Merge "Add functionality to accept both HTTP and HTTPS during upgrade"

templates/service-redirect.j2

@@ -0,0 +1,93 @@
+{% set haproxy_http_front_port = haproxy_backend_port + 10000 %}
+{% set haproxy_https_front_port = haproxy_backend_port + 20000 %}
+
+# Redirect to direct request to HTTP or HTTPS frontend
+frontend {{ item.service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
+    mode tcp
+    bind {{ vip_bind }}:{{ item.service.haproxy_port }}
+    tcp-request inspect-delay 2s
+    tcp-request content accept if HTTP
+    tcp-request content accept if { req.ssl_hello_type 1 }
+    use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
+    default_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
+
+backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
+    mode tcp
+    server  {{ value.backend_name | default(item.service.haproxy_service_name) }}-http {{ vip_bind }}:{{ haproxy_http_front_port }}
+
+backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
+    mode tcp
+    server  {{ value.backend_name | default(item.service.haproxy_service_name) }}-https {{ vip_bind }}:{{ haproxy_https_front_port }}
+
+frontend {{ item.service.haproxy_service_name }}-http-front-{{ loop.index }}
+    bind {{ vip_bind }}:{{ haproxy_http_front_port }}
+{% if request_option == "http" %}
+    option httplog
+    option forwardfor except 127.0.0.0/8
+{% if item.service.haproxy_http_keepalive_mode is defined %}
+    option {{ item.service.haproxy_http_keepalive_mode }}
+{% endif %}
+{% elif request_option == "tcp" %}
+    option tcplog
+{% endif %}
+{% if item.service.haproxy_timeout_client is defined %}
+    timeout client {{ item.service.haproxy_timeout_client }}
+{% endif %}
+{% if item.service.haproxy_allowlist_networks is defined %}
+    acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
+    tcp-request content accept if allow_list
+    tcp-request content reject
+{% endif %}
+{% if item.service.haproxy_acls is defined %}
+{%   for key, value in item.service.haproxy_acls.items() %}
+    acl {{ key }} {{ value.rule }}
+{%     if not item.service.haproxy_frontend_only | default(false) %}
+    use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+    mode {{ item.service.haproxy_balance_type }}
+{% if not item.service.haproxy_frontend_only | default(false) %}
+    default_backend {{ item.service.haproxy_service_name }}-back
+{% endif %}
+{% for entry in item.service.haproxy_frontend_raw|default([]) %}
+    {{ entry }}
+{% endfor %}
+
+frontend {{ item.service.haproxy_service_name }}-https-front-{{ loop.index }}
+    bind {{ vip_bind }}:{{ haproxy_https_front_port }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem
+{% if request_option == "http" %}
+    option httplog
+    option forwardfor except 127.0.0.0/8
+{% if item.service.haproxy_http_keepalive_mode is defined %}
+    option {{ item.service.haproxy_http_keepalive_mode }}
+{% endif %}
+{% elif request_option == "tcp" %}
+    option tcplog
+{% endif %}
+{% if item.service.haproxy_timeout_client is defined %}
+    timeout client {{ item.service.haproxy_timeout_client }}
+{% endif %}
+{% if item.service.haproxy_allowlist_networks is defined %}
+    acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
+    tcp-request content accept if allow_list
+    tcp-request content reject
+{% endif %}
+{% if item.service.haproxy_acls is defined %}
+{%   for key, value in item.service.haproxy_acls.items() %}
+    acl {{ key }} {{ value.rule }}
+{%     if not item.service.haproxy_frontend_only | default(false) %}
+    use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
+    http-request add-header X-Forwarded-Proto https
+{% endif %}
+    mode {{ item.service.haproxy_balance_type }}
+{% if not item.service.haproxy_frontend_only | default(false) %}
+    default_backend {{ item.service.haproxy_service_name }}-back
+{% endif %}
+{% for entry in item.service.haproxy_frontend_raw|default([]) %}
+    {{ entry }}
+{% endfor %}

templates/service.j2

@@ -36,6 +36,11 @@ bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
 {% endif %}
 {% endif %}
 
+{# TODO: remove if and section inside if after HTTPS upgrade #}
+{# During an upgrade of internal frontends from HTTP to HTTPS, need to accept both HTTP and HTTPS until client config has been changed #}
+{% if (item.service.haproxy_tcp_upgrade_frontend | default(false)) and not (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses) and (item.service.haproxy_ssl_all_vips | default(false)) %}
+{% include 'service-redirect.j2' %}
+{% else %}
 frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
     bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem {% endif %}
 
@@ -74,6 +79,7 @@ frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
 {% for entry in item.service.haproxy_frontend_raw|default([]) %}
     {{ entry }}
 {% endfor %}
+{% endif %}
 {% endfor %}
 {% endif %}
 
@@ -146,6 +152,32 @@ backend {{ item.service.haproxy_service_name }}-back
 {%  set _ = entry.append(option) %}
 {% endfor %}
     {{ entry | join(' ') }}
+{# TODO: remove if and section inside if after HTTPS upgrade #}
+{# During an upgrade of backends from HTTP to HTTPS, need to uses both HTTP and HTTPS backends until backends have been changed #}
+{% if item.service.haproxy_tcp_upgrade_backend | default(false) and item.service.haproxy_backend_ssl | default(false) %}
+{% set entry = [] %}
+{% set _ = entry.append("server") %}
+{% set _ = entry.append((host_name.name | default(host_name)) + "-http" | string) %}
+{% set _ = entry.append((host_name.ip_addr | default(ip_addr)) + ":" + haproxy_backend_port | string) %}
+{% set _ = entry.append("check") %}
+{% set _ = entry.append("port") %}
+{% set _ = entry.append(haproxy_check_port | string) %}
+{% set _ = entry.append("inter") %}
+{% set _ = entry.append(item.service.interval|default(haproxy_interval) | string) %}
+{% set _ = entry.append("rise") %}
+{% set _ = entry.append(item.service.backend_rise|default(item.service.haproxy_backend_nodes | count | string)) %}
+{% set _ = entry.append("fall") %}
+{% set _ = entry.append(item.service.backend_fall|default(item.service.haproxy_backend_nodes | count | string)) %}
+{% set backend_server_options = item.service.haproxy_backend_server_options|default([]) %}
+{% for option in backend_server_options %}
+{%  set _ = entry.append(option) %}
+{% endfor %}
+{% set backend_per_server_options = host_name.backend_server_options|default([]) %}
+{% for option in backend_per_server_options %}
+{%  set _ = entry.append(option) %}
+{% endfor %}
+    {{ entry | join(' ') }}
+{% endif %}
 {% endfor %}
 
 {% for host_name in item.service.haproxy_backup_nodes|default([]) %}