openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes
Files
e86139506d87e0c797f2449835dd5418571fde8f
openstack-ansible-haproxy_s…/defaults/main.yml
Kevin Carter e86139506d Enable SSL termination for all services 
This change makes it so that all services are expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can test
a more production like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1
Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00
Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6
Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859
Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151
Co-Authored-By: Logan V <logan2211@gmail.com>
Signed-off-by: Logan V <logan2211@gmail.com>
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-04-27 18:36:07 +00:00

87 lines
2.6 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Defines that the role will be deployed on a host machine
is_metal: true
## APT Cache options
cache_timeout: 600
haproxy_apt_repo_url: "http://ppa.launchpad.net/vbernat/haproxy-1.5/ubuntu"
haproxy_apt_repo:
repo: "deb {{ haproxy_apt_repo_url }} {{ ansible_distribution_release }} main"
state: "present"
# Haproxy GPG Keys
haproxy_gpg_keys:
- key_name: 'haproxy'
keyserver: 'hkp://keyserver.ubuntu.com:80'
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
hash_id: '0xcffb779aadc995e4f350a060505d97a41c61b9cd'
haproxy_pre_apt_packages:
- python-software-properties
- software-properties-common
- debconf-utils
haproxy_apt_packages:
- haproxy
- hatop
- rsyslog # Used for local logging
- vim-haproxy
- psmisc
## Haproxy Configuration
haproxy_rise: 3
haproxy_fall: 3
haproxy_interval: 12000
## Haproxy Stats
haproxy_stats_enabled: False
haproxy_stats_bind_address: 127.0.0.1
haproxy_stats_port: 1936
haproxy_username: admin
haproxy_stats_password: secrete
# Default haproxy backup nodes to empty list so this doesn't have to be
# defined for each service.
haproxy_backup_nodes: []
# haproxy_service_configs:
# - service:
# hap_service_name: haproxy_all
# hap_backend_nodes: "{{ groups['haproxy_all'][0] }}"
# # hap_backup_nodes: "{{ groups['haproxy_all'][1:] }}"
# hap_port: 80
# hap_balance_type: http
# hap_backend_options:
# - "forwardfor"
# - "httpchk"
# - "httplog"
galera_monitoring_user: monitoring
haproxy_bind_on_non_local: False
## haproxy SSL
haproxy_ssl: true
haproxy_ssl_dh_param: 2048
haproxy_ssl_self_signed_regen: no
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
View Git Blame Copy Permalink