Merge "Fix linters issue and metadata"

defaults/main.yml

@@ -145,7 +145,8 @@ haproxy_ssl_cert_path: /etc/haproxy/ssl
 haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
 haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
 # TLS v1.2 and below
-haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}"
+haproxy_ssl_cipher_suite_tls12: >-
+  {{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
 # TLS v1.3
 haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
 
@@ -198,7 +199,8 @@ haproxy_pki_install_ca:
 haproxy_pki_keys_path: "{{ haproxy_pki_dir ~ '/certs/private/' }}"
 haproxy_pki_certs_path: "{{ haproxy_pki_dir ~ '/certs/certs/' }}"
 haproxy_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}"
-haproxy_pki_intermediate_cert_path: "{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}"
+haproxy_pki_intermediate_cert_path: >-
+  {{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}
 haproxy_pki_regen_cert: ''
 haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}"
 

handlers/main.yml

@@ -13,9 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: regen pem
+- name: Regen pem # noqa: no-changed-when
-  shell: >
+  shell: >-
-    cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path  ~ '-ca.crt' }} && echo {{ item_base_path  ~ '-ca.crt' }}) {{ item_base_path  ~ '.key' }} > {{ item_base_path  ~ '.pem' }}
+    cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path  ~ '-ca.crt' }} &&
+    echo {{ item_base_path  ~ '-ca.crt' }}) {{ item_base_path  ~ '.key' }} > {{ item_base_path  ~ '.pem' }}
   notify: Reload haproxy
   vars:
     item_interface: "{{ item['interface'] | default('') }}"
@@ -25,12 +26,15 @@
   listen:
     - haproxy cert installed
 
-- name: regenerate maps
+- name: Regenerate maps
   vars:
     all_changed_results: "{{ (map_create.results + map_delete.results) | select('changed') }}"
   assemble:
     src: "/etc/haproxy/map.conf.d/{{ item }}"
     dest: "/etc/haproxy/{{ item }}.map"
+    mode: "0640"
+    owner: haproxy
+    group: haproxy
   notify: Reload haproxy
   with_items: "{{ all_changed_results | map(attribute='item') | flatten | selectattr('name', 'defined') | map(attribute='name') | unique }}"
 
@@ -39,6 +43,9 @@
     src: "/etc/haproxy/conf.d"
     dest: "/etc/haproxy/haproxy.cfg"
     validate: /usr/sbin/haproxy -c -f %s
+    mode: "0640"
+    owner: haproxy
+    group: haproxy
   notify: Reload haproxy
   tags:
     - haproxy-general-config

meta/main.yml

@@ -16,21 +16,23 @@
 galaxy_info:
   author: rcbops
   description: Installation and setup of HAProxy
+  role_name: haproxy_server
+  namespace: openstack
   company: Rackspace
   license: Apache2
-  min_ansible_version: 2.2
+  min_ansible_version: "2.10"
   platforms:
     - name: Debian
       versions:
-        - buster
+        - bullseye
     - name: Ubuntu
       versions:
-        - bionic
         - focal
+        - jammy
     - name: EL
       versions:
-        - 8
+        - "9"
-  categories:
+  galaxy_tags:
     - cloud
     - python
     - development

tasks/haproxy_install.yml

@@ -30,6 +30,7 @@
       file:
         path: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
         state: directory
+        mode: "0755"
 
     - name: Download hatop package
       get_url:
@@ -37,6 +38,7 @@
         dest: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}"
         validate_certs: "{{ haproxy_hatop_download_validate_certs }}"
         checksum: "{{ haproxy_hatop_download_checksum }}"
+        mode: "0644"
       register: fetch_url
       until: fetch_url is success
       retries: 3
@@ -54,7 +56,6 @@
       copy:
         src: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}/bin/hatop"
         dest: /usr/local/bin/hatop
-        mode: 0755
+        mode: "0755"
         remote_src: yes
   when: haproxy_hatop_install | bool
-

tasks/haproxy_post_install.yml

@@ -45,11 +45,15 @@
   template:
     src: "haproxy.cfg.j2"
     dest: "/etc/haproxy/conf.d/00-haproxy"
+    mode: "0640"
+    owner: haproxy
+    group: haproxy
   notify: Regenerate haproxy configuration
   tags:
     - haproxy-base-config
 
-- include_tasks: haproxy_service_config.yml
+- name: Including haproxy_service_config tasks
+  include_tasks: haproxy_service_config.yml
   tags:
     - haproxy-service-config
 
@@ -69,6 +73,7 @@
     path: "{{ haproxy_log_mount_point }}"
     access_time: preserve
     modification_time: preserve
+    mode: "0755"
 
