openstack/openstack-ansible-haproxy_server - openstack-ansible-haproxy_server - OpenDev: Free Software Needs Free Tools

This could be achieved using the
haproxy_ssl_letsencrypt_setup_extra_params variable, but this
makes it a bit neater.
Change-Id: Iee2d5a10e1762b23fcb3f3140950c76a754743b7

Change-Id: I74da6c27a7d0992a45103657cd0800dab8143c4f

With releasing PKI role we broke Let's Encrypt option because of
changing directories where certs should be located
and not reflecting these changes for let's encrypt. At the same time
we should not generate self-signed cert when let's encrypt path is used.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742
Closes-Bug: #1938961
Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab

We have introduced variables to control CA/certificates regeneration
however never used them anywhere.
This patch fixes that, so that haproxy_pki_regen_cert and
haproxy_pki_regen_ca are respected now.
Change-Id: Id6d5395d5976ec9393a55be7fe9a946cf9ce745e

HAProxy added native Prometheus support from v2.0. This can be
enabled using the existing stats endpoint via an additional
/metrics path.
Change-Id: If9528969c7915db06138c0746dc419d8302f0e7c

In order to remove service currently we need to satisfy one of
conditions:
- haproxy_backend_nodes and haproxy_backup_nodes are empty and defined
but must be defined
- haproxy_service_enabled is False
- state is absent
There's big issue with logic regarding haproxy_backend_nodes and
haproxy_backup_nodes since they both should be defined and empy,
but in case haproxy_backup_nodes is not defined but haproxy_backend_nodes
is empty we should consider this as condition for removal as well.
But this will make it too complicated.
This change suggest consider rely only on haproxy_service_enabled and
state keys of haproxy_service_configs, as it's sufficient to
drop service based on these 2 options.
Change-Id: Ib37445ad852bcbd8d44d9eda9293565a4e52262b

We're providing an option to have an IP address per VIP
address. Currently it's used only for creating self-signed
SSLs signed with internal CA per each VIP. With follow-up
patches that will also allow to provide user certificates
per VIP, making possible to cover internal and external
endpoints with different non-wildcard certs.
Change-Id: I0a9eb7689eb42b50daf5c94c874bb7429b271efe

In some use cases you may want to define your own stick-table and
rules, this can be done using the backend_arguments variables.
As you can have only one stick-table per backend or frontend
the default stick-table needs to be disabled.
I am also not convinved the default stick-table is used for anything,
it just logs requests and never uses the logs, i think it could be
removed.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/797819
Change-Id: I54307c00673ababb277257f2bb0e456e3e011ac4

Change-Id: I568273d0ef1d5ee391a42981e66cc9895b9d71b6

The external PKI role can generate a self signed CA and Intermediate
certificate, and then create a server certificate for haproxy if
no defaults are overridden.
The new openstack_pki_* settings allow an external self signed CA
to be used, but still create valid haproxy server certificates from
that external CA in an openstack-ansible deployment.
The original beheviour providing user supplied certificates in the
haproxy_user_ssl_* variables will still work, disabling the generation
of certificates but using the external PKI role to just install the
supplied certs and keys.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/788031
Change-Id: I7482f55e991bacd9dccd2748c236dcd9d01124f3

This is needed for HAProxy 2.1 which is in Debian Bullseye
Change-Id: I912c6d810acc137c3b3e73dc40160d6376cb3884

Change-Id: Ie985d5140e0b9cf5f6248a66db057f67ba354fb1

Due to error during migration to journald [1], rsyslog config has
remained intact, which caused logs from journald being copied to
regular logfile, without proper logrotate.
Now we're fixing this and dropping rsyslog config as well.
This will affect only ppl that are upgrading their environments since
Stein
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/672039/4/tasks/haproxy_post_install.yml#b38
Change-Id: I01689bbb3f331b4d8d4afe9d096a4213072ad7c0

Do not use the dot notation.
Change-Id: Iab7c31624dc0e9b20ff70fd55bbd2bf1091ba857

