Fix linters issue and metadata

With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules, we're applying changes to the role.

With that we also update the metadata to reflect the current state.

Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
This commit is contained in:
Dmitriy Rabotyagov
2023-07-11 18:54:01 +02:00
committed by Dmitriy Rabotyagov
parent b81dec169b
commit c0da2e5095
11 changed files with 97 additions and 49 deletions


@@ -137,7 +137,8 @@ haproxy_ssl_cert_path: /etc/haproxy/ssl
haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers" haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
haproxy_ssl_server_options: "ssl-min-ver TLSv1.2" haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
# TLS v1.2 and below # TLS v1.2 and below
haproxy_ssl_cipher_suite_tls12: "{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}" haproxy_ssl_cipher_suite_tls12: >-
{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
# TLS v1.3 # TLS v1.3
haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}" haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
@@ -190,7 +191,8 @@ haproxy_pki_install_ca:
haproxy_pki_keys_path: "{{ haproxy_pki_dir ~ '/certs/private/' }}" haproxy_pki_keys_path: "{{ haproxy_pki_dir ~ '/certs/private/' }}"
haproxy_pki_certs_path: "{{ haproxy_pki_dir ~ '/certs/certs/' }}" haproxy_pki_certs_path: "{{ haproxy_pki_dir ~ '/certs/certs/' }}"
haproxy_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}" haproxy_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}"
haproxy_pki_intermediate_cert_path: "{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}" haproxy_pki_intermediate_cert_path: >-
{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}
haproxy_pki_regen_cert: '' haproxy_pki_regen_cert: ''
haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}" haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}"


@@ -13,9 +13,10 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: regen pem - name: Regen pem # noqa: no-changed-when
shell: > shell: >-
cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path ~ '-ca.crt' }} && echo {{ item_base_path ~ '-ca.crt' }}) {{ item_base_path ~ '.key' }} > {{ item_base_path ~ '.pem' }} cat {{ item_base_path ~ '.crt' }} $(test -f {{ item_base_path ~ '-ca.crt' }} &&
echo {{ item_base_path ~ '-ca.crt' }}) {{ item_base_path ~ '.key' }} > {{ item_base_path ~ '.pem' }}
notify: Reload haproxy notify: Reload haproxy
vars: vars:
item_interface: "{{ item['interface'] | default('') }}" item_interface: "{{ item['interface'] | default('') }}"
@@ -25,12 +26,15 @@
listen: listen:
- haproxy cert installed - haproxy cert installed
- name: regenerate maps - name: Regenerate maps
vars: vars:
all_changed_results: "{{ (map_create.results + map_delete.results) | select('changed') }}" all_changed_results: "{{ (map_create.results + map_delete.results) | select('changed') }}"
assemble: assemble:
src: "/etc/haproxy/map.conf.d/{{ item }}" src: "/etc/haproxy/map.conf.d/{{ item }}"
dest: "/etc/haproxy/{{ item }}.map" dest: "/etc/haproxy/{{ item }}.map"
mode: "0640"
owner: haproxy
group: haproxy
notify: Reload haproxy notify: Reload haproxy
with_items: "{{ all_changed_results | map(attribute='item') | flatten | selectattr('name', 'defined') | map(attribute='name') | unique }}" with_items: "{{ all_changed_results | map(attribute='item') | flatten | selectattr('name', 'defined') | map(attribute='name') | unique }}"
@@ -39,6 +43,9 @@
src: "/etc/haproxy/conf.d" src: "/etc/haproxy/conf.d"
dest: "/etc/haproxy/haproxy.cfg" dest: "/etc/haproxy/haproxy.cfg"
validate: /usr/sbin/haproxy -c -f %s validate: /usr/sbin/haproxy -c -f %s
mode: "0640"
owner: haproxy
group: haproxy
notify: Reload haproxy notify: Reload haproxy
tags: tags:
- haproxy-general-config - haproxy-general-config
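Review bot: The `Regen pem` handler still produces the `.pem` — which includes the private key from `{{ item_base_path ~ '.key' }}` — through a shell redirect, so its mode comes from the remote umask and its owner is the become user, while the two assemble handlers below now set `mode: "0640"` with haproxy ownership. Prefixing the command with `umask 027;`, or following it with a file task that applies the same `owner`/`group`/`mode: "0640"` the assemble handlers use, would keep the permission tightening consistent across the file; which owner haproxy actually needs for its cert files is not visible here, so match whatever the assemble tasks settle on. Separately, `# noqa: no-changed-when` silences the rule instead of declaring the task's effect; since the handler rewrites the file on every run, `changed_when: true` states that honestly. The handler's `vars` and `listen` keys continue into the next hunk.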


@@ -16,21 +16,23 @@
galaxy_info: galaxy_info:
author: rcbops author: rcbops
description: Installation and setup of HAProxy description: Installation and setup of HAProxy
role_name: haproxy_server
namespace: openstack
company: Rackspace company: Rackspace
license: Apache2 license: Apache2
min_ansible_version: 2.2 min_ansible_version: "2.10"
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- buster - bullseye
- name: Ubuntu - name: Ubuntu
versions: versions:
- bionic
- focal - focal
- jammy
- name: EL - name: EL
versions: versions:
- 8 - "9"
categories: galaxy_tags:
- cloud - cloud
- python - python
- development - development
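Review bot: `license: Apache2` is the one galaxy_info field left untouched while `role_name`, `namespace`, `galaxy_tags` and the quoted `min_ansible_version` are brought in line with current Galaxy expectations; Galaxy's metadata guidance points to SPDX-style identifiers, so `license: Apache-2.0` would likely be what a schema-aware linter expects — worth confirming against the ansible-lint meta rules this commit targets. Quoting `"9"` for EL while leaving the Debian/Ubuntu codenames plain is correct, since only the all-digit value would otherwise be read as an integer.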


@@ -30,6 +30,7 @@
file: file:
path: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}" path: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
state: directory state: directory
mode: "0755"
- name: Download hatop package - name: Download hatop package
get_url: get_url:
@@ -37,6 +38,7 @@
dest: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}" dest: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename }}"
validate_certs: "{{ haproxy_hatop_download_validate_certs }}" validate_certs: "{{ haproxy_hatop_download_validate_certs }}"
checksum: "{{ haproxy_hatop_download_checksum }}" checksum: "{{ haproxy_hatop_download_checksum }}"
mode: "0644"
register: fetch_url register: fetch_url
until: fetch_url is success until: fetch_url is success
retries: 3 retries: 3
@@ -54,7 +56,6 @@
copy: copy:
src: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}/bin/hatop" src: "{{ haproxy_hatop_download_path }}/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}/bin/hatop"
dest: /usr/local/bin/hatop dest: /usr/local/bin/hatop
mode: 0755 mode: "0755"
remote_src: yes remote_src: yes
when: haproxy_hatop_install | bool when: haproxy_hatop_install | bool
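Review bot: `remote_src: yes` in the hatop copy task is left as a YAML 1.1 truthy value even though the adjacent `mode: 0755` → `mode: "0755"` change is exactly the kind of yaml lint fix this commit targets; `remote_src: true` would satisfy yamllint's truthy rule and match the `| bool` style used on the `when` line. The copy task's `name` line sits before this hunk.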


@@ -45,11 +45,15 @@
template: template:
src: "haproxy.cfg.j2" src: "haproxy.cfg.j2"
dest: "/etc/haproxy/conf.d/00-haproxy" dest: "/etc/haproxy/conf.d/00-haproxy"
mode: "0640"
owner: haproxy
group: haproxy
notify: Regenerate haproxy configuration notify: Regenerate haproxy configuration
tags: tags:
- haproxy-base-config - haproxy-base-config
- include_tasks: haproxy_service_config.yml - name: Including haproxy_service_config tasks
include_tasks: haproxy_service_config.yml
tags: tags:
- haproxy-service-config - haproxy-service-config
@@ -69,6 +73,7 @@
path: "{{ haproxy_log_mount_point }}" path: "{{ haproxy_log_mount_point }}"
access_time: preserve access_time: preserve
modification_time: preserve modification_time: preserve
mode: "0755"
- name: Make log socket available to chrooted filesystem - name: Make log socket available to chrooted filesystem
mount: mount:
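Review bot: The `00-haproxy` template is given `owner: haproxy` / `group: haproxy` / `mode: "0640"`, whereas the service-config templates and map directories added in haproxy_service_config.yml use `owner: root` / `group: haproxy` with `0640`/`0750`; the two conventions leave the base config fragment writable by the service account while the per-service fragments are not. Assuming haproxy only reads these paths, `owner: root` here — and likewise for the assembled `haproxy.cfg` and the `conf.d` directory and static files in the handlers and pre-install hunks (L67-69, L157-158, L167-168), and the letsencrypt pem at L255-257 — would apply the stricter root:haproxy pattern uniformly. If haproxy does need write access to any of these (not visible in this diff), a short comment on the task saying so would stop the next reviewer from "fixing" it.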


@@ -48,6 +48,8 @@
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: "0755" mode: "0755"
owner: haproxy
group: haproxy
with_items: with_items:
- /etc/haproxy/conf.d - /etc/haproxy/conf.d
- "{{ haproxy_ssl_cert_path }}" - "{{ haproxy_ssl_cert_path }}"
@@ -56,6 +58,9 @@
copy: copy:
content: "{{ item.content }}" content: "{{ item.content }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "0644"
owner: haproxy
group: haproxy
when: when:
- (item.condition | default(True)) - (item.condition | default(True))
loop: "{{ haproxy_static_files }}" loop: "{{ haproxy_static_files }}"


@@ -32,6 +32,9 @@
template: template:
src: service.j2 src: service.j2
dest: "/etc/haproxy/conf.d/{{ service.haproxy_service_name }}" dest: "/etc/haproxy/conf.d/{{ service.haproxy_service_name }}"
owner: root
group: haproxy
mode: "0640"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1. # with haproxy_service_configs in 2024.1.
loop: "{{ _haproxy_service_configs_simplified }}" loop: "{{ _haproxy_service_configs_simplified }}"
@@ -73,9 +76,16 @@
file: file:
state: directory state: directory
path: "/etc/haproxy/map.conf.d/{{ item }}" path: "/etc/haproxy/map.conf.d/{{ item }}"
owner: root
group: haproxy
mode: "0750"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1. # with haproxy_service_configs in 2024.1.
loop: "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten | map(attribute='name') | unique }}" loop: >-
{{
_haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') | map(attribute='haproxy_map_entries') | flatten |
map(attribute='name') | unique
}}
# create map entries when the service is enabled and an existing map fragment is not absent # create map entries when the service is enabled and an existing map fragment is not absent
- name: Create haproxy map files - name: Create haproxy map files
@@ -84,6 +94,9 @@
template: template:
src: map.j2 src: map.j2
dest: "{{ map_file }}" dest: "{{ map_file }}"
owner: root
group: haproxy
mode: "0640"
# NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced # NOTE(damiandabrowski): _haproxy_service_configs_simplified should be replaced
# with haproxy_service_configs in 2024.1. # with haproxy_service_configs in 2024.1.
with_subelements: with_subelements:
@@ -92,7 +105,7 @@
when: when:
- (item.0.haproxy_service_enabled | default(True)) | bool - (item.0.haproxy_service_enabled | default(True)) | bool
- item.1.state | default('present') != 'absent' - item.1.state | default('present') != 'absent'
notify: regenerate maps notify: Regenerate maps
register: map_create register: map_create
# remove map entries when the service is not enabled, the service is absent or the map is absent # remove map entries when the service is not enabled, the service is absent or the map is absent
@@ -109,5 +122,5 @@
with_subelements: with_subelements:
- "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') }}" - "{{ _haproxy_service_configs_simplified | selectattr('haproxy_map_entries', 'defined') }}"
- haproxy_map_entries - haproxy_map_entries
notify: regenerate maps notify: Regenerate maps
register: map_delete register: map_delete


@@ -26,7 +26,8 @@
paths: paths:
- "{{ role_path }}/vars" - "{{ role_path }}/vars"
- include_tasks: haproxy_service_config.yml - name: Including haproxy_service_config tasks
include_tasks: haproxy_service_config.yml
args: args:
apply: apply:
tags: tags:


@@ -48,7 +48,7 @@
template: template:
src: letsencrypt_pre_hook_certbot_distro.j2 src: letsencrypt_pre_hook_certbot_distro.j2
dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
mode: 0755 mode: "0755"
when: when:
- haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
@@ -56,13 +56,16 @@
template: template:
src: letsencrypt_renew_certbot_distro.j2 src: letsencrypt_renew_certbot_distro.j2
dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
mode: 0755 mode: "0755"
- name: Create new pem file for haproxy - name: Create new pem file for haproxy
assemble: assemble:
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}" src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}" dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
regexp: '(privkey|fullchain).pem$' regexp: '(privkey|fullchain).pem$'
owner: haproxy
group: haproxy
mode: "0640"
with_items: with_items:
- "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}" - "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}"
notify: notify:


@@ -28,11 +28,13 @@
tags: tags:
- always - always
- import_tasks: haproxy_pre_install.yml - name: Importing haproxy_pre_install tasks
import_tasks: haproxy_pre_install.yml
tags: tags:
- haproxy_server-install - haproxy_server-install
- import_tasks: haproxy_install.yml - name: Importing haproxy_install tasks
import_tasks: haproxy_install.yml
tags: tags:
- haproxy_server-install - haproxy_server-install
@@ -56,14 +58,17 @@
when: when:
- haproxy_ssl | bool - haproxy_ssl | bool
- import_tasks: haproxy_post_install.yml - name: Importing haproxy_post_install tasks
import_tasks: haproxy_post_install.yml
tags: tags:
- haproxy_server-config - haproxy_server-config
# NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured # NOTE(jrosser) we must reload the haproxy config before doing the first time certbot setup to ensure the letsencypt backend is configured
- meta: flush_handlers - name: Flush handlers
meta: flush_handlers
- include_tasks: haproxy_ssl_letsencrypt.yml - name: Including haproxy_ssl_letsencrypt tasks
include_tasks: haproxy_ssl_letsencrypt.yml
when: when:
- haproxy_ssl | bool - haproxy_ssl | bool
- haproxy_ssl_letsencrypt_enable | bool - haproxy_ssl_letsencrypt_enable | bool


@@ -15,7 +15,8 @@
_haproxy_tls_vip_binds: | _haproxy_tls_vip_binds: |
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %} {% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %} {% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %} {% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %}
{% endif %} {% endif %}
{% for vip_address in extra_lb_tls_vip_addresses %} {% for vip_address in extra_lb_tls_vip_addresses %}
@@ -27,7 +28,8 @@ _haproxy_pki_certificates: |
{% set _pki_certs = [] %} {% set _pki_certs = [] %}
{% for vip in haproxy_tls_vip_binds %} {% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %} {% set _vip_interface = vip['interface'] | default('') %}
{% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %} {% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (
vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
{% if vip['address'] == haproxy_bind_internal_lb_vip_address %} {% if vip['address'] == haproxy_bind_internal_lb_vip_address %}
{% set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %} {% set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %}
{% endif %} {% endif %}
@@ -50,7 +52,9 @@ _haproxy_pki_install_certificates: |
{% set _pki_install = [] %} {% set _pki_install = [] %}
{% for vip in haproxy_tls_vip_binds %} {% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %} {% set _vip_interface = vip['interface'] | default('') %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']) %} {% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
vip['address'] ~ '-' ~ _vip_interface, vip['address'])
%}
{% set _ = _pki_install.append( {% set _ = _pki_install.append(
{ {
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'), 'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),