Commit Graph

80 Commits

Author SHA1 Message Date
Damian Dabrowski ed8eeba8d3 Implement haproxy_pki_create_certificates variable
In cases when internal and external haproxy frontends should use
different, pre-generated certificates, it's not possible to define them
with haproxy_user_ssl_cert because it accepts only one certificate.
In this case, certificates can be placed manually in the pki/ directory.
Unfortunately, with the current logic, certificate creation with the PKI role
is disabled only when haproxy_user_ssl_cert is defined.
The possibility of explicitly disabling certificate generation would be
really useful.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/915320/
Change-Id: I4eed4d797160b885d5b7187e6106e6ee0073722f
2024-04-10 10:58:02 +00:00
Christian Rohmann 04a8f8532a Enable stats to use dedicated server certificate and allow for client cert auth
Some environments use a dedicated PKI for monitoring and metric collection.
This change allows configuring the serving certificate for stats independently
by setting `haproxy_stats_ssl_cert_path`; the default is to use the same cert.

Also, client certificate authentication for stats can now be enabled by defining
a CA cert via `haproxy_stats_ssl_client_cert_ca`.

Change-Id: Ib8be6b7fc3dada9d20905b0f07d90ddce0335605
2023-09-28 09:32:22 +00:00
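An added configuration example, written for this page rather than taken from the role's generated haproxy.cfg, showing what the two variables above amount to in HAProxy terms, together with the native Prometheus exporter from the July 2021 commit further down this log. The listener address, certificate and CRL paths, the monitoring CA and the expected client CN are all assumptions:

```haproxy
# Added example (not the role's output). Every path, address and name here
# is an assumption for illustration.
listen stats
    # Dedicated serving cert for the stats endpoint plus mandatory client
    # certificate verification against the monitoring PKI's CA and CRL.
    bind 10.0.0.10:1936 ssl crt /etc/haproxy/ssl/stats.pem ca-file /etc/haproxy/ssl/monitoring-ca.pem crl-file /etc/haproxy/ssl/monitoring.crl verify required
    mode http
    # Second layer on top of "verify required": only a client certificate
    # whose subject CN is "prometheus" may reach the page or /metrics.
    http-request deny deny_status 403 unless { ssl_c_s_dn(CN) -m str prometheus }
    # Native exporter (HAProxy >= 2.0): /metrics is served by HAProxy itself,
    # so it inherits the same client-cert requirement as the stats page.
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /
    stats refresh 30s
    # Keep basic auth as an additional factor; the client cert is the primary one.
    stats auth admin:change-me
```

With `verify required` the TLS handshake itself fails for a client that presents no certificate or one from another CA; the `ssl_c_s_dn(CN)` rule then narrows the remaining population to a single identity. Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then confirm that `openssl s_client -connect 10.0.0.10:1936 </dev/null` is rejected during the handshake while the same command with `-cert`/`-key` issued by the monitoring CA succeeds.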
Zuul b2ea96d50c Merge "Fix linters issue and metadata" 2023-08-31 09:53:51 +00:00
Dmitriy Rabotyagov 67e19ebccd Add HTTP/2 support for frontends/backends
This patch implements extra variables/keys that can be used to
enable HTTP/2 protocol for frontends and backends.

This patch does not add HTTP/2 support for any redirect frontends,
since they cannot be configured to use TLS and thus it would
cause such redirect backends to be HTTP/2 only, which might break old
clients.

With that, regular frontends that are not terminating TLS can be
configured to be HTTP/2 only, as well as TCP backends.

Change-Id: Ib14f031f3c61f31bf7aaf345a3ba635ca5fb9ff8
2023-08-23 13:24:43 +00:00
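An added example (not part of the commit) of the distinction the message draws: HTTP/2 negotiated over TLS on a regular frontend versus HTTP/2 forced on a listener or server. Addresses, paths and backend names are assumptions:

```haproxy
# Added example, not the role's output. Addresses and names are assumptions.
frontend fe_public
    # ALPN negotiation: h2 for clients that offer it, HTTP/1.1 for the rest.
    bind 203.0.113.10:443 ssl crt /etc/haproxy/ssl/public.pem alpn h2,http/1.1
    mode http
    default_backend be_api

frontend fe_redirect
    # Cleartext listener whose only job is to send clients to HTTPS.
    # Do not add "proto h2" here: without TLS there is no ALPN, so "proto h2"
    # would make this listener h2c-only and break every HTTP/1.1 client.
    bind 203.0.113.10:80
    mode http
    http-request redirect scheme https code 301

backend be_api
    mode http
    # Cleartext HTTP/2 (h2c) towards a server that speaks it. "proto h2" is
    # unconditional, so servers that only speak HTTP/1.1 belong in another backend.
    server api1 10.0.1.11:8080 proto h2 check
```

`alpn` keeps both protocols available because the client chooses; `proto` pins one protocol regardless of the peer, which is the behaviour the message warns about for redirect frontends. Check with `curl -sI --http2 https://203.0.113.10/ | head -1` (expect `HTTP/2 200`), `curl -sI --http1.1 https://203.0.113.10/` (must still succeed) and `curl -sI http://203.0.113.10/` (expect `301`).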
Dmitriy Rabotyagov c0da2e5095 Fix linters issue and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
2023-08-07 06:55:22 +00:00
Andrew Bonney 97390e88e0 Correct default Content-Type for security.txt
The security.txt RFC specifies a Content-Type of text/plain and
charset of utf-8 [1]. This adjusts the defaults so line breaks are
rendered correctly in a browser.

[1] https://datatracker.ietf.org/doc/html/rfc9116#section-3

Change-Id: I39c2dab5108a815ef966bab0d708d6300eb1a4d1
2023-07-28 14:09:02 +01:00
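An added example, not the role's template, of serving security.txt from HAProxy itself with the Content-Type the RFC requires. The bind address and file path are assumptions, and `http-request return` needs HAProxy 2.2 or newer:

```haproxy
# Added example (not the role's output). Address and file path are assumptions.
frontend fe_public
    bind 203.0.113.10:443 ssl crt /etc/haproxy/ssl/public.pem
    mode http
    # RFC 9116 section 3: canonical location is /.well-known/security.txt and
    # the media type is text/plain with charset=utf-8. The file is read once
    # at startup, so a reload is needed after editing it.
    http-request return status 200 content-type "text/plain; charset=utf-8" file /etc/haproxy/security.txt if { path /.well-known/security.txt }
    # The legacy top-level path should redirect to the canonical one rather
    # than serve a second copy that can drift out of sync.
    http-request redirect location /.well-known/security.txt code 301 if { path /security.txt }
    default_backend be_api
```

Verify the header with `curl -sI https://203.0.113.10/.well-known/security.txt | grep -i '^content-type'`; a browser renders the line breaks only when the charset is present, which is what the commit fixes.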
Damian Dabrowski 8168af6635 Deprecate certbot-auto
Certbot-auto has been deprecated since 2020[1] and it is no longer available
under https://dl.eff.org/certbot-auto.
This change removes certbot-auto from the haproxy_server role, leaving
the distro method as the only available option.

[1] https://community.letsencrypt.org/t/certbot-auto-deprecated-explanation-and-solutions/139821

Change-Id: Ibe0f13fc7308359d337fb382cb72998befb90d84
2023-04-26 16:47:58 +02:00
Damian Dabrowski 0f7b091244 Allow haproxy role to create security.txt file
This patch allows haproxy role to create security.txt file.

Change-Id: Ided790a5a89a2298b3b758d4484b25091b92945b
2023-04-12 20:38:15 +02:00
Damian Dabrowski a5f285c51e Simplify haproxy_service_configs structure
For historical reasons the ``haproxy_service_configs`` variable was
a list of nested mappings with only single valid key for the top
level mapping.

There have been no use-cases for extra keys, so this patch simplifies
the code by removing one level of nesting.

Change-Id: I50c17b7020a459ab8a88b004cc8828cac857f1c9
2023-03-16 14:19:22 +01:00
Jonathan Rosser d548b7e5ff Add support for haproxy map files
HAProxy supports the use of map files for selecting backends, or
a number of other functions. See [1] and [2].

This patch adds the key `maps` for each service definition allowing
fragments of a complete map to be defined across all the services,
with each service contributing some elements to the overall map file.

The service enabled/disabled and state flags are observed to add and
remove entries from the map file, and individual map entries can also
be marked as present/absent to make inclusion conditional.

[1] https://www.haproxy.com/blog/introduction-to-haproxy-maps/
[2] https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/

Change-Id: I755c18a4d33ee69c42d68a50daa63614a2b2feb7
2023-03-16 13:17:39 +01:00
Jonathan Rosser 42d80464af Allow default_backend to be specified
Currently default_backend for a service is always set to the
haproxy_service_name for a service, but this might not be what is
required for some configurations.

This patch allows haproxy_default_backend to be configured for
a service to customise the default_backend setting.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/876436
Change-Id: I9e2be37cb27a33350577a93f23b69e560493b320
2023-03-06 11:56:51 +00:00
Zuul 8514c0d775 Merge "Add a variable to allow extra raw config to be applied to all frontends" 2023-02-21 20:18:48 +00:00
Jonathan Rosser 0d56cfe64b Update hatop to latest release, 0.8.2
Change-Id: I300206a79fcb9e809c1ae714f492583fb9d4e363
2023-02-17 17:22:08 +01:00
Jonathan Rosser f7c87fd118 Add a variable to allow extra raw config to be applied to all frontends
Currently this must be configured on a per-frontend basis through
service.haproxy_frontend_raw. This patch adds a new role default
variable haproxy_frontend_extra_raw which will be combined with all
per service raw config lines.

Change-Id: I506d46d64df93bbb9e6d1ebfa3d3caa44c80fdd5
2023-02-14 18:55:00 +00:00
Damian Dabrowski 34ac0710c5 Fix warnings in haproxy config
Haproxy config check (/usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg)
returns 3 warnings:

1. keyword 'forceclose' is deprecated in favor of 'httpclose', and will
not be supported by future versions.
2. backend 'galera-back' : 'option tcplog' directive is ignored in
backends.
3. 'http-request' rules ignored for backend 'galera-back' as they
require HTTP mode.

This change fixes 1. and 2.
Fixing 3. will be a bit more tricky as it's a part of
`openstack_haproxy_stick_table` defined in
/opt/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml

Change-Id: Idaa4b5580039857435f90416924dee26a702deba
2022-12-01 16:41:04 +00:00
Dmitriy Rabotyagov 6025eaac36 Allow to disable SSL only for stats frontend
Currently there is no way of disabling SSL connections for the stats frontend,
as it is implied by a more global variable. However, for some systems consuming
a self-signed root certificate might not be an option and disabling
SSL verification tricky. Thus, we introduce a new variable that allows
nicely controlling whether SSL should be served for the stats frontend or not.

Change-Id: Ic4bc4393ec89469876e9e95b12bb9c4069972713
2022-10-05 11:29:50 +00:00
Zuul a502817a89 Merge "Allow haproxy to bind on the interface" 2022-09-27 21:11:49 +00:00
Zuul c1df0a5b56 Merge "Add variable for setting certbot `domains` option" 2022-09-20 16:03:26 +00:00
Danila Balagansky 1664c993b6 Add variable for setting certbot `domains` option
Add `haproxy_ssl_letsencrypt_domains` variable, which
contains a list (defaults to `external_lb_vip_address`)
for `--domains` certbot option.

Change-Id: I2ebfff9eeb5279a3964b8578a6e66aa132d763f5
2022-09-15 08:03:07 +00:00
Dmitriy Rabotyagov 901523ddbb Allow haproxy to bind on the interface
In some user scenarios (like implementing DNS RR) it might be useful to
bind on 0.0.0.0 but at the same time not conflict with other services
that are bound to the same ports. For that, we can specify a specific
interface on which haproxy will be bound to 0.0.0.0.

In netstat it would be represented like `0.0.0.0%br-mgmt:5000`.

With that we also allow fully overriding `vip_binds` if the assumptions
that the role makes are not valid for some reason.

Change-Id: Ic4c58ef53abc5f454b6fbebbd87292a932d173ae
2022-08-09 18:47:29 +00:00
Andrew Bonney 8dc0ff4e1f tls1.2: update ciphers to latest recommendations
Based upon usual recommendations from:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Change-Id: I6e549ab3ffcacebe04e188cbf34d8707fb0fe05d
2022-08-05 10:44:07 +01:00
Jonathan Rosser 06e76706c7 Allow customisation of stick-tables for each service.
A new variable "haproxy_stick_table" is added which allows a custom
stick-table to be supplied that is used as the default stick-table
for all haproxy back-ends.

In addition, the variable service.haproxy_stick_table can be defined
for each service to allow a unique stick-table to be supplied for
a particular service.

The old default stick-table definition is removed as there was no
use case defined for it in this role before. An example is added
to defaults/main.yml to show how the custom stick-table can be used
to rate-limit requests that generate 4xx responses which commonly
occur during vulnerability scanning or credential stuffing attacks.
There are many other uses for stick-tables, consult the HAProxy
documentation for details.

Change-Id: I50daba08c10f071157d6450ea2fa97df448f99ec
2022-07-11 14:54:01 +00:00
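An added example, distinct from the one in the role's defaults/main.yml: a stick-table that records the per-source rate of 4xx responses and rejects sources above a threshold, which is the scanner and credential-stuffing case the message describes. The table name, threshold, window, addresses and the allowlist file are assumptions:

```haproxy
# Added example (not the role's default). Names, addresses and the threshold
# are assumptions for illustration.

# A dedicated dummy backend just to hold the table: key is the client IP,
# value is the rate of 4xx responses seen over a sliding one-minute window.
backend st_4xx_per_src
    stick-table type ip size 100k expire 10m store http_err_rate(1m)

frontend fe_public
    bind 203.0.113.10:443 ssl crt /etc/haproxy/ssl/public.pem
    mode http
    # Start tracking the source address in sticky counter 0 on every request.
    http-request track-sc0 src table st_4xx_per_src
    # More than 20 4xx responses in the last minute from one source is the
    # signature of path enumeration or password guessing. Sources listed in
    # the allowlist file (one IP/CIDR per line) are never throttled.
    http-request deny deny_status 429 if { sc_http_err_rate(0,st_4xx_per_src) gt 20 } !{ src -f /etc/haproxy/allowlist.lst }
    default_backend be_api

backend be_api
    mode http
    server api1 10.0.1.11:8080 check
```

`http_err_rate` counts every 4xx, so a legitimate but noisy client (a poller hitting a 404 endpoint, an API user whose token has expired and keeps getting 401) can trip it as well; derive the threshold from real logs and exempt known sources through the allowlist rather than lowering the bar. Inspect the table at runtime with `echo "show table st_4xx_per_src" | socat stdio /run/haproxy/admin.sock` (the socket path is an assumption).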
Dmitriy Rabotyagov be9a66c280 Don't restrict haproxy tunable options
Instead of hardcoding specific supported tunable options, we
just pass the key as an option to the haproxy config.

This change might break deployments during upgrades, since the format of
values in the variable has changed, but an appropriate release note was written.

We also increase maxrewrite by default, as otherwise usage of CSP leads
to a 500 error.

Change-Id: I949960420ed5dbd6d58f0de7dae0ac629a85b7fc
Related-Bug: https://github.com/haproxy/haproxy/issues/1597
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/844815
2022-06-20 08:27:40 +02:00
Andrew Bonney 0aeaeb590a Adjust default configuration to support TLS v1.3
This adds TLS v1.3 support to the HAProxy role by default, along
with a new variable to manage cipher suites.

The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Iaf9709ac5f5ac8db281a9ec7278cef274186ba15
2022-01-10 08:57:40 +00:00
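An added configuration example, written for this page rather than taken from the role, of the shape this TLS 1.3 change and the August 2022 cipher update above produce: a minimum version instead of the single-version `force-tlsv12` pin introduced by the 2018 commit at the bottom of this log, a TLS 1.2 cipher list and a separate TLS 1.3 suite list. The cipher selection follows the Hynek article cited above but is my own, and the addresses and paths are assumptions; `ssl-default-bind-ciphersuites` requires a HAProxy build against OpenSSL 1.1.1 or newer:

```haproxy
# Added example (not the role's output). Addresses, paths and the exact cipher
# selection are assumptions for illustration.
global
    # Weak form (pre-2022): per-bind "force-tlsv12" pins exactly TLS 1.2 and
    # silently blocks TLS 1.3 once the OpenSSL build supports it.
    #   bind 203.0.113.10:443 ssl crt /etc/haproxy/ssl/public.pem force-tlsv12
    #
    # Hardened form: a floor rather than a pin. Disabling session tickets keeps
    # forward secrecy intact across a multi-process/multi-node setup that
    # would otherwise need a shared, long-lived ticket key.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 and below: AEAD + ECDHE only, OpenSSL cipher-string syntax.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 has its own keyword and suite names; the 1.2 list does not apply.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Same floor for HAProxy-to-backend TLS (internal endpoints with SSL enabled).
    ssl-default-server-options ssl-min-ver TLSv1.2

frontend fe_public
    # Inherits the global defaults; nothing version-specific on the bind line.
    bind 203.0.113.10:443 ssl crt /etc/haproxy/ssl/public.pem
    mode http
    default_backend be_api
```

Confirm the floor from a client: `openssl s_client -connect 203.0.113.10:443 -tls1_1 </dev/null` must fail with a protocol version alert, `-tls1_2` and `-tls1_3` must both complete, and the negotiated suite printed by `-tls1_3` must be one of the three listed.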
James Gibson 800254b354 Add option to use alternative CA server for certbot
This could be achieved using the
haproxy_ssl_letsencrypt_setup_extra_params variable, but this
makes it a bit neater.

Change-Id: Iee2d5a10e1762b23fcb3f3140950c76a754743b7
2021-10-18 08:50:27 +01:00
Andrew Bonney 964a33558b Add configuration option for native prometheus exporter
HAProxy added native Prometheus support from v2.0. This can be
enabled using the existing stats endpoint via an additional
/metrics path.

Change-Id: If9528969c7915db06138c0746dc419d8302f0e7c
2021-07-30 09:07:50 +01:00
Dmitriy Rabotyagov f14ba91798 Generate self-signed SSL per listen IP
We're providing an option to have an IP address per VIP
address. Currently it's used only for creating self-signed
SSLs signed with an internal CA per each VIP. With follow-up
patches this will also allow providing user certificates
per VIP, making it possible to cover internal and external
endpoints with different non-wildcard certs.

Change-Id: I0a9eb7689eb42b50daf5c94c874bb7429b271efe
2021-06-25 13:30:25 +00:00
Dmitriy Rabotyagov f058cf8d61 Replace whitelist with allowlist naming
Change-Id: I568273d0ef1d5ee391a42981e66cc9895b9d71b6
2021-06-16 14:40:19 +03:00
Jonathan Rosser fd7509cd43 Use external PKI role to manage haproxy self-signed certificates
The external PKI role can generate a self signed CA and Intermediate
certificate, and then create a server certificate for haproxy if
no defaults are overridden.

The new openstack_pki_* settings allow an external self signed CA
to be used, but still create valid haproxy server certificates from
that external CA in an openstack-ansible deployment.

The original behaviour providing user supplied certificates in the
haproxy_user_ssl_* variables will still work, disabling the generation
of certificates but using the external PKI role to just install the
supplied certs and keys.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/788031
Change-Id: I7482f55e991bacd9dccd2748c236dcd9d01124f3
2021-06-01 15:37:29 +00:00
Andrew Bonney 357daad5c8 Allow HAProxy stats to be pinned to one or more processes
When HAProxy is run in multi-process mode, the single stats page
shows metrics for one of the processes at a time, with a random
selection made on page reload.

Whilst a more complete solution may be to enable a stats page for
each process, this is a little cumbersome. This addition allows
the stats page to be pinned to one process, providing a partial
snapshot of the state of the instance.

Change-Id: Id9314e5b267aafeaf34c82874eb8bfe0713dfac3
2021-03-25 14:08:15 +00:00
Satish Patel 0ef22fa4df Fix HATop for haproxy
Readjust the hatop installation method, removed haproxy_hatop_downloader and
deployment-host variables. Added "haproxy_hatop_install | bool" condition.

Change-Id: I51423fff67e6e427f6c7d163d8d1aac6bcd82ca9
2020-12-30 17:20:42 +00:00
Marc Gariepy ca2c011cf2 Add haproxy_frontend_only and haproxy_raw feature.
You can add Prometheus metrics exposed directly via haproxy if your
version is recent enough.
https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/

Change-Id: I10e7220071290301a85409a1f74fcbad2743d19d
2020-12-14 19:10:29 +00:00
Satish Patel a46106d4e7 Python3 supported version of hatop
New hatop package has python3 support.

Change-Id: I69c01f330feb67d92b6b01fea589a35969879da2
2020-12-04 14:27:42 +00:00
Dmitriy Rabotyagov 0343893881 Define http-01 params with already provided variables
There's no real need to ask the user to manually provide the http-01 port and
address when we already have corresponding variables we rely on.

Change-Id: Id0d2a73c863d9bbb8b6280ce42f918127baea354
2020-09-24 09:55:09 +00:00
Dmitriy Rabotyagov 6bd42911f7 Add haproxy_ssl_all_vips variable
This variable will allow globally controlling whether SSL should also be used
for internal/admin endpoints, or for public only.

Change-Id: I1fa990bab5801a6e6fde7176b2011ab1977b30ae
2020-08-20 13:27:44 +03:00
Jonathan Rosser aa737c5c42 Allow ansible group for self signed certificate distribution to be overridden
If this role is used outside the context of openstack-ansible then the
self signed certificate distribution tasks will fail if the haproxy_all
group is not defined, even if self signed certificates are not being used.

Change-Id: Iebc4a293fa8e3566bc910de305e6519a25f2884f
2020-05-07 13:16:18 +00:00
Jonathan Rosser dbc8fe1fe2 Use a certbot pre-hook to ensure haproxy backend is up before renewal
We use the built-in python3 http server to bring up a temporary backend
on the node which wants to renew a certificate. The timeout is set so that
the haproxy health check has noticed the backend come up before certbot
runs.

There is otherwise a race condition between the haproxy healthcheck and
the certbot challenge request arriving at the acme-challenge endpoint.

Change-Id: I2f5f9457c43c68f2881bf9d44f43434ca7b43859
2020-05-07 13:15:54 +00:00
Jonathan Rosser ba3a89944b Allow multiple methods of installing certbot
Currently the only method is by downloading the certbot-auto script
and executing that. Some distros supply a package, so this patch sets up
an option for a future patch to add distro package support.

Change-Id: Ie32e6f577c9aa898906ee76199fd0ebe75d5ae95
2020-05-05 14:01:23 +00:00
Jonathan Rosser 04932a7c74 Allow extra parameters to be passed to certbot
When setting up certbot for the first time, many extra parameters
are available. This new variable allows these to be passed. A typical
example is passing --staging in order to use the letsencrypt staging
endpoint rather than the production one.

Change-Id: I42f9e1f68c3a3533a3377f37063f4924cdf77bd6
2020-04-23 19:32:08 +01:00
Jonathan Rosser f35867466c Add extra controls for frontend redirects
This patch adds two new variables for a service:

* haproxy_redirect_scheme

This variable allows a custom string to be specified to override
the default condition used to redirect http to https.

* haproxy_frontend_acls

This variable works in the same way as haproxy_acls except it applies
the acl to the frontend rather than the backend configuration. This
can be required when some paths are not redirected to https but must
instead be handled by a specific backend.

Change-Id: I6b13375ba738d7659681ca773297d0b6b0fd7efb
2020-04-23 19:32:06 +01:00
Magnus Bergman 049b479b65 Add options to override which addresses haproxy binds to
Adding options to be able to override the default behaviour of
haproxy binding to external_lb_vip_address and internal_lb_vip_address.

The default behaviour stays the same after this change.

Change-Id: I76044aea498d73e97087719279ba0a37a9eb28e9
2020-03-02 14:29:12 +01:00
Magnus Bergman 693cdb1afc Align the usage of the two extra lb vip parameters
As extra_lb_tls_vip_addresses required a default due to how it's used,
I'm also adding a default for extra_lb_vip_addresses and removing the "if
defined" for it for clarity.

Change-Id: If217f811dab9cfa2f459f5f50bc67bcf31ddbaaa
2020-02-04 11:57:05 +01:00
Magnus Bergman b7834dd051 Add support for extra VIPs with TLS enabled
The existing extra_lb_vip_addresses parameter will add extra haproxy
VIPs without TLS. This patch adds a new extra_lb_tls_vip_addresses
parameter for adding VIPs with TLS enabled.

Change-Id: Ib6f38200775d31633d57a680fae475dbf7abc6c9
2020-01-31 15:38:22 +01:00
Georgina Shippey 38f7ec04bc Make log socket available to chrooted filesystem
Had an issue where HAProxy logs could not be found.

The /dev/log socket was not available to the chrooted filesystem.
We need to mount the socket and persist it.

Change-Id: I2a1ce48f90c5f85b1238842f17ad2c9708333629
2019-12-02 14:03:33 +00:00
Zuul ca51879876 Merge "Variable to set HTTP keepalive mode" 2019-03-19 03:03:52 +00:00
Gaudenz Steinlin e911f3f2d2 Variable to set HTTP keepalive mode
The HTTP keepalive mode is currently hardcoded to "http-server-close"
for all HTTP services. This disables keepalive for HAProxy to backend
connections, but leaves it enabled for client connections to HAProxy.
This is problematic especially for service to service calls (e.g.
nova-api to neutron). If a request is made at the same time the HAProxy
keepalive timeout expires, the result of the request is undefined. This
leads to code 500 error responses from the nova-api because the request
from nova-api to neutron failed. "Connection aborted" error messages in
the logs are an indication of this issue.

There is also a bug report[1] about the same issue in devstack which was
solved by disabling keepalive and a script[2] to reproduce the issue in
devstack.

This adds a default and per service variables to set the HTTP keepalive
mode used by HAProxy. The default value is changed to "forceclose" to
disable HTTP keepalive on the server and client side. With HTTP
keepalive disabled the issue can no longer be reproduced.

[1] https://bugs.launchpad.net/devstack/+bug/1630664
[2] https://github.com/JordanP/openstack-snippets/blob/master/keepalive-race/keep-alive-race.py

Change-Id: If819912873270f0568974925490023310f9cbd66
2019-03-04 18:29:25 +01:00
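An added example, not the role's template, showing the two keepalive modes the message contrasts and the timeout the race hinges on. `forceclose`, the default this commit chose, is the deprecated spelling that the December 2022 linter-warning fix above replaces with `httpclose`; backend names, addresses and timeouts are assumptions:

```haproxy
# Added example (not the role's output). Names, addresses and timeout values
# are assumptions for illustration.
defaults
    mode http
    # Previous default: server side closed after each response, client side
    # kept open. A client such as nova-api could reuse its idle connection at
    # the very moment HAProxy's keep-alive timer expired it, giving the
    # "Connection aborted" failures the message describes.
    #   option http-server-close
    #   timeout http-keep-alive 10s
    #
    # New default: close both sides after every request. With no idle client
    # connection there is nothing for the timer to race against. (Written as
    # "forceclose" in 2019; "httpclose" is the current keyword.)
    option httpclose
    timeout http-request 10s
    timeout client 50s
    timeout server 50s

backend be_neutron_api
    # Per-service override for a backend where keepalive towards the server
    # is wanted. HAProxy is now the side that reuses idle connections, so its
    # idle timeout must be shorter than the server's (assumed 60s here) so that
    # HAProxy, not the server, closes them and the same race does not reappear.
    option http-keep-alive
    timeout http-keep-alive 10s
    server neutron1 10.0.1.21:9696 check
```

The general rule behind both halves: whichever side may reuse an idle connection must give up on it before the other side closes it. Disabling keepalive removes the question entirely at the cost of a new TCP (and, for TLS frontends, a new handshake) per request, which is the trade the commit accepts.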
Frank Kloeker b9cb133bb0 Fix venv installation of Letsencrypt certbot
certbot-auto wants to install dependencies which are possibly
not fulfilled by the repo-server, so bypass the installation here.
Use the venv bin later for the renew script.
Minor errors are also fixed.

Change-Id: I4087bbcb4fe6182cb090a5b6b85bea36768b4f4f
2019-02-02 01:14:18 +01:00
Frank Kloeker 4fb2059a3b Add feature Letsencrypt SSL certification
- installs certbot-auto
- generates and validates ssl cert
- installs cert in haproxy settings
- renew cert with cron

Change-Id: Iea59ec2893a988b184ca8bc70e1d273ac071551e
2019-01-17 17:54:50 +01:00
Zuul 7d8b9f31ad Merge "Force force-tlsv12 only" 2018-12-17 17:16:45 +00:00
Matthew Thode 547d7f91be Force force-tlsv12 only
Secure by default

Change-Id: I70007af94bfd5e482662ab72d25bf090cf5d0834
2018-12-13 14:20:37 -06:00