openstack
/
openstack-ansible
Code Issues Proposed changes

Implement separated haproxy service config 

All services placed behind haproxy include an additional playbook
responsible for creating their haproxy services.

Scope for some variables was changed to be more optimal.

Change-Id: I0eec358d982cc09dcb7e2c0045b9684c65876faf
This commit is contained in:
Damian Dabrowski 2023-03-29 21:44:20 +02:00
parent d2b3deca77
commit 930236d7d2
68 changed files with 1301 additions and 608 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
inventory/group_vars/adjutant_all.yml Normal file
View File

@ -0,0 +1,29 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_adjutant_api_service:
haproxy_service_name: adjutant_api
haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
adjutant_haproxy_services:
- "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}"

35
inventory/group_vars/all/haproxy.yml Normal file
View File

@ -0,0 +1,35 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_ssl: true
haproxy_ssl_all_vips: false
haproxy_allowlist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}"
# haproxy default stick table
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
# apply the stick table as default for all backends
haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"

28
inventory/group_vars/aodh_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_aodh_api_service:
haproxy_service_name: aodh_api
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8042
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
aodh_haproxy_services:
- "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}"

28
inventory/group_vars/barbican_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_barbican_service:
haproxy_service_name: barbican
haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9311
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
barbican_haproxy_services:
- "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}"

30
inventory/group_vars/blazar_all.yml Normal file
View File

@ -0,0 +1,30 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_blazar_api_service:
haproxy_service_name: blazar_api
haproxy_backend_nodes: "{{ groups['blazar_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 1234
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- 'expect rstatus (200|401)'
haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}"
blazar_haproxy_services:
- "{{ haproxy_blazar_api_service | combine(haproxy_blazar_api_service_overrides | default({})) }}"

14
inventory/group_vars/cinder_all.yml
View File

@ -26,3 +26,17 @@ glance_default_store: "{{ ((groups['swift_all'] is defined) and (groups['swift_a
# cinder_backend_lvm_inuse: True if current host has an lvm backend
cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
haproxy_cinder_api_service:
haproxy_service_name: cinder_api
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8776
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
cinder_haproxy_services:
- "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}"

29
inventory/group_vars/cloudkitty_all.yml Normal file
View File

@ -0,0 +1,29 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_cloudkitty_api_service:
haproxy_service_name: cloudkitty_api
haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8089
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
cloudkitty_haproxy_services:
- "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}"

30
inventory/group_vars/designate_all.yml Normal file
View File

@ -0,0 +1,30 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_designate_api_service:
haproxy_service_name: designate_api
haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9001
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
designate_haproxy_services:
- "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}"

23
inventory/group_vars/galera_all.yml
View File

@ -51,3 +51,26 @@ galera_server_proxy_protocol_networks: >-
# Galera sessions are long lived, so if we do endpoint maintenance we will
# force kill the sessions to force a failover to the active endpoint.
haproxy_shutdown_sessions: yes
haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_galera_service:
haproxy_service_name: galera
haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 3306
haproxy_check_port: 9200
haproxy_balance_type: tcp
haproxy_stick_table_enabled: False
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_server_options:
- "send-proxy-v2"
haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}"
galera_haproxy_services:
- "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}"

15
inventory/group_vars/glance_all.yml
View File

@ -22,3 +22,18 @@ glance_container_bind_mounts:
mount_path: "/openstack/{{ inventory_hostname }}"
- bind_dir_path: "/var/lib/glance/cache"
mount_path: "/openstack/{{ inventory_hostname }}"
haproxy_glance_api_service:
haproxy_service_name: glance_api
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9292
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
glance_haproxy_services:
- "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}"

14
inventory/group_vars/gnocchi_all.yml
View File

@ -17,3 +17,17 @@
gnocchi_container_bind_mounts:
- bind_dir_path: "/var/lib/gnocchi"
mount_path: "/openstack/{{ inventory_hostname }}"
haproxy_gnocchi_service:
haproxy_service_name: gnocchi
haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
haproxy_port: 8041
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
gnocchi_haproxy_services:
- "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}"

