Commit Graph

484 Commits

Author SHA1 Message Date
Zuul 5da44774b3 Merge "Do not resolve all host_vars when haproxy_backend_node is a mapping" 2024-03-23 13:05:43 +00:00
Zuul 16d0395831 Merge "Imporove Jinja indentation for service templates" 2024-03-22 15:00:58 +00:00
Dmitriy Rabotyagov 373b9bb0f2 Do not resolve all host_vars when haproxy_backend_node is a mapping
We do allow to supply haproxy_backend_nodes as list of mappings rather
the regular list, which supports `ip_addr`, `name` and `backend_port` keys.

However, we do verify hostvars[host_name] and try to set ip_addr regardless
if this needed or not.

During hostvars[host_name] request Ansible tries to fetch all host variables
and resolve some of them, which not always can be possible or preffered
in some scenarios.
Good example of that would be Mozilla SOPS [1] encrypted variables for
specific host or group, which can not be decrypted by some operators.
In the meanwhile they can be eligible to configure haproxy frontend/backend
for this service. So we should have a way to avoid asking for specific
hostvars when it's not needed, and backend_nodes are already contain
all required information.

[1] https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html

Change-Id: I17a7f2421cd31b37bbda4f9c85971b1825e54891
2024-03-22 12:36:45 +01:00
Dmitriy Rabotyagov 9a1c483381 Imporove Jinja indentation for service templates
At the moment service templates are hardly readable, partially due to
complex logic, but incosistent presence of indetnation makes things
way worse, as there's no way to know if you're under some cycle
or condition for sure.

This patch aims to make indents correct which should improve template
readability overall.

Change-Id: Ie60ca87c044281104fbc8334d7254ac351d3d912
2024-03-21 20:05:08 +01:00
OpenStack Release Bot 3376636f45 reno: Update master for unmaintained/victoria
Update the victoria release notes configuration to build from
unmaintained/victoria.

Change-Id: I8420d1a72ebc16cc943c5f9aa683188e44460c83
2024-03-14 12:25:36 +00:00
Dmitriy Rabotyagov ed981ce09a Use correct permissions for haproxy log mount
With [1] a regression was introduced, where incorrect permissions were
applied to a bind mount corrupting access to /dev/log globally on hosts
where haproxy was running.

Default permissions are 0666 for /dev/log when it's managed by journald.

[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
Closes-Bug: #2055178

Change-Id: Ib8b9e4dea0ecd5d35f0e872dfaa0f2ec837a98f8
2024-02-27 19:46:08 +01:00
Dmitriy Rabotyagov 16ab20815f Add httpchk option when httpcheck_options are defined
In order for http-check to work, option httpchk must be loaded first. Otherwise
regular L4 check will be issued and all `http-check` will be simply ignored.

Closes-Bug: #2046223
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/903488
Change-Id: Ie9ed322ab9c4a04d42cab4456567ac5d1f5c966b
2023-12-12 11:20:24 +00:00
Dmitriy Rabotyagov 2cc2fceaf6 Fix haproxy_stats SSL path defenition
Neither `vip_interface` nor `vip_address` are defined or available in
the context they're being used.
Thus we need to refer to available variables in order to render base config
properly

Current version fail with "AnsibleUndefinedVariable: 'vip_interface' is undefined"
on "Drop base haproxy config" task.

This fix the issue that was introduced with [1] and backported back to Zed

[1] https://review.opendev.org/q/Ib8be6b7fc3dada9d20905b0f07d90ddce0335605

Change-Id: I4e52378d8c5b3eaa6863ecaf0d04554d082e3dc0
2023-11-27 18:23:11 +01:00
Zuul c321f39fc3 Merge "Enable stats to use dedicated server certificate and allow for client cert auth" 2023-10-17 04:39:05 +00:00
Zuul 07a5545693 Merge "Add tags to PKI include" 2023-10-09 13:24:30 +00:00
Zuul 9e122c2185 Merge "Apply haproxy-service-config tag on include" 2023-10-09 13:18:32 +00:00
Zuul 6eef4453ea Merge "Use netcat-openbsd on debian bookworm" 2023-10-08 01:51:01 +00:00
Dmitriy Rabotyagov 2d8fd9bfef [doc] Document usage of binding to interface
Change-Id: Iba1f4a284beaba8d2d7f020ca7ad2d78d6360161
2023-09-29 08:17:01 +00:00
Dmitriy Rabotyagov e937d08f2c Apply haproxy-service-config tag on include
Rather then applying tag for each task inside the haproxy_service_config
file, it's better to apply it to include. Also, this closes the bug,
when role fails due to fact being undefined,
since setting fact was not covered by the tag.

