Add support for extra VIPs with TLS enabled

The existing extra_lb_vip_addresses parameter will add extra haproxy
VIPs without TLS. This patch adds a new extra_lb_tls_vip_addresses
parameter for adding VIPs with TLS enabled.

Change-Id: Ib6f38200775d31633d57a680fae475dbf7abc6c9
Magnus Bergman 2020-01-31 15:38:22 +01:00
parent 826741f1f1
commit b7834dd051
3 changed files with 18 additions and 3 deletions


@ -124,6 +124,9 @@ haproxy_maxconn: 4096
# ssl_cachesize: 20000
# ssl_lifetime: 300
# Add extra TLS VIPs to all servics
extra_lb_tls_vip_addresses: []
# Make the log socket available to the chrooted filesystem
haproxy_log_socket: "/dev/log"
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"
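Review bot: The comment above extra_lb_tls_vip_addresses misspells "services" as "servics" and does not say which certificate the extra VIPs present. Suggest fixing the spelling and noting that these binds reuse haproxy_ssl_pem and haproxy_ssl_cipher_suite, as the template change in this commit shows, so the certificate has to be valid for every address listed here.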


@ -210,14 +210,13 @@ in the Ansible inventory by manually specifying their hostnames/IP Addresses:
haproxy_port: 10001
haproxy_balance_type: http
Adding additional global VIP addresses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In some cases, you might need to add additional internal VIP addresses
to the load balancer front end. You can use the HAProxy role to add
additional VIPs to all front ends by setting them in the
``extra_lb_vip_addresses`` variable.
``extra_lb_vip_addresses`` or ``extra_lb_tls_vip_addresses`` variables.
The following example shows extra VIP addresses defined in the
``user_variables.yml`` file:
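Review bot: Missing documentation in the rewritten sentence ending "``extra_lb_vip_addresses`` or ``extra_lb_tls_vip_addresses`` variables": it presents the two variables as interchangeable and never says how they differ. Suggest adding one sentence stating that addresses in extra_lb_vip_addresses are bound without TLS and addresses in extra_lb_tls_vip_addresses are bound with TLS, so an operator choosing between them knows which one leaves the front end in plaintext.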
@ -228,6 +227,15 @@ The following example shows extra VIP addresses defined in the
- 10.0.0.10
- 192.168.0.10
The following example shows extra VIP addresses with TLS enabled
defined in the ``user_variables.yml`` file:
.. code-block:: yaml
extra_lb_tls_vip_addresses:
- 10.0.0.10
- 192.168.0.10
Adding Access Control Lists to HAProxy front end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
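Review bot: The new TLS example lists 10.0.0.10 and 192.168.0.10, the same two addresses as the non-TLS example directly above it. A reader who copies both blocks into user_variables.yml ends up with each address in both lists. Suggest using different addresses in the TLS example and stating that an address belongs in only one of the two variables.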


@ -23,6 +23,10 @@
{% endfor %}
{% endif -%}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{%- if item.service.haproxy_bind is defined %}
{% set vip_binds = item.service.haproxy_bind %}
{% endif -%}
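Review bot: Logic problem in the placement of the new loop: it appends to vip_binds just before the "haproxy_bind is defined" block, which then reassigns vip_binds to item.service.haproxy_bind. For any service that sets haproxy_bind, the addresses from extra_lb_tls_vip_addresses are discarded without any message, while the documentation says the extra VIPs are added to all front ends. Suggest either moving the append after the override or documenting that haproxy_bind takes precedence. The loop also appends without checking whether the address is already in vip_binds, so an address already present there would be bound twice.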
@ -39,7 +43,7 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
{% endif %}
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if request_option == "http" %}
option httplog
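Review bot: Logic problem in the changed bind condition: "vip_bind in extra_lb_tls_vip_addresses" sits inside the "or" group that is still ANDed with "item.service.haproxy_ssl | default(false) | bool". For a service where haproxy_ssl is false or unset, an address listed in extra_lb_tls_vip_addresses is bound on haproxy_port with no "ssl crt" options, that is, in plaintext, even though the variable name says TLS. Suggest documenting that the variable only takes effect for services with haproxy_ssl enabled, or skipping those addresses for non-TLS services so they are never exposed unencrypted. The membership test is also an exact match, so an entry in the list must be written in exactly the same form as the vip_bind value for TLS to be applied.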