622
inventory/group_vars/haproxy/haproxy.yml
View File

@ -19,27 +19,19 @@ keepalived_selinux_compile_rules:
- keepalived_ping
- keepalived_haproxy_pid_file
haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_acl:
letsencrypt-acl:
rule: "path_beg /.well-known/acme-challenge/"
backend_name: letsencrypt
# Ensure that the package state matches the global setting
haproxy_package_state: "{{ package_state }}"
haproxy_allowlist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_inspector_allowlist_networks: "{{ haproxy_allowlist_networks }}"
# Variables to set security headers used by browsers
haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
# To override the CSP used by a specific service define a variable haproxy_<service name>_csp
haproxy_security_headers_csp: >
http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
default-src 'self';
@ -62,28 +54,6 @@ haproxy_security_headers:
- 'http-response set-header Referrer-Policy "same-origin"'
- 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
# haproxy default stick table
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
# apply the stick table as default for all backends
haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"
# special haproxy stick table for horizon
# returns 429 when more than 20 calls to /auth per 10 second window
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_horizon_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
haproxy_security_txt_service:
haproxy_backend_only: true
haproxy_service_name: security_txt
@ -120,53 +90,20 @@ haproxy_base_service:
entries:
- "#Regular expression map file - this comment is defined in the base frontend config"
haproxy_adjutant_api_service:
haproxy_service_name: adjutant_api
haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
# Handles LetsEncrypt HTTP-01 challenge
haproxy_letsencrypt_service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 5
interval: 4000
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
haproxy_aodh_api_service:
haproxy_service_name: aodh_api
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8042
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
haproxy_barbican_service:
haproxy_service_name: barbican
haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9311
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
haproxy_blazar_api_service:
haproxy_service_name: blazar_api
haproxy_backend_nodes: "{{ groups['blazar_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 1234
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- 'expect rstatus (200|401)'
haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}"
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'
haproxy_ceph_rgw_service:
haproxy_service_name: ceph-rgw
haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
@ -181,523 +118,8 @@ haproxy_ceph_rgw_service:
- expect rstatus 200|405
haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
haproxy_cinder_api_service:
haproxy_service_name: cinder_api
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8776
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
haproxy_cloudkitty_api_service:
haproxy_service_name: cloudkitty_api
haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8089
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
haproxy_designate_api_service:
haproxy_service_name: designate_api
haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9001
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
haproxy_galera_service:
haproxy_service_name: galera
haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 3306
haproxy_check_port: 9200
haproxy_balance_type: tcp
haproxy_stick_table_enabled: False
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_server_options:
- "send-proxy-v2"
haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}"
haproxy_glance_api_service:
haproxy_service_name: glance_api
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9292
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
haproxy_gnocchi_service:
haproxy_service_name: gnocchi
haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
haproxy_port: 8041
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
haproxy_heat_api_cfn_service:
haproxy_service_name: heat_api_cfn
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
haproxy_port: 8000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
haproxy_heat_api_service:
haproxy_service_name: heat_api
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
haproxy_port: 8004
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base`
haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_backend_port: 80
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries:
- name: base_regex
order: 99
#match any requests to the horizon backend
entries:
- '.* horizon-back'
haproxy_ironic_api_service:
haproxy_service_name: ironic_api
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6385
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/lookup } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny if { path_beg /v1/heartbeat } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
haproxy_ironic_inspector_service:
haproxy_service_name: ironic_inspector
haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/continue } !{ src {{haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
haproxy_keystone_service:
haproxy_service_name: keystone_service
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
haproxy_port: 5000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: "http"
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
haproxy_letsencrypt_service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 5
interval: 4000
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
haproxy_magnum_service:
haproxy_service_name: magnum
haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9511
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
haproxy_manila_service:
haproxy_service_name: manila
haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8786
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
haproxy_masakari_api_service:
haproxy_service_name: masakari_api
haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 15868
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
haproxy_mistral_service:
haproxy_service_name: mistral
haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8989
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
haproxy_murano_service:
haproxy_service_name: murano
haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8082
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 401"
haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
haproxy_neutron_server_service:
haproxy_service_name: neutron_server
