In cases when internal and external haproxy frontends should use
different, pre-generated certificates, it's not possible to define them
with haproxy_user_ssl_cert because it accepts only one certificate.
In this case, certificates can be placed manually in the pki/ directory.
Unfortunately, with the current logic, certificate creation with the PKI role
is disabled only when haproxy_user_ssl_cert is defined.
The possibility of explicitly disabling certificate generation would be
really useful.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/915320/
Change-Id: I4eed4d797160b885d5b7187e6106e6ee0073722f
``haproxy_static_files`` can be used to copy static files to target
hosts. These files may contain sensitive content that should not be
logged.
This patch disables logging for this task.
Change-Id: I8f1c01385d7aca8f17cc3f49aafcf2b7269fa554
With [1] a regression was introduced, where incorrect permissions were
applied to a bind mount, corrupting access to /dev/log globally on hosts
where haproxy was running.
Default permissions are 0666 for /dev/log when it's managed by journald.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
Closes-Bug: #2055178
Change-Id: Ib8b9e4dea0ecd5d35f0e872dfaa0f2ec837a98f8
Rather than applying a tag to each task inside the haproxy_service_config
file, it's better to apply it to the include. Also, this closes the bug
where the role fails due to a fact being undefined,
since setting the fact was not covered by the tag.
Change-Id: I533070196dda5387a910f613cdd037fa36880cdb
When rotating certificates for HAProxy it's quite neat to have
tags that allow running specifically the certificate rotation without
any extra steps.
Change-Id: If1b6d6e46a4b2941198b0f57c858d415fbbdc8d1
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update the metadata to reflect the current state.
Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
With the current behavior, when the haproxy role is imported multiple times in
the same playbook (by setup-openstack.yml as an example), the variable
`_haproxy_service_configs_simplified` never gets purged, so ansible just
keeps appending services to this list.
To avoid this situation, `_haproxy_service_configs_simplified` has to be
explicitly defined as a blank list at the beginning.
Change-Id: If62ec18842609957f09e0161a524fea88910ce9e
In [1] a new, simplified haproxy_service_configs format was introduced.
A temporary conversion from the old format was added, but it doesn't cover map files.
This change adds format conversion for the map files feature as well.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/871188
Change-Id: If9c57bb61d3ae8d50f69780fe54a26ac0d67656a
At the moment PKI and haproxy both listen for the same notify, which results in
haproxy trying to generate certs in inappropriate places. This patch starts
leveraging the `pki_handler_cert_installed` variable, which enables us to trigger
haproxy certificate assembly only when required and expected.
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/875757
Change-Id: I66f648e5c3104f71d6601a493b09f8cdcc3332fc
This change allows specific playbooks to configure their haproxy
service(s) separately by running the role and using tasks_from to
execute just the service template installation code path.
Change-Id: I88ce0eb92784b3d3a0d1a952e95a8eb1fa376e77
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
For historical reasons the ``haproxy_service_configs`` variable was
a list of nested mappings with only a single valid key for the top-level
mapping.
There have been no use-cases for extra keys, so this patch simplifies
the code by removing one level of nesting.
Change-Id: I50c17b7020a459ab8a88b004cc8828cac857f1c9
HAProxy supports the use of map files for selecting backends, or
a number of other functions. See [1] and [2].
This patch adds the key `maps` for each service definition allowing
fragments of a complete map to be defined across all the services,
with each service contributing some elements to the overall map file.
The service enabled/disabled and state flags are observed to add and
remove entries from the map file, and individual map entries can also
be marked as present/absent to make inclusion conditional.
[1] https://www.haproxy.com/blog/introduction-to-haproxy-maps/
[2] https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/
Change-Id: I755c18a4d33ee69c42d68a50daa63614a2b2feb7
Currently the role will run against all target hosts, and it is
possible that the calling playbook runs with a serial: setting
to control how many hosts are targeted simultaneously.
However, this is not sufficient to guarantee that each potential
haproxy server requests a LetsEncrypt certificate sequentially.
It is only possible for the loadbalancer to direct the challenge
from the ACME server to one certbot instance at a time, so this
patch enforces serialisation of the initial certificate generation
regardless of the number of target hosts and the setting of serial:
outside this role.
Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
We haven't specified tags for the Let's Encrypt task, which resulted in the task
not being executed when using them.
Change-Id: I294e962bdb796190d1e7a2555708fbfaa8384a0a
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
haproxy_service_config.yml is not a valid place for the selinux fix.
It should be moved to haproxy_post_install.yml.
Change-Id: Ice55e1cd9fdbac6e564c7f084dc1a020940a0da8
In case of using the dns-01 challenge, deployers might want
to avoid using the standalone flag.
Change-Id: I3c6cfd7779e9ec9322e655cdda5bb6866bf695ca
Closes-Bug: #2006938
Add `haproxy_ssl_letsencrypt_domains` variable, which
contains a list (defaults to `external_lb_vip_address`)
for `--domains` certbot option.
Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
This line was introduced by Ib4f33185202b694b9611cc5fd6323c30a1c8d489
for multi-os support, but should since be covered by the
distribution_major_version line above, introduced at a later date.
Change-Id: I23a8e7aaa3858bce47dcf7610acf1ee58d9e1fc1
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher-priority vars file available for inclusion than the role
it calls.
Change-Id: I65564c23ff0003a575af984c709c1ae365292f35
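The two task forms described in the message above, as an added example that is not taken from the role itself: the first, loop-based form and the lookup-based replacement with an explicit `paths` parameter. The file names, the use of `distribution_major_version`, and the `params` variable name are assumptions for illustration.

```yaml
# Before: with_first_found resolves the candidate files through the
# default search path, so a vars file of the same name in a parent
# role that calls this one can be picked up instead of the role's own.
- name: Gather variables for each operating system
  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] }}.yml"
    - "{{ ansible_facts['os_family'] | lower }}.yml"

# After: the first_found lookup takes a paths parameter, pinning the
# search to this role's own vars directory.
- name: Gather variables for each operating system
  ansible.builtin.include_vars: "{{ lookup('ansible.builtin.first_found', params) }}"
  vars:
    params:
      files:
        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] }}.yml"
        - "{{ ansible_facts['os_family'] | lower }}.yml"
      paths:
        - "{{ role_path }}/vars"
```

The check a practitioner would want after such a change is to run the role from a parent role that ships a conflicting vars file (for example its own `debian.yml`) and confirm with `ansible-playbook -v` that the path reported by `include_vars` is under `role_path`.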
This could be achieved using the
haproxy_ssl_letsencrypt_setup_extra_params variable, but this
makes it a bit neater.
Change-Id: Iee2d5a10e1762b23fcb3f3140950c76a754743b7
With the release of the PKI role we broke the Let's Encrypt option because of
changing the directories where certs should be located
and not reflecting these changes for Let's Encrypt. At the same time
we should not generate a self-signed cert when the Let's Encrypt path is used.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/811742
Closes-Bug: #1938961
Change-Id: I1a6701b171782528373bc1d0a39e70e6d1ef20ab
We have introduced variables to control CA/certificate regeneration,
but never used them anywhere.
This patch fixes that, so that haproxy_pki_regen_cert and
haproxy_pki_regen_ca are respected now.
Change-Id: Id6d5395d5976ec9393a55be7fe9a946cf9ce745e
In order to remove a service, currently we need to satisfy one of the following
conditions:
- haproxy_backend_nodes and haproxy_backup_nodes are defined but empty
- haproxy_service_enabled is False
- state is absent
There's a big issue with the logic regarding haproxy_backend_nodes and
haproxy_backup_nodes, since they both should be defined and empty,
but in case haproxy_backup_nodes is not defined while haproxy_backend_nodes
is empty we should consider this as a condition for removal as well.
But this would make it too complicated.
This change suggests relying only on the haproxy_service_enabled and
state keys of haproxy_service_configs, as they are sufficient to
drop a service based on these 2 options.
Change-Id: Ib37445ad852bcbd8d44d9eda9293565a4e52262b
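The map-file behaviour described in the map files message above (fragments from several services merged into one map, with the service enabled/state flags and per-entry present/absent observed) and the removal rule from the message just above (drop a service based only on `haproxy_service_enabled` and `state`) share one piece of logic, so here is a single added example, written in Python and not taken from the role, that implements both. The input shape in the docstring is an assumption modelled loosely on `haproxy_service_configs`; the sample services, map name and backend names are constructed for illustration. It goes slightly beyond the message in two respects a practitioner would want: an `absent` entry wins regardless of the order in which services are processed, and keys or values containing whitespace are rejected, since a map file is whitespace-separated and such a token would inject extra entries.

```python
"""Assemble HAProxy map files from fragments contributed by several
service definitions.

Added example, not code from the haproxy_server role. The input shape
below is an assumption modelled loosely on haproxy_service_configs:

    {"haproxy_service_name": "keystone",
     "haproxy_service_enabled": True,      # optional, default True
     "state": "present",                   # optional, default "present"
     "maps": [{"name": "backends.map",
               "entries": [{"key": "identity.example.com",
                            "value": "keystone-back",
                            "state": "present"}]}]}   # entry state optional
"""


def service_active(service):
    """A service contributes map entries only while enabled and present."""
    return (service.get("haproxy_service_enabled", True)
            and service.get("state", "present") == "present")


def _check_token(token):
    """Map files are whitespace-separated 'key value' lines, so a key or
    value containing whitespace (or a newline) would inject extra entries."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("invalid map token: %r" % token)
    return token


def assemble_maps(service_configs):
    """Merge per-service map fragments into {map_name: {key: value}}.

    - entries of disabled or absent services are dropped entirely;
    - an entry marked state: absent removes its key from the map no
      matter which service adds it or in which order;
    - two active services setting different values for one key raise
      instead of silently letting the last one win.
    """
    maps = {}
    removed = {}  # map_name -> keys explicitly marked absent
    for service in service_configs:
        if not service_active(service):
            continue
        for fragment in service.get("maps", []):
            name = fragment["name"]
            entries = maps.setdefault(name, {})
            gone = removed.setdefault(name, set())
            for entry in fragment.get("entries", []):
                key = _check_token(entry["key"])
                if entry.get("state", "present") == "absent":
                    entries.pop(key, None)
                    gone.add(key)
                    continue
                value = _check_token(entry["value"])
                if key in gone:
                    continue
                if key in entries and entries[key] != value:
                    raise ValueError("conflicting values for %s in %s: %s vs %s"
                                     % (key, name, entries[key], value))
                entries[key] = value
    return maps


def render_map(entries):
    """Render one map in the syntax HAProxy reads: one 'key value' per line."""
    lines = ["# generated from haproxy_service_configs, do not edit"]
    lines.extend("%s %s" % (key, value) for key, value in entries.items())
    return "\n".join(lines) + "\n"


# Constructed sample input: two active services, one absent service and
# one disabled service, all contributing to backends.map.
SAMPLE_SERVICES = [
    {"haproxy_service_name": "keystone",
     "maps": [{"name": "backends.map",
               "entries": [{"key": "identity.example.com", "value": "keystone-back"},
                           {"key": "legacy.example.com", "value": "keystone-back",
                            "state": "absent"}]}]},
    {"haproxy_service_name": "nova",
     "maps": [{"name": "backends.map",
               "entries": [{"key": "compute.example.com", "value": "nova-back"},
                           {"key": "legacy.example.com", "value": "nova-back"}]}]},
    {"haproxy_service_name": "retired", "state": "absent",
     "maps": [{"name": "backends.map",
               "entries": [{"key": "old.example.com", "value": "retired-back"}]}]},
    {"haproxy_service_name": "staging", "haproxy_service_enabled": False,
     "maps": [{"name": "backends.map",
               "entries": [{"key": "staging.example.com", "value": "staging-back"}]}]},
]


if __name__ == "__main__":
    for name, entries in assemble_maps(SAMPLE_SERVICES).items():
        print("==> %s" % name)
        print(render_map(entries), end="")
```

Running it prints `backends.map` with only the keystone and nova entries: `legacy.example.com` is gone although nova adds it, and the entries of the absent and disabled services never appear. Raising on conflicting values is a deliberate design choice; in a load balancer a silently overwritten backend entry routes traffic for one service's hostname to another service.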
We're providing an option to have an IP address per VIP
address. Currently it's used only for creating self-signed
SSL certificates signed with the internal CA per each VIP. With follow-up
patches that will also allow providing user certificates
per VIP, making it possible to cover internal and external
endpoints with different non-wildcard certs.
Change-Id: I0a9eb7689eb42b50daf5c94c874bb7429b271efe
The external PKI role can generate a self-signed CA and Intermediate
certificate, and then create a server certificate for haproxy if
no defaults are overridden.
The new openstack_pki_* settings allow an external self-signed CA
to be used, but still create valid haproxy server certificates from
that external CA in an openstack-ansible deployment.
The original behaviour of providing user-supplied certificates in the
haproxy_user_ssl_* variables will still work, disabling the generation
of certificates but using the external PKI role to just install the
supplied certs and keys.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/788031
Change-Id: I7482f55e991bacd9dccd2748c236dcd9d01124f3
Due to an error during the migration to journald [1], the rsyslog config
remained intact, which caused logs from journald to be copied to a
regular logfile without proper logrotate.
Now we're fixing this and dropping the rsyslog config as well.
This will only affect people who are upgrading their environments since
Stein.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/672039/4/tasks/haproxy_post_install.yml#b38
Change-Id: I01689bbb3f331b4d8d4afe9d096a4213072ad7c0
All references to Gentoo, SUSE, Debian stretch and CentOS 7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS-specific variables files are generalised where possible.
Change-Id: If9dfa6aaa1e90856c6a4c074fd33b8e49b57a5fc
This replaces includes with imports where applicable and fixes
tags usage for the includes that need to be left.
Change-Id: Id7284431e9f97e5b4939472e0a07d573186440a6
There's no real need to ask the user to manually provide the http-01 port and
address when we already have corresponding variables we rely on.
Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354
The certbot pre-hook is not used during initial setup of the cert,
only during renewal. This means that the same race condition exists
at initial configuration as at renewal. This patch uses the same
approach as used in the renewal pre-hook and applies it during
initialisation of certbot. This fixes race condition related failures
during initial provisioning of haproxy+letsencrypt.
Change-Id: Ica5ed5de24e3eb2fb5a743bb877d113ed0bb8a43
If this role is used outside the context of openstack-ansible then the
self-signed certificate distribution tasks will fail if the haproxy_all
group is not defined, even if self-signed certificates are not being used.
Change-Id: Iebc4a293fa8e3566bc910de305e6519a25f2884f
We use the built-in python3 http server to bring up a temporary backend
on the node which wants to renew a certificate. The timeout is set so that
the haproxy health check has noticed the backend come up before certbot
runs.
There is otherwise a race condition between the haproxy health check and
the certbot challenge request arriving at the acme-challenge endpoint.
Change-Id: I2f5f9457c43c68f2881bf9d44f43434ca7b43859
This patch changes the logic for generating a self-signed certificate to
also run when letsencrypt is being used. This temporary self-signed cert
is generated before haproxy is restarted with its full configuration, and
before certbot has been run to generate the initial LE cert.
This is necessary because haproxy will not start correctly if it is
configured to use an SSL certificate but none is present. This would
be the case with the previous code before certbot has run for the first
time.
This patch also removes the task which stops haproxy before running certbot.
It is no longer necessary to do this as haproxy is able to start correctly
using the initial self-signed cert.
Change-Id: I6591243737b3a1bb369393439e1c44929f2f945b