Merge "Allow haproxy to bind on the interface"
This commit is contained in:
commit
a502817a89
|
@ -237,6 +237,19 @@ haproxy_bind_external_lb_vip_address: "{{ external_lb_vip_address }}"
|
|||
# Option to override which address haproxy binds to for internal vip.
|
||||
haproxy_bind_internal_lb_vip_address: "{{ internal_lb_vip_address }}"
|
||||
|
||||
# Option to define if you need haproxy to bind on specific interface.
|
||||
haproxy_bind_external_lb_vip_interface:
|
||||
haproxy_bind_internal_lb_vip_interface:
|
||||
|
||||
# Option to override haproxy frontend binds
|
||||
# Example:
|
||||
# haproxy_tls_vip_binds:
|
||||
# - address: '*'
|
||||
# interface: bond0
|
||||
# - address: '192.168.0.10'
|
||||
|
||||
haproxy_tls_vip_binds: "{{ _haproxy_tls_vip_binds }}"
|
||||
|
||||
# Make the log socket available to the chrooted filesystem
|
||||
haproxy_log_socket: "/dev/log"
|
||||
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"
|
||||
|
|
|
@ -17,9 +17,10 @@
|
|||
shell: >
|
||||
cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path ~ '-ca.crt' }} && echo {{ item_base_path ~ '-ca.crt' }}) {{ item_base_path ~ '.key' }} > {{ item_base_path ~ '.pem' }}
|
||||
notify: Reload haproxy
|
||||
with_items: "{{ _haproxy_tls_vip_binds }}"
|
||||
vars:
|
||||
item_base_path: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item }}"
|
||||
item_name: "{{ ('interface' in item and item['interface'] is truthy) | ternary(item['address'] ~ '-' ~ item['interface'], item['address']) }}"
|
||||
item_base_path: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item_name }}"
|
||||
with_items: "{{ haproxy_tls_vip_binds }}"
|
||||
listen:
|
||||
- cert installed
|
||||
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
|
||||
features:
|
||||
- |
|
||||
Added variables ``haproxy_bind_external_lb_vip_interface`` and
|
||||
``haproxy_bind_internal_lb_vip_interface`` that allows deployer to bind
|
||||
haproxy on the specific interface only.
|
||||
- |
|
||||
Added variable ``haproxy_tls_vip_binds`` that allows to fully override
|
||||
haproxy bindings, that are generated by the role if some assumptions are
|
||||
not valid for some scenarios. It is list of mappings, that include address
|
||||
and interface. Interface key is optional and can be ommited.
|
|
@ -15,16 +15,23 @@
|
|||
{% if item.service.haproxy_bind is defined %}
|
||||
{% set vip_binds = item.service.haproxy_bind %}
|
||||
{% else %}
|
||||
{% set vip_binds = _haproxy_tls_vip_binds + extra_lb_vip_addresses %}
|
||||
{% set vip_binds = haproxy_tls_vip_binds + extra_lb_vip_addresses %}
|
||||
{% endif %}
|
||||
|
||||
{% if not item.service.haproxy_backend_only | default(false) %}
|
||||
{% for vip_bind in vip_binds %}
|
||||
{% if vip_bind is not string and vip_bind is mapping %}
|
||||
{% set vip_address = vip_bind['address'] %}
|
||||
{% set vip_interface = vip_bind['interface'] %}
|
||||
{% else %}
|
||||
{% set vip_address = vip_bind %}
|
||||
{% set vip_interface = '' %}
|
||||
{% endif %}
|
||||
{% if item.service.haproxy_redirect_http_port is defined and item.service.haproxy_ssl %}
|
||||
{% if (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
|
||||
|
||||
frontend {{ item.service.haproxy_service_name }}-redirect-front-{{ loop.index }}
|
||||
bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
|
||||
bind {{ vip_address }}:{{ item.service.haproxy_redirect_http_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
|
||||
mode http
|
||||
redirect scheme {{ item.service.haproxy_redirect_scheme | default('https if !{ ssl_fc }') }}
|
||||
{% if item.service.haproxy_frontend_acls is defined %}
|
||||
|
@ -38,11 +45,11 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
|
|||
|
||||
{# TODO: remove if and section inside if after HTTPS upgrade #}
|
||||
{# During an upgrade of internal frontends from HTTP to HTTPS, need to accept both HTTP and HTTPS until client config has been changed #}
|
||||
{% if (item.service.haproxy_tcp_upgrade_frontend | default(false)) and not (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses) and (item.service.haproxy_ssl_all_vips | default(false)) %}
|
||||
{% if (item.service.haproxy_tcp_upgrade_frontend | default(false)) and not (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses) and (item.service.haproxy_ssl_all_vips | default(false)) %}
|
||||
{% include 'service-redirect.j2' %}
|
||||
{% else %}
|
||||
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
|
||||
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem {% endif %}
|
||||
bind {{ vip_address }}:{{ item.service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ (vip_interface is truthy) | ternary(vip_address ~ '-' ~ vip_interface, vip_address) }}.pem {% endif %}
|
||||
|
||||
{% if request_option == "http" %}
|
||||
option httplog
|
||||
|
@ -69,7 +76,7 @@ frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
|
||||
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}
|
||||
http-request add-header X-Forwarded-Proto https
|
||||
{% endif %}
|
||||
mode {{ item.service.haproxy_balance_type }}
|
||||
|
|
|
@ -14,24 +14,24 @@
|
|||
# limitations under the License.
|
||||
|
||||
_haproxy_tls_vip_binds: |
|
||||
{% set vip_binds = [haproxy_bind_external_lb_vip_address] %}
|
||||
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address %}
|
||||
{% set _ = vip_binds.append(haproxy_bind_internal_lb_vip_address) %}
|
||||
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %}
|
||||
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
|
||||
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %}
|
||||
{% endif %}
|
||||
{% for vip_address in extra_lb_tls_vip_addresses %}
|
||||
{% set _ = vip_binds.append(vip_address) %}
|
||||
{% set _ = vip_binds.append({'address': vip_address}) %}
|
||||
{% endfor %}
|
||||
{{ vip_binds }}
|
||||
|
||||
_haproxy_pki_certificates: |
|
||||
{% set _pki_certs = [] %}
|
||||
{% for vip in _haproxy_tls_vip_binds %}
|
||||
{% for vip in haproxy_tls_vip_binds %}
|
||||
{% set _ = _pki_certs.append(
|
||||
{
|
||||
'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip,
|
||||
'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ ('interface' in vip and vip['interface'] is truthy) | ternary(vip['address'] ~ '-' ~ vip['interface'], vip['address']),
|
||||
'provider': 'ownca',
|
||||
'cn': ansible_facts['hostname'],
|
||||
'san': 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip,
|
||||
'san': 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'],
|
||||
'signed_by': haproxy_pki_intermediate_cert_name,
|
||||
}
|
||||
) %}
|
||||
|
@ -40,8 +40,8 @@ _haproxy_pki_certificates: |
|
|||
|
||||
_haproxy_pki_install_certificates: |
|
||||
{% set _pki_install = [] %}
|
||||
{% for vip in _haproxy_tls_vip_binds %}
|
||||
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ vip %}
|
||||
{% for vip in haproxy_tls_vip_binds %}
|
||||
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ ('interface' in vip and vip['interface'] is truthy) | ternary(vip['address'] ~ '-' ~ vip['interface'], vip['address']) %}
|
||||
{% set _ = _pki_install.append(
|
||||
{
|
||||
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),
|
||||
|
|
Loading…
Reference in New Issue