openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes
Files
4ba235fc58e2a4623a2cd492104805b6768f13bb
openstack-ansible-haproxy_s…/vars/main.yml
Dmitriy Rabotyagov 711caf62e4 Add molecule testing to the role 
This adopts old functional tests to be launched with molecule.
Patch does not intend to extend or refactor set of existing tests,
but to provide a baseline to iterate on and ability to improve coverage
with important usecases.

Change-Id: Ia93b5adb313d5b930086ce90dafe6a63da092aba
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
2025-08-08 17:24:09 +00:00

103 lines
4.4 KiB
YAML
Raw Blame History

---
# Copyright 2021, City Network International AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_haproxy_vip_binds: |
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface, 'type': 'external'}] %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface, 'type': 'internal'}) %}
{% endif %}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append({'address': vip_address, 'type': 'external'}) %}
{% endfor %}
{{ vip_binds }}
_haproxy_pki_certificates: |
{% set _pki_certs = [] %}
{% for vip in haproxy_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set san = ['DNS:' ~ ansible_facts['hostname'], 'DNS:' ~ ansible_facts['fqdn']] %}
{% if vip['address'] != '*' %}
{% set _ = san.append((vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address']) %}
{% endif %}
{% if vip['address'] == haproxy_bind_internal_lb_vip_address and not (internal_lb_vip_address | ansible.utils.ipaddr) %}
{% set _ = san.append('DNS:' ~ internal_lb_vip_address) %}
{% endif %}
{% if vip['address'] == haproxy_bind_external_lb_vip_address and not (external_lb_vip_address | ansible.utils.ipaddr) %}
{% set _ = san.append('DNS:' ~ external_lb_vip_address) %}
{% endif %}
{% for record in vip.get('pki_san_records', []) %}
{% set _ = san.append((record | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ record) %}
{% endfor %}
{% set _ = _pki_certs.append(
{
'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']),
'provider': 'ownca',
'cn': ansible_facts['hostname'],
'san': san | join(','),
'signed_by': haproxy_pki_intermediate_cert_name,
}
) %}
{% endfor %}
{{ _pki_certs }}
_haproxy_pki_install_certificates: |
{% set _pki_install = [] %}
{% for vip in haproxy_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
vip['address'] ~ '-' ~ _vip_interface, vip['address'])
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),
'dest': haproxy_ssl_temp_path ~ _cert_basename ~ '.crt',
'owner': 'root',
'group': 'haproxy',
'mode': '0644'
}
)
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_key | default(haproxy_pki_keys_path ~ _cert_basename ~ '.key.pem'),
'dest': haproxy_ssl_temp_path ~ _cert_basename ~ '.key',
'owner': 'root',
'group': 'haproxy',
'mode': '0640'
}
)
%}
{# We need to put CA only when it's provided by user or internal CA is used and user certs are not provided #}
{% if (haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined) or haproxy_user_ssl_ca_cert is defined %}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_ca_cert | default(haproxy_pki_intermediate_cert_path),
'dest': haproxy_ssl_temp_path ~ _cert_basename ~ '-ca.crt',
'owner': 'root',
'group': 'haproxy',
'mode': '0644'
})
%}
{% endif %}
{% endfor %}
{{ _pki_install }}
# In case CSP is enabled, on newer haproxy versions, header size
# fill more than bufsize-maxrewrite, which results in 500
# See: https://github.com/haproxy/haproxy/issues/1597
_haproxy_default_tuning_params:
tune.maxrewrite: 1280
View Git Blame Copy Permalink