Commit Graph

167 Commits

Author SHA1 Message Date
Zuul 13c053dff9 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 5da44774b313f36ead63477717d54b6c37c0c23c
  - Merge "Do not resolve all host_vars when haproxy_backend_node is a mapping"
  - Do not resolve all host_vars when haproxy_backend_node is a mapping
    
    We do allow to supply haproxy_backend_nodes as list of mappings rather
    than the regular list, which supports `ip_addr`, `name` and `backend_port` keys.
    
    However, we do verify hostvars[host_name] and try to set ip_addr regardless
    of whether this is needed or not.
    
    During hostvars[host_name] request Ansible tries to fetch all host variables
    and resolve some of them, which is not always possible or preferred
    in some scenarios.
    Good example of that would be Mozilla SOPS [1] encrypted variables for
    specific host or group, which can not be decrypted by some operators.
    In the meanwhile they can be eligible to configure haproxy frontend/backend
    for this service. So we should have a way to avoid asking for specific
    hostvars when it's not needed, and backend_nodes already contain
    all required information.
    
    [1] https://docs.ansible.com/ansible/latest/collections/community/sops/docsite/guide.html
    
    Change-Id: I17a7f2421cd31b37bbda4f9c85971b1825e54891
2024-03-23 13:05:43 +00:00
Zuul 3d51d5bb60 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 16d0395831a121215e9ef0dc714bcc07f938b0f2
  - Merge "Improve Jinja indentation for service templates"
  - Improve Jinja indentation for service templates
    
    At the moment service templates are hardly readable, partially due to
    complex logic, but inconsistent presence of indentation makes things
    way worse, as there's no way to know if you're under some cycle
    or condition for sure.
    
    This patch aims to make indents correct which should improve template
    readability overall.
    
    Change-Id: Ie60ca87c044281104fbc8334d7254ac351d3d912
2024-03-22 15:00:58 +00:00
OpenStack Release Bot 85db9db093 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 3376636f4514896cfac53cffbf8b58853043ed5c
  - reno: Update master for unmaintained/victoria
    
    Update the victoria release notes configuration to build from
    unmaintained/victoria.
    
    Change-Id: I8420d1a72ebc16cc943c5f9aa683188e44460c83
2024-03-19 16:00:38 +00:00
Dmitriy Rabotyagov 6f6abe8b76 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to ed981ce09ad7ea5dd82c7b620abe9ecce2c1d797
  - Use correct permissions for haproxy log mount
    
    With [1] a regression was introduced, where incorrect permissions were
    applied to a bind mount corrupting access to /dev/log globally on hosts
    where haproxy was running.
    
    Default permissions are 0666 for /dev/log when it's managed by journald.
    
    [1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
    Closes-Bug: #2055178
    
    Change-Id: Ib8b9e4dea0ecd5d35f0e872dfaa0f2ec837a98f8
2024-03-06 18:06:21 +00:00
Dmitriy Rabotyagov b238ea77f5 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 16ab20815f449703a94923a8613bf3577bef2833
  - Add httpchk option when httpcheck_options are defined
    
    In order for http-check to work, option httpchk must be loaded first. Otherwise
    regular L4 check will be issued and all `http-check` will be simply ignored.
    
    Closes-Bug: #2046223
    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/903488
    Change-Id: Ie9ed322ab9c4a04d42cab4456567ac5d1f5c966b
2023-12-13 05:20:31 +00:00
Dmitriy Rabotyagov 3e5145e1a8 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 2cc2fceaf6369ccbdda048d8e26a276e90f818a1
  - Fix haproxy_stats SSL path definition
    
    Neither `vip_interface` nor `vip_address` are defined or available in
    the context they're being used.
    Thus we need to refer to available variables in order to render base config
    properly
    
    Current version fails with "AnsibleUndefinedVariable: 'vip_interface' is undefined"
    on "Drop base haproxy config" task.
    
