Run an haproxy load balancer for gitea

This runs an haproxy which is strikingly similar to the one we
currently run for git.openstack.org, but it is run in a docker
container.

Change-Id: I647ae8c02eb2cd4f3db2b203d61a181f7eb632d2

.zuul.yaml

@@ -509,6 +509,8 @@
       nodes:
         - name: bridge.openstack.org
           label: ubuntu-bionic
+        - name: gitea-lb01.opendev.org
+          label: ubuntu-bionic
         - name: gitea01.opendev.org
           label: ubuntu-bionic
     host-vars:
@@ -517,12 +519,19 @@
           '/var/gitea/conf': logs
           '/var/gitea/certs': logs
           '/var/gitea/logs': logs
+      gitea-lb01.opendev.org:
+        host_copy_output:
+          '/var/haproxy/etc': logs
     files:
       - .zuul.yaml
       - playbooks/group_vars/gitea.yaml
+      - playbooks/group_vars/gitea-lb.yaml
       - playbooks/zuul/templates/group_vars/gitea.yaml.j2
+      - playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
       - playbooks/roles/gitea/
+      - playbooks/roles/haproxy/
       - testinfra/test_gitea.py
+      - testinfra/test_gitea_lb.py
 
 - job:
     name: infra-prod-playbook

inventory/groups.yaml

@@ -88,6 +88,8 @@ groups:
     - git[0-9]*.openstack.org
   gitea:
     - gitea[0-9]*.opendev.org
+  gitea-lb:
+    - gitea-lb[0-9]*.opendev.org
   grafana:
     - grafana[0-9]*.open*.org
   graphite:

playbooks/base.yaml

@@ -79,3 +79,9 @@
   roles:
     - install-docker
     - gitea
+
+- hosts: "gitea-lb:!disabled"
+  name: "Base: configure gitea load balancer"
+  roles:
+    - install-docker
+    - haproxy

playbooks/group_vars/gitea-lb.yaml

@@ -0,0 +1,16 @@
+haproxy_listeners:
+  - name: balance_git_http
+    bind:
+      - '*:80'
+    servers:
+      - name: 'gitea01.opendev.org'
+        address: '127.0.0.1:80'  # placeholder
+  - name: balance_git_https
+    bind:
+      - '*:443'
+    servers:
+      - name: 'gitea01.opendev.org'
+        address: '127.0.0.1:443'  # placeholder
+iptables_extra_public_tcp_ports:
+  - 443
+  - 80

playbooks/group_vars/gitea.yaml

@@ -1,2 +1,6 @@
 gitea_root_email: infra-root@openstack.org
 gitea_gerrit_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVuhTMAz1H2Jr9AC3py9A0vlNna6Sdt4yrvZOayxukPqQ7GPZd+Mo7MVyypxLD479N2mA09JAdsbq1eTiPP8ksEkB+dNxZzw8mY1653R/IXSW6J9xPcoDa88HF2s/xHN24IWzgiDjNNe79AQ+sKleByEQZ++xXny3MRpy258hKUvAtjjOLOnM1PBs8JNOzBL+UPgWRgSX6GG0qywJZqjD1Qx5kvH9RTRLi+tcMhEi4laN7BYvn4csY0sYzTzPG4ZTu3ootIJoRlQGtQ0LmoFO1vSwyEJUags6/ZZGjgy3jl3kwcU/b8ZnFlF4MDw1OB1QqMb4r6bMHbXNIupp4zJbz gerrit-replication-2014-04-25
+iptables_extra_public_tcp_ports:
+  - 222
+  - 3000
+  - 3080

playbooks/roles/haproxy/README.rst

@@ -0,0 +1 @@
+Install, configure, and run a haproxy server.

playbooks/roles/haproxy/files/docker/docker-compose.yaml

@@ -0,0 +1,12 @@
+# Version 2 is the latest that is supported by docker-compose in
+# Ubuntu Xenial.
+version: '2'
+
+services:
+  haproxy:
+    restart: always
+    image: haproxy:latest
+    network_mode: host
+    volumes:
+      - /var/haproxy/etc:/usr/local/etc/haproxy
+      - /var/haproxy/run:/var/haproxy/run

playbooks/roles/haproxy/tasks/main.yaml

@@ -0,0 +1,26 @@
+- name: Synchronize docker-compose directory
+  synchronize:
+    src: docker/
+    dest: /etc/haproxy-docker/
+- name: Ensure registry volume directories exists
+  file:
+    state: directory
+    path: "/var/haproxy/{{ item }}"
+    owner: 1000
+    group: 1000
+  loop:
+    - etc
+    - run
+- name: Write haproxy config file
+  template:
+    src: haproxy.cfg.j2
+    dest: /var/haproxy/etc/haproxy.cfg
+- name: Install docker-compose
+  package:
+    name:
+      - docker-compose
+    state: present
+- name: Run docker-compose up
+  shell:
+    cmd: docker-compose up -d
+    chdir: /etc/haproxy-docker/

playbooks/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,34 @@
+global
+  uid  1000
+  gid  1000
+  log  127.0.0.1 local0
+  maxconn  4000
+  pidfile  /var/haproxy/run/haproxy.pid
+  stats  socket /var/haproxy/run/stats uid 1000 gid 1000 mode 0600 level admin
+
+defaults
+  log  global
+  maxconn  8000
+  option  redispatch
+  retries  3
+  stats  enable
+  timeout  http-request 10s
+  timeout  queue 1m
+  timeout  connect 10s
+  timeout  client 2m
+  timeout  server 2m
+  timeout  check 10s
+
+{% for listener in haproxy_listeners %}
+listen {{ listener.name }}
+  {% for bind in listener.bind %}
+  bind {{ bind }}
+  {% endfor %}
+  mode tcp
+  balance leastconn
+  option tcplog
+
+  {% for server in listener.servers %}
+  server {{ server.name }} {{ server.address }}
+  {% endfor %}
+{% endfor %}

playbooks/zuul/run-base.yaml

@@ -63,6 +63,7 @@
         - group_vars/ns.yaml
         - group_vars/registry.yaml
         - group_vars/gitea.yaml
+        - group_vars/gitea-lb.yaml
         - host_vars/bridge.openstack.org.yaml
     - name: Display group membership
       command: ansible localhost -m debug -a 'var=groups'

playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2

@@ -0,0 +1,13 @@
+haproxy_listeners:
+  - name: balance_git_http
+    bind:
+      - "*:80"
+    servers:
+      - name: "gitea01.opendev.org"
+        address: "{{ (hostvars['gitea01.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3080"
+  - name: balance_git_https
+    bind:
+      - "*:443"
+    servers:
+      - name: "gitea01.opendev.org"
+        address: "{{ (hostvars['gitea01.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3000"

testinfra/test_gitea_lb.py

@@ -0,0 +1,23 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['gitea-lb01.opendev.org']
+
+
+def test_gitea_listening(host):
+    gitea_https = host.socket("tcp://0.0.0.0:443")
+    assert gitea_https.is_listening
+    gitea_http = host.socket("tcp://0.0.0.0:80")
+    assert gitea_http.is_listening