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_port: 9696
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
haproxy_nova_api_metadata_service:
haproxy_service_name: nova_api_metadata
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8775
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
haproxy_nova_api_compute_service:
haproxy_service_name: nova_api_os_compute
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8774
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
# By default the nova console service on HAProxy is configured in HTTP mode to
# allow for more fine grained control. But if the SSL connection is terminated
# on the nova console container it has to be run in TCP mode.
haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
and nova_console_user_ssl_key is defined) }}"
haproxy_nova_spice_console_service:
haproxy_service_name: nova_spice_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
haproxy_nova_serial_console_service:
haproxy_service_name: nova_serial_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
(groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
haproxy_nova_novnc_console_service:
haproxy_service_name: nova_novnc_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
haproxy_nova_console_service:
haproxy_service_name: nova_console
haproxy_service_enabled: False
haproxy_nova_ironic_console_service:
haproxy_service_name: nova_ironic_console
haproxy_service_enabled: False
haproxy_octavia_service:
haproxy_service_name: octavia
haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9876
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
haproxy_opendaylight_neutron_service:
haproxy_service_name: opendaylight-neutron
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8180
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
haproxy_opendaylight_websocket_service:
haproxy_service_name: opendaylight-websocket
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8185
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
haproxy_placement_service:
haproxy_service_name: placement
haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8780
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
haproxy_rabbitmq_service:
haproxy_service_name: rabbitmq_mgmt
haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ca: False
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}"
haproxy_repo_service:
haproxy_service_name: repo_all
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8181
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 200"
haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
haproxy_sahara_api_service:
haproxy_service_name: sahara_api
haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8386
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
haproxy_senlin_api_service:
haproxy_service_name: senlin_api
haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8778
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
haproxy_swift_proxy_service:
haproxy_service_name: swift_proxy
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8080
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
haproxy_tacker_service:
haproxy_service_name: tacker
haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9890
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
haproxy_trove_service:
haproxy_service_name: trove
haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8779
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
haproxy_zun_api_service:
haproxy_service_name: zun_api
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9517
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_zun_console_service:
haproxy_service_name: zun_console
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6784
haproxy_balance_type: http
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 405"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_default_services:
- service: "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
- service: "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
- service: "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}"
- service: "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}"
- service: "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}"
- service: "{{ haproxy_blazar_api_service | combine(haproxy_blazar_api_service_overrides | default({})) }}"
- service: "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
- service: "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}"
- service: "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}"
- service: "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}"
- service: "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}"
- service: "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}"
- service: "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}"
- service: "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}"
- service: "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}"
- service: "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
- service: "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}"
- service: "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}"
- service: "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}"
- service: "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
- service: "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}"
- service: "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}"
- service: "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}"
- service: "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}"
- service: "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}"
- service: "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"
- service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"
- service: "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}"
- service: "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}"
- service: "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}"
- service: "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}"
- service: "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}"
- service: "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}"
- service: "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}"
- service: "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}"
- service: "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}"
- service: "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"
- "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
- "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
- "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
- "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"