    This fixes the issue that was introduced with [1] and backported back to Zed
    
    [1] https://review.opendev.org/q/Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
    
    Change-Id: I4e52378d8c5b3eaa6863ecaf0d04554d082e3dc0
2023-12-04 12:24:44 +00:00
Zuul d5d328c889 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to c321f39fc3cc2fc4bead0e5520cdc73acbc2e67c
  - Merge "Enable stats to use dedicated server certificate and allow for client cert auth"
  - Enable stats to use dedicated server certificate and allow for client cert auth
    
    Some environments use a dedicated PKI for monitoring and metric collection.
    This change allows to configure the serving certificate for stats independently
    by setting `haproxy_stats_ssl_cert_path`, the default is to use the same cert.
    
    Also client certificate authentication for stats can now be enabled by defining
    a CA cert via `haproxy_stats_ssl_client_cert_ca`.
    
    Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
2023-10-17 04:39:06 +00:00
Zuul e4f41b955f Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 07a55456938fe86f44005e032d42cfec9f4cedfc
  - Merge "Add tags to PKI include"
  - Add tags to PKI include
    
    When rotating certificates for HAProxy it's quite neat to have
    tags that will allow to run specifically certificate rotation without
    any extra steps.
    
    Change-Id: If1b6d6e46a4b2941198b0f57c858d415fbbdc8d1
2023-10-09 13:24:30 +00:00
Zuul d62703acf0 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 9e122c2185d5f8c7f57ddff7b15b0b9f2aad1b2a
  - Merge "Apply haproxy-service-config tag on include"
  - Apply haproxy-service-config tag on include
    
    Rather than applying tag for each task inside the haproxy_service_config
    file, it's better to apply it to include. Also, this closes the bug,
    when role fails due to fact being undefined,
    since setting fact was not covered by the tag.
    
    Change-Id: I533070196dda5387a910f613cdd037fa36880cdb
2023-10-09 13:18:32 +00:00
Zuul 3ce06cc29e Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 6eef4453eafe26631850c8b24aafd10244b4f87c
  - Merge "Use netcat-openbsd on debian bookworm"
  - Use netcat-openbsd on debian bookworm
    
    The 'netcat' package is no longer installable directly.
    
        Package netcat is a virtual package provided by:
          netcat-openbsd 1.219-1
          netcat-traditional 1.10-47
        You should explicitly select one to install.
        E: Package 'netcat' has no installation candidate
    
    Change-Id: Ic708a7fd2223d1ba40ccacbd2b6863187fad0da9
2023-10-08 01:51:01 +00:00
Dmitriy Rabotyagov 6c2a9b3f3e Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 2d8fd9bfef2d7da9c6fd75a55e9ebcb4ad8113b8
  - [doc] Document usage of binding to interface
    
    Change-Id: Iba1f4a284beaba8d2d7f020ca7ad2d78d6360161
2023-10-05 14:09:27 +00:00
Dmitriy Rabotyagov ff2fe6943a Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to cb4eb8b327fcff38fd4d07f2f387f5f25371559f
  - Fix example playbook linters
    
    Change-Id: I7647f067ba33fb0329f6e5e7d40b641fd45cb062
2023-10-05 14:09:25 +00:00
Zuul 87d190dac3 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 9cf2985ca50bd8ea537f0af200a17049d206a001
  - Merge "Do not use notify inside handlers"
  - Do not use notify inside handlers
    
    Since latest ansible handlers are not triggered inside the same
    handlers flush, which means that triggering mysql restart
    the way we did does not work anymore. So instead of
    notifying inside handlers, we add listen key to tasks
    that are triggered by these newly produced notifications.
    
    This could be due to the bug [1], but ansible-core version that has
    backport included still shows inconsistent behaviour
    
    [1] https://github.com/ansible/ansible/issues/80880
    
    Change-Id: I0d97e0b90a8d18a7b69e880e4effa851238d51d1
2023-08-31 10:03:02 +00:00
Zuul 632aafad2d Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to b2ea96d50c24bae44658de2de4a40c59179918e7
  - Merge "Fix linters issue and metadata"
  - Fix linters issue and metadata
    
    With update of ansible-lint to version >=6.0.0 a lot of new
    linters were added, that are enabled by default. In order to comply
    with linter rules we're applying changes to the role.
    
    With that we also update metadata to reflect current state.
    
    Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
2023-08-31 09:53:52 +00:00
Dmitriy Rabotyagov 3d0fd21c18 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 67e19ebccd67d582e8770b1608307430d1ce5570
  - Add HTTP/2 support for frontends/backends
    
    This patch implements extra variables/keys that can be used to
    enable HTTP/2 protocol for frontends and backends.
    
    With that patch does not add HTTP/2 support for any redirect frontends
    since they can not be configured to use TLS and thus it will
    cause such redirect backends to be HTTP/2 only, which might break old
    clients.
    
    With that regular frontends, that are not terminating TLS can be
    configured to be HTTP/2 only as well as TCP backends.
    
    Change-Id: Ib14f031f3c61f31bf7aaf345a3ba635ca5fb9ff8
2023-08-31 09:37:18 +00:00
Andrew Bonney 0a60d86ddb Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 97390e88e06557f3bafd68661c960ff5f94e024d
  - Correct default Content-Type for security.txt
    
    The security.txt RFC specifies a Content-Type of text/plain and
    charset of utf-8 [1]. This adjusts the defaults so line breaks are
    rendered correctly in a browser.
    
    [1] https://datatracker.ietf.org/doc/html/rfc9116#section-3
    
    Change-Id: I39c2dab5108a815ef966bab0d708d6300eb1a4d1
2023-07-28 20:26:37 +00:00
Zuul e647ac7bdc Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to b81dec169b7f8bb966c6304a25cd5b846a91093f
  - Merge "Fix generating certificate SANs"
  - Fix generating certificate SANs
    
    With `haproxy_bind_*_lb_vip_address` set, use `*_lb_vip_address` for SAN
    instead.
    
    Change-Id: I33fc820be583bfaf7f9bee5233f0e0b99805144a
2023-07-19 08:41:50 +00:00
Zuul 3c05b03a10 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 2a60a55cee852f4cfa40212f6cedd7bdb9a96f54
  - Merge "Add possibility to override haproxy_ssl_path"
  - Add possibility to override haproxy_ssl_path
    
    It's now possible to set ssl cert path in case you want to bind to
    specific hostname via ``haproxy_bind`` and want to share a common
    certificate. Set ``haproxy_ssl_path`` to override per service.
    
    Change-Id: Ib517f52c0edbc4ac8d0df2a2ae078c9138141aae
2023-07-19 08:34:18 +00:00
Marc Gariepy 08ef12b1dd Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 4513bc84ae351f0bb51b8b0106bbf2e5269f8649
  - Add ability to have different backend port.
    
    Add the possibility to have multiple backend services running on
    different ports.
    
    Change-Id: I1748bfc15bdf879f78aa06c385af7b6c45bde7ff
2023-07-18 22:18:24 +00:00
Danila Balagansky 7be01d75d3 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 848e316ef5066cc0937ec9a91e215382373ae243
  - Fix `regen pem` with `extra_lb_tls_vip_addresses`
    
    `extra_lb_tls_vip_addresses` is list of additional internal VIP
    addresses, which gets parsed into `haproxy_tls_vip_binds` without
    `interface` attribute.
    
    Change-Id: I184021b65d6f3f28526c9fa09bea90a2baef77b2
2023-07-10 20:04:11 +00:00
Damian Dabrowski 0e71d28072 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to c1be49a95c1ce4ad0122c7d97e48d8c143d10d0e
  - Fix service-redirect.j2 template
    
    This change fixes service-redirect.j2 template that was not working so
    far, mainly by replacing:
    - 'vip_bind' with 'vip_addres'
    - 'item' with 'service'
    
    Additionally, I removed `haproxy_tcp_upgrade_backend` support because
    it's not really needed after haproxy separated service config was
    implemented.
    
    I also changed variable name `haproxy_tcp_upgrade_frontend` to
    `haproxy_accept_both_protocols` to better describe what exactly it does.
    Release note is not needed as ``haproxy_tcp_upgrade_frontend`` was not
    working properly before.
    