Change-Id: I533070196dda5387a910f613cdd037fa36880cdb
2023-09-28 09:32:40 +00:00
Christian Rohmann 04a8f8532a Enable stats to use dedicated server certificate and allow for client cert auth
Some environments use a dedicated PKI for monitoring and metric collection.
This change allows to configure the serving certificate for stats independently
by setting `haproxy_stats_ssl_cert_path`, the default is to use the same cert.

Also client certificate authentication for stats can now be enabled by defining
a CA cert via `haproxy_stats_ssl_client_cert_ca`.

Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
2023-09-28 09:32:22 +00:00
Dmitriy Rabotyagov 75092ec0a4 Add tags to PKI include
When rotating certificates for HAProxy it's quite neat to have
tags that will allow to run specifically certificate rotation without
any extra steps.

Change-Id: If1b6d6e46a4b2941198b0f57c858d415fbbdc8d1
2023-09-28 09:31:55 +00:00
Jonathan Rosser 90035459d0 Use netcat-openbsd on debian bookworm
The 'netcat' package is no longer installable directly.

    Package netcat is a virtual package provided by:
      netcat-openbsd 1.219-1
      netcat-traditional 1.10-47
    You should explicitly select one to install.
    E: Package 'netcat' has no installation candidate

Change-Id: Ic708a7fd2223d1ba40ccacbd2b6863187fad0da9
2023-09-28 09:31:33 +00:00
Dmitriy Rabotyagov cb4eb8b327 Fix example playbook linters
Change-Id: I7647f067ba33fb0329f6e5e7d40b641fd45cb062
2023-09-27 10:13:11 +02:00
Zuul 9cf2985ca5 Merge "Do not use notify inside handlers" 2023-08-31 10:03:02 +00:00
Zuul b2ea96d50c Merge "Fix linters issue and metadata" 2023-08-31 09:53:51 +00:00
Dmitriy Rabotyagov 67e19ebccd Add HTTP/2 support for frontends/backends
This patch implements extra variables/keys that can be used to
enable HTTP/2 protocol for frontends and backends.

With that patch does not add HTTP/2 support for any redirect frontends
since they can not be configured to use TLS and this it will
cause such redirect backends to be HTTP/2 only, which might break old
clients.

With that regular frontends, that are not terminating TLS can be
configured to be HTTP/2 only as well as TCP backends.

Change-Id: Ib14f031f3c61f31bf7aaf345a3ba635ca5fb9ff8
2023-08-23 13:24:43 +00:00
Dmitriy Rabotyagov b6e04fea1f Do not use notify inside handlers
Since latest ansible handlers are not triggered inside the same
handlers flush, which means that triggering mysql restart
the way we did does not work anymore. So instead of
notifying inside handlers, we add listen key to tasks
that are triggered by these newly produced notifications.

This could be due to the bug [1], but ansible-core version that has
backport included still shows inconsistent behaviour

[1] https://github.com/ansible/ansible/issues/80880

Change-Id: I0d97e0b90a8d18a7b69e880e4effa851238d51d1
2023-08-07 06:55:52 +00:00
Dmitriy Rabotyagov c0da2e5095 Fix linters issue and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
2023-08-07 06:55:22 +00:00
Andrew Bonney 97390e88e0 Correct default Content-Type for security.txt
The security.txt RFC specifies a Content-Type of text/plain and
charset of utf-8 [1]. This adjusts the defaults so line breaks are
rendered correctly in a browser.

