* Update openstack-ansible-haproxy_server from branch 'master'
to 5da44774b313f36ead63477717d54b6c37c0c23c
- Merge "Do not resolve all host_vars when haproxy_backend_node is a mapping"
- Do not resolve all host_vars when haproxy_backend_node is a mapping
We do allow to supply haproxy_backend_nodes as list of mappings rather
than the regular list, which supports `ip_addr`, `name` and `backend_port` keys.
However, we do verify hostvars[host_name] and try to set ip_addr regardless
of whether this is needed or not.
During hostvars[host_name] request Ansible tries to fetch all host variables
and resolve some of them, which is not always possible or preferred
in some scenarios.
Good example of that would be Mozilla SOPS [1] encrypted variables for
specific host or group, which can not be decrypted by some operators.
In the meanwhile they can be eligible to configure haproxy frontend/backend
for this service. So we should have a way to avoid asking for specific
hostvars when it's not needed, and backend_nodes already contain
all required information.
[1] https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html
Change-Id: I17a7f2421cd31b37bbda4f9c85971b1825e54891
* Update openstack-ansible-haproxy_server from branch 'master'
to 16d0395831a121215e9ef0dc714bcc07f938b0f2
- Merge "Improve Jinja indentation for service templates"
- Improve Jinja indentation for service templates
At the moment service templates are hardly readable, partially due to
complex logic, but inconsistent presence of indentation makes things
way worse, as there's no way to know if you're under some cycle
or condition for sure.
This patch aims to make indents correct which should improve template
readability overall.
Change-Id: Ie60ca87c044281104fbc8334d7254ac351d3d912
* Update openstack-ansible-haproxy_server from branch 'master'
to 3376636f4514896cfac53cffbf8b58853043ed5c
- reno: Update master for unmaintained/victoria
Update the victoria release notes configuration to build from
unmaintained/victoria.
Change-Id: I8420d1a72ebc16cc943c5f9aa683188e44460c83
* Update openstack-ansible-haproxy_server from branch 'master'
to ed981ce09ad7ea5dd82c7b620abe9ecce2c1d797
- Use correct permissions for haproxy log mount
With [1] a regression was introduced, where incorrect permissions were
applied to a bind mount corrupting access to /dev/log globally on hosts
where haproxy was running.
Default permissions are 0666 for /dev/log when it's managed by journald.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
Closes-Bug: #2055178
Change-Id: Ib8b9e4dea0ecd5d35f0e872dfaa0f2ec837a98f8
* Update openstack-ansible-haproxy_server from branch 'master'
to 16ab20815f449703a94923a8613bf3577bef2833
- Add httpchk option when httpcheck_options are defined
In order for http-check to work, option httpchk must be loaded first. Otherwise
regular L4 check will be issued and all `http-check` will be simply ignored.
Closes-Bug: #2046223
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/903488
Change-Id: Ie9ed322ab9c4a04d42cab4456567ac5d1f5c966b
* Update openstack-ansible-haproxy_server from branch 'master'
to 2cc2fceaf6369ccbdda048d8e26a276e90f818a1
- Fix haproxy_stats SSL path definition
Neither `vip_interface` nor `vip_address` are defined or available in
the context they're being used.
Thus we need to refer to available variables in order to render base config
properly.
Current version fails with "AnsibleUndefinedVariable: 'vip_interface' is undefined"
on "Drop base haproxy config" task.
This fixes the issue that was introduced with [1] and backported back to Zed
[1] https://review.opendev.org/q/Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
Change-Id: I4e52378d8c5b3eaa6863ecaf0d04554d082e3dc0
* Update openstack-ansible-haproxy_server from branch 'master'
to c321f39fc3cc2fc4bead0e5520cdc73acbc2e67c
- Merge "Enable stats to use dedicated server certificate and allow for client cert auth"
- Enable stats to use dedicated server certificate and allow for client cert auth
Some environments use a dedicated PKI for monitoring and metric collection.
This change allows to configure the serving certificate for stats independently
by setting `haproxy_stats_ssl_cert_path`, the default is to use the same cert.
Also client certificate authentication for stats can now be enabled by defining
a CA cert via `haproxy_stats_ssl_client_cert_ca`.
Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
* Update openstack-ansible-haproxy_server from branch 'master'
to 07a55456938fe86f44005e032d42cfec9f4cedfc
- Merge "Add tags to PKI include"
- Add tags to PKI include
When rotating certificates for HAProxy it's quite neat to have
tags that will allow to run specifically certificate rotation without
any extra steps.
Change-Id: If1b6d6e46a4b2941198b0f57c858d415fbbdc8d1
* Update openstack-ansible-haproxy_server from branch 'master'
to 9e122c2185d5f8c7f57ddff7b15b0b9f2aad1b2a
- Merge "Apply haproxy-service-config tag on include"
- Apply haproxy-service-config tag on include
Rather than applying tag for each task inside the haproxy_service_config
file, it's better to apply it to include. Also, this closes the bug,
when role fails due to fact being undefined,
since setting fact was not covered by the tag.
Change-Id: I533070196dda5387a910f613cdd037fa36880cdb
* Update openstack-ansible-haproxy_server from branch 'master'
to 6eef4453eafe26631850c8b24aafd10244b4f87c
- Merge "Use netcat-openbsd on debian bookworm"
- Use netcat-openbsd on debian bookworm
The 'netcat' package is no longer installable directly.
Package netcat is a virtual package provided by:
netcat-openbsd 1.219-1
netcat-traditional 1.10-47
You should explicitly select one to install.
E: Package 'netcat' has no installation candidate
Change-Id: Ic708a7fd2223d1ba40ccacbd2b6863187fad0da9
* Update openstack-ansible-haproxy_server from branch 'master'
to 2d8fd9bfef2d7da9c6fd75a55e9ebcb4ad8113b8
- [doc] Document usage of binding to interface
Change-Id: Iba1f4a284beaba8d2d7f020ca7ad2d78d6360161
* Update openstack-ansible-haproxy_server from branch 'master'
to cb4eb8b327fcff38fd4d07f2f387f5f25371559f
- Fix example playbook linters
Change-Id: I7647f067ba33fb0329f6e5e7d40b641fd45cb062
* Update openstack-ansible-haproxy_server from branch 'master'
to 9cf2985ca50bd8ea537f0af200a17049d206a001
- Merge "Do not use notify inside handlers"
- Do not use notify inside handlers
Since latest ansible handlers are not triggered inside the same
handlers flush, which means that triggering mysql restart
the way we did does not work anymore. So instead of
notifying inside handlers, we add listen key to tasks
that are triggered by these newly produced notifications.
This could be due to the bug [1], but ansible-core version that has
backport included still shows inconsistent behaviour
[1] https://github.com/ansible/ansible/issues/80880
Change-Id: I0d97e0b90a8d18a7b69e880e4effa851238d51d1
* Update openstack-ansible-haproxy_server from branch 'master'
to b2ea96d50c24bae44658de2de4a40c59179918e7
- Merge "Fix linters issue and metadata"
- Fix linters issue and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
* Update openstack-ansible-haproxy_server from branch 'master'
to 67e19ebccd67d582e8770b1608307430d1ce5570
- Add HTTP/2 support for frontends/backends
This patch implements extra variables/keys that can be used to
enable HTTP/2 protocol for frontends and backends.
With that patch does not add HTTP/2 support for any redirect frontends
since they can not be configured to use TLS and thus it will
cause such redirect backends to be HTTP/2 only, which might break old
clients.
With that regular frontends, that are not terminating TLS can be
configured to be HTTP/2 only as well as TCP backends.
Change-Id: Ib14f031f3c61f31bf7aaf345a3ba635ca5fb9ff8
* Update openstack-ansible-haproxy_server from branch 'master'
to 97390e88e06557f3bafd68661c960ff5f94e024d
- Correct default Content-Type for security.txt
The security.txt RFC specifies a Content-Type of text/plain and
charset of utf-8 [1]. This adjusts the defaults so line breaks are
rendered correctly in a browser.
