From 64054e4cada6aacb87f7b3feee88fece95c5127a Mon Sep 17 00:00:00 2001
From: Danila Balagansky <dbalagansky@me.com>
Date: Tue, 30 May 2023 11:53:00 +0300
Subject: [PATCH] Restore an ability for HAProxy to bind on interal IP

According to the docs [1], there is an ability for HAProxy to bind
specifically on IP-address, "while preserving the names for TLS-
certificates and endpoint URIs".

For internal endpoint this supposed to be done by setting
`internal_lb_vip_address` and `haproxy_bind_internal_lb_vip_address`
but was broken due to the fact that for:
* `haproxy_galera_service`
* `haproxy_opendaylight_neutron_service`
* `haproxy_opendaylight_websocket_service`
* `haproxy_nova_api_metadata_service`
* `haproxy_rabbitmq_service`
* `haproxy_repo_service`
`haproxy_bind` was explicitly set to `[internal_lb_vip_address]` and
overriding `haproxy_bind_internal_lb_vip_address` would result in
wrong certificate paths (with FQDN in names, which does not exist)
for these frontends.

[1] https://docs.openstack.org/openstack-ansible-haproxy_server/latest/configure-haproxy.html#overriding-the-address-haproxy-will-bind-to

Change-Id: I92953a14dd311a60b169165c5a8e61dd98466033
---
 inventory/group_vars/galera_all.yml                  | 2 +-
 inventory/group_vars/neutron_all/haproxy_service.yml | 4 ++--
 inventory/group_vars/nova_all/haproxy_service.yml    | 2 +-
 inventory/group_vars/rabbitmq_all.yml                | 2 +-
 inventory/group_vars/repo_all.yml                    | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/inventory/group_vars/galera_all.yml b/inventory/group_vars/galera_all.yml
index 9c084d876f..1349203313 100644
--- a/inventory/group_vars/galera_all.yml
+++ b/inventory/group_vars/galera_all.yml
@@ -58,7 +58,7 @@ haproxy_galera_service:
   haproxy_service_name: galera
   haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}"  # list expected
   haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: 3306
   haproxy_check_port: 9200
   haproxy_balance_type: tcp
diff --git a/inventory/group_vars/neutron_all/haproxy_service.yml b/inventory/group_vars/neutron_all/haproxy_service.yml
index 78af887aa4..7dc094eaae 100644
--- a/inventory/group_vars/neutron_all/haproxy_service.yml
+++ b/inventory/group_vars/neutron_all/haproxy_service.yml
@@ -32,7 +32,7 @@ haproxy_neutron_server_service:
 haproxy_opendaylight_neutron_service:
   haproxy_service_name: opendaylight-neutron
   haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: 8180
   haproxy_balance_type: tcp
   haproxy_timeout_client: 5000s
@@ -43,7 +43,7 @@ haproxy_opendaylight_neutron_service:
 haproxy_opendaylight_websocket_service:
   haproxy_service_name: opendaylight-websocket
   haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: 8185
   haproxy_balance_type: tcp
   haproxy_timeout_client: 5000s
diff --git a/inventory/group_vars/nova_all/haproxy_service.yml b/inventory/group_vars/nova_all/haproxy_service.yml
index 0c5854b86a..63579f3de3 100644
--- a/inventory/group_vars/nova_all/haproxy_service.yml
+++ b/inventory/group_vars/nova_all/haproxy_service.yml
@@ -24,7 +24,7 @@ haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
 haproxy_nova_api_metadata_service:
   haproxy_service_name: nova_api_metadata
   haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: 8775
   haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
   haproxy_balance_type: http
diff --git a/inventory/group_vars/rabbitmq_all.yml b/inventory/group_vars/rabbitmq_all.yml
index 73d649e130..5611c3ca8b 100644
--- a/inventory/group_vars/rabbitmq_all.yml
+++ b/inventory/group_vars/rabbitmq_all.yml
@@ -41,7 +41,7 @@ haproxy_rabbitmq_service:
   haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
   haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
   haproxy_backend_ca: False
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
   haproxy_balance_type: http
   haproxy_backend_options:
diff --git a/inventory/group_vars/repo_all.yml b/inventory/group_vars/repo_all.yml
index b39c685219..b048b691df 100644
--- a/inventory/group_vars/repo_all.yml
+++ b/inventory/group_vars/repo_all.yml
@@ -34,7 +34,7 @@ openstack_repo_server_enable_glusterfs: True
 haproxy_repo_service:
   haproxy_service_name: repo_all
   haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
   haproxy_port: 8181
   haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
   haproxy_balance_type: http