    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/884445
    
    Change-Id: Iba9156c5b909f7b18599638db4471bab12794f0e
2023-05-28 08:53:26 +00:00
Zuul 32d7864562 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to d7216330818297734dc1bfbe2a7b130698de7022
  - Merge "Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined"
  - Fix use of haproxy_backend_ssl when haproxy_backend_ca is not defined
    
    For certificates from widely trusted CA there is no need to provide
    a specific CA file for an ssl backend, but the code fails with
    undefined variable if only haproxy_backend_ssl is enabled.
    
    A workaround is to set `haproxy_backend_ca: false` but this patch
    allows haproxy_backend_ssl to be used on its own.
    
    Change-Id: I7c87317433acb4ed73070a2252240737b22dccfc
2023-05-19 21:01:15 +00:00
Damian Dabrowski df9453198f Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 8168af663584e3487bb6ba92cc4f9f93bce18abd
  - Deprecate certbot-auto
    
    Certbot-auto is deprecated since 2020[1] and it is no longer available
    under https://dl.eff.org/certbot-auto.
    This change removes certbot-auto from haproxy_server role leaving
    distro method as the only available option.
    
    [1] https://community.letsencrypt.org/t/certbot-auto-deprecated-explanation-and-solutions/139821
    
    Change-Id: Ibe0f13fc7308359d337fb382cb72998befb90d84
2023-05-05 21:49:41 +00:00
Damian Dabrowski 667434ee84 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 7f76625f9dc61050bb97afa255c2de29e1219ab5
  - Define blank _haproxy_service_configs_simplified
    
    With current behavior, when haproxy role is imported multiple times in
    the same playbook(by setup-openstack.yml as an example), variable
    `_haproxy_service_configs_simplified` never gets purged so ansible just
    keeps appending services to this list.
    
    To avoid this situation, `_haproxy_service_configs_simplified` has to be
    explicitly defined as a blank list at the beginning.
    
    Change-Id: If62ec18842609957f09e0161a524fea88910ce9e
2023-04-21 21:44:39 +00:00
Damian Dabrowski 9be3ae2bca Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 0f7b0912440f0d24b034041f04c6c13309c4bc60
  - Allow haproxy role to create security.txt file
    
    This patch allows haproxy role to create security.txt file.
    
    Change-Id: Ided790a5a89a2298b3b758d4484b25091b92945b
2023-04-12 23:11:26 +00:00
Zuul ef4447fc1f Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 0dd2a4dc8c69a36607ee683ed37d68ce8d74fa70
  - Merge "Fix haproxy_service_configs format conversion"
  - Fix haproxy_service_configs format conversion
    
    In [1] new, simplified haproxy_service_configs format was introduced.
    Temporary conversion from old format was added but it doesn't cover map files.
    
    This change adds format conversion also for map files feature.
    
    [1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/871188
    
    Change-Id: If9c57bb61d3ae8d50f69780fe54a26ac0d67656a
2023-04-05 23:19:51 +00:00
Zuul d8623a3225 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 35e45a66b168d3311a7227705f81f5f2cd146f08
  - Merge "Provide custom handler name to PKI role"
  - Provide custom handler name to PKI role
    
    At the moment PKI and haproxy do listen for the same notify, which results in
    haproxy trying to generate certs in inappropriate places. This patch starts
    leveraging `pki_handler_cert_installed` variable that enables us to trigger
    haproxy certificate assemble only when required and expected.
    
    
    Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
    
    Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/875757
    Change-Id: I66f648e5c3104f71d6601a493b09f8cdcc3332fc
2023-04-05 23:19:50 +00:00
Zuul 286f1b3c41 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 31253136538bff91cbcee779f175044fb53f5afc
  - Merge "Add tasks to configure external services only"
  - Add tasks to configure external services only
    
    This change allows specific playbooks to configure their haproxy
    service(s) separately by running the role and using tasks_from to
    execute just the service template installation code path.
    
    Change-Id: I88ce0eb92784b3d3a0d1a952e95a8eb1fa376e77
    Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
2023-04-04 17:07:10 +00:00
Damian Dabrowski 4a24705854 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to a5f285c51eab07b70f6f709f1f93d047b09b17f6
  - Simplify haproxy_service_configs structure
    
    For historical reasons the ``haproxy_service_configs`` variable was
    a list of nested mappings with only single valid key for the top
    level mapping.
    