26
inventory/group_vars/heat_all.yml
View File

@ -16,3 +16,29 @@
# Only enable the heat cinder backups functionality if the cinder backup
# service is enabled.
heat_cinder_backups_enabled: "{{ hostvars['localhost']['cinder_service_backup_program_enabled'] }}"
haproxy_heat_api_service:
haproxy_service_name: heat_api
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
haproxy_port: 8004
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
haproxy_heat_api_cfn_service:
haproxy_service_name: heat_api_cfn
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
haproxy_port: 8000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
heat_haproxy_services:
- "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}"
- "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}"

31
inventory/group_vars/horizon_all.yml
View File

@ -15,3 +15,34 @@
horizon_enable_cinder_backup: "{{ hostvars['localhost']['cinder_service_backup_program_enabled'] }}"
horizon_enable_ha_router: "{{ groups['neutron_l3_agent'] | length >= 2 }}"
# special haproxy stick table for horizon
# returns 429 when more than 20 calls to /auth per 10 second window
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_horizon_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_backend_port: 80
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries:
- name: base_regex
order: 99
#match any requests to the horizon backend
entries:
- '.* horizon-back'
horizon_haproxy_services:
- "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"

48
inventory/group_vars/ironic_all.yml Normal file
View File

@ -0,0 +1,48 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_ironic_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_inspector_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_api_service:
haproxy_service_name: ironic_api
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6385
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/lookup } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny if { path_beg /v1/heartbeat } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
haproxy_ironic_inspector_service:
haproxy_service_name: ironic_inspector
haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/continue } !{ src {{ haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
ironic_haproxy_services:
- "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}"
- "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}"

14
inventory/group_vars/keystone_all.yml
View File

@ -18,3 +18,17 @@
# Hosts allowed to override remote IP with X-Forwarded-For
keystone_set_real_ip_from: "{{ groups['haproxy'] | map('extract', hostvars, 'container_address') | list }}"
haproxy_keystone_service:
haproxy_service_name: keystone_service
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
haproxy_port: 5000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: "http"
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
keystone_haproxy_services:
- "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}"

28
inventory/group_vars/magnum_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_magnum_service:
haproxy_service_name: magnum
haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9511
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
magnum_haproxy_services:
- "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}"

28
inventory/group_vars/manila_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_manila_service:
haproxy_service_name: manila
haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8786
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
manila_haproxy_services:
- "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}"

28
inventory/group_vars/masakari_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_masakari_api_service:
haproxy_service_name: masakari_api
haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 15868
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
masakari_haproxy_services:
- "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}"

28
inventory/group_vars/mistral_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_mistral_service:
haproxy_service_name: mistral
haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8989
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
mistral_haproxy_services:
- "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}"

30
inventory/group_vars/murano_all.yml Normal file
View File

@ -0,0 +1,30 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_murano_service:
haproxy_service_name: murano
haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8082
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 401"
haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
murano_haproxy_services:
- "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}"

54
inventory/group_vars/neutron_all.yml Normal file
View File

@ -0,0 +1,54 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_neutron_server_service:
haproxy_service_name: neutron_server
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_port: 9696
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
haproxy_opendaylight_neutron_service:
haproxy_service_name: opendaylight-neutron
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8180
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
haproxy_opendaylight_websocket_service:
haproxy_service_name: opendaylight-websocket
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8185
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
neutron_haproxy_services:
- "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}"
- "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
- "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"

92
inventory/group_vars/nova_all.yml
View File

@ -14,3 +14,95 @@
# limitations under the License.
nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
# By default the nova console service on HAProxy is configured in HTTP mode to
# allow for more fine grained control. But if the SSL connection is terminated
# on the nova console container it has to be run in TCP mode.
haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
and nova_console_user_ssl_key is defined) }}"
haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_nova_api_metadata_service:
haproxy_service_name: nova_api_metadata
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8775
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
haproxy_nova_api_compute_service:
haproxy_service_name: nova_api_os_compute
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8774
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
haproxy_nova_spice_console_service:
haproxy_service_name: nova_spice_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
haproxy_nova_serial_console_service:
haproxy_service_name: nova_serial_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
(groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
haproxy_nova_novnc_console_service:
haproxy_service_name: nova_novnc_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
haproxy_nova_console_service:
haproxy_service_name: nova_console
haproxy_service_enabled: False
haproxy_nova_ironic_console_service:
haproxy_service_name: nova_ironic_console
haproxy_service_enabled: False
nova_haproxy_services:
- "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
- "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
- "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
- "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
- "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
- "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
- "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"

28
inventory/group_vars/octavia_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_octavia_service:
haproxy_service_name: octavia
haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9876
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
octavia_haproxy_services:
- "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"

28
inventory/group_vars/placement_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_placement_service:
haproxy_service_name: placement
haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8780
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
placement_haproxy_services:
- "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}"

19
inventory/group_vars/rabbitmq_all.yml
View File

@ -32,3 +32,22 @@ rabbitmq_package_state: "{{ rabbitmq_upgrade | default(False) | bool | ternary('
# Ensure that all rabbitmq containers get a fixed mac address
lxc_container_fixed_mac: true
haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_rabbitmq_service:
haproxy_service_name: rabbitmq_mgmt
haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ca: False
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}"
rabbitmq_haproxy_services:
- "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}"

