From 930236d7d274cf093d659188574a5e643651bd97 Mon Sep 17 00:00:00 2001 
From: Damian Dabrowski Date: Wed, 29 Mar 2023 21:44:20 +0200 Subject: [PATCH] Implement separated haproxy service config All services placed behind haproxy include an additional playbook responsible for creating their haproxy services. Scope for some variables was changed to be more optimal. Change-Id: I0eec358d982cc09dcb7e2c0045b9684c65876faf --- inventory/group_vars/adjutant_all.yml | 29 + inventory/group_vars/all/haproxy.yml | 35 + inventory/group_vars/aodh_all.yml | 28 + inventory/group_vars/barbican_all.yml | 28 + inventory/group_vars/blazar_all.yml | 30 + inventory/group_vars/cinder_all.yml | 14 + inventory/group_vars/cloudkitty_all.yml | 29 + inventory/group_vars/designate_all.yml | 30 + inventory/group_vars/galera_all.yml | 23 + inventory/group_vars/glance_all.yml | 15 + inventory/group_vars/gnocchi_all.yml | 14 + inventory/group_vars/haproxy/haproxy.yml | 622 +----------------- inventory/group_vars/heat_all.yml | 26 + inventory/group_vars/horizon_all.yml | 31 + inventory/group_vars/ironic_all.yml | 48 ++ inventory/group_vars/keystone_all.yml | 14 + inventory/group_vars/magnum_all.yml | 28 + inventory/group_vars/manila_all.yml | 28 + inventory/group_vars/masakari_all.yml | 28 + inventory/group_vars/mistral_all.yml | 28 + inventory/group_vars/murano_all.yml | 30 + inventory/group_vars/neutron_all.yml | 54 ++ inventory/group_vars/nova_all.yml | 92 +++ inventory/group_vars/octavia_all.yml | 28 + inventory/group_vars/placement_all.yml | 28 + inventory/group_vars/rabbitmq_all.yml | 19 + inventory/group_vars/repo_all.yml | 20 +- inventory/group_vars/sahara_all.yml | 29 + inventory/group_vars/senlin_all.yml | 28 + inventory/group_vars/swift_all.yml | 15 + inventory/group_vars/tacker_all.yml | 30 + inventory/group_vars/trove_all.yml | 14 + inventory/group_vars/zun_all.yml | 45 ++ .../haproxy-service-config.yml | 41 ++ playbooks/galera-install.yml | 9 + playbooks/haproxy-install.yml | 5 +- playbooks/os-adjutant-install.yml | 9 + playbooks/os-aodh-install.yml | 9 + 
playbooks/os-barbican-install.yml | 9 + playbooks/os-blazar-install.yml | 9 + playbooks/os-cinder-install.yml | 9 +- playbooks/os-cloudkitty-install.yml | 9 + playbooks/os-designate-install.yml | 9 + playbooks/os-glance-install.yml | 9 + playbooks/os-gnocchi-install.yml | 9 + playbooks/os-heat-install.yml | 9 + playbooks/os-horizon-install.yml | 9 + playbooks/os-ironic-install.yml | 9 + playbooks/os-keystone-install.yml | 9 + playbooks/os-magnum-install.yml | 9 + playbooks/os-manila-install.yml | 9 + playbooks/os-masakari-install.yml | 9 + playbooks/os-mistral-install.yml | 9 + playbooks/os-murano-install.yml | 9 + playbooks/os-neutron-install.yml | 9 +- playbooks/os-nova-install.yml | 13 + playbooks/os-octavia-install.yml | 9 + playbooks/os-placement-install.yml | 10 +- playbooks/os-sahara-install.yml | 9 + playbooks/os-senlin-install.yml | 9 + playbooks/os-swift-install.yml | 9 + playbooks/os-tacker-install.yml | 9 + playbooks/os-trove-install.yml | 9 + playbooks/os-zun-install.yml | 9 + playbooks/rabbitmq-install.yml | 9 + playbooks/repo-install.yml | 10 +- playbooks/setup-infrastructure.yml | 2 +- ...proxy-service-config-9ccecbcb286355ef.yaml | 16 + 68 files changed, 1301 insertions(+), 608 deletions(-) create mode 100644 inventory/group_vars/adjutant_all.yml create mode 100644 inventory/group_vars/all/haproxy.yml create mode 100644 inventory/group_vars/aodh_all.yml create mode 100644 inventory/group_vars/barbican_all.yml create mode 100644 inventory/group_vars/blazar_all.yml create mode 100644 inventory/group_vars/cloudkitty_all.yml create mode 100644 inventory/group_vars/designate_all.yml create mode 100644 inventory/group_vars/ironic_all.yml create mode 100644 inventory/group_vars/magnum_all.yml create mode 100644 inventory/group_vars/manila_all.yml create mode 100644 inventory/group_vars/masakari_all.yml create mode 100644 inventory/group_vars/mistral_all.yml create mode 100644 inventory/group_vars/murano_all.yml create mode 100644 
inventory/group_vars/neutron_all.yml create mode 100644 inventory/group_vars/octavia_all.yml create mode 100644 inventory/group_vars/placement_all.yml create mode 100644 inventory/group_vars/sahara_all.yml create mode 100644 inventory/group_vars/senlin_all.yml create mode 100644 inventory/group_vars/tacker_all.yml create mode 100644 inventory/group_vars/zun_all.yml create mode 100644 playbooks/common-playbooks/haproxy-service-config.yml create mode 100644 releasenotes/notes/separated-haproxy-service-config-9ccecbcb286355ef.yaml
diff --git a/inventory/group_vars/adjutant_all.yml b/inventory/group_vars/adjutant_all.yml
new file mode 100644
index 0000000000..87792d53e3
--- /dev/null
+++ b/inventory/group_vars/adjutant_all.yml
@@ -0,0 +1,29 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_adjutant_api_service:
+  haproxy_service_name: adjutant_api
+  haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 5050
+  haproxy_balance_type: http
+  haproxy_balance_alg: source
+  haproxy_backend_options:
+    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
+
+adjutant_haproxy_services:
+  - "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}"
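Review bot: `adjutant_haproxy_services` merges `haproxy_adjutant_api_service_overrides` into the service definition, but nothing in the new file says that this variable is the deployer-facing hook, and this is the first place the `_overrides` name appears. Add a comment above `adjutant_haproxy_services` such as `# Deployers can adjust the definition above by setting haproxy_adjutant_api_service_overrides (a dict merged on top of it with combine).` The same undocumented hook is introduced in aodh_all.yml, barbican_all.yml, blazar_all.yml, cinder_all.yml, cloudkitty_all.yml, designate_all.yml, galera_all.yml, glance_all.yml and gnocchi_all.yml. Since `combine` is used without `recursive=True`, an override of `haproxy_backend_options` replaces the whole list including the `httpchk` health check, which the comment should mention so a deployer does not lose the check by accident.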
diff --git a/inventory/group_vars/all/haproxy.yml b/inventory/group_vars/all/haproxy.yml
new file mode 100644
index 0000000000..4755d57ca5
--- /dev/null
+++ b/inventory/group_vars/all/haproxy.yml
@@ -0,0 +1,35 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_ssl: true
+haproxy_ssl_all_vips: false
+
+haproxy_allowlist_networks:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/8
+
+haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+# haproxy default stick table
+# returns 429 when more than 20 4xx responses per 10 second window
+# from external IP addresses. Override as necessary.
+openstack_haproxy_stick_table:
+  - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
+  - "http-request track-sc0 src"
+  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
+
+# apply the stick table as default for all backends
+haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"
diff --git a/inventory/group_vars/aodh_all.yml b/inventory/group_vars/aodh_all.yml
new file mode 100644
index 0000000000..a83459b1c9
--- /dev/null
+++ b/inventory/group_vars/aodh_all.yml
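Review bot: The deny rule in `openstack_haproxy_stick_table` renders `!{ src  }` with no operand when `haproxy_stick_table_allowlist_networks` (which defaults to `haproxy_allowlist_networks`) is overridden to an empty list, and haproxy rejects that at config check, so a deployer who wants no exemptions from the 429 limit cannot express it without replacing the whole stick table. Guarding the suffix keeps the rule valid for both cases: `- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 }{% if haproxy_stick_table_allowlist_networks %} !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }{% endif %}"`. Now that these defaults live in `group_vars/all`, a comment above `haproxy_allowlist_networks` stating that sources in these RFC1918 ranges are exempt from the rate limiting and are also what the per-service allowlists derive from (galera in this change) would help deployers whose tenant or public traffic arrives from private address space decide whether to narrow it.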
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_aodh_api_service:
+  haproxy_service_name: aodh_api
+  haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 8042
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
+
+aodh_haproxy_services:
+  - "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/barbican_all.yml b/inventory/group_vars/barbican_all.yml
new file mode 100644
index 0000000000..f5227a12e4
--- /dev/null
+++ b/inventory/group_vars/barbican_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_barbican_service:
+  haproxy_service_name: barbican
+  haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 9311
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
+
+barbican_haproxy_services:
+  - "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/blazar_all.yml b/inventory/group_vars/blazar_all.yml
new file mode 100644
index 0000000000..1af0d48539
--- /dev/null
+++ b/inventory/group_vars/blazar_all.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_blazar_api_service:
+  haproxy_service_name: blazar_api
+  haproxy_backend_nodes: "{{ groups['blazar_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 1234
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_backend_httpcheck_options:
+    - 'expect rstatus (200|401)'
+  haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}"
+
+blazar_haproxy_services:
+  - "{{ haproxy_blazar_api_service | combine(haproxy_blazar_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/cinder_all.yml b/inventory/group_vars/cinder_all.yml
index a8c13e5c77..041af70732 100644
--- a/inventory/group_vars/cinder_all.yml
+++ b/inventory/group_vars/cinder_all.yml
@@ -26,3 +26,17 @@ glance_default_store: "{{ ((groups['swift_all'] is defined) and (groups['swift_a
 
 # cinder_backend_lvm_inuse: True if current host has an lvm backend
 cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
+
+haproxy_cinder_api_service:
+  haproxy_service_name: cinder_api
+  haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 8776
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
+
+cinder_haproxy_services:
+  - "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/cloudkitty_all.yml b/inventory/group_vars/cloudkitty_all.yml
new file mode 100644
index 0000000000..1ef972b734
--- /dev/null
+++ b/inventory/group_vars/cloudkitty_all.yml
@@ -0,0 +1,29 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_cloudkitty_api_service:
+  haproxy_service_name: cloudkitty_api
+  haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 8089
+  haproxy_balance_type: http
+  haproxy_balance_alg: source
+  haproxy_backend_options:
+    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
+
+cloudkitty_haproxy_services:
+  - "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/designate_all.yml b/inventory/group_vars/designate_all.yml
new file mode 100644
index 0000000000..cd64d22bc7
--- /dev/null
+++ b/inventory/group_vars/designate_all.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_designate_api_service:
+  haproxy_service_name: designate_api
+  haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 9001
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "forwardfor"
+    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+    - "httplog"
+  haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
+
+designate_haproxy_services:
+  - "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/galera_all.yml b/inventory/group_vars/galera_all.yml
index 394bb9f730..c1c7227fac 100644
--- a/inventory/group_vars/galera_all.yml
+++ b/inventory/group_vars/galera_all.yml
@@ -51,3 +51,26 @@ galera_server_proxy_protocol_networks: >-
 # Galera sessions are long lived, so if we do endpoint maintenance we will
 # force kill the sessions to force a failover to the active endpoint.
 haproxy_shutdown_sessions: yes
+
+haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+haproxy_galera_service:
+  haproxy_service_name: galera
+  haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
+  haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
+  haproxy_bind: "{{ [internal_lb_vip_address] }}"
+  haproxy_port: 3306
+  haproxy_check_port: 9200
+  haproxy_balance_type: tcp
+  haproxy_stick_table_enabled: False
+  haproxy_timeout_client: 5000s
+  haproxy_timeout_server: 5000s
+  haproxy_backend_options:
+    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_backend_server_options:
+    - "send-proxy-v2"
+  haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}"
+  haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}"
+
+galera_haproxy_services:
+  - "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/glance_all.yml b/inventory/group_vars/glance_all.yml
index 89d6df925a..828372e22f 100644
--- a/inventory/group_vars/glance_all.yml
+++ b/inventory/group_vars/glance_all.yml
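Review bot: `haproxy_galera_allowlist_networks` moves from `group_vars/haproxy/haproxy.yml` into `galera_all.yml`, so if the new haproxy-service-config playbook (not in this chunk) resolves `galera_haproxy_services` through the galera hosts' variables, a deployer override of that variable scoped to the haproxy group silently stops applying and the default RFC1918 ranges presumably regain access to port 3306 on the internal VIP; the release note should say where such overrides must now live. `haproxy_stick_table_enabled: False` should be the canonical `false`, matching `haproxy_ssl: true` and `haproxy_ssl_all_vips: false` in `group_vars/all/haproxy.yml`. The pairing of `haproxy_check_port: 9200` with the `httpchk` backend option is what makes the single active node and the backups distinguishable, yet nothing explains it; a comment such as `# health checks go to the HTTP check listener on 9200, not to mysqld on 3306` above `haproxy_check_port` would help the next reader.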
@@ -22,3 +22,18 @@ glance_container_bind_mounts:
     mount_path: "/openstack/{{ inventory_hostname }}"
   - bind_dir_path: "/var/lib/glance/cache"
     mount_path: "/openstack/{{ inventory_hostname }}"
+
+haproxy_glance_api_service:
+  haproxy_service_name: glance_api
+  haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_port: 9292
+  haproxy_balance_type: http
+  haproxy_balance_alg: source
+  haproxy_backend_options:
+    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
+
+glance_haproxy_services:
+  - "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/gnocchi_all.yml b/inventory/group_vars/gnocchi_all.yml
index f91ea9bbe9..bc694c9eeb 100644
--- a/inventory/group_vars/gnocchi_all.yml
+++ b/inventory/group_vars/gnocchi_all.yml
@@ -17,3 +17,17 @@ gnocchi_container_bind_mounts:
   - bind_dir_path: "/var/lib/gnocchi"
     mount_path: "/openstack/{{ inventory_hostname }}"
+
+haproxy_gnocchi_service:
+  haproxy_service_name: gnocchi
+  haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
+  haproxy_port: 8041
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
+
+gnocchi_haproxy_services:
+  - "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 452ccbc5f1..444e658b5d 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@@ -19,27 +19,19 @@ keepalived_selinux_compile_rules:
   - keepalived_ping
   - keepalived_haproxy_pid_file
 
+haproxy_ssl_letsencrypt_enable: false
+haproxy_ssl_letsencrypt_acl:
+  letsencrypt-acl:
+    rule: "path_beg /.well-known/acme-challenge/"
+    backend_name: letsencrypt
+
 # Ensure that the package state matches the global setting
 haproxy_package_state: "{{ package_state }}"
 
-haproxy_allowlist_networks:
-  - 192.168.0.0/16
-  - 172.16.0.0/12
-  - 10.0.0.0/8
-
-haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_ironic_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-haproxy_ironic_inspector_allowlist_networks: "{{ haproxy_allowlist_networks }}"
-
 # Variables to set security headers used by browsers
 haproxy_security_headers_max_age: 31536000
 
 # Set CSP headers to report only for testing
 haproxy_security_headers_csp_report_only: False
-# To override the CSP used by a specific service define a variable haproxy__csp
 haproxy_security_headers_csp: >
   http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }}
   " default-src 'self';
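Review bot: The only documentation of the per-service CSP override, `# To override the CSP used by a specific service define a variable haproxy__csp`, is removed while `haproxy_security_headers_csp` itself stays, so a deployer reading the new file gets no hint that such a hook exists; unless the hook is dropped elsewhere in this change, keep the comment and restore the service placeholder that appears to have been lost from it (`haproxy_<service>_csp`). `haproxy_ssl_letsencrypt_acl` matches `path_beg /.well-known/acme-challenge/` and sends it to the `letsencrypt` backend, but nothing in this hunk ties the ACL to `haproxy_ssl_letsencrypt_enable`; if the role only attaches the ACL when that flag is true, a comment `# Attached to frontends only when haproxy_ssl_letsencrypt_enable is true` above it would document that, and if it does not, the ACL needs the same guard so a disabled letsencrypt does not route challenge paths to a backend that is not rendered.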
@@ -62,28 +54,6 @@ haproxy_security_headers:
   - 'http-response set-header Referrer-Policy "same-origin"'
   - 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
 
-# haproxy default stick table
-# returns 429 when more than 20 4xx responses per 10 second window
-# from external IP addresses. Override as necessary.
-openstack_haproxy_stick_table:
-  - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
-  - "http-request track-sc0 src"
-  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
-
-# apply the stick table as default for all backends
-haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"
-
-# special haproxy stick table for horizon
-# returns 429 when more than 20 calls to /auth per 10 second window
-# returns 429 when more than 20 4xx responses per 10 second window
-# from external IP addresses. Override as necessary.
-openstack_haproxy_horizon_stick_table:
-  - "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
-  - "http-request track-sc0 src"
-  - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
-  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
-
 haproxy_security_txt_service:
   haproxy_backend_only: true
   haproxy_service_name: security_txt
@@ -120,53 +90,20 @@ haproxy_base_service:
       entries:
         - "#Regular expression map file - this comment is defined in the base frontend config"
 
-haproxy_adjutant_api_service:
-  haproxy_service_name: adjutant_api
-  haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 5050
+# Handles LetsEncrypt HTTP-01 challenge
+haproxy_letsencrypt_service:
+  haproxy_service_name: letsencrypt
+  haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
+  backend_rise: 1
+  backend_fall: 5
+  interval: 4000
+  haproxy_bind:
+    - 127.0.0.1
+  haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
   haproxy_balance_type: http
-  haproxy_balance_alg: source
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
-
-haproxy_aodh_api_service:
-  haproxy_service_name: aodh_api
-  haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8042
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
-
-haproxy_barbican_service:
-  haproxy_service_name: barbican
-  haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9311
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
-
-haproxy_blazar_api_service:
-  haproxy_service_name: blazar_api
-  haproxy_backend_nodes: "{{ groups['blazar_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 1234
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_httpcheck_options:
-    - 'expect rstatus (200|401)'
-  haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}"
+  haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
 
+# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'
 haproxy_ceph_rgw_service:
   haproxy_service_name: ceph-rgw
   haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
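Review bot: `haproxy_letsencrypt_service` uses the keys `backend_rise`, `backend_fall` and `interval` without the `haproxy_` prefix that every other key in these service dicts carries; if the haproxy_server role's service template reads prefixed names (or only role-level defaults), these three values are silently ignored and the backend falls back to default check timing, which is worth confirming against the template since it is not in this chunk. The backend also sets no `haproxy_backend_options` health check, so `backend_rise: 1` presumably marks the listener on `haproxy_ssl_letsencrypt_certbot_backend_port` up after a single successful connect; a comment such as `# rise 1 / fall 5: the certbot listener only exists while a challenge is being served` above the dict would explain why these values differ from every other service. `haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"` omits the `| default([])` used by all the other definitions; harmless in group_vars/haproxy, but `"{{ groups['haproxy_all'] | default([]) }}"` keeps the files consistent.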
@@ -181,523 +118,8 @@ haproxy_ceph_rgw_service:
     - expect rstatus 200|405
   haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
 
-haproxy_cinder_api_service:
-  haproxy_service_name: cinder_api
-  haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8776
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
-
-haproxy_cloudkitty_api_service:
-  haproxy_service_name: cloudkitty_api
-  haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8089
-  haproxy_balance_type: http
-  haproxy_balance_alg: source
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
-
-haproxy_designate_api_service:
-  haproxy_service_name: designate_api
-  haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9001
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "forwardfor"
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-    - "httplog"
-  haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
-
-haproxy_galera_service:
-  haproxy_service_name: galera
-  haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
-  haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 3306
-  haproxy_check_port: 9200
-  haproxy_balance_type: tcp
-  haproxy_stick_table_enabled: False
-  haproxy_timeout_client: 5000s
-  haproxy_timeout_server: 5000s
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_server_options:
-    - "send-proxy-v2"
-  haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}"
-  haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}"
-
-haproxy_glance_api_service:
-  haproxy_service_name: glance_api
-  haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9292
-  haproxy_balance_type: http
-  haproxy_balance_alg: source
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
-
-haproxy_gnocchi_service:
-  haproxy_service_name: gnocchi
-  haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
-  haproxy_port: 8041
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
-
-haproxy_heat_api_cfn_service:
-  haproxy_service_name: heat_api_cfn
-  haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
-  haproxy_port: 8000
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
-
-haproxy_heat_api_service:
-  haproxy_service_name: heat_api
-  haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
-  haproxy_port: 8004
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
-
-haproxy_horizon_service:
-  haproxy_backend_only: true #only describe the backends, frontend is in `base`
-  haproxy_service_name: horizon
-  haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
-  haproxy_backend_port: 80
-  haproxy_balance_type: http
-  haproxy_balance_alg: source
-  haproxy_backend_options:
-    - "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
-  haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
-  haproxy_map_entries:
-    - name: base_regex
-      order: 99
-      #match any requests to the horizon backend
-      entries:
-        - '.* horizon-back'
-
-haproxy_ironic_api_service:
-  haproxy_service_name: ironic_api
-  haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 6385
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_arguments:
-    - "http-request deny if { path_beg /v1/lookup } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
-    - "http-request deny if { path_beg /v1/heartbeat } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
-  haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
-
-haproxy_ironic_inspector_service:
-  haproxy_service_name: ironic_inspector
-  haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 5050
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_arguments:
-    - "http-request deny if { path_beg /v1/continue } !{ src {{haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
-  haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
-
-haproxy_keystone_service:
-  haproxy_service_name: keystone_service
-  haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
-  haproxy_port: 5000
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: "http"
-  haproxy_backend_options:
-    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
-
-haproxy_letsencrypt_service:
-  haproxy_service_name: letsencrypt
-  haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
-  backend_rise: 1
-  backend_fall: 5
-  interval: 4000
-  haproxy_bind:
-    - 127.0.0.1
-  haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
-  haproxy_balance_type: http
-  haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
-
-haproxy_magnum_service:
-  haproxy_service_name: magnum
-  haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9511
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
-
-haproxy_manila_service:
-  haproxy_service_name: manila
-  haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8786
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
-
-haproxy_masakari_api_service:
-  haproxy_service_name: masakari_api
-  haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 15868
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
-
-haproxy_mistral_service:
-  haproxy_service_name: mistral
-  haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8989
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
-
-haproxy_murano_service:
-  haproxy_service_name: murano
-  haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8082
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_httpcheck_options:
-    - "expect status 401"
-  haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
-
-haproxy_neutron_server_service:
-  haproxy_service_name: neutron_server
-  haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
-  haproxy_port: 9696
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
-
-haproxy_nova_api_metadata_service:
-  haproxy_service_name: nova_api_metadata
-  haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 8775
-  haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
-  haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
-
-haproxy_nova_api_compute_service:
-  haproxy_service_name: nova_api_os_compute
-  haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8774
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
-
-# By default the nova console service on HAProxy is configured in HTTP mode to
-# allow for more fine grained control. But if the SSL connection is terminated
-# on the nova console container it has to be run in TCP mode.
-haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
-                                         and nova_console_user_ssl_key is defined) }}"
-
-haproxy_nova_spice_console_service:
-  haproxy_service_name: nova_spice_console
-  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
-  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
-  haproxy_timeout_client: 60m
-  haproxy_timeout_server: 60m
-  haproxy_balance_alg: source
-  haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
-  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
-  haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
-
-haproxy_nova_serial_console_service:
-  haproxy_service_name: nova_serial_console
-  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
-  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
-  haproxy_timeout_client: 60m
-  haproxy_timeout_server: 60m
-  haproxy_balance_alg: source
-  haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
-  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
-  haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
-                               (groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
-
-haproxy_nova_novnc_console_service:
-  haproxy_service_name: nova_novnc_console
-  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
-  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
-  haproxy_timeout_client: 60m
-  haproxy_timeout_server: 60m
-  haproxy_balance_alg: source
-  haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
-  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
-  haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
-
-# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
-haproxy_nova_console_service:
-  haproxy_service_name: nova_console
-  haproxy_service_enabled: False
-
-haproxy_nova_ironic_console_service:
-  haproxy_service_name: nova_ironic_console
-  haproxy_service_enabled: False
-
-haproxy_octavia_service:
-  haproxy_service_name: octavia
-  haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9876
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
-
-haproxy_opendaylight_neutron_service:
-  haproxy_service_name: opendaylight-neutron
-  haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 8180
-  haproxy_balance_type: tcp
-  haproxy_timeout_client: 5000s
-  haproxy_timeout_server: 5000s
-  haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
-  haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
-
-haproxy_opendaylight_websocket_service:
-  haproxy_service_name: opendaylight-websocket
-  haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 8185
-  haproxy_balance_type: tcp
-  haproxy_timeout_client: 5000s
-  haproxy_timeout_server: 5000s
-  haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
-  haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
-
-haproxy_placement_service:
-  haproxy_service_name: placement
-  haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8780
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
-
-haproxy_rabbitmq_service:
-  haproxy_service_name: rabbitmq_mgmt
-  haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
-  haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
-  haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
-  haproxy_backend_ca: False
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}"
-  haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}"
-
-haproxy_repo_service:
-  haproxy_service_name: repo_all
-  haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
-  haproxy_bind: "{{ [internal_lb_vip_address] }}"
-  haproxy_port: 8181
-  haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_httpcheck_options:
-    - "expect status 200"
-  haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
-
-haproxy_sahara_api_service:
-  haproxy_service_name: sahara_api
-  haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_alg: source
-  haproxy_port: 8386
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
-
-haproxy_senlin_api_service:
-  haproxy_service_name: senlin_api
-  haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8778
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
-
-haproxy_swift_proxy_service:
-  haproxy_service_name: swift_proxy
-  haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_balance_alg: source
-  haproxy_port: 8080
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
-
-haproxy_tacker_service:
-  haproxy_service_name: tacker
-  haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9890
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "forwardfor"
-    - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-    - "httplog"
-  haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
-
-haproxy_trove_service:
-  haproxy_service_name: trove
-  haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 8779
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
-
-haproxy_zun_api_service:
-  haproxy_service_name: zun_api
-  haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 9517
-  haproxy_balance_type: http
-  haproxy_backend_options:
-    - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
-
-haproxy_zun_console_service:
-  haproxy_service_name: zun_console
-  haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
-  haproxy_ssl: "{{ haproxy_ssl }}"
-  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
-  haproxy_port: 6784
-  haproxy_balance_type: http
-  haproxy_timeout_client: 60m
-  haproxy_timeout_server: 60m
-  haproxy_balance_alg: source
-  haproxy_backend_options:
-    - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
-  haproxy_backend_httpcheck_options:
-    - "expect status 405"
-  haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
-
 haproxy_default_services:
-  - service: "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
-  - service: "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
-  - service: "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}"
-  - service: "{{ haproxy_blazar_api_service | combine(haproxy_blazar_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
-  - service: "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}"
-  - service: "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}"
-  - service: "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}"
-  - service: "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
-  - service: "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}"
-  - service: "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}"
-  - service: "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
-  - service: "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}"
-  - service: "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}"
-  - service: "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}"
-  - service: "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}"
-  - service: "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
-  - service: "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"
-  - service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"
-  - service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
-  - service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"
-  - service: "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}"
-  - service: "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}"
-  - service: "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}"
-  - service: "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}"
-  - service: "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}"
-  - service: "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}"
-  - service: "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}"
-  - service: "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"
+  - "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
+  - "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
+  - "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
+  - "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/heat_all.yml b/inventory/group_vars/heat_all.yml
index ee1067c563..75a51aa6bf 100644
--- a/inventory/group_vars/heat_all.yml
+++ b/inventory/group_vars/heat_all.yml
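Review bot: `haproxy_default_services` changes shape on the new side — every entry was `- service: "{{ … }}"` and is now the service mapping itself (`- "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"`), so any template or task still reading `item.service`, and operator-defined extra service lists written in the old `service:` wrapper form, will silently stop matching. The consumer change that accepts the flat form is not in this hunk, so it should be confirmed to land in the same change, and an upgrade/release note describing the new list format is warranted. The two legacy cleanup entries `haproxy_nova_console_service` and `haproxy_nova_ironic_console_service` (`haproxy_service_enabled: False`, kept to remove stale console backends from earlier releases) are dropped here; unless they are re-created alongside the nova definitions elsewhere in this change, deployments upgrading from those releases keep the stale backends. The allowlist-gated definitions (galera, rabbitmq management, nova metadata, repo, opendaylight, ironic) also leave this file, so the `haproxy_*_allowlist_networks` defaults they reference must remain visible in the scope where those services are now rendered, otherwise the `haproxy_allowlist_networks` restriction is lost rather than reported.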
@@ -16,3 +16,29 @@
 # Only enable the heat cinder backups functionality if the cinder backup
 # service is enabled.
 heat_cinder_backups_enabled: "{{ hostvars['localhost']['cinder_service_backup_program_enabled'] }}"
+
+haproxy_heat_api_service:
+  haproxy_service_name: heat_api
+  haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
+  haproxy_port: 8004
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
+
+haproxy_heat_api_cfn_service:
+  haproxy_service_name: heat_api_cfn
+  haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
+  haproxy_port: 8000
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_balance_type: http
+  haproxy_backend_options:
+    - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
+
+heat_haproxy_services:
+  - "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}"
+  - "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/horizon_all.yml b/inventory/group_vars/horizon_all.yml
index c46d7cbc50..af2308ded7 100644
--- a/inventory/group_vars/horizon_all.yml
+++ b/inventory/group_vars/horizon_all.yml
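Review bot: `heat_haproxy_services` and the two `haproxy_heat_*_service` mappings are added with no comment saying who consumes them or how an operator adjusts them, which matters now that load-balancer definitions are spread across per-service group_vars files instead of one haproxy file. A header such as `# HAProxy frontend/backend definitions for heat, rendered by the shared haproxy service-config playbook; override single keys via haproxy_heat_api_service_overrides / haproxy_heat_api_cfn_service_overrides.` would let a reader find the override hook without opening the haproxy group vars. These definitions also read `haproxy_ssl` and `haproxy_ssl_all_vips` from the heat group scope, where they were not needed before; they presumably resolve because this change also exposes them to all hosts, but that is worth confirming, and the same applies to `haproxy_stick_table_allowlist_networks` in the horizon_all.yml hunk and `haproxy_allowlist_networks` in the new ironic_all.yml, where an undefined variable would drop the access restriction rather than just a port.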
@@ -15,3 +15,34 @@
 
 horizon_enable_cinder_backup: "{{ hostvars['localhost']['cinder_service_backup_program_enabled'] }}"
 horizon_enable_ha_router: "{{ groups['neutron_l3_agent'] | length >= 2 }}"
+
+# special haproxy stick table for horizon
+# returns 429 when more than 20 calls to /auth per 10 second window
+# returns 429 when more than 20 4xx responses per 10 second window
+# from external IP addresses. Override as necessary.
+openstack_haproxy_horizon_stick_table:
+  - "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
+  - "http-request track-sc0 src"
+  - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
+  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
+
+haproxy_horizon_service:
+  haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
+  haproxy_service_name: horizon
+  haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
+  haproxy_backend_port: 80
+  haproxy_balance_type: http
+  haproxy_balance_alg: source
+  haproxy_backend_options:
+    - "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
+  haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
+  haproxy_map_entries:
+    - name: base_regex
+      order: 99
+      #match any requests to the horizon backend
+      entries:
+        - '.* horizon-back'
+
+horizon_haproxy_services:
+  - "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/ironic_all.yml b/inventory/group_vars/ironic_all.yml
new file mode 100644
index 0000000000..057068edf3
--- /dev/null
+++ b/inventory/group_vars/ironic_all.yml
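Review bot: The inline comments `#only describe the backends, frontend is in `base` via haproxy_all group vars` and `#match any requests to the horizon backend` lack the space after `#` that the file's other comments use and that yamllint's comments rule expects; `# only describe the backends; the frontend is defined by the base service in the haproxy_all group vars` and `# match any requests to the horizon backend` read consistently. The four-line comment above `openstack_haproxy_horizon_stick_table` explains the two 429 limits but not the exemption: the `!{ src … }` clauses mean every address in `haproxy_stick_table_allowlist_networks` bypasses both limits, and the `src` key is the peer address as seen by HAProxy, so a line such as `# Sources listed in haproxy_stick_table_allowlist_networks are exempt from both limits; rates are keyed on the connecting peer address.` states the behaviour an operator tuning the allowlist needs.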
@@ -0,0 +1,48 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_ironic_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+haproxy_ironic_inspector_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+haproxy_ironic_api_service:
+ haproxy_service_name: ironic_api
+ haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 6385
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_backend_arguments:
+ - "http-request deny if { path_beg /v1/lookup } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
+ - "http-request deny if { path_beg /v1/heartbeat } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
+ haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
+
+haproxy_ironic_inspector_service:
+ haproxy_service_name: ironic_inspector
+ haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 5050
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_backend_arguments:
+ - "http-request deny if { path_beg /v1/continue } !{ src {{ haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
+ haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
+
+ironic_haproxy_services:
+ - "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}"
+ - "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/keystone_all.yml b/inventory/group_vars/keystone_all.yml
index 694b2a3007..24737fe1da 100644
--- a/inventory/group_vars/keystone_all.yml
+++ b/inventory/group_vars/keystone_all.yml
@@ -18,3 +18,17 @@
 # Hosts allowed to override remote IP with X-Forwarded-For
 keystone_set_real_ip_from: "{{ groups['haproxy'] | map('extract', hostvars, 'container_address') | list }}"
+
+haproxy_keystone_service:
+ haproxy_service_name: keystone_service
+ haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
+ haproxy_port: 5000
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_type: "http"
+ haproxy_backend_options:
+ - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
+
+keystone_haproxy_services:
+ - "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/magnum_all.yml b/inventory/group_vars/magnum_all.yml
new file mode 100644
index 0000000000..fa779f6f2d
--- /dev/null
+++ b/inventory/group_vars/magnum_all.yml
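Review bot: The `http-request deny` rules under haproxy_backend_arguments in haproxy_ironic_api_service (`/v1/lookup`, `/v1/heartbeat`) and haproxy_ironic_inspector_service (`/v1/continue`) carry no comment saying why exactly these paths are gated to the allowlist, while every other key in the file is self-describing. These are the endpoints the deploy ramdisk reaches without Keystone credentials, so this ACL is the only network-level gate on them and an operator relaxing `haproxy_ironic_allowlist_networks` should be told that; a comment above each `haproxy_backend_arguments` such as `# Agent endpoints are reached by the deploy ramdisk without Keystone auth; restrict them to the allowlist` would do. The `join(' } !{ src ')` construction also presumes a non-empty list: an empty allowlist renders `!{ src  }`, which haproxy will most likely reject at config check rather than deny everything, which is worth a line in the same comment. `haproxy_allowlist_networks` itself is defined outside this hunk (apparently in all/haproxy.yml per the diffstat).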
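Review bot: `haproxy_balance_type: "http"` in haproxy_keystone_service is the only quoted balance type in this series; every other service in the commit writes the plain scalar `haproxy_balance_type: http`. Both parse to the same string, so this is purely a consistency point, but the quoted form invites a reader to wonder whether keystone is special. Suggest `haproxy_balance_type: http` to match the siblings.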
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_magnum_service:
+ haproxy_service_name: magnum
+ haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 9511
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
+
+magnum_haproxy_services:
+ - "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/manila_all.yml b/inventory/group_vars/manila_all.yml
new file mode 100644
index 0000000000..f9c9d7bfe1
--- /dev/null
+++ b/inventory/group_vars/manila_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_manila_service:
+ haproxy_service_name: manila
+ haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8786
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
+
+manila_haproxy_services:
+ - "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/masakari_all.yml b/inventory/group_vars/masakari_all.yml
new file mode 100644
index 0000000000..982c475990
--- /dev/null
+++ b/inventory/group_vars/masakari_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_masakari_api_service:
+ haproxy_service_name: masakari_api
+ haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 15868
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
+
+masakari_haproxy_services:
+ - "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/mistral_all.yml b/inventory/group_vars/mistral_all.yml
new file mode 100644
index 0000000000..85a53442c8
--- /dev/null
+++ b/inventory/group_vars/mistral_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_mistral_service:
+ haproxy_service_name: mistral
+ haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8989
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
+
+mistral_haproxy_services:
+ - "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/murano_all.yml b/inventory/group_vars/murano_all.yml
new file mode 100644
index 0000000000..c75a935cf1
--- /dev/null
+++ b/inventory/group_vars/murano_all.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_murano_service:
+ haproxy_service_name: murano
+ haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8082
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_backend_httpcheck_options:
+ - "expect status 401"
+ haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
+
+murano_haproxy_services:
+ - "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/neutron_all.yml b/inventory/group_vars/neutron_all.yml
new file mode 100644
index 0000000000..bac1cec837
--- /dev/null
+++ b/inventory/group_vars/neutron_all.yml
@@ -0,0 +1,54 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+haproxy_neutron_server_service:
+ haproxy_service_name: neutron_server
+ haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
+ haproxy_port: 9696
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
+
+haproxy_opendaylight_neutron_service:
+ haproxy_service_name: opendaylight-neutron
+ haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 8180
+ haproxy_balance_type: tcp
+ haproxy_timeout_client: 5000s
+ haproxy_timeout_server: 5000s
+ haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
+ haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
+
+haproxy_opendaylight_websocket_service:
+ haproxy_service_name: opendaylight-websocket
+ haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 8185
+ haproxy_balance_type: tcp
+ haproxy_timeout_client: 5000s
+ haproxy_timeout_server: 5000s
+ haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
+ haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
+
+neutron_haproxy_services:
+ - "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}"
+ - "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
+ - "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/nova_all.yml b/inventory/group_vars/nova_all.yml
index 1db815051d..1d670a5a3a 100644
--- a/inventory/group_vars/nova_all.yml
+++ b/inventory/group_vars/nova_all.yml
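Review bot: `haproxy_service_enabled` on haproxy_opendaylight_neutron_service and haproxy_opendaylight_websocket_service is keyed on `neutron_plugin_type` alone, whereas every other service in this commit also requires its backend group to be defined and non-empty; with the plugin set but no `neutron_server` hosts these two listeners are rendered with an empty backend. Suggest `haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 and (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"` on both. Separately, both listeners are plain `tcp` on the internal VIP with no `haproxy_ssl`, so `haproxy_allowlist_networks` is the only access control on ports 8180 and 8185; a comment on `haproxy_opendaylight_allowlist_networks` saying so, e.g. `# Sole access control for the plain-TCP OpenDaylight listeners; narrow this from the global default where possible`, would help whoever tunes it later.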
@@ -14,3 +14,95 @@
 # limitations under the License.
 nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
+
+# By default the nova console service on HAProxy is configured in HTTP mode to
+# allow for more fine grained control. But if the SSL connection is terminated
+# on the nova console container it has to be run in TCP mode.
+haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
+ and nova_console_user_ssl_key is defined) }}"
+
+haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+haproxy_nova_api_metadata_service:
+ haproxy_service_name: nova_api_metadata
+ haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 8775
+ haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
+ haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
+
+haproxy_nova_api_compute_service:
+ haproxy_service_name: nova_api_os_compute
+ haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8774
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
+
+haproxy_nova_spice_console_service:
+ haproxy_service_name: nova_spice_console
+ haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
+ haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
+ haproxy_timeout_client: 60m
+ haproxy_timeout_server: 60m
+ haproxy_balance_alg: source
+ haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
+ haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
+ haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
+
+haproxy_nova_serial_console_service:
+ haproxy_service_name: nova_serial_console
+ haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
+ haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
+ haproxy_timeout_client: 60m
+ haproxy_timeout_server: 60m
+ haproxy_balance_alg: source
+ haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
+ haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
+ haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
+ (groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
+
+haproxy_nova_novnc_console_service:
+ haproxy_service_name: nova_novnc_console
+ haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
+ haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
+ haproxy_timeout_client: 60m
+ haproxy_timeout_server: 60m
+ haproxy_balance_alg: source
+ haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
+ haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
+ haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
+
+# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
+haproxy_nova_console_service:
+ haproxy_service_name: nova_console
+ haproxy_service_enabled: False
+
+haproxy_nova_ironic_console_service:
+ haproxy_service_name: nova_ironic_console
+ haproxy_service_enabled: False
+
+nova_haproxy_services:
+ - "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
+ - "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/octavia_all.yml b/inventory/group_vars/octavia_all.yml
new file mode 100644
index 0000000000..d9cc78f35b
--- /dev/null
+++ b/inventory/group_vars/octavia_all.yml
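Review bot: In haproxy_nova_serial_console_service the two ironic clauses disagree on the literal they compare against: `haproxy_backend_nodes` adds the `ironic_console` hosts when `ironic_console_type == 'serialconsole'`, but the ironic half of `haproxy_service_enabled` tests `ironic_console_type == 'serial'`. Whichever value os_ironic actually sets, only one of the two branches can fire, so either the ironic consoles are added to a service that stays disabled or the service is enabled with no ironic backends; this looks carried over from the old haproxy.yml rather than introduced here, but since this is now the file of record it should be resolved, presumably by using the same literal in both places (confirm against the os_ironic default). Also, the legacy clean-up stanzas use `haproxy_service_enabled: False`; the rest of the commit's booleans are lowercase, and yamllint's truthy rule flags the capitalised form, so `haproxy_service_enabled: false` on both.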
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_octavia_service:
+ haproxy_service_name: octavia
+ haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 9876
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
+
+octavia_haproxy_services:
+ - "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/placement_all.yml b/inventory/group_vars/placement_all.yml
new file mode 100644
index 0000000000..58143011eb
--- /dev/null
+++ b/inventory/group_vars/placement_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_placement_service:
+ haproxy_service_name: placement
+ haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8780
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
+
+placement_haproxy_services:
+ - "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/rabbitmq_all.yml b/inventory/group_vars/rabbitmq_all.yml
index 4f14863e32..73d649e130 100644
--- a/inventory/group_vars/rabbitmq_all.yml
+++ b/inventory/group_vars/rabbitmq_all.yml
@@ -32,3 +32,22 @@ rabbitmq_package_state: "{{ rabbitmq_upgrade | default(False) | bool | ternary('
 # Ensure that all rabbitmq containers get a fixed mac address
 lxc_container_fixed_mac: true
+
+haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}"
+
+haproxy_rabbitmq_service:
+ haproxy_service_name: rabbitmq_mgmt
+ haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
+ haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
+ haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
+ haproxy_backend_ca: False
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}"
+ haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}"
+
+rabbitmq_haproxy_services:
+ - "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/repo_all.yml b/inventory/group_vars/repo_all.yml
index 731c80d75b..a07c744d3e 100644
--- a/inventory/group_vars/repo_all.yml
+++ b/inventory/group_vars/repo_all.yml
@@ -22,7 +22,7 @@ repo_server_enable_sync_manager: False
 # Repo container default list of bind mounts
 repo_container_bind_mounts:
 - bind_dir_path: "/var/lib/glusterd"
- mount_path: "/openstack/glusterd/{{inventory_hostname }}"
+ mount_path: "/openstack/glusterd/{{ inventory_hostname }}"
 # Enable glusterfs mount
 repo_server_systemd_mounts:
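Review bot: `haproxy_backend_ca: False` sits next to `haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"` in haproxy_rabbitmq_service with no explanation, so when management TLS is on haproxy speaks TLS to the rabbitmq backends without a CA to check them against; if the haproxy_server role maps a false CA to `verify none` (as it appears to, but confirm in the role's template), the backend certificate is not verified at all. That is a deliberate trade-off worth stating in place, e.g. `# No CA is configured for the backend connection, so the rabbitmq management certificate is not verified; supply one via haproxy_rabbitmq_service_overrides when the backends use a CA-signed cert`, so it is not mistaken for an oversight later. The value should also be lowercase `false` to match the other booleans in the commit and yamllint's truthy rule. The repo_all hunk on the same line is a whitespace-only fix and needs nothing.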
@@ -31,5 +31,21 @@ repo_server_systemd_mounts:
 type: glusterfs
 state: 'started'
 enabled: true
-
+
 openstack_repo_server_enable_glusterfs: True
+
+haproxy_repo_service:
+ haproxy_service_name: repo_all
+ haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 8181
+ haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_backend_httpcheck_options:
+ - "expect status 200"
+ haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
+
+repo_haproxy_services:
+ - "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/sahara_all.yml b/inventory/group_vars/sahara_all.yml
new file mode 100644
index 0000000000..fac33bebbf
--- /dev/null
+++ b/inventory/group_vars/sahara_all.yml
@@ -0,0 +1,29 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_sahara_api_service:
+ haproxy_service_name: sahara_api
+ haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_alg: source
+ haproxy_port: 8386
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
+
+sahara_haproxy_services:
+ - "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/senlin_all.yml b/inventory/group_vars/senlin_all.yml
new file mode 100644
index 0000000000..4db302c7d5
--- /dev/null
+++ b/inventory/group_vars/senlin_all.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_senlin_api_service:
+ haproxy_service_name: senlin_api
+ haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8778
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
+
+senlin_haproxy_services:
+ - "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/swift_all.yml b/inventory/group_vars/swift_all.yml
index 07b2a6a11f..73a4f9c7cf 100644
--- a/inventory/group_vars/swift_all.yml
+++ b/inventory/group_vars/swift_all.yml
@@ -18,3 +18,18 @@ swift_system_user_name: "{{ hostvars['localhost']['swift_system_user_name'] }}"
 swift_system_shell: "{{ hostvars['localhost']['swift_system_shell'] }}"
 swift_system_comment: "{{ hostvars['localhost']['swift_system_comment'] }}"
 swift_system_home_folder: "{{ hostvars['localhost']['swift_system_home_folder'] }}"
+
+haproxy_swift_proxy_service:
+ haproxy_service_name: swift_proxy
+ haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_balance_alg: source
+ haproxy_port: 8080
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
+
+swift_haproxy_services:
+ - "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/tacker_all.yml b/inventory/group_vars/tacker_all.yml
new file mode 100644
index 0000000000..ebe66eb7d4
--- /dev/null
+++ b/inventory/group_vars/tacker_all.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_tacker_service:
+ haproxy_service_name: tacker
+ haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 9890
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "forwardfor"
+ - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ - "httplog"
+ haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
+
+tacker_haproxy_services:
+ - "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/trove_all.yml b/inventory/group_vars/trove_all.yml
index 5b090aa94c..53ec6450f9 100644
--- a/inventory/group_vars/trove_all.yml
+++ b/inventory/group_vars/trove_all.yml
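Review bot: haproxy_tacker_service is the only service in this commit that lists `"forwardfor"` and `"httplog"` under `haproxy_backend_options`, and neither line says why tacker needs them when every sibling gets by with the health check alone. If the role renders these into a `backend` section, `option httplog` is a frontend/defaults directive per the HAProxy configuration manual and haproxy will warn about or ignore it there, so it is probably dead config; `option forwardfor` is valid in a backend but is usually set once in defaults, in which case it is redundant here too. Either drop both or keep them with a one-line comment above the list stating the concrete reason they were added.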
@@ -14,3 +14,17 @@
 # limitations under the License.
 swift_proxy_port: "{{ hostvars['localhost']['swift_proxy_port'] }}"
+
+haproxy_trove_service:
+ haproxy_service_name: trove
+ haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 8779
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
+
+trove_haproxy_services:
+ - "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}"
diff --git a/inventory/group_vars/zun_all.yml b/inventory/group_vars/zun_all.yml
new file mode 100644
index 0000000000..e3d4f9d2d0
--- /dev/null
+++ b/inventory/group_vars/zun_all.yml
@@ -0,0 +1,45 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_zun_api_service:
+ haproxy_service_name: zun_api
+ haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 9517
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
+
+haproxy_zun_console_service:
+ haproxy_service_name: zun_console
+ haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+ haproxy_port: 6784
+ haproxy_balance_type: http
+ haproxy_timeout_client: 60m
+ haproxy_timeout_server: 60m
+ haproxy_balance_alg: source
+ haproxy_backend_options:
+ - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+ haproxy_backend_httpcheck_options:
+ - "expect status 405"
+ haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
+
+zun_haproxy_services:
+ - "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}"
+ - "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"
diff --git a/playbooks/common-playbooks/haproxy-service-config.yml b/playbooks/common-playbooks/haproxy-service-config.yml
new file mode 100644
index 0000000000..09dfde02e6
--- /dev/null
+++ b/playbooks/common-playbooks/haproxy-service-config.yml
@@ -0,0 +1,41 @@
+---
+# Copyright 2023, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Haproxy service configs are stored in service group vars
+# (for ex. `glance_haproxy_services` are stored in glance group vars).
+# This is because they may refer to other variables in this group that are not
+# used only for haproxy(like `glance_backend_ssl`).
+# Group haproxy_all does not have access to service group vars by default.
+# To solve this, haproxy_all hosts are temporarily added to `service_group`.
+# After haproxy is configured, refresh_inventory is triggered to restore the
+# original inventory state.
+
+- hosts: "{{ service_group }}"
+ gather_facts: false
+ run_once: true
+ tasks:
+ - name: "Temporarily copy haproxy_service_configs value from {{ service_group }} to haproxy_all"
+ add_host:
+ name: "{{ item }}"
+ haproxy_service_configs: "{{ hostvars[inventory_hostname][service_variable] }}"
+ with_items: "{{ groups['haproxy_all'] }}"
+
+- hosts: haproxy_all
+ serial: "{{ haproxy_serial | default('50%') }}"
+ tasks:
+ - name: Configure haproxy for the service
+ import_role:
+ name: haproxy_server
+ tasks_from: haproxy_service_config_external.yml
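Review bot: The header comment describes behaviour this playbook does not implement: `add_host` here carries no `groups:` key, so haproxy_all hosts are never "added to `service_group`" — it only sets `haproxy_service_configs` as a host var on each of them — and there is no `meta: refresh_inventory` anywhere in the 41 lines, so that host var persists in the in-memory inventory for the rest of the run and is silently replaced by whichever service imports this playbook next (unless `haproxy_service_config_external.yml`, not part of this commit, does the refresh). Either add `- meta: refresh_inventory` as the last task of the `haproxy_all` play or rewrite the comment to say that the variable is copied onto the haproxy hosts and left there. The first play will also fail hard rather than skip when `service_variable` is not defined on the chosen host; `"{{ hostvars[inventory_hostname][service_variable] | default([]) }}"` would make an undefined definition a no-op, if that is the intended contract. The second play does not set `gather_facts: false` or the `environment: "{{ deployment_environment_variables | default({}) }}"` that the `haproxy-install.yml` hunk in this commit attaches to the same role, so the external config task runs without the deployment proxy/env settings.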
diff --git a/playbooks/galera-install.yml b/playbooks/galera-install.yml
index 184decbbf6..4d8209295f 100644
--- a/playbooks/galera-install.yml
+++ b/playbooks/galera-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: galera_all
+ service_variable: "galera_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install galera server
 hosts: galera_all
 gather_facts: false
diff --git a/playbooks/haproxy-install.yml b/playbooks/haproxy-install.yml
index 9029376af9..6264697842 100644
--- a/playbooks/haproxy-install.yml
+++ b/playbooks/haproxy-install.yml
@@ -47,13 +47,16 @@
 - "item.when | bool"
 tags:
 - haproxy-config # this tag is present because the task is ONLY a config task
+
 roles:
 - role: "keepalived"
 when: haproxy_use_keepalived | bool
 tags:
 - keepalived
+
 - role: "haproxy_server"
- haproxy_service_configs: "{{ haproxy_default_services + haproxy_extra_services|default([]) }}"
+ haproxy_service_configs: "{{ haproxy_default_services + haproxy_extra_services | default([]) }}"
+ environment: "{{ deployment_environment_variables | default({}) }}"
 tags:
 - haproxy-config
diff --git a/playbooks/os-adjutant-install.yml b/playbooks/os-adjutant-install.yml
index 3b8d6733c1..1dc6323984 100644
--- a/playbooks/os-adjutant-install.yml
+++ b/playbooks/os-adjutant-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: adjutant_api
+ service_variable: "adjutant_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install adjutant services
 hosts: adjutant_all
 gather_facts: false
diff --git a/playbooks/os-aodh-install.yml b/playbooks/os-aodh-install.yml
index e2ea9f45be..80013b1401 100644
--- a/playbooks/os-aodh-install.yml
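Review bot: `when: groups[service_group] | length > 0` turns a group that is absent from the inventory into a hard "conditional check failed" error on the `haproxy_all` play rather than a skip, whereas the group_vars side of this same commit guards defensively with `groups['…'] is defined and …`; `when: groups[service_group] | default([]) | length > 0` keeps the two consistent. This is most likely only reachable with a trimmed env.d, since the generated inventory normally defines every group, but the asymmetry is worth closing once here. The identical line is added in the adjutant hunk on this line and in every other `os-*-install.yml`, `rabbitmq-install.yml` and `repo-install.yml` hunk in this commit, so the same one-line change applies to all of them.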
+++ b/playbooks/os-aodh-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: aodh_api
+ service_variable: "aodh_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install the aodh components
 hosts: aodh_all
 gather_facts: false
diff --git a/playbooks/os-barbican-install.yml b/playbooks/os-barbican-install.yml
index 5eec497e4f..5a9373bb63 100644
--- a/playbooks/os-barbican-install.yml
+++ b/playbooks/os-barbican-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: barbican_api
+ service_variable: "barbican_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Installation and setup of barbican
 hosts: barbican_all
 gather_facts: false
diff --git a/playbooks/os-blazar-install.yml b/playbooks/os-blazar-install.yml
index eb8a6d4ce7..66ae1cac6c 100644
--- a/playbooks/os-blazar-install.yml
+++ b/playbooks/os-blazar-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: blazar_api
+ service_variable: "blazar_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install blazar components
 hosts: blazar_all
 gather_facts: false
diff --git a/playbooks/os-cinder-install.yml b/playbooks/os-cinder-install.yml
index 1d763673c9..787ba37203 100644
--- a/playbooks/os-cinder-install.yml
+++ b/playbooks/os-cinder-install.yml
@@ -35,7 +35,14 @@
 cinder_hosts: "cinder_backup:!cinder_volume:!cinder_scheduler:!cinder_api"
 cinder_serial: "{{ cinder_backend_serial | default(['1', '100%']) }}"
-
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: cinder_api
+ service_variable: "cinder_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
 - name: Install cinder API services
 import_playbook: common-playbooks/cinder.yml
diff --git a/playbooks/os-cloudkitty-install.yml b/playbooks/os-cloudkitty-install.yml
index 7ef88da6ba..4853c9a9f1 100644
--- a/playbooks/os-cloudkitty-install.yml
+++ b/playbooks/os-cloudkitty-install.yml
@@ -24,6 +24,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: cloudkitty_api
+ service_variable: "cloudkitty_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install cloudkitty services
 hosts: cloudkitty_all
 serial: "{{ cloudkitty_api_serial | default(['1', '100%']) }}"
diff --git a/playbooks/os-designate-install.yml b/playbooks/os-designate-install.yml
index 91999dd6b6..30010155a0 100644
--- a/playbooks/os-designate-install.yml
+++ b/playbooks/os-designate-install.yml
@@ -26,6 +26,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: designate_api
+ service_variable: "designate_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install designate server
 hosts: designate_all
 gather_facts: false
diff --git a/playbooks/os-glance-install.yml b/playbooks/os-glance-install.yml
index ea16e3d132..157954dc0a 100644
--- a/playbooks/os-glance-install.yml
+++ b/playbooks/os-glance-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: glance_api
+ service_variable: "glance_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install glance services
 hosts: "glance_all"
 serial: "{{ glance_api_serial | default(['1', '100%']) }}"
diff --git a/playbooks/os-gnocchi-install.yml b/playbooks/os-gnocchi-install.yml
index 7c2ca2c0a7..9f26d5c6ea 100644
--- a/playbooks/os-gnocchi-install.yml
+++ b/playbooks/os-gnocchi-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: gnocchi_api
+ service_variable: "gnocchi_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install Gnocchi components
 hosts: gnocchi_all
 gather_facts: false
diff --git a/playbooks/os-heat-install.yml b/playbooks/os-heat-install.yml
index 06f287eba4..740177ca37 100644
--- a/playbooks/os-heat-install.yml
+++ b/playbooks/os-heat-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: heat_api
+ service_variable: "heat_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install heat server
 hosts: heat_all
 gather_facts: false
diff --git a/playbooks/os-horizon-install.yml b/playbooks/os-horizon-install.yml
index e0e6d1326d..e89b0f1f5a 100644
--- a/playbooks/os-horizon-install.yml
+++ b/playbooks/os-horizon-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: horizon_all
+ service_variable: "horizon_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install horizon server
 hosts: horizon_all
 gather_facts: false
diff --git a/playbooks/os-ironic-install.yml b/playbooks/os-ironic-install.yml
index 903d4a3cba..a3e9d33e53 100644
--- a/playbooks/os-ironic-install.yml
+++ b/playbooks/os-ironic-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: ironic_api
+ service_variable: "ironic_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Installation and setup of Ironic
 hosts: ironic_all
 gather_facts: false
diff --git a/playbooks/os-keystone-install.yml b/playbooks/os-keystone-install.yml
index d7edd5e727..273c2bed26 100644
--- a/playbooks/os-keystone-install.yml
+++ b/playbooks/os-keystone-install.yml
@@ -51,6 +51,15 @@
 tags:
 - keystone
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: keystone_all
+ service_variable: "keystone_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Installation and setup of Keystone
 hosts: keystone_all
 serial: "{{ keystone_serial | default(['1', '100%']) }}"
diff --git a/playbooks/os-magnum-install.yml b/playbooks/os-magnum-install.yml
index b21fbed530..88a953b1f9 100644
--- a/playbooks/os-magnum-install.yml
+++ b/playbooks/os-magnum-install.yml
@@ -26,6 +26,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: magnum_all
+ service_variable: "magnum_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install magnum server
 hosts: magnum_all
 user: root
diff --git a/playbooks/os-manila-install.yml b/playbooks/os-manila-install.yml
index 78604fb2c2..a0c998476a 100644
--- a/playbooks/os-manila-install.yml
+++ b/playbooks/os-manila-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: manila_api
+ service_variable: "manila_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install manila API services
 hosts: manila_api:manila_scheduler
 gather_facts: false
diff --git a/playbooks/os-masakari-install.yml b/playbooks/os-masakari-install.yml
index c0ebcda460..12f1858851 100644
--- a/playbooks/os-masakari-install.yml
+++ b/playbooks/os-masakari-install.yml
@@ -38,6 +38,15 @@
 - role: "pacemaker_corosync"
 tags: pacemaker-corosync
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: masakari_api
+ service_variable: "masakari_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install the masakari components
 hosts: masakari_all
 gather_facts: false
diff --git a/playbooks/os-mistral-install.yml b/playbooks/os-mistral-install.yml
index 7e1d5ff243..eb3c7ffa6f 100644
--- a/playbooks/os-mistral-install.yml
+++ b/playbooks/os-mistral-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: mistral_api
+ service_variable: "mistral_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install mistral components
 hosts: mistral_all
 gather_facts: false
diff --git a/playbooks/os-murano-install.yml b/playbooks/os-murano-install.yml
index 238d9335f5..ef3a994f07 100644
--- a/playbooks/os-murano-install.yml
+++ b/playbooks/os-murano-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: murano_api
+ service_variable: "murano_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install murano components
 hosts: murano_all
 gather_facts: false
diff --git a/playbooks/os-neutron-install.yml b/playbooks/os-neutron-install.yml
index 08404c3648..fd394ad92e 100644
--- a/playbooks/os-neutron-install.yml
+++ b/playbooks/os-neutron-install.yml
@@ -25,7 +25,14 @@
 dest_group: "neutron_l3_agent, neutron_metadata_agent"
 group_when: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.ovs.dvr') }}"
-
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: neutron_server
+ service_variable: "neutron_haproxy_services"
+ when: groups[service_group]
+ tags:
+ - haproxy-service-config
 - name: Install neutron server
 import_playbook: common-playbooks/neutron.yml
diff --git a/playbooks/os-nova-install.yml b/playbooks/os-nova-install.yml
index 3d29322988..5ecde40b73 100644
--- a/playbooks/os-nova-install.yml
+++ b/playbooks/os-nova-install.yml
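Review bot: In the `os-neutron-install.yml` hunk the gate is `when: groups[service_group]`, while every other playbook in this commit uses `when: groups[service_group] | length > 0`. Both skip on an empty group because an empty list is falsy, but the bare form relies on list truthiness in a conditional and reads as an unfinished copy of the others; `when: groups[service_group] | length > 0` keeps the gate uniform across the service playbooks.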
@@ -13,6 +13,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: "Config haproxy service"
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group:
+ - nova_api_os_compute
+ - nova_api_metadata
+ - nova_console
+ - nova_ironic_console
+ service_variable: "nova_haproxy_services"
+ when: groups['nova_all'] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install nova-conductor services
 import_playbook: common-playbooks/nova.yml
 vars:
diff --git a/playbooks/os-octavia-install.yml b/playbooks/os-octavia-install.yml
index e1b01fb62b..05921a671f 100644
--- a/playbooks/os-octavia-install.yml
+++ b/playbooks/os-octavia-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: octavia-api
+ service_variable: "octavia_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install octavia server
 hosts: octavia_all
 gather_facts: false
diff --git a/playbooks/os-placement-install.yml b/playbooks/os-placement-install.yml
index c2d5b47e67..e8a1eb9949 100644
--- a/playbooks/os-placement-install.yml
+++ b/playbooks/os-placement-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: placement_api
+ service_variable: "placement_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install placement components
 hosts: placement_all
 gather_facts: false
@@ -41,7 +50,6 @@
 - include_tasks: common-tasks/unbound-clients.yml
 when:
 - hostvars['localhost']['resolvconf_enabled'] | bool
-
 roles:
 - role: "os_placement"
 - role: "openstack.osa.system_crontab_coordination"
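Review bot: The `os-nova-install.yml` hunk names its play `"Config haproxy service"` while every sibling playbook in this commit uses `Configure haproxy services`; `- name: Configure haproxy services` would keep `--list-tasks` output and tag-based runs uniform. Here `service_group` is a four-entry list and the gate is `groups['nova_all']` rather than `groups[service_group]`, so the imported playbook's `run_once` picks the first host matched by any of the four groups and reads `nova_haproxy_services` from it; that is only correct if the variable resolves identically on all four groups, which the `nova_all.yml` entry in the diffstat suggests but this hunk cannot show — a one-line comment above `service_group:` stating that assumption would help the next reader.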
diff --git a/playbooks/os-sahara-install.yml b/playbooks/os-sahara-install.yml
index f4c47aecfc..4d0f1f9d63 100644
--- a/playbooks/os-sahara-install.yml
+++ b/playbooks/os-sahara-install.yml
@@ -21,6 +21,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: sahara_api
+ service_variable: "sahara_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install sahara server
 hosts: sahara_all
 gather_facts: "{{ osa_gather_facts | default(True) }}"
diff --git a/playbooks/os-senlin-install.yml b/playbooks/os-senlin-install.yml
index 336eab11b4..a0c6217d00 100644
--- a/playbooks/os-senlin-install.yml
+++ b/playbooks/os-senlin-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: senlin_api
+ service_variable: "senlin_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install senlin services
 hosts: senlin_all
 gather_facts: false
diff --git a/playbooks/os-swift-install.yml b/playbooks/os-swift-install.yml
index 5ac68cd127..3068418ab0 100644
--- a/playbooks/os-swift-install.yml
+++ b/playbooks/os-swift-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: swift_all
+ service_variable: "swift_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Installation and setup of Swift
 hosts: swift_all:swift_remote_all
 gather_facts: false
diff --git a/playbooks/os-tacker-install.yml b/playbooks/os-tacker-install.yml
index b2a2e437eb..8c1a097b8e 100644
--- a/playbooks/os-tacker-install.yml
+++ b/playbooks/os-tacker-install.yml
@@ -23,6 +23,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: tacker_server
+ service_variable: "tacker_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install the tacker components
 hosts: tacker_all
 gather_facts: false
diff --git a/playbooks/os-trove-install.yml b/playbooks/os-trove-install.yml
index ba5200a89d..4a65d7208b 100644
--- a/playbooks/os-trove-install.yml
+++ b/playbooks/os-trove-install.yml
@@ -26,6 +26,15 @@
 tags:
 - always
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: trove_api
+ service_variable: "trove_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install trove server
 hosts: trove_all
 gather_facts: false
diff --git a/playbooks/os-zun-install.yml b/playbooks/os-zun-install.yml
index b2bee39822..ec876a862f 100644
--- a/playbooks/os-zun-install.yml
+++ b/playbooks/os-zun-install.yml
@@ -36,6 +36,15 @@
 - zun-install
 - etcd-server
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: zun_api
+ service_variable: "zun_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install the zun components
 hosts: zun_all
 gather_facts: false
diff --git a/playbooks/rabbitmq-install.yml b/playbooks/rabbitmq-install.yml
index 1170516f95..e77531ff05 100644
--- a/playbooks/rabbitmq-install.yml
+++ b/playbooks/rabbitmq-install.yml
@@ -53,6 +53,15 @@
 state: "stopped"
 when: rabbitmq_upgrade | default(false) | bool
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: rabbitmq_all
+ service_variable: "rabbitmq_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Install rabbitmq server
 hosts: "{{ rabbitmq_host_group | default('rabbitmq_all') }}"
 gather_facts: false
diff --git a/playbooks/repo-install.yml b/playbooks/repo-install.yml
index 9389a5d94e..3ef2f1f34d 100644
--- a/playbooks/repo-install.yml
+++ b/playbooks/repo-install.yml
@@ -55,6 +55,15 @@
 - openstack_repo_server_enable_glusterfs | default(False)
 environment: "{{ deployment_environment_variables | default({}) }}"
+- name: Configure haproxy services
+ import_playbook: common-playbooks/haproxy-service-config.yml
+ vars:
+ service_group: repo_all
+ service_variable: "repo_haproxy_services"
+ when: groups[service_group] | length > 0
+ tags:
+ - haproxy-service-config
+
 - name: Setup repo servers
 hosts: repo_all
 gather_facts: false
@@ -62,7 +71,6 @@
 user: root
 roles:
 - role: "repo_server"
-
 vars_files:
 - defaults/repo_packages/openstack_services.yml
 - "defaults/{{ install_method }}_install.yml"
diff --git a/playbooks/setup-infrastructure.yml b/playbooks/setup-infrastructure.yml
index 127826566a..58f85e8db5 100644
--- a/playbooks/setup-infrastructure.yml
+++ b/playbooks/setup-infrastructure.yml
@@ -14,8 +14,8 @@
 # limitations under the License.
 - import_playbook: unbound-install.yml
-- import_playbook: repo-install.yml
 - import_playbook: haproxy-install.yml
+- import_playbook: repo-install.yml
 - import_playbook: memcached-install.yml
 - import_playbook: galera-install.yml
 - import_playbook: qdrouterd-install.yml
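Review bot: In the `rabbitmq-install.yml` hunk the haproxy gate is pinned to `service_group: rabbitmq_all`, while the install play three lines below targets `"{{ rabbitmq_host_group | default('rabbitmq_all') }}"`, so a deployment that overrides `rabbitmq_host_group` configures haproxy from a different host set than the one it installs on. If the override is meant to be honoured end to end, `service_group: "{{ rabbitmq_host_group | default('rabbitmq_all') }}"` keeps both plays on the same group; whether `rabbitmq_haproxy_services` in the group vars also keys on `rabbitmq_all` is not visible in this chunk and would need the same treatment.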
diff --git a/releasenotes/notes/separated-haproxy-service-config-9ccecbcb286355ef.yaml b/releasenotes/notes/separated-haproxy-service-config-9ccecbcb286355ef.yaml
new file mode 100644
index 0000000000..4cd5c693f1
--- /dev/null
+++ b/releasenotes/notes/separated-haproxy-service-config-9ccecbcb286355ef.yaml
@@ -0,0 +1,16 @@
+---
+features:
+ - |
+ Haproxy services are now configured separately at the beginning of each
+ service playbook.
+other:
+ - |
+ Haproxy service definitions(along with their overrides) are no longer
+ stored in haproxy group vars. They were moved to service variables,
+ so for example ``glance_haproxy_services`` are stored in glance_all
+ group variables.
+ - |
+ The structure of ``haproxy_default_services`` and
+ ``haproxy_extra_services`` was simplified.
+ Now it's just a list of dicts.
+ It has the same format as ``haproxy_service_configs``.