    There have been no use-cases for extra keys, so this patch simplifies
    the code by removing one level of nesting.
    
    Change-Id: I50c17b7020a459ab8a88b004cc8828cac857f1c9
2023-03-21 18:33:37 +00:00
Jonathan Rosser ee32ecd2e8 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to d548b7e5ff8ea377d8640fee8e4ab41cbdede2b6
  - Add support for haproxy map files
    
    HAProxy supports the use of map files for selecting backends, or
    a number of other functions. See [1] and [2].
    
    This patch adds the key `maps` for each service definition allowing
    fragments of a complete map to be defined across all the services,
    with each service contributing some elements to the overall map file.
    
    The service enabled/disabled and state flags are observed to add and
    remove entries from the map file, and individual map entries can also
    be marked as present/absent to make inclusion conditional.
    
    [1] https://www.haproxy.com/blog/introduction-to-haproxy-maps/
    [2] https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/
    
    Change-Id: I755c18a4d33ee69c42d68a50daa63614a2b2feb7
2023-03-16 16:58:01 +00:00
Zuul b149f94b6f Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 56fef3de83bded3a5539faf428b4f94cfee1b824
  - Merge "Allow default_backend to be specified"
  - Allow default_backend to be specified
    
    Currently default_backend for a service is always set to the
    haproxy_service_name for a service, but this might not be what is
    required for some configurations.
    
    This patch allows haproxy_default_backend to be configured for
    a service to customise the default_backend setting.
    
    Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/876436
    Change-Id: I9e2be37cb27a33350577a93f23b69e560493b320
2023-03-15 18:07:58 +00:00
Zuul 86d3ae32f6 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 0c69464fa1fb7c6e14bf97fe7940e5a15785061a
  - Merge "Serialise initial issuing of LetsEncrypt certificates"
  - Serialise initial issuing of LetsEncrypt certificates
    
    Currently the role will run against all target hosts, and it is
    possible that the calling playbook runs with a serial: setting
    to control how many hosts are targeted simultaneously.
    
    However, this is not sufficient to guarantee that each potential
    haproxy server requests a LetsEncrypt certificate sequentially.
    It is only possible for the loadbalancer to direct the challenge
    from the ACME server to one certbot instance at a time, so this
    patch enforces serialisation of the initial certificate generation
    regardless of the number of target hosts and setting of serial:
    outside this role.
    
    Change-Id: If8ae64bc01510d3570fa4c554463bd6121b21f86
2023-03-07 18:12:25 +00:00
Zuul fab4374f7c Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 23b18f89da818ccf4b1a0490a82571d05c852f4d
  - Merge "Fix tags usage for letsencrypt setup"
  - Fix tags usage for letsencrypt setup
    
    We haven't specified tags for let's encrypt task which resulted in task
    not being executed when using them.
    
    Change-Id: I294e962bdb796190d1e7a2555708fbfaa8384a0a
    Co-Authored-By: Damian Dąbrowski <damian@dabrowski.cloud>
2023-03-07 17:40:42 +00:00
Zuul 7d35268b34 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 044d65e9bbbde1f90d09f2dbea73061dd106253f
  - Merge "Accept both HTTP and HTTPS also for external VIP during upgrade"
  - Accept both HTTP and HTTPS also for external VIP during upgrade
    
    In change [1] we have added functionality to accept both HTTP and
    HTTPS during an upgrade.
    However it's only limited to internal VIP. I see no reason not to
    implement this also for external VIP. Some people may find it useful.
    
    [1] https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/829899
    
    Change-Id: I672016b75d4b514d87dbb47119ff549bbc4e923e
2023-03-01 00:27:42 +00:00
Zuul 6e841a51f8 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 7dea60f263413be0ef0e21340c15a697602aaa63
  - Merge "Move selinux fix to haproxy_post_install.yml"
  - Move selinux fix to haproxy_post_install.yml
    
    haproxy_service_config.yml is not a valid place for selinux fix.
    It should be moved to haproxy_post_install.yml.
    