20
inventory/group_vars/repo_all.yml
View File

@ -22,7 +22,7 @@ repo_server_enable_sync_manager: False
# Repo container default list of bind mounts
repo_container_bind_mounts:
- bind_dir_path: "/var/lib/glusterd"
mount_path: "/openstack/glusterd/{{inventory_hostname }}"
mount_path: "/openstack/glusterd/{{ inventory_hostname }}"
# Enable glusterfs mount
repo_server_systemd_mounts:
@ -31,5 +31,21 @@ repo_server_systemd_mounts:
type: glusterfs
state: 'started'
enabled: true
openstack_repo_server_enable_glusterfs: True
haproxy_repo_service:
haproxy_service_name: repo_all
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8181
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 200"
haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
repo_haproxy_services:
- "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}"

29
inventory/group_vars/sahara_all.yml Normal file
View File

@ -0,0 +1,29 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_sahara_api_service:
haproxy_service_name: sahara_api
haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8386
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
sahara_haproxy_services:
- "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}"

28
inventory/group_vars/senlin_all.yml Normal file
View File

@ -0,0 +1,28 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_senlin_api_service:
haproxy_service_name: senlin_api
haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8778
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
senlin_haproxy_services:
- "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}"

15
inventory/group_vars/swift_all.yml
View File

@ -18,3 +18,18 @@ swift_system_user_name: "{{ hostvars['localhost']['swift_system_user_name'] }}"
swift_system_shell: "{{ hostvars['localhost']['swift_system_shell'] }}"
swift_system_comment: "{{ hostvars['localhost']['swift_system_comment'] }}"
swift_system_home_folder: "{{ hostvars['localhost']['swift_system_home_folder'] }}"
haproxy_swift_proxy_service:
haproxy_service_name: swift_proxy
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8080
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
swift_haproxy_services:
- "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}"

30
inventory/group_vars/tacker_all.yml Normal file
View File

@ -0,0 +1,30 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_tacker_service:
haproxy_service_name: tacker
haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9890
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
tacker_haproxy_services:
- "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}"

14
inventory/group_vars/trove_all.yml
View File

@ -14,3 +14,17 @@
# limitations under the License.
swift_proxy_port: "{{ hostvars['localhost']['swift_proxy_port'] }}"
haproxy_trove_service:
haproxy_service_name: trove
haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8779
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
trove_haproxy_services:
- "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}"

45
inventory/group_vars/zun_all.yml Normal file
View File

@ -0,0 +1,45 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_zun_api_service:
haproxy_service_name: zun_api
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9517
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_zun_console_service:
haproxy_service_name: zun_console
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6784
haproxy_balance_type: http
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 405"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
zun_haproxy_services:
- "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}"
- "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"

41
playbooks/common-playbooks/haproxy-service-config.yml Normal file
View File

@ -0,0 +1,41 @@
---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Haproxy service configs are stored in service group vars
# (for ex. `glance_haproxy_services` are stored in glance group vars).
# This is because they may refer to other variables in this group that are not
# used only for haproxy(like `glance_backend_ssl`).
# Group haproxy_all does not have access to service group vars by default.
# To solve this, haproxy_all hosts are temporarily added to `service_group`.
# After haproxy is configured, refresh_inventory is triggered to restore the
# original inventory state.
- hosts: "{{ service_group }}"
gather_facts: false
run_once: true
tasks:
- name: "Temporarily copy haproxy_service_configs value from {{ service_group }} to haproxy_all"
add_host:
name: "{{ item }}"
haproxy_service_configs: "{{ hostvars[inventory_hostname][service_variable] }}"
with_items: "{{ groups['haproxy_all'] }}"
- hosts: haproxy_all
serial: "{{ haproxy_serial | default('50%') }}"
tasks:
- name: Configure haproxy for the service
import_role:
name: haproxy_server
tasks_from: haproxy_service_config_external.yml

9
playbooks/galera-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: galera_all
service_variable: "galera_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install galera server
hosts: galera_all
gather_facts: false

