--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. haproxy_bind_on_non_local: "{{ (groups.haproxy | length) > 1 }}" haproxy_use_keepalived: "{{ (groups.haproxy | length) > 1 }}" keepalived_selinux_compile_rules: - keepalived_ping - keepalived_haproxy_pid_file # Ensure that the package state matches the global setting haproxy_package_state: "{{ package_state }}" haproxy_allowlist_networks: - 192.168.0.0/16 - 172.16.0.0/12 - 10.0.0.0/8 haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}" haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}" haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}" haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}" haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}" haproxy_security_txt_acl: keystone-security-txt-acl: rule: "path_end /security.txt" backend_name: keystone_service # Variables to set security headers used by browsers haproxy_security_headers_max_age: 31536000 # Set CSP headers to report only for testing haproxy_security_headers_csp_report_only: False # To override the CSP used by a specific service define a variable haproxy__csp haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:*; img-src 'self' data:; worker-src blob:;\"" # To disable security headers set to [] haproxy_security_headers: - "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\"" - 'http-response set-header X-Content-Type-Options "nosniff"' - 'http-response set-header Referrer-Policy "same-origin"' - 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"' # haproxy default stick table # returns 429 when more than 20 4xx responses per 10 second window # from external IP addresses. Override as necessary. openstack_haproxy_stick_table: - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)" - "http-request track-sc0 src" - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" # apply the stick table as default for all backends haproxy_stick_table: "{{ openstack_haproxy_stick_table }}" # special haproxy stick table for horizon # returns 429 when more than 20 calls to /auth per 10 second window # returns 429 when more than 20 4xx responses per 10 second window # from external IP addresses. Override as necessary. openstack_haproxy_horizon_stick_table: - "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)" - "http-request track-sc0 src" - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" haproxy_adjutant_api_service: haproxy_service_name: adjutant_api haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 5050 haproxy_balance_type: http haproxy_balance_alg: source haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}" haproxy_aodh_api_service: haproxy_service_name: aodh_api haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8042 haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}" haproxy_barbican_service: haproxy_service_name: barbican haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9311 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}" haproxy_ceph_rgw_service: haproxy_service_name: ceph-rgw haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_alg: source haproxy_port: "{{ radosgw_service_port | default(7980) }}" haproxy_balance_type: http haproxy_backend_options: - httpchk HEAD / haproxy_backend_httpcheck_options: - expect rstatus 200|405 haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}" haproxy_cinder_api_service: haproxy_service_name: cinder_api haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8776 haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}" haproxy_cloudkitty_api_service: haproxy_service_name: cloudkitty_api haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8089 haproxy_balance_type: http haproxy_balance_alg: source haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}" haproxy_designate_api_service: haproxy_service_name: designate_api haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9001 haproxy_balance_type: http haproxy_backend_options: - "forwardfor" - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" - "httplog" haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}" haproxy_galera_service: haproxy_service_name: galera haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}" haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: 3306 haproxy_check_port: 9200 haproxy_balance_type: tcp haproxy_timeout_client: 5000s haproxy_timeout_server: 5000s haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}" haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}" haproxy_glance_api_service: haproxy_service_name: glance_api haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9292 haproxy_balance_type: http haproxy_balance_alg: source haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}" haproxy_gnocchi_service: haproxy_service_name: gnocchi haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}" haproxy_port: 8041 haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}" haproxy_heat_api_cfn_service: haproxy_service_name: heat_api_cfn haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}" haproxy_port: 8000 haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}" haproxy_heat_api_service: haproxy_service_name: heat_api haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}" haproxy_port: 8004 haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}" haproxy_horizon_service: haproxy_service_name: horizon haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: true haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}" haproxy_backend_port: 80 haproxy_redirect_http_port: 80 haproxy_balance_type: http haproxy_balance_alg: source haproxy_backend_options: - "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}" haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}" haproxy_acls: "{{ keystone_security_txt_content is defined | ternary(haproxy_security_txt_acl, {}) }}" haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}" haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}" haproxy_ironic_api_service: haproxy_service_name: ironic_api haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 6385 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}" haproxy_ironic_inspector_service: haproxy_service_name: ironic_inspector haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 5050 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}" haproxy_keystone_service: haproxy_service_name: keystone_service haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}" haproxy_port: 5000 haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_type: "http" haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}" haproxy_letsencrypt_service: haproxy_service_name: letsencrypt haproxy_backend_nodes: "{{ groups['haproxy_all'] }}" backend_rise: 1 backend_fall: 5 interval: 4000 haproxy_bind: - 127.0.0.1 haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}" haproxy_balance_type: http haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}" haproxy_magnum_service: haproxy_service_name: magnum haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9511 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}" haproxy_manila_service: haproxy_service_name: manila haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8786 haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}" haproxy_masakari_api_service: haproxy_service_name: masakari_api haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 15868 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}" haproxy_mistral_service: haproxy_service_name: mistral haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8989 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}" haproxy_murano_service: haproxy_service_name: murano haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8082 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_httpcheck_options: - "expect status 401" haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}" haproxy_neutron_server_service: haproxy_service_name: neutron_server haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}" haproxy_port: 9696 haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}" haproxy_nova_api_metadata_service: haproxy_service_name: nova_api_metadata haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}" haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: 8775 haproxy_ssl: "{{ (neutron_plugin_type == 'ml2.calico') | ternary(False, haproxy_ssl_all_vips) }}" haproxy_ssl_all_vips: "{{ (neutron_plugin_type == 'm2.calico') | ternary(False, haproxy_ssl_all_vips) }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}" haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}" haproxy_nova_api_compute_service: haproxy_service_name: nova_api_os_compute haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8774 haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}" # By default the nova console service on HAProxy is configured in HTTP mode to # allow for more fine grained control. But if the SSL connection is terminated # on the nova console container it has to be run in TCP mode. haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined) }}" haproxy_nova_console_service: haproxy_service_name: nova_console haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: "{{ nova_console_port }}" haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}" haproxy_timeout_client: 60m haproxy_timeout_server: 60m haproxy_balance_alg: source haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD ' + nova_console_path + ' HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}" haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}" haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type != 'disabled' }}" haproxy_octavia_service: haproxy_service_name: octavia haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9876 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}" haproxy_opendaylight_neutron_service: haproxy_service_name: opendaylight-neutron haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}" haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: 8180 haproxy_balance_type: tcp haproxy_timeout_client: 5000s haproxy_timeout_server: 5000s haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}" haproxy_service_enabled: "{{ neutron_plugin_type == 'ml2.opendaylight' }}" haproxy_opendaylight_websocket_service: haproxy_service_name: opendaylight-websocket haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}" haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: 8185 haproxy_balance_type: tcp haproxy_timeout_client: 5000s haproxy_timeout_server: 5000s haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}" haproxy_service_enabled: "{{ neutron_plugin_type == 'ml2.opendaylight' }}" # TODO(jamesdenton): Remove that in Z release haproxy_ovn_northbound_service: haproxy_service_name: neutron_ovn_northd_northbound state: absent # TODO(jamesdenton): Remove that in Z release haproxy_ovn_southbound_service: haproxy_service_name: neutron_ovn_northd_southbound state: absent # TODO(jamesdenton): Remove that in Z release haproxy_ovn_ovsdb_service: haproxy_service_name: neutron_ovn_ovsdb_server state: absent # TODO(noonedeadpunk): Remove that in Y release haproxy_panko_api_service: haproxy_service_name: panko_api state: absent haproxy_placement_service: haproxy_service_name: placement haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8780 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}" haproxy_rabbitmq_service: haproxy_service_name: rabbitmq_mgmt haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}" haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}" haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}" haproxy_backend_ca: False haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}" haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}" haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}" haproxy_repo_service: haproxy_service_name: repo_all haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}" haproxy_bind: "{{ [internal_lb_vip_address] }}" haproxy_port: 8181 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_httpcheck_options: - "expect status 200" haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}" haproxy_sahara_api_service: haproxy_service_name: sahara_api haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_alg: source haproxy_port: 8386 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_httpcheck_options: - "expect rstatus 300|200" haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}" haproxy_senlin_api_service: haproxy_service_name: senlin_api haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8778 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}" haproxy_swift_proxy_service: haproxy_service_name: swift_proxy haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_balance_alg: source haproxy_port: 8080 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}" haproxy_tacker_service: haproxy_service_name: tacker haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9890 haproxy_balance_type: http haproxy_backend_options: - "forwardfor" - "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" - "httplog" haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}" haproxy_trove_service: haproxy_service_name: trove haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 8779 haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}" haproxy_zun_api_service: haproxy_service_name: zun_api haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 9517 haproxy_balance_type: http haproxy_backend_options: - "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}" haproxy_zun_console_service: haproxy_service_name: zun_console haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: 6784 haproxy_balance_type: http haproxy_timeout_client: 60m haproxy_timeout_server: 60m haproxy_balance_alg: source haproxy_backend_options: - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" haproxy_backend_httpcheck_options: - "expect status 405" haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}" haproxy_default_services: - service: "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}" - service: "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}" - service: "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}" - service: "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}" - service: "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}" - service: "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}" - service: "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}" - service: "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}" - service: "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}" - service: "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}" - service: "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}" - service: "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}" - service: "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}" - service: "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}" - service: "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}" - service: "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}" - service: "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}" - service: "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}" - service: "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}" - service: "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}" - service: "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}" - service: "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}" - service: "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}" - service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}" - service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}" - service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}" - service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}" - service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}" - service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}" - service: "{{ haproxy_panko_api_service | combine(haproxy_panko_api_service_overrides | default({})) }}" - service: "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}" - service: "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}" - service: "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}" - service: "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}" - service: "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}" - service: "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}" - service: "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}" - service: "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}" - service: "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}" - service: "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"