jrosser) The next task fails on Centos without this,
#an empty directory rather than a file is made and the bind mount fails
#NOTE(jrosser) The next task fails on Centos without this,
#an empty directory rather than a file is made and the bind mount fails
- name:Ensure empty file is availble to bind mount log socket
file:
state:touch
path:"{{ haproxy_log_mount_point }}"
access_time:preserve
modification_time:preserve
mode:"0755"
- name:Make log socket available to chrooted filesystem
mount:
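Review bot: `mode: "0755"` on the touched file at `{{ haproxy_log_mount_point }}` sets execute bits on an empty regular file that only exists as a bind-mount target; `mode: "0644"` expresses the intent without granting execute permission. The mount task that follows starts past the end of the hunk, so whether the mount point's mode matters once the socket is mounted over it cannot be confirmed from here. The task name on the line above, `availble`, could be corrected to `available` while touching this block.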
@@ -48,6 +48,8 @@
path:"{{ item }}"
state:directory
mode:"0755"
owner:haproxy
group:haproxy
with_items:
- /etc/haproxy/conf.d
- "{{ haproxy_ssl_cert_path }}"
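Review bot: The added `owner`/`group` keep the same `mode: "0755"` for both `/etc/haproxy/conf.d` and `{{ haproxy_ssl_cert_path }}`, so the directory holding the TLS private keys stays world-listable even though the key files themselves are written with `mode: "0640"` elsewhere in this commit. If nothing other than the haproxy user needs to traverse that directory, a per-item mode such as `mode: "0750"` for the certificate path would be tighter; whether that holds depends on how haproxy loads its certificates here, which this hunk does not show.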
@@ -56,6 +58,9 @@
copy:
content:"{{ item.content }}"
dest:"{{ item.dest }}"
mode:"0644"
owner:haproxy
group:haproxy
when:
- (item.condition | default(True))
loop:"{{ haproxy_static_files }}"
@@ -21,7 +21,7 @@
- name:Append services to _haproxy_service_configs_simplified list
set_fact:
_haproxy_service_configs_simplified:"{{ _haproxy_service_configs_simplified + [(item.service is defined) | ternary(item.service, item)] }}"
_haproxy_service_configs_simplified:"{{ _haproxy_service_configs_simplified + [(item.service is defined) | ternary(item.service, item)] }}"
loop:"{{ haproxy_service_configs }}"
###########################################################################
@@ -32,6 +32,9 @@
template:
src:service.j2
dest:"/etc/haproxy/conf.d/{{ service.haproxy_service_name }}"
owner:root
group:haproxy
mode:"0640"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1.
loop:"{{ _haproxy_service_configs_simplified }}"
@@ -73,9 +76,16 @@
file:
state:directory
path:"/etc/haproxy/map.conf.d/{{ item }}"
owner:root
group:haproxy
mode:"0750"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1.
loop:"{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten | map(attribute='name') | unique }}"
loop:>-
{{
_haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten |
map(attribute='name') | unique
}}
# create map entries when the service is enabled and an existing map fragment is not absent
- name:Create haproxy map files
@@ -84,6 +94,9 @@
template:
src:map.j2
dest:"{{ map_file }}"
owner:root
group:haproxy
mode:"0640"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1.
with_subelements:
@@ -92,7 +105,7 @@
when:
- (item.0.haproxy_service_enabled | default(True)) | bool
- item.1.state | default('present') != 'absent'
notify:regenerate maps
notify:Regenerate maps
register:map_create
# remove map entries when the service is not enabled, the service is absent or the map is absent
@@ -109,5 +122,5 @@
with_subelements:
- "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') }}"
- haproxy_map_entries
notify:regenerate maps
notify:Regenerate maps
register:map_delete
@@ -26,7 +26,8 @@
paths:
- "{{ role_path }}/vars"
- include_tasks:haproxy_service_config.yml
- name:Including haproxy_service_config tasks
include_tasks:haproxy_service_config.yml
args:
apply:
tags:
@@ -48,7 +48,7 @@
template:
src:letsencrypt_pre_hook_certbot_distro.j2
dest:/etc/letsencrypt/renewal-hooks/pre/haproxy-pre
mode:0755
mode:"0755"
when:
- haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
@@ -56,14 +56,17 @@
template:
src:letsencrypt_renew_certbot_distro.j2
dest:/etc/letsencrypt/renewal-hooks/post/haproxy-renew
mode:0755
mode:"0755"
- name:Create new pem file for haproxy
assemble:
src:"{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
dest:"{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
regexp:'(privkey|fullchain).pem$'
owner:haproxy
group:haproxy
mode:"0640"
with_items:
- "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}"
- "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}"
notify:
- Reload haproxy
@@ -28,19 +28,21 @@
tags:
- always
- import_tasks:haproxy_pre_install.yml
- name:Importing haproxy_pre_install tasks
import_tasks:haproxy_pre_install.yml
tags:
- haproxy_server-install
- import_tasks:haproxy_install.yml
- name:Importing haproxy_install tasks
import_tasks:haproxy_install.yml
tags:
- haproxy_server-install
#NOTE (jrosser) the self signed certificate is also needed for bootstrapping
#letsencrypt, as haproxy will not start with ssl config but a missing certificate
#NOTE (jrosser) the self signed certificate is also needed for bootstrapping
#letsencrypt, as haproxy will not start with ssl config but a missing certificate
- name:Create and install SSL certificates
include_role:
name:pki
name:pki
vars:
pki_setup_host:"{{ haproxy_pki_setup_host }}"
pki_dir:"{{ haproxy_pki_dir }}"
@@ -56,14 +58,17 @@
when:
- haproxy_ssl | bool
- import_tasks:haproxy_post_install.yml
- name:Importing haproxy_post_install tasks
import_tasks:haproxy_post_install.yml
tags:
- haproxy_server-config
# NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured
- meta:flush_handlers
- name:Flushhandlers
meta:flush_handlers
- include_tasks:haproxy_ssl_letsencrypt.yml
- name:Including haproxy_ssl_letsencrypt tasks
include_tasks:haproxy_ssl_letsencrypt.yml
when:
- haproxy_ssl | bool
- haproxy_ssl_letsencrypt_enable | bool
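Review bot: The new task name `Flushhandlers` is missing a space; `- name: Flush handlers` would match the wording of the other names added in this commit (`Importing haproxy_post_install tasks`, `Including haproxy_ssl_letsencrypt tasks`).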
@@ -15,7 +15,8 @@
_haproxy_tls_vip_binds:|
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %}
{% endif %}
{% for vip_address in extra_lb_tls_vip_addresses %}
@@ -27,7 +28,8 @@ _haproxy_pki_certificates: |
{% set _pki_certs = [] %}
{% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
{% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (
vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
{% if vip['address'] == haproxy_bind_internal_lb_vip_address %}
{% set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %}
{% endif %}
@@ -50,7 +52,9 @@ _haproxy_pki_install_certificates: |
{% set _pki_install = [] %}
{% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']) %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
vip['address'] ~ '-' ~ _vip_interface, vip['address'])
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),