5
playbooks/haproxy-install.yml
View File

@ -47,13 +47,16 @@
- "item.when | bool"
tags:
- haproxy-config # this tag is present because the task is ONLY a config task
roles:
- role: "keepalived"
when: haproxy_use_keepalived | bool
tags:
- keepalived
- role: "haproxy_server"
haproxy_service_configs: "{{ haproxy_default_services + haproxy_extra_services|default([]) }}"
haproxy_service_configs: "{{ haproxy_default_services + haproxy_extra_services | default([]) }}"
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- haproxy-config

9
playbooks/os-adjutant-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: adjutant_api
service_variable: "adjutant_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install adjutant services
hosts: adjutant_all
gather_facts: false

9
playbooks/os-aodh-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: aodh_api
service_variable: "aodh_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install the aodh components
hosts: aodh_all
gather_facts: false

9
playbooks/os-barbican-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: barbican_api
service_variable: "barbican_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Installation and setup of barbican
hosts: barbican_all
gather_facts: false

9
playbooks/os-blazar-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: blazar_api
service_variable: "blazar_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install blazar components
hosts: blazar_all
gather_facts: false

9
playbooks/os-cinder-install.yml
View File

@ -35,7 +35,14 @@
cinder_hosts: "cinder_backup:!cinder_volume:!cinder_scheduler:!cinder_api"
cinder_serial: "{{ cinder_backend_serial | default(['1', '100%']) }}"
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: cinder_api
service_variable: "cinder_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install cinder API services
import_playbook: common-playbooks/cinder.yml

9
playbooks/os-cloudkitty-install.yml
View File

@ -24,6 +24,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: cloudkitty_api
service_variable: "cloudkitty_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install cloudkitty services
hosts: cloudkitty_all
serial: "{{ cloudkitty_api_serial | default(['1', '100%']) }}"

9
playbooks/os-designate-install.yml
View File

@ -26,6 +26,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: designate_api
service_variable: "designate_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install designate server
hosts: designate_all
gather_facts: false

9
playbooks/os-glance-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: glance_api
service_variable: "glance_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install glance services
hosts: "glance_all"
serial: "{{ glance_api_serial | default(['1', '100%']) }}"

9
playbooks/os-gnocchi-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: gnocchi_api
service_variable: "gnocchi_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install Gnocchi components
hosts: gnocchi_all
gather_facts: false

9
playbooks/os-heat-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: heat_api
service_variable: "heat_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install heat server
hosts: heat_all
gather_facts: false

9
playbooks/os-horizon-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: horizon_all
service_variable: "horizon_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install horizon server
hosts: horizon_all
gather_facts: false

9
playbooks/os-ironic-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: ironic_api
service_variable: "ironic_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Installation and setup of Ironic
hosts: ironic_all
gather_facts: false

9
playbooks/os-keystone-install.yml
View File

@ -51,6 +51,15 @@
tags:
- keystone
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: keystone_all
service_variable: "keystone_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Installation and setup of Keystone
hosts: keystone_all
serial: "{{ keystone_serial | default(['1', '100%']) }}"

9
playbooks/os-magnum-install.yml
View File

@ -26,6 +26,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: magnum_all
service_variable: "magnum_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install magnum server
hosts: magnum_all
user: root

9
playbooks/os-manila-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: manila_api
service_variable: "manila_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install manila API services
hosts: manila_api:manila_scheduler
gather_facts: false

9
playbooks/os-masakari-install.yml
View File

@ -38,6 +38,15 @@
- role: "pacemaker_corosync"
tags: pacemaker-corosync
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: masakari_api
service_variable: "masakari_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install the masakari components
hosts: masakari_all
gather_facts: false

9
playbooks/os-mistral-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: mistral_api
service_variable: "mistral_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install mistral components
hosts: mistral_all
gather_facts: false

9
playbooks/os-murano-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: murano_api
service_variable: "murano_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install murano components
hosts: murano_all
gather_facts: false

9
playbooks/os-neutron-install.yml
View File

@ -25,7 +25,14 @@
dest_group: "neutron_l3_agent, neutron_metadata_agent"
group_when: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.ovs.dvr') }}"
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: neutron_server
service_variable: "neutron_haproxy_services"
when: groups[service_group]
tags:
- haproxy-service-config
- name: Install neutron server
import_playbook: common-playbooks/neutron.yml