    Change-Id: Ice55e1cd9fdbac6e564c7f084dc1a020940a0da8
2023-02-21 23:12:39 +00:00
Zuul 3df97a39db Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 8514c0d77506ebcc1344ad82e86666ce7074cdd1
  - Merge "Add a variable to allow extra raw config to be applied to all frontends"
  - Add a variable to allow extra raw config to be applied to all frontends
    
    Currently this must be configured on a per-frontend basis through
    service.haproxy_frontend_raw. This patch adds a new role default
    variable haproxy_frontend_extra_raw which will be combined with all
    per service raw config lines.
    
    Change-Id: I506d46d64df93bbb9e6d1ebfa3d3caa44c80fdd5
2023-02-21 20:18:48 +00:00
Zuul 80f157d547 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to a9aee345b88f7497f033f1142bb54743106f1374
  - Merge "Use let's encrypt standalone flag only for http-01"
  - Use let's encrypt standalone flag only for http-01
    
    In case of using dns-01 challenge deployers might want
    to avoid using standalone flag.
    
    Change-Id: I3c6cfd7779e9ec9322e655cdda5bb6866bf695ca
    Closes-Bug: #2006938
2023-02-21 20:11:10 +00:00
Jonathan Rosser 9eb2d74592 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 0d56cfe64bee51f5ec73d3a201a5b6a6f6112be3
  - Update hatop to latest release, 0.8.2
    
    Change-Id: I300206a79fcb9e809c1ae714f492583fb9d4e363
2023-02-21 19:53:31 +00:00
Andrew Bonney 63609b6954 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 445b15f9c3776d8f88102934395076f92edfdb25
  - Fix dict object key error when haproxy interfaces not defined
    
    The ternary options appear to be getting evaluated whether they
    are used or not, so item['interface'] is always accessed.
    
    This patch aims to check for the key's presence before performing
    ternary operations, or use Ansible variables to postpone evaluation
    until absolutely necessary.
    
    Change-Id: Ib1462c04d1a0820a37998f989e2ed16566f71f54
2023-01-11 20:27:43 +00:00
Dmitriy Rabotyagov 6a557da963 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to a5daa83172719631101323f5aad0eb7b6590797d
  - Update tox.ini to work with 4.0
    
    With tox release of 4.0, some parameters were deprecated and are ignored now
    which causes tox failures. One of the most spread issues we have is using
    `whitelist_externals` instead of `allowlist_externals`
    
    
    Change-Id: I73cad1846dd3fbcbf9e3317227c472d769d1e7b6
2022-12-28 09:47:15 +00:00
OpenStack Release Bot 6ad4a7fc31 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 289cfdac038efd6948ff69fcdff57df61085b29f
  - Update master for stable/zed
    
    Add file to the reno documentation build to show release notes for
    stable/zed.
    
    Use pbr instruction to increment the minor version number
    automatically so that master versions are higher than the versions on
    stable/zed.
    
    Sem-Ver: feature
    Change-Id: I819c1252ed66a169de60dcd5f8e88e4bc94c22ab
2022-12-13 13:46:22 +00:00
Zuul 6af2a3e3e9 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to fd3ba428d98e60fb29e4a311786a1a317c78abe6
  - Merge "Fix warnings in haproxy config"
  - Fix warnings in haproxy config
    
    Haproxy config check(/usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg)
    returns 3 warnings:
    
    1. keyword 'forceclose' is deprecated in favor of 'httpclose', and will
    not be supported by future versions.
    2. backend 'galera-back' : 'option tcplog' directive is ignored in
    backends.
    3. 'http-request' rules ignored for backend 'galera-back' as they
    require HTTP mode.
    
    This change fixes 1. and 2.
    Fixing 3. will be a bit more tricky as it's a part of
    `openstack_haproxy_stick_table` defined in
    /opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
    
    Change-Id: Idaa4b5580039857435f90416924dee26a702deba
2022-12-10 12:16:23 +00:00
Dmitriy Rabotyagov d157e04ff8 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 6532898a3c253a6e066618a8537b061413822940
  - Make use of haproxy_rise and haproxy_fall variables
    
    At the moment for some reason we're not taking into account default
    variables haproxy_rise/haproxy_fall but instead trying to count
    based on amount of backends. This makes quite little sense to
    depend amount of backend rechecks on amount of backends overall,
    so we're changing behaviour to pre-defined variables that already exist.
    
