openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes
Files
240d109cc84f142a6ef50c150aa79af936074b44
openstack-ansible-haproxy_s…/vars/main.yml
Dmitriy Rabotyagov 65e53499f5 Use haproxy_vip_binds stanza for Let's Encrypt 
Currently Let's Encrypt is using `haproxy_bind_external_lb_vip_address`
to identify naming of resulting certificate which might not match with
expectations, as all other parts of code already do use
`haproxy_vip_binds`
for calculating resulting TLS path.

This patch introduces `type` key for `haproxy_vip_binds` which is used
to identify for which frontends Let's Encrypt certificate should be used
as in most scenarios it's not gonna be issued for "internal" VIPs anyway
due to dns-01 requirement.

Also moving to single "source of truth" for VIP bindings allows to
override and have control over this behaviour.

Change-Id: Id07d9a0ea270d613b37b6adfa373d01a47f7421f
2024-11-10 18:23:43 +01:00

103 lines
4.4 KiB
YAML
Raw Blame History

---
# Copyright 2021, City Network International AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_haproxy_vip_binds: |
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface, 'type': 'external'}] %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface, 'type': 'internal'}) %}
{% endif %}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append({'address': vip_address, 'type': 'external'}) %}
{% endfor %}
{{ vip_binds }}
_haproxy_pki_certificates: |
{% set _pki_certs = [] %}
{% for vip in haproxy_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set san = ['DNS:' ~ ansible_facts['hostname'], 'DNS:' ~ ansible_facts['fqdn']] %}
{% if vip['address'] != '*' %}
{% set _ = san.append((vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address']) %}
{% endif %}
{% if vip['address'] == haproxy_bind_internal_lb_vip_address and not (internal_lb_vip_address | ansible.utils.ipaddr) %}
{% set _ = san.append('DNS:' ~ internal_lb_vip_address) %}
{% endif %}
{% if vip['address'] == haproxy_bind_external_lb_vip_address and not (external_lb_vip_address | ansible.utils.ipaddr) %}
{% set _ = san.append('DNS:' ~ external_lb_vip_address) %}
{% endif %}
{% for record in vip.get('pki_san_records', []) %}
{% set _ = san.append((record | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ record) %}
{% endfor %}
{% set _ = _pki_certs.append(
{
'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']),
'provider': 'ownca',
'cn': ansible_facts['hostname'],
'san': san | join(','),
'signed_by': haproxy_pki_intermediate_cert_name,
}
) %}
{% endfor %}
{{ _pki_certs }}
_haproxy_pki_install_certificates: |
{% set _pki_install = [] %}
{% for vip in haproxy_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
vip['address'] ~ '-' ~ _vip_interface, vip['address'])
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '.crt',
'owner': 'root',
'group': 'root',
'mode': '0644'
}
)
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_key | default(haproxy_pki_keys_path ~ _cert_basename ~ '.key.pem'),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '.key',
'owner': 'root',
'group': 'root',
'mode': '0644'
}
)
%}
{# We need to put CA only when it's provided by user or internal CA is used and user certs are not provided #}
{% if (haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined) or haproxy_user_ssl_ca_cert is defined %}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_ca_cert | default(haproxy_pki_intermediate_cert_path),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '-ca.crt',
'owner': 'root',
'group': 'root',
'mode': '0644'
})
%}
{% endif %}
{% endfor %}
{{ _pki_install }}
# In case CSP is enabled, on newer haproxy versions, header size
# fill more than bufsize-maxrewrite, which results in 500
# See: https://github.com/haproxy/haproxy/issues/1597
_haproxy_default_tuning_params:
tune.maxrewrite: 1280
View Git Blame Copy Permalink