13
playbooks/os-nova-install.yml
View File

@ -13,6 +13,19 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: "Config haproxy service"
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group:
- nova_api_os_compute
- nova_api_metadata
- nova_console
- nova_ironic_console
service_variable: "nova_haproxy_services"
when: groups['nova_all'] | length > 0
tags:
- haproxy-service-config
- name: Install nova-conductor services
import_playbook: common-playbooks/nova.yml
vars:

9
playbooks/os-octavia-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: octavia-api
service_variable: "octavia_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install octavia server
hosts: octavia_all
gather_facts: false

10
playbooks/os-placement-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: placement_api
service_variable: "placement_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install placement components
hosts: placement_all
gather_facts: false
@ -41,7 +50,6 @@
- include_tasks: common-tasks/unbound-clients.yml
when:
- hostvars['localhost']['resolvconf_enabled'] | bool
roles:
- role: "os_placement"
- role: "openstack.osa.system_crontab_coordination"

9
playbooks/os-sahara-install.yml
View File

@ -21,6 +21,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: sahara_api
service_variable: "sahara_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install sahara server
hosts: sahara_all
gather_facts: "{{ osa_gather_facts | default(True) }}"

9
playbooks/os-senlin-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: senlin_api
service_variable: "senlin_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install senlin services
hosts: senlin_all
gather_facts: false

9
playbooks/os-swift-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: swift_all
service_variable: "swift_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Installation and setup of Swift
hosts: swift_all:swift_remote_all
gather_facts: false

9
playbooks/os-tacker-install.yml
View File

@ -23,6 +23,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: tacker_server
service_variable: "tacker_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install the tacker components
hosts: tacker_all
gather_facts: false

9
playbooks/os-trove-install.yml
View File

@ -26,6 +26,15 @@
tags:
- always
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: trove_api
service_variable: "trove_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install trove server
hosts: trove_all
gather_facts: false

9
playbooks/os-zun-install.yml
View File

@ -36,6 +36,15 @@
- zun-install
- etcd-server
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: zun_api
service_variable: "zun_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install the zun components
hosts: zun_all
gather_facts: false

9
playbooks/rabbitmq-install.yml
View File

@ -53,6 +53,15 @@
state: "stopped"
when: rabbitmq_upgrade | default(false) | bool
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: rabbitmq_all
service_variable: "rabbitmq_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Install rabbitmq server
hosts: "{{ rabbitmq_host_group | default('rabbitmq_all') }}"
gather_facts: false

10
playbooks/repo-install.yml
View File

@ -55,6 +55,15 @@
- openstack_repo_server_enable_glusterfs | default(False)
environment: "{{ deployment_environment_variables | default({}) }}"
- name: Configure haproxy services
import_playbook: common-playbooks/haproxy-service-config.yml
vars:
service_group: repo_all
service_variable: "repo_haproxy_services"
when: groups[service_group] | length > 0
tags:
- haproxy-service-config
- name: Setup repo servers
hosts: repo_all
gather_facts: false
@ -62,7 +71,6 @@
user: root
roles:
- role: "repo_server"
vars_files:
- defaults/repo_packages/openstack_services.yml
- "defaults/{{ install_method }}_install.yml"

2
playbooks/setup-infrastructure.yml
View File

@ -14,8 +14,8 @@
# limitations under the License.
- import_playbook: unbound-install.yml
- import_playbook: repo-install.yml
- import_playbook: haproxy-install.yml
- import_playbook: repo-install.yml
- import_playbook: memcached-install.yml
- import_playbook: galera-install.yml
- import_playbook: qdrouterd-install.yml

16
releasenotes/notes/separated-haproxy-service-config-9ccecbcb286355ef.yaml Normal file
View File

@ -0,0 +1,16 @@
---
features:
- |
Haproxy services are now configured separately at the beginning of each
service playbook.
other:
- |
Haproxy service definitions(along with their overrides) are no longer
stored in haproxy group vars. They were moved to service variables,
so for example ``glance_haproxy_services`` are stored in glance_all
group variables.
- |
The structure of ``haproxy_default_services`` and
``haproxy_extra_services`` was simplified.
Now it's just a list of dicts.
It has the same format as ``haproxy_service_configs``.