    Change-Id: I1e53a997f6f443718ea2c6bdfbe8a0b98c44896d
2022-12-10 04:11:14 +00:00
Zuul 248517198d Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 31e30e3fe0563f425148861750fe9e6d763e590e
  - Merge "Allow to disable SSL only for stats frontend"
  - Allow to disable SSL only for stats frontend
    
    Currently there is no way of disabling SSL connection for stats frontend
    as it implies more global variable. However, for some systems consuming
    self-signed root certificate might be not an option and disabling
    SSL verification tricky. Thus, we introduce new variable that allows to
    nicely control if SSL should be served for stats frontend or not.
    
    Change-Id: Ic4bc4393ec89469876e9e95b12bb9c4069972713
2022-10-07 09:29:58 +00:00
Dmitriy Rabotyagov 4adc9f16f4 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 9fc079a65d86ac9920ecd759eaa0f25957135855
  - Validate haproxy conf after assemble
    
    Right now we don't ensure haproxy conf validity and if it's incorrect
    role will fail on attempt to reload haproxy. However it's really worth
    adding validation step and do not proceed if configuration is wrong
    
    Change-Id: I54717d4f7230b8d8dff2d293592831cc88c51d24
2022-10-07 09:26:36 +00:00
Zuul c118db14ad Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to a502817a89db2cbc3022831dd24e2bacdee047dc
  - Merge "Allow haproxy to bind on the interface"
  - Allow haproxy to bind on the interface
    
    In some user scenarios (like implementing DNS RR) it might be useful to
    bind on 0.0.0.0 but at the same time do not conflict with other services
    that are bound to the same ports. For that, we can specify a specific
    interface, on which haproxy will be bound to 0.0.0.0.
    
    In netstat it would be represented like `0.0.0.0%br-mgmt:5000`.
    
    With that we also allow to fully override `vip_binds` if assumptions
    that role makes are not valid for some reason.
    
    Change-Id: Ic4c58ef53abc5f454b6fbebbd87292a932d173ae
2022-09-27 21:11:49 +00:00
Zuul de27dfec8d Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to d41b3bd0ebe55c96f7293eab87dd9996558e8244
  - Merge "Remove redundant vars line"
  - Remove redundant vars line
    
    This line was introduced by Ib4f33185202b694b9611cc5fd6323c30a1c8d489
    for multi-os support, but should since be covered by the
    distribution_major_version line above, introduced at a later date.
    
    Change-Id: I23a8e7aaa3858bce47dcf7610acf1ee58d9e1fc1
2022-09-20 19:11:06 +00:00
Zuul ef90c9293f Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to c1df0a5b56affe8084237d4d1202a234f4997465
  - Merge "Add variable for setting certbot `domains` option"
  - Add variable for setting certbot `domains` option
    
    Add `haproxy_ssl_letsencrypt_domains` variable, which
    contains a list (defaults to `external_lb_vip_address`)
    for `--domains` certbot option.
    
    Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
2022-09-20 16:03:26 +00:00
Zuul 7926f2079b Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 23980cfe4e7c195d65ae6cab6a0e002cb3f29045
  - Merge "Do not add cacert when it does not exist"
  - Do not add cacert when it does not exist
    
    Right now we assume, that ca-cert is always present. Though, it might
    not be the case for user-provided certs or let's encrypt, as they
    are already in ca-certificates.
    
    Change-Id: I101f82c5e378596e76a160aacb34a9e1e7e0c123
2022-08-29 23:37:04 +00:00
Andrew Bonney cd80678b64 Update git submodules
* Update openstack-ansible-haproxy_server from branch 'master'
  to 8dc0ff4e1f2f253ad5dbe01c937ea0cc30bcbbc3
  - tls1.2: update ciphers to latest recommendations
    
    Based upon usual recommendations from:
    https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    
    Change-Id: I6e549ab3ffcacebe04e188cbf34d8707fb0fe05d
2022-08-12 16:00:20 +00:00