Merge "Add ironic serial console to haproxy"

Zuul 2022-12-10 13:36:42 +00:00 committed by Gerrit Code Review
commit 4d9f9dc9d0
2 changed files with 19 additions and 2 deletions


@ -0,0 +1,2 @@
ironic_console_port: 6083
ironic_console_type: "disabled"


@ -43,7 +43,7 @@ haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
# To override the CSP used by a specific service define a variable haproxy_<service name>_csp
haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:*; img-src 'self' data:; worker-src blob:;\""
haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}; img-src 'self' data:; worker-src blob:;\""
# To disable security headers set to []
haproxy_security_headers:
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
@ -382,7 +382,7 @@ haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
and nova_console_user_ssl_key is defined) }}"
haproxy_nova_console_service:
haproxy_service_name: nova_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == nova_console_type) | ternary(groups['ironic_console'], [])) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_console_port }}"
@ -394,6 +394,20 @@ haproxy_nova_console_service:
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type != 'disabled' }}"
# run a seperate service for the ironic nova console proxy when then console type is not the same as the one used by
# nova-compute managed virtual machines
haproxy_nova_ironic_console_service:
haproxy_service_name: nova_ironic_console
haproxy_backend_nodes: "{{ groups['ironic_console'] }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ ironic_console_port }}"
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_timeout_client: 10m # see https://docs.openstack.org/ironic/latest/admin/console.html#configuring-ha
haproxy_timeout_server: 10m # ditto
haproxy_service_enabled: "{{ groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type != nova_console_type }}"
haproxy_octavia_service:
haproxy_service_name: octavia
haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
@ -577,6 +591,7 @@ haproxy_default_services:
- service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"
- service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"
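Review bot: `groups['ironic_console']` is read without a fallback in two places in the new code: inside the `ternary(...)` on the `haproxy_backend_nodes` line of `haproxy_nova_console_service`, and as the whole `haproxy_backend_nodes` value of `haproxy_nova_ironic_console_service`. The other group lookups visible here use `| default([])`, and the new `haproxy_service_enabled` expression itself tests `groups['ironic_console'] is defined`, so an inventory without that group is evidently expected. In that case these lookups would probably fail templating, for example when both console types are `disabled`, which makes the comparison true. I would write `ternary(groups['ironic_console'] | default([]), [])` and `haproxy_backend_nodes: "{{ groups['ironic_console'] | default([]) }}"`. Separately, the CSP hunk adds the `wss://…:{{ ironic_console_port }}` source to `connect-src` unconditionally, so it is emitted even with the default `ironic_console_type: "disabled"`; gating it on the same condition as the new service would keep the policy no wider than needed.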