[1] https://datatracker.ietf.org/doc/html/rfc9116#section-3
Change-Id: I39c2dab5108a815ef966bab0d708d6300eb1a4d1
* Update openstack-ansible-haproxy_server from branch 'master'
to b81dec169b7f8bb966c6304a25cd5b846a91093f
- Merge "Fix generating certificate SANs"
- Fix generating certificate SANs
With `haproxy_bind_*_lb_vip_address` set, use `*_lb_vip_address` for SAN
instead.
Change-Id: I33fc820be583bfaf7f9bee5233f0e0b99805144a
* Update openstack-ansible-haproxy_server from branch 'master'
to 2a60a55cee852f4cfa40212f6cedd7bdb9a96f54
- Merge "Add possibility to override haproxy_ssl_path"
- Add possibility to override haproxy_ssl_path
It's now possible to set ssl cert path in case you want to bind to
specific hostname via ``haproxy_bind`` and want to share a common
certificate. Set ``haproxy_ssl_path`` to override per service.
Change-Id: Ib517f52c0edbc4ac8d0df2a2ae078c9138141aae
* Update openstack-ansible-haproxy_server from branch 'master'
to 4513bc84ae351f0bb51b8b0106bbf2e5269f8649
- Add ability to have different backend port.
Add the possibility to have multiple backend services running on
different ports.
Change-Id: I1748bfc15bdf879f78aa06c385af7b6c45bde7ff
* Update openstack-ansible-haproxy_server from branch 'master'
to 848e316ef5066cc0937ec9a91e215382373ae243
- Fix `regen pem` with `extra_lb_tls_vip_addresses`
`extra_lb_tls_vip_addresses` is list of additional internal VIP
addresses, which gets parsed into `haproxy_tls_vip_binds` without
`interface` attribute.
Change-Id: I184021b65d6f3f28526c9fa09bea90a2baef77b2
* Update openstack-ansible-haproxy_server from branch 'master'
to c1be49a95c1ce4ad0122c7d97e48d8c143d10d0e
- Fix service-redirect.j2 template
This change fixes service-redirect.j2 template that was not working so
far, mainly by replacing:
- 'vip_bind' with 'vip_addres'
- 'item' with 'service'
Additionally, I removed `haproxy_tcp_upgrade_backend` support because
it's not really needed after haproxy separated service config was
implemented.
I also changed variable name `haproxy_tcp_upgrade_frontend` to
`haproxy_accept_both_protocols` to better describe what exactly it does.
Release note is not needed as ``haproxy_tcp_upgrade_frontend`` was not
working properly before.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/884445
Change-Id: Iba9156c5b909f7b18599638db4471bab12794f0e
* Update openstack-ansible-haproxy_server from branch 'master'
to d7216330818297734dc1bfbe2a7b130698de7022
- Merge "Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined"
- Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined
For certificates from widely trusted CA there is no need to provide
a specific CA file for an ssl backend, but the code fails with
undefined variable if only haproxy_backend_ssl is enabled.
A workaround is to set `haproxy_backend_ca: false` but this patch
allows haproxy_backend_ssl to be used on its own.
Change-Id: I7c87317433acb4ed73070a2252240737b22dccfc
* Update openstack-ansible-haproxy_server from branch 'master'
to 8168af663584e3487bb6ba92cc4f9f93bce18abd
- Deprecate certbot-auto
Certbot-auto is deprecated since 2020[1] and it is no longer available
under https://dl.eff.org/certbot-auto.
This change removes certbot-auto from haproxy_server role leaving
distro method as the only available option.
[1] https://community.letsencrypt.org/t/certbot-auto-deprecated-explanation-and-solutions/139821
Change-Id: Ibe0f13fc7308359d337fb382cb72998befb90d84
* Update openstack-ansible-haproxy_server from branch 'master'
to 7f76625f9dc61050bb97afa255c2de29e1219ab5
- Define blank _haproxy_service_configs_simplified
With current behavior, when haproxy role is imported multiple times in
the same playbook (by setup-openstack.yml as an example), variable
`_haproxy_service_configs_simplified` never gets purged so ansible just
keeps appending services to this list.
To avoid this situation, `_haproxy_service_configs_simplified` has to be
explicitly defined as a blank list at the beginning.
