5da10f8559a04fc69e55a086b7c606e8b256298c
505 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| Daniel 'f0o' Preussker | 5da10f8559 | Add custom errorfiles<br>Change-Id: Ifc4feeffc951ec03745bf65d51db5e4917f1be29 | |
| Daniel 'f0o' Preussker | 240d109cc8 | Make sysctl configuration path configurable<br>Defaults to /etc/sysctl.conf to retain current behavior.<br>Change-Id: Ie6a84a31f8281c0240519e92a217359234f1e1bb | |
| Zuul | d886c4436b | Merge "Fix non-lazy ternary expression" | |
| Dmitriy Rabotyagov | 9e1a3749da | Auto-fix usage of modules via FQCN<br>Since ansible-core 2.10 it is recommended to use modules via FQCN. In order to align with the recommendation, we perform the migration by applying suggestions made by `ansible-lint --fix=fqcn`.<br>Change-Id: I9c3a86af107728cbddb4e2cdb778065001d66b93 | |
| Dmitriy Rabotyagov | e1e62d3f57 | Auto-fix yaml rules<br>In order to reduce divergence with ansible-lint rules, we apply auto-fixing of violations. In the current patch we replace all kinds of truthy values with `true` or `false` to align with recommendations, along with alignment of the quotes used.<br>Change-Id: I4a3107ce91b0eed15f3ab9aea4a1e6c4f967d0e0 | |
| Jonathan Heathcote | d138ff74e8 | Fix non-lazy ternary expression<br>The Ansible 'ternary' filter is not a real (lazy) ternary operator, meaning that both branches are evaluated regardless of the input. Prior to this patch, this would erroneously result in a crash if 'interface' was not specified. Also includes unrelated linter-requested whitespace changes.<br>Change-Id: I483550527b37276a7742ca116b7366bbd0b05875 | |
| Dmitriy Rabotyagov | c001f16542 | [doc] Add some documentation around haproxy_vip_binds<br>Change-Id: I604730f9b71357a1fc298f1d3c50d08fa58eb7dd | |
| Dmitriy Rabotyagov | 65e53499f5 | Use haproxy_vip_binds stanza for Let's Encrypt<br>Currently Let's Encrypt is using `haproxy_bind_external_lb_vip_address` to identify the naming of the resulting certificate, which might not match expectations, as all other parts of the code already use `haproxy_vip_binds` for calculating the resulting TLS path. This patch introduces a `type` key for `haproxy_vip_binds` which is used to identify for which frontends the Let's Encrypt certificate should be used, as in most scenarios it is not going to be issued for "internal" VIPs anyway due to the dns-01 requirement. Also, moving to a single "source of truth" for VIP bindings allows overriding and having control over this behaviour.<br>Change-Id: Id07d9a0ea270d613b37b6adfa373d01a47f7421f | |
| Dmitriy Rabotyagov | 7e4ecd10b3 | Rename haproxy_tls_vip_binds to haproxy_vip_binds<br>Effectively haproxy_tls_vip_binds was influencing not only TLS-related binds but also non-TLS ones. Its naming was picked in a misleading way from the start, as a lot of the logic for the variable was around the TLS implementation. Though it has a global effect and this should be reflected in its name.<br>Change-Id: I2f28d0ab033eff96cc2bc09db917bedb387013e8 | |
| Dmitriy Rabotyagov | 8018155a3d | Add ability to extend TLS SAN per VIP<br>At the moment it is really tricky to extend the list of domains for which TLS certificates should be generated, while this might be required for some cases, like domain-based endpoints. While this option does not provide the opportunity to pass user-created certificates, it enables leveraging the PKI role for generating them.<br>Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/934536<br>Change-Id: I80691ad5e6b51181db44420b3b33967184589b68 | |
| Dmitriy Rabotyagov | 7e30567f02 | Do not define TLS for frontend with mode tcp<br>In case frontend/backend are configured in TCP mode there is no reason to supply an SSL configuration for such a frontend. With that we also align usage of the `request_option` variable, which is anyway defined from `service.haproxy_balance_type` but with a provided default value.<br>Change-Id: I5dff5aadc546d2984c1295e89b67b35a34254237 | |
| Dmitriy Rabotyagov | ec0066e06c | Generate PKI SAN as a list<br>This transforms the generation process from concatenating strings to a list which is joined before passing to the PKI role. It improves code readability and is more error-prone as we don't need to pay close attention to the presence of the `,` separator while concatenating strings. It will also allow passing only unique records to the PKI role if we have a need for that in the future.<br>Change-Id: I88f74c97592795704170b49bff56b23bc8145f5b | |
| Dmitriy Rabotyagov | e765160dc4 | Do not add vip['address'] to SAN if haproxy is bound to interface<br>In a use case where HAProxy is bound to an interface, `*_lb_vip_address` might be set to a wildcard. We should not be generating a SAN with a wildcard in it.<br>Change-Id: I45261b8fd572a68f1fc5a72f94653ffd2d302420 | |
| Dmitriy Rabotyagov | efaee49680 | Respect defined interface for external VIP with LE<br>In case an interface is defined for haproxy to listen on, this affects the path the certificate is installed to. It seems that the Let's Encrypt path was not respecting interfaces, thus once one is defined, the task was assembling certificates under the wrong path, so the self-signed certificate was used instead of LE.<br>Change-Id: Ie5e6671d7ab929d17766a53320f262dafface99a | |
| Jonathan Rosser | 1ee2086bca | Remove the deprecated 'nbproc' config option from the example settings<br>Change-Id: Ibe2f259cb3ab2c0074a7fb388cecd6b710043075 | |
| Jonathan Rosser | 1c9703bf30 | Remove deprecated 'stats bind-process' directive<br>This directive is deprecated in haproxy 2.5. See https://docs.haproxy.org/2.5/configuration.html#3.1-stats%20bind-process<br>Change-Id: I600e6a07d14deb10823ebe005ac417a601930f68 | |
| Jonathan Rosser | f0370a1699 | Remove deprecated http-use-htx option<br>HTX became the default in haproxy 2.0 and the config option is now deprecated.<br>Change-Id: Id83ad286676cc51ba874f0ca860c778dbebc0be1 | |
| Jonathan Rosser | a51f8b347f | Combine debian and ubuntu vars, adding support for Ubuntu Noble<br>Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/924474<br>Change-Id: I3d551c11a4b8fb25890f9db64ec6ec15be3a5240 | |
| | 3eccf224d6 | reno: Update master for unmaintained/zed<br>Update the zed release notes configuration to build from unmaintained/zed.<br>Change-Id: Id370b35484be8fe1ee5f51561cb7e1246640f936 | |
| Damian Dabrowski | ed8eeba8d3 | Implement haproxy_pki_create_certificates variable<br>In cases when internal and external haproxy frontends should use different, pre-generated certificates, it's not possible to define them with haproxy_user_ssl_cert because it accepts only one certificate. In this case, certificates can be placed manually in the pki/ directory. Unfortunately, with the current logic, certificate creation with the PKI role is disabled only when haproxy_user_ssl_cert is defined. The possibility of explicitly disabling certificate generation will be really useful.<br>Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/915320/<br>Change-Id: I4eed4d797160b885d5b7187e6106e6ee0073722f | |
| Damian Dabrowski | 2407f7273c | Do not log content of copied static files<br>``haproxy_static_files`` can be used to copy static files to target hosts. These files may contain sensitive content that should not be logged. This patch disables logging for this task.<br>Change-Id: I8f1c01385d7aca8f17cc3f49aafcf2b7269fa554 | |
| Zuul | 5da44774b3 | Merge "Do not resolve all host_vars when haproxy_backend_node is a mapping" | |
| Zuul | 16d0395831 | Merge "Improve Jinja indentation for service templates" | |
| Dmitriy Rabotyagov | 373b9bb0f2 | Do not resolve all host_vars when haproxy_backend_node is a mapping<br>We do allow supplying haproxy_backend_nodes as a list of mappings rather than a regular list, which supports the `ip_addr`, `name` and `backend_port` keys. However, we do verify hostvars[host_name] and try to set ip_addr regardless of whether this is needed or not. During the hostvars[host_name] request Ansible tries to fetch all host variables and resolve some of them, which is not always possible or preferred in some scenarios. A good example of that would be Mozilla SOPS [1] encrypted variables for a specific host or group, which can not be decrypted by some operators. In the meanwhile they can be eligible to configure the haproxy frontend/backend for this service. So we should have a way to avoid asking for specific hostvars when it's not needed, and backend_nodes already contain all required information.<br>[1] https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html<br>Change-Id: I17a7f2421cd31b37bbda4f9c85971b1825e54891 | |
| Dmitriy Rabotyagov | 9a1c483381 | Improve Jinja indentation for service templates<br>At the moment service templates are hardly readable, partially due to complex logic, but the inconsistent presence of indentation makes things way worse, as there's no way to know for sure if you're under some cycle or condition. This patch aims to make indents correct, which should improve template readability overall.<br>Change-Id: Ie60ca87c044281104fbc8334d7254ac351d3d912 | |
| | 3376636f45 | reno: Update master for unmaintained/victoria<br>Update the victoria release notes configuration to build from unmaintained/victoria.<br>Change-Id: I8420d1a72ebc16cc943c5f9aa683188e44460c83 | |
| Dmitriy Rabotyagov | ed981ce09a | Use correct permissions for haproxy log mount<br>With [1] a regression was introduced, where incorrect permissions were applied to a bind mount, corrupting access to /dev/log globally on hosts where haproxy was running. Default permissions are 0666 for /dev/log when it's managed by journald.<br>[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143<br>Closes-Bug: #2055178<br>Change-Id: Ib8b9e4dea0ecd5d35f0e872dfaa0f2ec837a98f8 | |
| Dmitriy Rabotyagov | 16ab20815f | Add httpchk option when httpcheck_options are defined<br>In order for http-check to work, option httpchk must be loaded first. Otherwise a regular L4 check will be issued and all `http-check` directives will be simply ignored.<br>Closes-Bug: #2046223<br>Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/903488<br>Change-Id: Ie9ed322ab9c4a04d42cab4456567ac5d1f5c966b | |
| Dmitriy Rabotyagov | 2cc2fceaf6 | Fix haproxy_stats SSL path definition<br>Neither `vip_interface` nor `vip_address` are defined or available in the context they're being used in. Thus we need to refer to available variables in order to render the base config properly. The current version fails with "AnsibleUndefinedVariable: 'vip_interface' is undefined" on the "Drop base haproxy config" task. This fixes the issue that was introduced with [1] and backported back to Zed.<br>[1] https://review.opendev.org/q/Ib8be6b7fc3dada9d20905b0f07d90ddce0335605<br>Change-Id: I4e52378d8c5b3eaa6863ecaf0d04554d082e3dc0 | |
| Zuul | c321f39fc3 | Merge "Enable stats to use dedicated server certificate and allow for client cert auth" | |
| Zuul | 07a5545693 | Merge "Add tags to PKI include" | |
| Zuul | 9e122c2185 | Merge "Apply haproxy-service-config tag on include" | |
| Zuul | 6eef4453ea | Merge "Use netcat-openbsd on debian bookworm" | |
| Dmitriy Rabotyagov | 2d8fd9bfef | [doc] Document usage of binding to interface<br>Change-Id: Iba1f4a284beaba8d2d7f020ca7ad2d78d6360161 | |
| Dmitriy Rabotyagov | e937d08f2c | Apply haproxy-service-config tag on include<br>Rather than applying the tag to each task inside the haproxy_service_config file, it's better to apply it to the include. Also, this closes the bug where the role fails due to a fact being undefined, since setting the fact was not covered by the tag.<br>Change-Id: I533070196dda5387a910f613cdd037fa36880cdb | |
| Christian Rohmann | 04a8f8532a | Enable stats to use dedicated server certificate and allow for client cert auth<br>Some environments use a dedicated PKI for monitoring and metric collection. This change allows configuring the serving certificate for stats independently by setting `haproxy_stats_ssl_cert_path`; the default is to use the same cert. Also, client certificate authentication for stats can now be enabled by defining a CA cert via `haproxy_stats_ssl_client_cert_ca`.<br>Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605 | |
| Dmitriy Rabotyagov | 75092ec0a4 | Add tags to PKI include<br>When rotating certificates for HAProxy it's quite neat to have tags that allow running specifically the certificate rotation without any extra steps.<br>Change-Id: If1b6d6e46a4b2941198b0f57c858d415fbbdc8d1 | |
| Jonathan Rosser | 90035459d0 | Use netcat-openbsd on debian bookworm<br>The 'netcat' package is no longer installable directly.<br>Package netcat is a virtual package provided by: netcat-openbsd 1.219-1, netcat-traditional 1.10-47. You should explicitly select one to install.<br>E: Package 'netcat' has no installation candidate<br>Change-Id: Ic708a7fd2223d1ba40ccacbd2b6863187fad0da9 | |
| Dmitriy Rabotyagov | cb4eb8b327 | Fix example playbook linters<br>Change-Id: I7647f067ba33fb0329f6e5e7d40b641fd45cb062 | |
| Zuul | 9cf2985ca5 | Merge "Do not use notify inside handlers" | |
| Zuul | b2ea96d50c | Merge "Fix linters issue and metadata" | |
| Dmitriy Rabotyagov | 67e19ebccd | Add HTTP/2 support for frontends/backends<br>This patch implements extra variables/keys that can be used to enable the HTTP/2 protocol for frontends and backends. With that, the patch does not add HTTP/2 support for any redirect frontends, since they can not be configured to use TLS and thus it would cause such redirect backends to be HTTP/2 only, which might break old clients. With that, regular frontends that are not terminating TLS can be configured to be HTTP/2 only, as well as TCP backends.<br>Change-Id: Ib14f031f3c61f31bf7aaf345a3ba635ca5fb9ff8 | |
| Dmitriy Rabotyagov | b6e04fea1f | Do not use notify inside handlers<br>Since the latest Ansible, handlers are not triggered inside the same handler flush, which means that triggering the mysql restart the way we did does not work anymore. So instead of notifying inside handlers, we add a listen key to tasks that are triggered by these newly produced notifications. This could be due to the bug [1], but the ansible-core version that has the backport included still shows inconsistent behaviour.<br>[1] https://github.com/ansible/ansible/issues/80880<br>Change-Id: I0d97e0b90a8d18a7b69e880e4effa851238d51d1 | |
| Dmitriy Rabotyagov | c0da2e5095 | Fix linters issue and metadata<br>With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with the linter rules we're applying changes to the role. With that we also update the metadata to reflect the current state.<br>Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a | |
| Andrew Bonney | 97390e88e0 | Correct default Content-Type for security.txt<br>The security.txt RFC specifies a Content-Type of text/plain and a charset of utf-8 [1]. This adjusts the defaults so line breaks are rendered correctly in a browser.<br>[1] https://datatracker.ietf.org/doc/html/rfc9116#section-3<br>Change-Id: I39c2dab5108a815ef966bab0d708d6300eb1a4d1 | |
| Zuul | b81dec169b | Merge "Fix generating certificate SANs" | |
| Zuul | 2a60a55cee | Merge "Add possibility to override haproxy_ssl_path" | |
| Marc Gariepy | 1d83177575 | Add possibility to override haproxy_ssl_path<br>It's now possible to set the ssl cert path in case you want to bind to a specific hostname via ``haproxy_bind`` and want to share a common certificate. Set ``haproxy_ssl_path`` to override per service.<br>Change-Id: Ib517f52c0edbc4ac8d0df2a2ae078c9138141aae | |
| Marc Gariepy | 4513bc84ae | Add ability to have different backend port.<br>Add the possibility to have multiple backend services running on different ports.<br>Change-Id: I1748bfc15bdf879f78aa06c385af7b6c45bde7ff | |
| Danila Balagansky | 3c5d984f27 | Fix generating certificate SANs<br>With `haproxy_bind_*_lb_vip_address` set, use `*_lb_vip_address` for SAN instead.<br>Change-Id: I33fc820be583bfaf7f9bee5233f0e0b99805144a | |
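Commit 16ab20815f in the list above makes the point that `http-check` directives are silently ignored unless `option httpchk` is set, in which case HAProxy only runs an L4 (TCP connect) check. The two backend stanzas below are an added example of that failure mode next to its fix; they are not the role's own rendered template, and the backend names, the server address and the `/healthcheck` URI are assumptions.

```haproxy
# Added example; not generated by the openstack-ansible-haproxy_server role.
# Backend names, the server address and the /healthcheck URI are assumed.

# Broken: "http-check" without "option httpchk". The health check stays a
# plain TCP connect (L4), so a server that accepts connections but answers
# HTTP 500 is still reported UP and keeps receiving traffic; the "expect"
# rule below never runs.
backend glance_api-back-broken
    mode http
    balance leastconn
    http-check expect status 200
    server infra1 172.29.236.101:9292 check inter 12s rise 1 fall 1

# Fixed: "option httpchk" switches the check to HTTP (L7) first; the
# "http-check" lines then shape the probe request and the accepted response.
backend glance_api-back
    mode http
    balance leastconn
    option httpchk
    http-check send meth GET uri /healthcheck hdr Host glance.internal.example
    http-check expect status 200
    server infra1 172.29.236.101:9292 check inter 12s rise 1 fall 1
```

Validate the rendered file with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then confirm on the stats page that the backend's check status reads `L7OK/200` rather than `L4OK`. A backend that still shows `L4OK` after `http-check` lines were added is exactly the symptom this commit addresses.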
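Commit 04a8f8532a in the list above introduces `haproxy_stats_ssl_cert_path` and `haproxy_stats_ssl_client_cert_ca`. The `listen` stanzas below are an added example of the HAProxy configuration those two options correspond to, written here for illustration rather than taken from the role's template; the bind address and port, the certificate paths, the monitoring CA and the client certificate CN are assumptions, and the two stanzas are alternatives, not meant to be loaded together.

```haproxy
# Added example; not the stanza rendered by the role. Addresses, ports,
# file paths, the monitoring CA and the client CN are assumed.

# Default shape: the stats endpoint shares the service certificate and is
# protected by a password only, so anyone who can reach the port and guess
# the credentials can read backend topology and health.
listen haproxy-stats-shared
    bind 172.29.236.100:1936 ssl crt /etc/haproxy/ssl/haproxy.pem
    mode http
    stats enable
    stats uri /
    stats auth admin:CHANGEME

# Hardened: a serving certificate issued by the monitoring PKI
# (haproxy_stats_ssl_cert_path) and mandatory client certificates validated
# against that PKI's CA (haproxy_stats_ssl_client_cert_ca). "verify required"
# aborts the TLS handshake before any HTTP request is processed.
listen haproxy-stats
    bind 172.29.236.100:1936 ssl crt /etc/haproxy/ssl/stats.pem ca-file /etc/haproxy/ssl/monitoring-ca.pem verify required
    mode http
    stats enable
    stats uri /
    stats refresh 15s
    stats auth admin:CHANGEME
    # Optional: on top of chain validation, only accept the scraper's own
    # certificate by pinning the client subject CN.
    http-request deny unless { ssl_c_s_dn(CN) -m str prometheus-exporter }
```

To check the hardened stanza, run `openssl s_client -connect 172.29.236.100:1936 -CAfile /etc/haproxy/ssl/monitoring-ca.pem` without a client certificate: the handshake should fail. Repeat with `-cert`/`-key` from the monitoring PKI and it should succeed, after which `stats auth` still applies. If the monitoring PKI publishes a CRL, add `crl-file <path>` to the `bind` line so revoked scraper certificates are rejected too.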