openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes
Files
a51f8b347ffed85d48b1448f9718b137330a7324
openstack-ansible-haproxy_s…/vars/main.yml
Dmitriy Rabotyagov c0da2e5095 Fix linters issue and metadata 
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
2023-08-07 06:55:22 +00:00

98 lines
4.1 KiB
YAML
Raw Blame History

---
# Copyright 2021, City Network International AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_haproxy_tls_vip_binds: |
{% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface}] %}
{% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
{% set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface}) %}
{% endif %}
{% for vip_address in extra_lb_tls_vip_addresses %}
{% set _ = vip_binds.append({'address': vip_address}) %}
{% endfor %}
{{ vip_binds }}
_haproxy_pki_certificates: |
{% set _pki_certs = [] %}
{% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (
vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
{% if vip['address'] == haproxy_bind_internal_lb_vip_address %}
{% set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %}
{% endif %}
{% if vip['address'] == haproxy_bind_external_lb_vip_address %}
{% set san = san ~ (external_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ external_lb_vip_address) %}
{% endif %}
{% set _ = _pki_certs.append(
{
'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']),
'provider': 'ownca',
'cn': ansible_facts['hostname'],
'san': san,
'signed_by': haproxy_pki_intermediate_cert_name,
}
) %}
{% endfor %}
{{ _pki_certs }}
_haproxy_pki_install_certificates: |
{% set _pki_install = [] %}
{% for vip in haproxy_tls_vip_binds %}
{% set _vip_interface = vip['interface'] | default('') %}
{% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
vip['address'] ~ '-' ~ _vip_interface, vip['address'])
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '.crt',
'owner': 'root',
'group': 'root',
'mode': '0644'
}
)
%}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_key | default(haproxy_pki_keys_path ~ _cert_basename ~ '.key.pem'),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '.key',
'owner': 'root',
'group': 'root',
'mode': '0644'
}
)
%}
{# We need to put CA only when it's provided by user or internal CA is used and user certs are not provided #}
{% if (haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined) or haproxy_user_ssl_ca_cert is defined %}
{% set _ = _pki_install.append(
{
'src': haproxy_user_ssl_ca_cert | default(haproxy_pki_intermediate_cert_path),
'dest': haproxy_ssl_cert_path ~ _cert_basename ~ '-ca.crt',
'owner': 'root',
'group': 'root',
'mode': '0644'
})
%}
{% endif %}
{% endfor %}
{{ _pki_install }}
# In case CSP is enabled, on newer haproxy versions, header size
# fill more than bufsize-maxrewrite, which results in 500
# See: https://github.com/haproxy/haproxy/issues/1597
_haproxy_default_tuning_params:
tune.maxrewrite: 1280
View Git Blame Copy Permalink