[1] https://datatracker.ietf.org/doc/html/rfc9116#section-3

Change-Id: I39c2dab5108a815ef966bab0d708d6300eb1a4d1
2023-07-28 14:09:02 +01:00
Zuul b81dec169b Merge "Fix generating certificate SANs" 2023-07-19 08:41:49 +00:00
Zuul 2a60a55cee Merge "Add possibility to override haproxy_ssl_path" 2023-07-19 08:34:17 +00:00
Marc Gariepy 1d83177575 Add possibility to override haproxy_ssl_path
It's now possible to set ssl cert path in case you want to bind to
specific hostname via ``haproxy_bind`` and want to share a common
certificate. set ``haproxy_ssl_path`` to override per service.

Change-Id: Ib517f52c0edbc4ac8d0df2a2ae078c9138141aae
2023-07-13 15:10:46 -04:00
Marc Gariepy 4513bc84ae Add ability to have different backend port.
Add the possibility to have multiple backend services running on
differents ports.

Change-Id: I1748bfc15bdf879f78aa06c385af7b6c45bde7ff
2023-07-13 13:18:19 -04:00
Danila Balagansky 3c5d984f27 Fix generating certificate SANs
With `haproxy_bind_*_lb_vip_address` set, use `*_lb_vip_address` for SAN
instead.

Change-Id: I33fc820be583bfaf7f9bee5233f0e0b99805144a
2023-07-07 11:08:45 +03:00
Danila Balagansky 848e316ef5 Fix `regen pem` with `extra_lb_tls_vip_addresses`
`extra_lb_tls_vip_addresses` is list of additional internal VIP
addresses, which gets parsed into `haproxy_tls_vip_binds` without
`interface` attribute.

Change-Id: I184021b65d6f3f28526c9fa09bea90a2baef77b2
2023-07-04 11:24:37 +03:00
Damian Dabrowski c1be49a95c Fix service-redirect.j2 template
This change fixes service-redirect.j2 template that was not working so
far, mainly by replacing:
- 'vip_bind' with 'vip_addres'
- 'item' with 'service'

Additionally, I removed `haproxy_tcp_upgrade_backend` support because
it's not really needed after haproxy separated service config was
implemented.

I also changed variable name `haproxy_tcp_upgrade_frontend` to
`haproxy_accept_both_protocols` to better describe what exactly it does.
Release note is not needed as ``haproxy_tcp_upgrade_frontend` was not
working properly before.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/884445

Change-Id: Iba9156c5b909f7b18599638db4471bab12794f0e
2023-05-26 00:37:21 +02:00
Zuul d721633081 Merge "Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined" 2023-05-19 21:01:15 +00:00
Damian Dabrowski 8168af6635 Deprecate certbot-auto
Certbot-auto is deprecated since 2020[1] and it is no longer available
under https://dl.eff.org/certbot-auto.
This change removes certbot-auto from haproxy_server role leaving
distro method as the only available option.

[1] https://community.letsencrypt.org/t/certbot-auto-deprecated-explanation-and-solutions/139821

Change-Id: Ibe0f13fc7308359d337fb382cb72998befb90d84
2023-04-26 16:47:58 +02:00
Damian Dabrowski 7f76625f9d Define blank _haproxy_service_configs_simplified
With current behavior, when haproxy role is imported multiple times in
the same playbook(by setup-openstack.yml as an example), variable
`_haproxy_service_configs_simplified` never gets purged so ansible just
keeps appending services this list.

To avoid this situation, `_haproxy_service_configs_simplified` has to be
explicitly defined as a blank list at the begining.

Change-Id: If62ec18842609957f09e0161a524fea88910ce9e
2023-04-18 22:17:16 +02:00
Damian Dabrowski 0f7b091244 Allow haproxy role to create security.txt file
This patch allows haproxy role to create security.txt file.

Change-Id: Ided790a5a89a2298b3b758d4484b25091b92945b
2023-04-12 20:38:15 +02:00
Zuul 0dd2a4dc8c Merge "Fix haproxy_service_configs format conversion" 2023-04-05 23:19:51 +00:00
Zuul 35e45a66b1 Merge "Provide custom handler name to PKI role" 2023-04-05 23:19:49 +00:00
Zuul 3125313653 Merge "Add tasks to configure external services only" 2023-04-04 17:07:10 +00:00
Damian Dabrowski e6f7f2ce0c Fix haproxy_service_configs format conversion
In [1] new, simplified haproxy_service_configs format was introduced.
Temporary conversion from old vormat was added but it doesn't cover map files.