Change-Id: If62ec18842609957f09e0161a524fea88910ce9e
* Update openstack-ansible-haproxy_server from branch 'master'
to 0f7b0912440f0d24b034041f04c6c13309c4bc60
- Allow haproxy role to create security.txt file
This patch allows haproxy role to create security.txt file.
Change-Id: Ided790a5a89a2298b3b758d4484b25091b92945b
* Update openstack-ansible-haproxy_server from branch 'master'
to 0dd2a4dc8c69a36607ee683ed37d68ce8d74fa70
- Merge "Fix haproxy_service_configs format conversion"
- Fix haproxy_service_configs format conversion
In [1] new, simplified haproxy_service_configs format was introduced.
Temporary conversion from old format was added but it doesn't cover map files.
This change adds format conversion also for map files feature.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/871188
Change-Id: If9c57bb61d3ae8d50f69780fe54a26ac0d67656a
* Update openstack-ansible-haproxy_server from branch 'master'
to 35e45a66b168d3311a7227705f81f5f2cd146f08
- Merge "Provide custom handler name to PKI role"
- Provide custom handler name to PKI role
At the moment PKI and haproxy do listen for the same notify, which results in
haproxy trying to generate certs in inappropriate places. This patch starts
leveraging `pki_handler_cert_installed` variable that enables us to trigger
haproxy certificate assemble only when required and expected.
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/875757
Change-Id: I66f648e5c3104f71d6601a493b09f8cdcc3332fc
* Update openstack-ansible-haproxy_server from branch 'master'
to 31253136538bff91cbcee779f175044fb53f5afc
- Merge "Add tasks to configure external services only"
- Add tasks to configure external services only
This change allows specific playbooks to configure their haproxy
service(s) separately by running the role and using tasks_from to
execute just the service template installation code path.
Change-Id: I88ce0eb92784b3d3a0d1a952e95a8eb1fa376e77
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
* Update openstack-ansible-haproxy_server from branch 'master'
to a5f285c51eab07b70f6f709f1f93d047b09b17f6
- Simplify haproxy_service_configs structure
For historical reasons the ``haproxy_service_configs`` variable was
a list of nested mappings with only single valid key for the top
level mapping.
There have been no use-cases for extra keys, so this patch simplifies
the code by removing one level of nesting.
Change-Id: I50c17b7020a459ab8a88b004cc8828cac857f1c9
* Update openstack-ansible-haproxy_server from branch 'master'
to d548b7e5ff8ea377d8640fee8e4ab41cbdede2b6
- Add support for haproxy map files
HAProxy supports the use of map files for selecting backends, or
a number of other functions. See [1] and [2].
This patch adds the key `maps` for each service definition allowing
fragments of a complete map to be defined across all the services,
with each service contributing some elements to the overall map file.
The service enabled/disabled and state flags are observed to add and
remove entries from the map file, and individual map entries can also
be marked as present/absent to make inclusion conditional.
[1] https://www.haproxy.com/blog/introduction-to-haproxy-maps/
[2] https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/
Change-Id: I755c18a4d33ee69c42d68a50daa63614a2b2feb7
* Update openstack-ansible-haproxy_server from branch 'master'
to 56fef3de83bded3a5539faf428b4f94cfee1b824
- Merge "Allow default_backend to be specified"
- Allow default_backend to be specified
Currently default_backend for a service is always set to the
haproxy_service_name for a service, but this might not be what is
required for some configurations.
This patch allows haproxy_default_backend to be configured for
a service to customise the default_backend setting.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/876436
Change-Id: I9e2be37cb27a33350577a93f23b69e560493b320
* Update openstack-ansible-haproxy_server from branch 'master'
to 0c69464fa1fb7c6e14bf97fe7940e5a15785061a
- Merge "Serialise initial issuing of LetsEncrypt certificates"
- Serialise initial issuing of LetsEncrypt certificates
Currently the role will run against all target hosts, and it is
possible that the calling playbook runs with a serial: setting
to control how many hosts are targeted simultaneously.
However, this is not sufficient to guarantee that each potential
haproxy server requests a LetsEncrypt certificate sequentially.
It is only possible for the loadbalancer to direct the challenge
from the ACME server to one certbot instance at a time, so this
patch enforces serialisation of the initial certificate generation
regardless of the number of target hosts and setting of serial:
outside this role.
Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
* Update openstack-ansible-haproxy_server from branch 'master'
to 23b18f89da818ccf4b1a0490a82571d05c852f4d
- Merge "Fix tags usage for letsencrypt setup"
- Fix tags usage for letsencrypt setup
We haven't specified tags for let's encrypt task which resulted in task
not being executed when using them.
Change-Id: I294e962bdb796190d1e7a2555708fbfaa8384a0a
Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
* Update openstack-ansible-haproxy_server from branch 'master'
to 044d65e9bbbde1f90d09f2dbea73061dd106253f
- Merge "Accept both HTTP and HTTPS also for external VIP during upgrade"
- Accept both HTTP and HTTPS also for external VIP during upgrade
In change [1] we have added functionality to accept both HTTP and
HTTPS during an upgrade.
However it's only limited to internal VIP. I see no reason not to
implement this also for external VIP. Some people may find it useful.
[1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/829899
Change-Id: I672016b75d4b514d87dbb47119ff549bbc4e923e
* Update openstack-ansible-haproxy_server from branch 'master'
to 7dea60f263413be0ef0e21340c15a697602aaa63
- Merge "Move selinux fix to haproxy_post_install.yml"
- Move selinux fix to haproxy_post_install.yml
haproxy_service_config.yml is not a valid place for selinux fix.
It should be moved to haproxy_post_install.yml.
Change-Id: Ice55e1cd9fdbac6e564c7f084dc1a020940a0da8
* Update openstack-ansible-haproxy_server from branch 'master'
to 8514c0d77506ebcc1344ad82e86666ce7074cdd1
- Merge "Add a variable to allow extra raw config to be applied to all frontends"
- Add a variable to allow extra raw config to be applied to all frontends
Currently this must be configured on a per-frontend basis through
service.haproxy_frontend_raw. This patch adds a new role default
variable haproxy_frontend_extra_raw which will be combined with all
per service raw config lines.
Change-Id: I506d46d64df93bbb9e6d1ebfa3d3caa44c80fdd5
* Update openstack-ansible-haproxy_server from branch 'master'
to a9aee345b88f7497f033f1142bb54743106f1374
- Merge "Use let's encrypt standalone flag only for http-01"
- Use let's encrypt standalone flag only for http-01
In case of using dns-01 challenge deployers might want
to avoid using standalone flag.
Change-Id: I3c6cfd7779e9ec9322e655cdda5bb6866bf695ca
Closes-Bug: #2006938
* Update openstack-ansible-haproxy_server from branch 'master'
to 445b15f9c3776d8f88102934395076f92edfdb25
- Fix dict object key error when haproxy interfaces not defined
The ternary options appear to be getting evaluated whether they
are used or not, so item['interface'] is always accessed.
This patch aims to check for the key's presence before performing
ternary operations, or use Ansible variables to postpone evaluation
until absolutely necessary.
Change-Id: Ib1462c04d1a0820a37998f989e2ed16566f71f54
* Update openstack-ansible-haproxy_server from branch 'master'
to a5daa83172719631101323f5aad0eb7b6590797d
- Update tox.ini to work with 4.0
With tox release of 4.0, some parameters were deprecated and are ignored now
which causes tox failures. One of the most spread issues we have is using
`whitelist_externals` instead of `allowlist_externals`
Change-Id: I73cad1846dd3fbcbf9e3317227c472d769d1e7b6
* Update openstack-ansible-haproxy_server from branch 'master'
to 289cfdac038efd6948ff69fcdff57df61085b29f
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I819c1252ed66a169de60dcd5f8e88e4bc94c22ab
* Update openstack-ansible-haproxy_server from branch 'master'
to fd3ba428d98e60fb29e4a311786a1a317c78abe6
- Merge "Fix warnings in haproxy config"
- Fix warnings in haproxy config
Haproxy config check (/usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg)
returns 3 warnings:
1. keyword 'forceclose' is deprecated in favor of 'httpclose', and will
not be supported by future versions.
2. backend 'galera-back' : 'option tcplog' directive is ignored in
backends.
3. 'http-request' rules ignored for backend 'galera-back' as they
require HTTP mode.
