openstack/openstack-ansible-haproxy_server - openstack-ansible-haproxy_server - OpenDev: Free Software Needs Free Tools

We're providing an option to have an IP address per VIP
address. Currently it's used only for creating self-signed
SSLs signed with internal CA per each VIP. With follow-up
patches that will also allow to provide user certificates
per VIP, making possible to cover internal and external
endpoints with different non-wildcard certs.
Change-Id: I0a9eb7689eb42b50daf5c94c874bb7429b271efe

Change-Id: I568273d0ef1d5ee391a42981e66cc9895b9d71b6

The external PKI role can generate a self signed CA and Intermediate
certificate, and then create a server certificate for haproxy if
no defaults are overridden.
The new openstack_pki_* settings allow an external self signed CA
to be used, but still create valid haproxy server certificates from
that external CA in an openstack-ansible deployment.
The original beheviour providing user supplied certificates in the
haproxy_user_ssl_* variables will still work, disabling the generation
of certificates but using the external PKI role to just install the
supplied certs and keys.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/788031
Change-Id: I7482f55e991bacd9dccd2748c236dcd9d01124f3

This is needed for HAProxy 2.1 which is in Debian Bullseye
Change-Id: I912c6d810acc137c3b3e73dc40160d6376cb3884

Change-Id: Ie985d5140e0b9cf5f6248a66db057f67ba354fb1

Due to error during migration to journald [1], rsyslog config has
remained intact, which caused logs from journald being copied to
regular logfile, without proper logrotate.
Now we're fixing this and dropping rsyslog config as well.
This will affect only ppl that are upgrading their environments since
Stein
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/672039/4/tasks/haproxy_post_install.yml#b38
Change-Id: I01689bbb3f331b4d8d4afe9d096a4213072ad7c0

Do not use the dot notation.
Change-Id: Iab7c31624dc0e9b20ff70fd55bbd2bf1091ba857

When HAProxy is run in multi-process mode, the single stats page
shows metrics for one of the processes at a time, with a random
selection made on page reload.
Whilst a more complete solution may be to enable a stats page for
each process, this is a little cumbersome. This addition allows
the stats page to be pinned to one process, providing a partial
snapshot of the state of the instance.
Change-Id: Id9314e5b267aafeaf34c82874eb8bfe0713dfac3

This update matches changes in the openstack-ansible repo to
enable checks against both internal and external addresses.
Depends-On: https://review.opendev.org/782374
Change-Id: Iedbe887a3d75c240dffcc7998f25d1ee5a09c1e5

Change-Id: I3a5b19f348162931e5c1702eda5c60ddfbd4636b

All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: If9dfa6aaa1e90856c6a4c074fd33b8e49b57a5fc

Change-Id: Ie849053102ef75755a50d5bd20b1c9f7ad620026

See https://github.com/ansible/ansible/issues/73654
Change-Id: Id98f052df73587f209b9621da0874ce506899f9b

This replace include with imports where applicable and fixes
tags usage for include where it needs to be left.
Change-Id: Id7284431e9f97e5b4939472e0a07d573186440a6

Since we copy all release notes to the integrated repo there is not need
in publishing release notes for each repository. We should only verify their
validity and linting.
Change-Id: I441126861e4f35e6ae1c96d8acf643bf2c453ed3

Readjust hatop installtion method, removed haproxy_hatop_downloader and
deployment-host variables. added "haproxy_hatop_install | bool" condition.
Change-Id: I51423fff67e6e427f6c7d163d8d1aac6bcd82ca9

Add the lack of release information for Victoria, this patch added it.
Change-Id: I4b88f6aaa5841813994d606a7b171ab7fec8db0b

you can add prometheus metric exposed directly via haproxy if your
version is recent enough.
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
Change-Id: I10e7220071290301a85409a1f74fcbad2743d19d

New hatop package has python3 support.
Change-Id: I69c01f330feb67d92b6b01fea589a35969879da2

Change-Id: Id4c2b579bc0c9737d5353c992484f2c872b94151

Change-Id: I5d9d407dc031b86d592a0e56e9a6e4dc04873ad6

Change-Id: I7e99dc9b93e7faf3bc3d90f3c66af65b64f29c6a

There's no real need in asking user to manually provide http-01 port and
address when we already have corresponding variables we rely on.
Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354

Addition of a `haproxy_backend_only` flag to the service template
for instances in which a frontend service uses ACLs to propgate
requests to multiple backend services, and not all backend services
require a corresponding frontend. This should prevent the
proliferation of spurious frontend services.
Change-Id: I8c419be82cffd289ffcc5086afac923d6eb1a78a

This variable will allow to globally control if SSL should be also used
for internal/admin endpoints, or for public only
Change-Id: I1fa990bab5801a6e6fde7176b2011ab1977b30ae

Change-Id: I6b017720f933a06303916e8a1b437c3fb92b7ea6

Change-Id: I49a1b7790bf8c4cba9f0fc140c7282d50d18cb24

Change-Id: I9f579e378effa92ce42ca6219ad7ec09e7feaecb

ansible_python_interpreter is now set to auto in the tests repo.
it doesn't need to be overwritten in the test anymore.
Depends-On: https://review.opendev.org/735289
Depends-On: https://review.opendev.org/734676
Change-Id: I46f5ece04b82ff3131f27be2bb98aead2f07b04e

The certbot pre-hook is not used during initial setup of the cert,
only during renewal. This means that the same race condition exists
at initial configiuration as renewal. This patch uses the same
approach as used in the renewal pre-hook and applies it during
initialisation of certbot. This fixes race condition related failures
during initial provisioning of haproxy+letsencrypt.
Change-Id: Ica5ed5de24e3eb2fb5a743bb877d113ed0bb8a43

Change-Id: I2a5a353f006d5dfa9acc10d998fd57e69a25fab8

The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I208d5939ba7d881588947d51396085dcf6284431

Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: Id8b8a6424ebdeb3c81eb50ee20a0662fdf73e054
Sem-Ver: feature

Change-Id: Ife4a2e11d1f77a62797ec19f64ee1898ddc29aeb

New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is using now Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I3643bb9d00bb4109ec133e072b889a72f5a3248e

This patch updates/adds the contributor documentation to follow
the guidelines of the Ussuri cycle community goal[1].
[1] https://governance.openstack.org/tc/goals/selected/ussuri/project-ptl-and-contrib-docs.html
Story: #2007236
Task: #38554
Change-Id: I13b475daf09ec54776db4b28f7ba08a8bbdd5e60

Task fails if the host/container does not have rsyslog present. We
can just skip the restart if it is not installed.
Change-Id: Ie4c9a42133c1f042c587cec48f53b4a87bd50952

Change-Id: Ie4a035efb07234241d22b2dda6b5d6da3f2bd15d

Change-Id: I7bbd51f6b693593be04f11c695b149fad1237bd3