SSL support for haproxy
This change adds support for SSL to the haproxy role. When enabled, this implements/upgrades haproxy to v1.5.x from a PPA. * A new boolean variable called 'haproxy_ssl' enables/disables the configuration of SSL for the haproxy service. * A new variable called 'haproxy_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName. * A new variable called 'haproxy_cert_regen' has been implemented to allow the user to regenerate the self-signed certificate used for the SSL endpoint. * SSL will only be enabled for a load balanced service if haproxy_ssl is true in the service vars. This has only been implemented for the Keystone service endpoints in this patch. * The keystone admin service endpoint will only have SSL enabled if keystone_service_adminuri_proto == 'https'. * The keystone public service endpoint will only have SSL enabled if keystone_service_publicuri_proto == 'https', and the separate keystone internal endpoint (only created when the internal and external VIPs differ) only if keystone_service_internaluri_proto == 'https'. Implements: blueprint keystone-federation Change-Id: I069f1a0f928feb754816b7d450929fb62df66244
This commit is contained in:
parent
8cb06d4412
commit
36640a8f43
@ -140,12 +140,17 @@ keystone_service_port: 5000
|
||||||
keystone_service_proto: http
|
keystone_service_proto: http
|
||||||
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
||||||
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
||||||
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
||||||
keystone_service_user_name: keystone
|
keystone_service_user_name: keystone
|
||||||
keystone_service_tenant_name: service
|
keystone_service_tenant_name: service
|
||||||
|
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
||||||
|
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v2.0"
|
||||||
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
||||||
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0"
|
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0"
|
||||||
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
||||||
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0"
|
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0"
|
||||||
|
keystone_service_publicuri_v3: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
|
||||||
|
keystone_service_publicurl_v3: "{{ keystone_service_publicuri_v3 }}/v3"
|
||||||
keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
|
||||||
keystone_service_internalurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
|
keystone_service_internalurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
|
||||||
keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
|
||||||
|
|
|
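Review bot: `keystone_service_internalurl_v3` is still built from `keystone_service_adminuri_v3` (a context line in this hunk), so the v3 internal endpoint advertises the admin port (`keystone_admin_port`) while the newly added `keystone_service_publicurl_v3` correctly derives from its own URI; that looks like a copy-paste slip the commit does not fix. Suggested line: `keystone_service_internalurl_v3: "{{ keystone_service_internaluri_v3 }}/v3"`. Note also that the new `keystone_service_publicuri_proto` falls back to `keystone_service_proto: http` unless `openstack_service_publicuri_proto` is set, so the externally reachable endpoint stays plaintext by default; a comment above that variable stating this would save operators from assuming `haproxy_ssl: true` alone secures the public VIP.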
@ -17,9 +17,38 @@
|
||||||
hosts: haproxy_hosts
|
hosts: haproxy_hosts
|
||||||
max_fail_percentage: 20
|
max_fail_percentage: 20
|
||||||
user: root
|
user: root
|
||||||
|
pre_tasks:
|
||||||
|
- name: Remove legacy haproxy configuration files
|
||||||
|
file:
|
||||||
|
dest: "/etc/haproxy/conf.d/{{ item }}"
|
||||||
|
state: "absent"
|
||||||
|
with_items:
|
||||||
|
- "keystone_internal"
|
||||||
|
when: internal_lb_vip_address == external_lb_vip_address
|
||||||
|
tags:
|
||||||
|
- haproxy-service-config
|
||||||
|
post_tasks:
|
||||||
|
- name: Add keystone internal endpoint config
|
||||||
|
include: roles/haproxy_server/tasks/haproxy_service_config.yml
|
||||||
|
when: internal_lb_vip_address != external_lb_vip_address
|
||||||
|
vars:
|
||||||
|
haproxy_service_configs:
|
||||||
|
- service:
|
||||||
|
haproxy_service_name: keystone_internal
|
||||||
|
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
||||||
|
haproxy_bind: "{{ internal_lb_vip_address }}"
|
||||||
|
haproxy_port: 5000
|
||||||
|
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
|
||||||
|
haproxy_balance_type: http
|
||||||
|
haproxy_backend_options:
|
||||||
|
- "forwardfor"
|
||||||
|
- "httpchk"
|
||||||
|
- "httplog"
|
||||||
|
tags:
|
||||||
|
- haproxy-service-config
|
||||||
roles:
|
roles:
|
||||||
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
|
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/configs/haproxy_config.yml
|
- vars/configs/haproxy_config.yml
|
||||||
vars:
|
vars:
|
||||||
is_metal: "{{ properties.is_metal|default(false) }}"
|
is_metal: "{{ properties.is_metal|default(false) }}"
|
||||||
|
|
|
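Review bot: The new `Remove legacy haproxy configuration files` pre-task deletes `/etc/haproxy/conf.d/keystone_internal` but carries no `notify: Restart haproxy`, so on a host whose VIPs were merged the running haproxy keeps the stale frontend on `internal_lb_vip_address:5000` until some other change happens to restart it, and the `keystone_service` frontend that now binds `*:5000` then competes with it. Add `notify: Restart haproxy` to that task, matching the template task it replaces, or if the role handler is not reachable from `pre_tasks` in this Ansible version, register the result and restart the service explicitly when it changed. The per-service `haproxy_ssl` value in the post-task is a rendered Jinja string (`"true"`/`"false"`) rather than a boolean; it works only because service.j2 filters it with `| bool`, which deserves a one-line comment here so nobody later compares it with `== true`.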
@ -16,6 +16,23 @@
|
||||||
# Defines that the role will be deployed on a host machine
|
# Defines that the role will be deployed on a host machine
|
||||||
is_metal: true
|
is_metal: true
|
||||||
|
|
||||||
|
haproxy_apt_repo_url: "http://ppa.launchpad.net/vbernat/haproxy-1.5/ubuntu"
|
||||||
|
haproxy_apt_repo:
|
||||||
|
repo: "deb {{ haproxy_apt_repo_url }} {{ ansible_distribution_release }} main"
|
||||||
|
state: "present"
|
||||||
|
|
||||||
|
# Haproxy GPG Keys
|
||||||
|
haproxy_gpg_keys:
|
||||||
|
- key_name: 'haproxy'
|
||||||
|
keyserver: 'hkp://keyserver.ubuntu.com:80'
|
||||||
|
fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80'
|
||||||
|
hash_id: '0xcffb779aadc995e4f350a060505d97a41c61b9cd'
|
||||||
|
|
||||||
|
haproxy_pre_apt_packages:
|
||||||
|
- python-software-properties
|
||||||
|
- software-properties-common
|
||||||
|
- debconf-utils
|
||||||
|
|
||||||
haproxy_apt_packages:
|
haproxy_apt_packages:
|
||||||
- haproxy
|
- haproxy
|
||||||
- hatop
|
- hatop
|
||||||
|
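Review bot: The PPA is fetched over plain `http://` and its signing key over unauthenticated `hkp://...:80`, so package integrity rests entirely on apt checking signatures against the key whose full fingerprint is pinned in `hash_id`; that only holds if the key import actually verifies the received key against that fingerprint, which older gpg/apt-key versions did not do for `--recv-keys`. Consider shipping the PPA's public key in the role and importing it with `apt_key: data=...`, or at least using an `https://` keyserver, and add a comment above `haproxy_gpg_keys` that `hash_id` is the full 40-hex fingerprint and must not be shortened to a short key id. Keep `haproxy_apt_repo_url` documented as the single place the trust anchor for the 1.5 packages comes from, since the pin in this commit gives that repository priority over the distro.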
@ -43,3 +60,11 @@ haproxy_backup_nodes: []
|
||||||
# - "httplog"
|
# - "httplog"
|
||||||
|
|
||||||
galera_monitoring_user: monitoring
|
galera_monitoring_user: monitoring
|
||||||
|
|
||||||
|
## haproxy SSL
|
||||||
|
haproxy_ssl: no
|
||||||
|
haproxy_cert_regen: no
|
||||||
|
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
|
||||||
|
haproxy_ssl_key: /etc/ssl/private/haproxy.key
|
||||||
|
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
|
||||||
|
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||||
|
|
|
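Review bot: `haproxy_ssl_self_signed_subject` places `subjectAltName=IP.1=...` inside the `-subj` DN string, but openssl treats `-subj` components as DN attributes, not X.509 extensions, so the generated certificate carries no SAN for `external_lb_vip_address` and clients that validate it will only ever match the CN (`internal_lb_vip_address`). Document that limitation above the variable, or move the SAN into an openssl config section passed via `-extensions`/`-extfile` in the key-creation task. Also, `haproxy_ssl: no` and `haproxy_cert_regen: no` are YAML 1.1 booleans; write `false` so the `| bool` checks downstream read unambiguous values and linters stay quiet.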
@ -0,0 +1,86 @@
|
||||||
|
---
|
||||||
|
# Copyright 2014, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Update apt sources
|
||||||
|
apt:
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 600
|
||||||
|
register: apt_update
|
||||||
|
until: apt_update|success
|
||||||
|
retries: 5
|
||||||
|
delay: 2
|
||||||
|
tags:
|
||||||
|
- haproxy-apt-packages
|
||||||
|
|
||||||
|
- name: Install haproxy pre packages
|
||||||
|
apt:
|
||||||
|
pkg: "{{ item }}"
|
||||||
|
state: latest
|
||||||
|
register: install_packages
|
||||||
|
until: install_packages|success
|
||||||
|
retries: 5
|
||||||
|
delay: 2
|
||||||
|
with_items: haproxy_pre_apt_packages
|
||||||
|
tags:
|
||||||
|
- haproxy-pre-apt-packages
|
||||||
|
|
||||||
|
- name: Add haproxy apt-keys
|
||||||
|
apt_key:
|
||||||
|
id: "{{ item.hash_id }}"
|
||||||
|
keyserver: "{{ item.keyserver }}"
|
||||||
|
state: "present"
|
||||||
|
register: add_keys
|
||||||
|
until: add_keys|success
|
||||||
|
ignore_errors: True
|
||||||
|
retries: 5
|
||||||
|
delay: 2
|
||||||
|
with_items: haproxy_gpg_keys
|
||||||
|
tags:
|
||||||
|
- haproxy-apt-keys
|
||||||
|
|
||||||
|
- name: Add haproxy apt-keys using fallback keyserver
|
||||||
|
apt_key:
|
||||||
|
id: "{{ item.hash_id }}"
|
||||||
|
keyserver: "{{ item.fallback_keyserver }}"
|
||||||
|
state: "present"
|
||||||
|
register: add_keys_fallback
|
||||||
|
until: add_keys_fallback|success
|
||||||
|
retries: 5
|
||||||
|
delay: 2
|
||||||
|
with_items: haproxy_gpg_keys
|
||||||
|
when: add_keys|failed and item.fallback_keyserver is defined
|
||||||
|
tags:
|
||||||
|
- haproxy-apt-keys
|
||||||
|
|
||||||
|
- name: Drop haproxy repo pin
|
||||||
|
template:
|
||||||
|
src: "haproxy_pin.pref.j2"
|
||||||
|
dest: "/etc/apt/preferences.d/haproxy_pin.pref"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0644"
|
||||||
|
tags:
|
||||||
|
- haproxy-repo-pin
|
||||||
|
|
||||||
|
- name: Add haproxy repo(s)
|
||||||
|
apt_repository:
|
||||||
|
repo: "{{ haproxy_apt_repo.repo }}"
|
||||||
|
state: "{{ haproxy_apt_repo.state }}"
|
||||||
|
register: add_repos
|
||||||
|
until: add_repos|success
|
||||||
|
retries: 5
|
||||||
|
delay: 2
|
||||||
|
tags:
|
||||||
|
- haproxy-repos
|
|
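Review bot: `Install haproxy pre packages` uses `state: latest`, which upgrades `python-software-properties`, `software-properties-common` and `debconf-utils` on every run rather than just ensuring they exist; `state: present` is sufficient here and matches the `"present"` used by the key and repo tasks below. The first apt_key task sets `ignore_errors: True` and the fallback is gated on `add_keys|failed`, but `add_keys` is the aggregate of a `with_items` loop, so whether `|failed` fires per-item or only when the aggregate reports failure depends on the Ansible version; it would be more robust to drop `ignore_errors` and gate the fallback on the per-item result, or to try both keyservers in one task. Since the repository itself is added over plain http, add a comment at `Add haproxy apt-keys` that the `id` fingerprint is the only integrity anchor for everything installed from this PPA.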
@ -23,11 +23,4 @@
|
||||||
tags:
|
tags:
|
||||||
- haproxy-base-config
|
- haproxy-base-config
|
||||||
|
|
||||||
- name: "Create haproxy service config files"
|
- include: haproxy_service_config.yml
|
||||||
template:
|
|
||||||
src: service.j2
|
|
||||||
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
|
|
||||||
with_items: haproxy_service_configs
|
|
||||||
notify: Restart haproxy
|
|
||||||
tags:
|
|
||||||
- haproxy-service-config
|
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
# Copyright 2014, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: "Create haproxy service config files"
|
||||||
|
template:
|
||||||
|
src: service.j2
|
||||||
|
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
|
||||||
|
with_items: haproxy_service_configs
|
||||||
|
notify: Restart haproxy
|
||||||
|
tags:
|
||||||
|
- haproxy-service-config
|
|
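Review bot: The template task writes `/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}` without `owner`, `group` or `mode`, so the file's permissions depend on the controller's umask, unlike the `haproxy_pin.pref` task in this same commit which sets them explicitly; add `owner: "root"`, `group: "root"`, `mode: "0644"`. Because `haproxy_service_name` is interpolated straight into the destination path, a one-line comment that it must be a plain file name (it is operator-supplied via `haproxy_service_configs`) would also be useful.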
@ -0,0 +1,43 @@
|
||||||
|
---
|
||||||
|
# Copyright 2014, Rackspace US, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
- name: Remove self signed cert for regen
|
||||||
|
file:
|
||||||
|
dest: "{{ haproxy_ssl_cert }}"
|
||||||
|
state: "absent"
|
||||||
|
with_items:
|
||||||
|
- "{{ haproxy_ssl_pem }}"
|
||||||
|
- "{{ haproxy_ssl_key }}"
|
||||||
|
- "{{ haproxy_ssl_cert }}"
|
||||||
|
when: haproxy_cert_regen | bool
|
||||||
|
|
||||||
|
- name: Create self-signed ssl cert
|
||||||
|
command: >
|
||||||
|
openssl req -new -nodes -sha256 -x509 -subj
|
||||||
|
"{{ haproxy_ssl_self_signed_subject }}"
|
||||||
|
-days 3650
|
||||||
|
-keyout {{ haproxy_ssl_key }}
|
||||||
|
-out {{ haproxy_ssl_cert }}
|
||||||
|
-extensions v3_ca
|
||||||
|
creates={{ haproxy_ssl_cert }}
|
||||||
|
notify: Restart haproxy
|
||||||
|
tags:
|
||||||
|
- haproxy-ssl
|
||||||
|
|
||||||
|
- name: Create a .pem certificate file
|
||||||
|
shell: >
|
||||||
|
cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }}
|
||||||
|
args:
|
||||||
|
creates: "{{ haproxy_ssl_pem }}"
|
|
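Review bot: `Remove self signed cert for regen` sets `dest: "{{ haproxy_ssl_cert }}"` while looping over pem, key and cert, so it deletes only the certificate (three times) and leaves the old key and `.pem` in place; `creates` on the pem task then skips regeneration and haproxy keeps serving the old key/cert, which defeats `haproxy_cert_regen`. Change it to `dest: "{{ item }}"`. The unencrypted private key (`-nodes`) and the concatenated `.pem` are produced by `openssl -keyout` and a shell redirect with whatever umask the task runs under, so both can end up world-readable under `/etc/ssl/private`; add an explicit permissions task (haproxy loads the pem before dropping privileges, so root-owned `0600` is sufficient), and give the pem task the `haproxy-ssl` tag and a restart notify like its siblings so a tag-limited run still produces a usable pem. Also note that `-extensions v3_ca` marks the leaf as a CA certificate and that `subjectAltName` inside `-subj` becomes a DN attribute rather than a SAN extension, so the SAN the subject variable tries to set never reaches the certificate.
```yaml
- name: Remove self signed cert for regen
  file:
    dest: "{{ item }}"
# … unchanged: state/with_items/when of the regen task and the openssl req task …

- name: Create a .pem certificate file
# … unchanged: shell and creates …
  notify: Restart haproxy
  tags:
    - haproxy-ssl

- name: Restrict permissions on private key material
  file:
    path: "{{ item }}"
    owner: "root"
    group: "root"
    mode: "0600"
  with_items:
    - "{{ haproxy_ssl_key }}"
    - "{{ haproxy_ssl_pem }}"
  tags:
    - haproxy-ssl
```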
@ -13,5 +13,12 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
- include: haproxy_add_ppa_repo.yml
|
||||||
|
when: haproxy_ssl | bool
|
||||||
|
|
||||||
- include: haproxy_install.yml
|
- include: haproxy_install.yml
|
||||||
|
|
||||||
|
- include: haproxy_ssl_key_create.yml
|
||||||
|
when: haproxy_ssl | bool
|
||||||
|
|
||||||
- include: haproxy_post_install.yml
|
- include: haproxy_post_install.yml
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
Package: *
|
||||||
|
Pin: release o=LP-PPA-vbernat-haproxy-1.5
|
||||||
|
Pin-Priority: 1001
|
|
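Review bot: `Package: *` with `Pin-Priority: 1001` lets any package published in the PPA override, and even downgrade, the distro version, not just haproxy; given the repository is added over plain http in this commit, that widens the blast radius of a compromised or mistaken PPA upload well beyond the intended upgrade. Pin only what the role installs from it, `Package: haproxy` (add `hatop` only if it is expected to come from the PPA too). A short comment above the stanza explaining that a priority above 1000 is used deliberately to force the 1.5 series over the distro's older haproxy would make the intent clear.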
@ -1,16 +1,20 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
frontend {{ item.service.haproxy_service_name }}-front
|
frontend {{ item.service.haproxy_service_name }}-front
|
||||||
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }}
|
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %}
|
||||||
|
|
||||||
{% if item.service.haproxy_balance_type == "http" %}
|
{% if item.service.haproxy_balance_type == "http" %}
|
||||||
option httplog
|
option httplog
|
||||||
option forwardfor except 127.0.0.0/8
|
option forwardfor except 127.0.0.0/8
|
||||||
option http-server-close
|
option http-server-close
|
||||||
|
|
||||||
{% set request_option = "http" %}
|
{%- set request_option = "http" %}
|
||||||
{% else %}
|
{% else %}
|
||||||
option tcplog
|
option tcplog
|
||||||
{% set request_option = "tcp" %}
|
{%- set request_option = "tcp" %}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
|
||||||
|
reqadd X-Forwarded-Proto:\ https
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if item.service.haproxy_timeout_client is defined %}
|
{% if item.service.haproxy_timeout_client is defined %}
|
||||||
|
|
|
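Review bot: The new `ssl crt {{ haproxy_ssl_pem }}` bind relies on haproxy 1.5's default TLS settings, which depending on the 1.5.x build still accept SSLv3 and whatever ciphers the system OpenSSL offers; add `no-sslv3` to the bind line (or `ssl-default-bind-options no-sslv3` plus an explicit `ssl-default-bind-ciphers` list in the global section) so the Keystone endpoint is not exposed to protocol downgrade. The `reqadd X-Forwarded-Proto:\ https` only appends a header, so a client that sends its own `X-Forwarded-Proto` reaches the backend with two values and Keystone may honour the wrong one; either precede it with `reqidel ^X-Forwarded-Proto:` or use `http-request set-header X-Forwarded-Proto https`, which replaces. A comment that `option forwardfor` likewise appends to any client-supplied `X-Forwarded-For`, so backends must only trust the last hop, would also help whoever reads this template for audit logging.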
@ -68,6 +68,7 @@ haproxy_service_configs:
|
||||||
haproxy_service_name: keystone_admin
|
haproxy_service_name: keystone_admin
|
||||||
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
||||||
haproxy_port: 35357
|
haproxy_port: 35357
|
||||||
|
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "forwardfor"
|
||||||
|
@ -76,7 +77,9 @@ haproxy_service_configs:
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: keystone_service
|
haproxy_service_name: keystone_service
|
||||||
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
||||||
|
haproxy_bind: "{% if internal_lb_vip_address != external_lb_vip_address %}{{ external_lb_vip_address }}{% else %}*{% endif %}"
|
||||||
haproxy_port: 5000
|
haproxy_port: 5000
|
||||||
|
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "forwardfor"
|
||||||
|
|
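Review bot: `keystone_service` now gets an explicit `haproxy_bind` on the external VIP when the VIPs differ, but `keystone_admin` (port 35357) keeps the template default `*`, so the admin API, now possibly TLS-terminated, still listens on the external VIP as well as the internal one; add `haproxy_bind: "{{ internal_lb_vip_address }}"` to the `keystone_admin` service so it stays internal. Also, when `internal_lb_vip_address == external_lb_vip_address` the playbook removes `keystone_internal` and this `keystone_service` frontend on `*:5000` serves internal clients too, while its `haproxy_ssl` is gated only on `keystone_service_publicuri_proto`; an operator who sets `internaluri_proto: https` but leaves `publicuri_proto: http` would advertise an https internal URL on a plain-HTTP listener, which deserves a comment here or an additional `or keystone_service_internaluri_proto == 'https'` for the shared-VIP case.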