This change fixes 1. and 2.
Fixing 3. will be a bit more tricky as it's a part of
`openstack_haproxy_stick_table` defined in
/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
Change-Id: Idaa4b5580039857435f90416924dee26a702deba
* Update openstack-ansible-haproxy_server from branch 'master'
to 6532898a3c253a6e066618a8537b061413822940
- Make use of haproxy_rise and haproxy_fall variables
At the moment for some reason we're not taking into account default
variables haproxy_rise/haproxy_fall but instead trying to count
based on amount of backends. This makes quite little sense to
depend amount of backend rechecks on amount of backends overall,
so we're changing behaviour to pre-defined variables that already exist.
Change-Id: I1e53a997f6f443718ea2c6bdfbe8a0b98c44896d
* Update openstack-ansible-haproxy_server from branch 'master'
to 31e30e3fe0563f425148861750fe9e6d763e590e
- Merge "Allow to disable SSL only for stats frontend"
- Allow to disable SSL only for stats frontend
Currently there is no way of disabling SSL connection for stats frontend
as it implies more global variable. However, for some systems consuming
self-signed root certificate might be not an option and disabling
SSL verification tricky. Thus, we introduce new variable that allows to
nicely control if SSL should be served for stats frontend or not.
Change-Id: Ic4bc4393ec89469876e9e95b12bb9c4069972713
* Update openstack-ansible-haproxy_server from branch 'master'
to 9fc079a65d86ac9920ecd759eaa0f25957135855
- Validate haproxy conf after assemble
Right now we don't ensure haproxy conf validity and if it's incorrect
role will fail on attempt to reload haproxy. However it's really worth
adding validation step and do not proceed if configuration is wrong
Change-Id: I54717d4f7230b8d8dff2d293592831cc88c51d24
* Update openstack-ansible-haproxy_server from branch 'master'
to a502817a89db2cbc3022831dd24e2bacdee047dc
- Merge "Allow haproxy to bind on the interface"
- Allow haproxy to bind on the interface
In some user scenarios (like implementing DNS RR) it might be useful to
bind on 0.0.0.0 but at the same time do not conflict with other services
that are bound to the same ports. For that, we can specify a specific
interface, on which haproxy will be bound to 0.0.0.0.
In netstat it would be represented like `0.0.0.0%br-mgmt:5000`.
With that we also allow to fully override `vip_binds` if assumptions
that the role makes are not valid for some reason.
Change-Id: Ic4c58ef53abc5f454b6fbebbd87292a932d173ae
* Update openstack-ansible-haproxy_server from branch 'master'
to d41b3bd0ebe55c96f7293eab87dd9996558e8244
- Merge "Remove redundant vars line"
- Remove redundant vars line
This line was introduced by Ib4f33185202b694b9611cc5fd6323c30a1c8d489
for multi-os support, but should since be covered by the
distribution_major_version line above, introduced at a later date.
Change-Id: I23a8e7aaa3858bce47dcf7610acf1ee58d9e1fc1
* Update openstack-ansible-haproxy_server from branch 'master'
to c1df0a5b56affe8084237d4d1202a234f4997465
- Merge "Add variable for setting certbot `domains` option"
- Add variable for setting certbot `domains` option
Add `haproxy_ssl_letsencrypt_domains` variable, which
contains a list (defaults to `external_lb_vip_address`)
for `--domains` certbot option.
Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
* Update openstack-ansible-haproxy_server from branch 'master'
to 23980cfe4e7c195d65ae6cab6a0e002cb3f29045
- Merge "Do not add cacert when it does not exist"
- Do not add cacert when it does not exist
Right now we assume, that ca-cert is always present. Though, it might
not be the case for user-provided certs or let's encrypt, as they
are already in ca-certificates.
Change-Id: I101f82c5e378596e76a160aacb34a9e1e7e0c123
* Update openstack-ansible-haproxy_server from branch 'master'
to 8dc0ff4e1f2f253ad5dbe01c937ea0cc30bcbbc3
- tls1.2: update ciphers to latest recommendations
Based upon usual recommendations from:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Change-Id: I6e549ab3ffcacebe04e188cbf34d8707fb0fe05d