When HAProxy is run in multi-process mode, the single stats page
shows metrics for one of the processes at a time, with a random
selection made on page reload.
Whilst a more complete solution may be to enable a stats page for
each process, this is a little cumbersome. This addition allows
the stats page to be pinned to one process, providing a partial
snapshot of the state of the instance.
Change-Id: Id9314e5b267aafeaf34c82874eb8bfe0713dfac3

This update matches changes in the openstack-ansible repo to
enable checks against both internal and external addresses.
Depends-On: https://review.opendev.org/782374
Change-Id: Iedbe887a3d75c240dffcc7998f25d1ee5a09c1e5

Change-Id: I3a5b19f348162931e5c1702eda5c60ddfbd4636b

All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: If9dfa6aaa1e90856c6a4c074fd33b8e49b57a5fc

Change-Id: Ie849053102ef75755a50d5bd20b1c9f7ad620026

See https://github.com/ansible/ansible/issues/73654
Change-Id: Id98f052df73587f209b9621da0874ce506899f9b

This replace include with imports where applicable and fixes
tags usage for include where it needs to be left.
Change-Id: Id7284431e9f97e5b4939472e0a07d573186440a6

Since we copy all release notes to the integrated repo there is not need
in publishing release notes for each repository. We should only verify their
validity and linting.
Change-Id: I441126861e4f35e6ae1c96d8acf643bf2c453ed3

Readjust hatop installtion method, removed haproxy_hatop_downloader and
deployment-host variables. added "haproxy_hatop_install | bool" condition.
Change-Id: I51423fff67e6e427f6c7d163d8d1aac6bcd82ca9

Add the lack of release information for Victoria, this patch added it.
Change-Id: I4b88f6aaa5841813994d606a7b171ab7fec8db0b

you can add prometheus metric exposed directly via haproxy if your
version is recent enough.
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
Change-Id: I10e7220071290301a85409a1f74fcbad2743d19d

New hatop package has python3 support.
Change-Id: I69c01f330feb67d92b6b01fea589a35969879da2

Change-Id: Id4c2b579bc0c9737d5353c992484f2c872b94151

Change-Id: I5d9d407dc031b86d592a0e56e9a6e4dc04873ad6

Change-Id: I7e99dc9b93e7faf3bc3d90f3c66af65b64f29c6a

There's no real need in asking user to manually provide http-01 port and
address when we already have corresponding variables we rely on.
Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354

Addition of a `haproxy_backend_only` flag to the service template
for instances in which a frontend service uses ACLs to propgate
requests to multiple backend services, and not all backend services
require a corresponding frontend. This should prevent the
proliferation of spurious frontend services.
Change-Id: I8c419be82cffd289ffcc5086afac923d6eb1a78a

This variable will allow to globally control if SSL should be also used
for internal/admin endpoints, or for public only
Change-Id: I1fa990bab5801a6e6fde7176b2011ab1977b30ae

Change-Id: I6b017720f933a06303916e8a1b437c3fb92b7ea6

Change-Id: I49a1b7790bf8c4cba9f0fc140c7282d50d18cb24

Change-Id: I9f579e378effa92ce42ca6219ad7ec09e7feaecb

ansible_python_interpreter is now set to auto in the tests repo.
it doesn't need to be overwritten in the test anymore.
Depends-On: https://review.opendev.org/735289
Depends-On: https://review.opendev.org/734676
Change-Id: I46f5ece04b82ff3131f27be2bb98aead2f07b04e

The certbot pre-hook is not used during initial setup of the cert,
only during renewal. This means that the same race condition exists
at initial configiuration as renewal. This patch uses the same
approach as used in the renewal pre-hook and applies it during
initialisation of certbot. This fixes race condition related failures
during initial provisioning of haproxy+letsencrypt.
Change-Id: Ica5ed5de24e3eb2fb5a743bb877d113ed0bb8a43

Change-Id: I2a5a353f006d5dfa9acc10d998fd57e69a25fab8