 - name: Make log socket available to chrooted filesystem
   mount:

tasks/haproxy_pre_install.yml

@@ -48,6 +48,8 @@
     path: "{{ item }}"
     state: directory
     mode: "0755"
+    owner: haproxy
+    group: haproxy
   with_items:
     - /etc/haproxy/conf.d
     - "{{ haproxy_ssl_cert_path }}"
@@ -56,6 +58,9 @@
   copy:
     content: "{{ item.content }}"
     dest: "{{ item.dest }}"
+    mode: "0644"
+    owner: haproxy
+    group: haproxy
   when:
     - (item.condition | default(True))
   loop: "{{ haproxy_static_files }}"

tasks/haproxy_service_config.yml

@@ -32,6 +32,9 @@
   template:
     src: service.j2
     dest: "/etc/haproxy/conf.d/{{ service.haproxy_service_name }}"
+    owner: root
+    group: haproxy
+    mode: "0640"
 # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
 # with haproxy_service_configs in 2024.1.
   loop: "{{ _haproxy_service_configs_simplified }}"
@@ -73,9 +76,16 @@
   file:
     state: directory
     path: "/etc/haproxy/map.conf.d/{{ item }}"
+    owner: root
+    group: haproxy
+    mode: "0750"
 # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
 # with haproxy_service_configs in 2024.1.
-  loop: "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten | map(attribute='name') | unique }}"
+  loop: >-
+    {{
+      _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten |
+      map(attribute='name') | unique
+    }}
 
 # create map entries when the service is enabled and an existing map fragment is not absent
 - name: Create haproxy map files
@@ -84,6 +94,9 @@
   template:
     src: map.j2
     dest: "{{ map_file }}"
+    owner: root
+    group: haproxy
+    mode: "0640"
 # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
 # with haproxy_service_configs in 2024.1.
   with_subelements:
@@ -92,7 +105,7 @@
   when:
     - (item.0.haproxy_service_enabled | default(True)) | bool
     - item.1.state | default('present') != 'absent'
-  notify: regenerate maps
+  notify: Regenerate maps
   register: map_create
 
 # remove map entries when the service is not enabled, the service is absent or the map is absent
@@ -109,5 +122,5 @@
   with_subelements:
     - "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') }}"
     - haproxy_map_entries
-  notify: regenerate maps
+  notify: Regenerate maps
   register: map_delete

tasks/haproxy_service_config_external.yml

@@ -26,7 +26,8 @@
       paths:
         - "{{ role_path }}/vars"
 
-- include_tasks: haproxy_service_config.yml
+- name: Including haproxy_service_config tasks
+  include_tasks: haproxy_service_config.yml
   args:
     apply:
       tags:

tasks/haproxy_ssl_letsencrypt.yml

@@ -48,7 +48,7 @@
   template:
     src: letsencrypt_pre_hook_certbot_distro.j2
     dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
-    mode: 0755
+    mode: "0755"
   when:
     - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
 
@@ -56,13 +56,16 @@
   template:
     src: letsencrypt_renew_certbot_distro.j2
     dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
-    mode: 0755
+    mode: "0755"
 
 - name: Create new pem file for haproxy
   assemble:
     src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
     dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item  ~ '.pem' }}"
     regexp: '(privkey|fullchain).pem$'
+    owner: haproxy
+    group: haproxy
+    mode: "0640"
   with_items:
     - "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}"
   notify:

tasks/main.yml

@@ -28,11 +28,13 @@
   tags:
     - always
 
-- import_tasks: haproxy_pre_install.yml
+- name: Importing haproxy_pre_install tasks
+  import_tasks: haproxy_pre_install.yml
   tags:
     - haproxy_server-install
 
-- import_tasks: haproxy_install.yml
+- name: Importing haproxy_install tasks
+  import_tasks: haproxy_install.yml
   tags:
     - haproxy_server-install
 
@@ -56,14 +58,17 @@
   when:
     - haproxy_ssl | bool
 
-- import_tasks: haproxy_post_install.yml
+- name: Importing haproxy_post_install tasks
+  import_tasks: haproxy_post_install.yml
   tags:
     - haproxy_server-config
 
 # NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured
-- meta: flush_handlers
+- name: Flush handlers
+  meta: flush_handlers
 
-- include_tasks: haproxy_ssl_letsencrypt.yml
+- name: Including haproxy_ssl_letsencrypt tasks
+  include_tasks: haproxy_ssl_letsencrypt.yml
   when:
     - haproxy_ssl | bool
     - haproxy_ssl_letsencrypt_enable | bool

vars/main.yml

@@ -15,7 +15,8 @@
 
 _haproxy_tls_vip_binds: |
   {% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %}
-  {% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
+  {% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
+      haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
   {%   set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %}
   {% endif %}
   {% for vip_address in extra_lb_tls_vip_addresses %}
@@ -27,7 +28,8 @@ _haproxy_pki_certificates: |
   {% set _pki_certs = [] %}
   {% for vip in haproxy_tls_vip_binds %}
   {% set _vip_interface = vip['interface'] | default('') %}
-  {% set san = 'DNS:' ~ ansible_facts['hostname'] ~  ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
+  {% set san = 'DNS:' ~ ansible_facts['hostname'] ~  ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (
+                vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
   {% if vip['address'] == haproxy_bind_internal_lb_vip_address %}
   {%   set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %}
   {% endif %}
@@ -50,7 +52,9 @@ _haproxy_pki_install_certificates: |
   {% set _pki_install = [] %}
   {% for vip in haproxy_tls_vip_binds %}
   {% set _vip_interface = vip['interface'] | default('') %}
-  {% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']) %}
+  {% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
+      vip['address'] ~ '-' ~ _vip_interface, vip['address'])
+  %}
   {% set _ = _pki_install.append(
       {
         'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),