This change adds format conversion also for map files feature.

[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/871188

Change-Id: If9c57bb61d3ae8d50f69780fe54a26ac0d67656a
2023-04-04 13:57:13 +00:00
Jonathan Rosser 79bef8773a Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined
For certificates from widely trusted CA there is no need to provide
a specific CA file for an ssl backend, but the code fails with
undefined variable if only haproxy_backend_ssl is enabled.

A workaround is to set `haproxy_backend_ca: false` but this patch
allows haproxy_backend_ssl to be used on it's own.

Change-Id: I7c87317433acb4ed73070a2252240737b22dccfc
2023-04-04 13:56:46 +01:00
Dmitriy Rabotyagov 47515d4b7c Provide custom handler name to PKI role
At the moment PKI and haproxy do listen for the same notify, which results in
haproxy trying to generate certs in inappropriate places. This patch starts
leveraging `pki_handler_cert_installed` variable that enables us to trigger
haproxy certificate assemble only when required and expected.


Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/875757
Change-Id: I66f648e5c3104f71d6601a493b09f8cdcc3332fc
2023-04-04 09:27:37 +00:00
Dmitriy Rabotyagov 2476ad1c53 Add tasks to configure external services only
This change allows specific playbooks to configure their haproxy
service(s) separately by running the role and using tasks_from to
execute just the service template installation code path.

Change-Id: I88ce0eb92784b3d3a0d1a952e95a8eb1fa376e77
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
2023-03-21 17:31:20 +01:00
Damian Dabrowski a5f285c51e Simplify haproxy_service_configs structure
For historical reasons the ``haproxy_service_configs`` variable was
a list of nested mappings with only single valid key for the top
level mapping.

There have been no use-cases for extra keys, so this patch simplifies
the code by removing one level of nesting.

Change-Id: I50c17b7020a459ab8a88b004cc8828cac857f1c9
2023-03-16 14:19:22 +01:00
Jonathan Rosser d548b7e5ff Add support for haproxy map files
HAProxy supports the use of map files for selecting backends, or
a number of other functions. See [1] and [2].

This patch adds the key `maps` for each service definition allowing
fragments of a complete map to be defined across all the services,
with each service contributing some elements to the overall map file.

The service enabled/disabled and state flags are observed to add and
remove entries from the map file, and individual map entries can also
be marked as present/absent to make inclusion conditional.

[1] https://www.haproxy.com/blog/introduction-to-haproxy-maps/
[2] https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/

Change-Id: I755c18a4d33ee69c42d68a50daa63614a2b2feb7
2023-03-16 13:17:39 +01:00
Zuul 56fef3de83 Merge "Allow default_backend to be specified" 2023-03-15 18:07:58 +00:00
Zuul 0c69464fa1 Merge "Serialise initial issuing of LetsEncrypt certificates" 2023-03-07 18:12:25 +00:00
Zuul 23b18f89da Merge "Fix tags usage for letsencrypt setup" 2023-03-07 17:40:42 +00:00
Jonathan Rosser 42d80464af Allow default_backend to be specified
Currently default_backend for a service is always set to the
haproxy_service_name for a service, but this might not be what is
required for some configurations.

This patch allows haproxy_default_backend to be configured for
a service to customise the default_backend setting.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/876436
Change-Id: I9e2be37cb27a33350577a93f23b69e560493b320
2023-03-06 11:56:51 +00:00
Zuul 044d65e9bb Merge "Accept both HTTP and HTTPS also for external VIP during upgrade" 2023-03-01 00:27:41 +00:00
Jonathan Rosser 34f153b139 Serialise initial issuing of LetsEncrypt certificates
Currently the role will run against all target hosts, and it is
possible that the calling playbook runs with a serial: setting
to control how many hosts are targetted simultaneously.

However, this is not sufficient to guarantee that each potential
haproxy server requests a LetsEncrypt certificate sequentially.
It is only possible for the loadbalancer to direct the challenge
from the ACME server to one certbot instance at a time, so this
patch enforces serialisation of the initial certificate generation
regardless of the number of target hosts and setting of serial:
outside this role.

Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
2023-02-28 18:40:01 +00:00