openstack
/
openstack-ansible
Code Issues Proposed changes
openstack-ansible/inventory/group_vars/haproxy/haproxy.yml

690 lines
35 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_bind_on_non_local: "{{ (groups.haproxy | length) > 1 }}"
haproxy_use_keepalived: "{{ (groups.haproxy | length) > 1 }}"
keepalived_selinux_compile_rules:
- keepalived_ping
- keepalived_haproxy_pid_file
# Ensure that the package state matches the global setting
haproxy_package_state: "{{ package_state }}"
haproxy_allowlist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
haproxy_galera_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_rabbitmq_management_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_opendaylight_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_stick_table_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_ironic_inspector_allowlist_networks: "{{ haproxy_allowlist_networks }}"
# Variables to set security headers used by browsers
haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
# To override the CSP used by a specific service define a variable haproxy_<service name>_csp
haproxy_security_headers_csp: >
http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
default-src 'self';
frame-ancestors 'none';
form-action 'self';
upgrade-insecure-requests;
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
img-src 'self' data:;
worker-src blob:;
"
# To disable security headers set to []
haproxy_security_headers:
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
- 'http-response set-header X-Content-Type-Options "nosniff"'
- 'http-response set-header Referrer-Policy "same-origin"'
- 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
# haproxy default stick table
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
# apply the stick table as default for all backends
haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"
# special haproxy stick table for horizon
# returns 429 when more than 20 calls to /auth per 10 second window
# returns 429 when more than 20 4xx responses per 10 second window
# from external IP addresses. Override as necessary.
openstack_haproxy_horizon_stick_table:
- "stick-table type ipv6 size 256k expire 10s store http_req_rate(10s),http_err_rate(10s)"
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
haproxy_security_txt_service:
haproxy_backend_only: true
haproxy_service_name: security_txt
haproxy_backend_nodes: []
haproxy_balance_type: http
haproxy_service_enabled: "{{ haproxy_security_txt_content is truthy }}"
# https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/
haproxy_backend_arguments:
- 'errorfile 503 /etc/haproxy/security.txt'
haproxy_map_entries:
- name: base_regex
entries:
- '.*/security.txt security_txt-back'
# haproxy 'base' frontend-only service that is used always deployed for port 80 redirect and 443
# this potentially supports horizon dashboard, security.txt and certbot
# plus any other user defined custom backend
haproxy_base_service:
haproxy_service_name: base
haproxy_frontend_only: true
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: true
haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
haproxy_redirect_http_port: 80
haproxy_balance_type: http
haproxy_service_enabled: true
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}"
haproxy_maps:
- 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
haproxy_map_entries:
- name: base_regex
entries:
- "#Regular expression map file - this comment is defined in the base frontend config"
haproxy_adjutant_api_service:
haproxy_service_name: adjutant_api
haproxy_backend_nodes: "{{ groups['adjutant_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
haproxy_aodh_api_service:
haproxy_service_name: aodh_api
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8042
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
haproxy_barbican_service:
haproxy_service_name: barbican
haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9311
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
haproxy_ceph_rgw_service:
haproxy_service_name: ceph-rgw
haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: "{{ radosgw_service_port | default(7980) }}"
haproxy_balance_type: http
haproxy_backend_options:
- httpchk HEAD /
haproxy_backend_httpcheck_options:
- expect rstatus 200|405
haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
haproxy_cinder_api_service:
haproxy_service_name: cinder_api
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8776
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
haproxy_cloudkitty_api_service:
haproxy_service_name: cloudkitty_api
haproxy_backend_nodes: "{{ groups['cloudkitty_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8089
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
haproxy_designate_api_service:
haproxy_service_name: designate_api
haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9001
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
haproxy_galera_service:
haproxy_service_name: galera
haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 3306
haproxy_check_port: 9200
haproxy_balance_type: tcp
haproxy_stick_table_enabled: False
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_server_options:
- "send-proxy-v2"
haproxy_allowlist_networks: "{{ haproxy_galera_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['galera_all'] is defined and groups['galera_all'] | length > 0 }}"
haproxy_glance_api_service:
haproxy_service_name: glance_api
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9292
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
haproxy_gnocchi_service:
haproxy_service_name: gnocchi
haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
haproxy_port: 8041
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
haproxy_heat_api_cfn_service:
haproxy_service_name: heat_api_cfn
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
haproxy_port: 8000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
haproxy_heat_api_service:
haproxy_service_name: heat_api
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
haproxy_port: 8004
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base`
haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_backend_port: 80
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries:
- name: base_regex
order: 99
#match any requests to the horizon backend
entries:
- '.* horizon-back'
haproxy_ironic_api_service:
haproxy_service_name: ironic_api
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6385
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/lookup } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny if { path_beg /v1/heartbeat } !{ src {{haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
haproxy_ironic_inspector_service:
haproxy_service_name: ironic_inspector
haproxy_backend_nodes: "{{ groups['ironic_inspector'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 5050
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/continue } !{ src {{haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
haproxy_keystone_service:
haproxy_service_name: keystone_service
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
haproxy_port: 5000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: "http"
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
haproxy_letsencrypt_service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 5
interval: 4000
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
haproxy_magnum_service:
haproxy_service_name: magnum
haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9511
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
haproxy_manila_service:
haproxy_service_name: manila
haproxy_backend_nodes: "{{ groups['manila_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8786
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
haproxy_masakari_api_service:
haproxy_service_name: masakari_api
haproxy_backend_nodes: "{{ groups['masakari_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 15868
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
haproxy_mistral_service:
haproxy_service_name: mistral
haproxy_backend_nodes: "{{ groups['mistral_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8989
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
haproxy_murano_service:
haproxy_service_name: murano
haproxy_backend_nodes: "{{ groups['murano_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8082
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 401"
haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
haproxy_neutron_server_service:
haproxy_service_name: neutron_server
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_port: 9696
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
haproxy_nova_api_metadata_service:
haproxy_service_name: nova_api_metadata
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8775
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
haproxy_nova_api_compute_service:
haproxy_service_name: nova_api_os_compute
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8774
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
# By default the nova console service on HAProxy is configured in HTTP mode to
# allow for more fine grained control. But if the SSL connection is terminated
# on the nova console container it has to be run in TCP mode.
haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
and nova_console_user_ssl_key is defined) }}"
haproxy_nova_spice_console_service:
haproxy_service_name: nova_spice_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
haproxy_nova_serial_console_service:
haproxy_service_name: nova_serial_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
(groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
haproxy_nova_novnc_console_service:
haproxy_service_name: nova_novnc_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
haproxy_nova_console_service:
haproxy_service_name: nova_console
haproxy_service_enabled: False
haproxy_nova_ironic_console_service:
haproxy_service_name: nova_ironic_console
haproxy_service_enabled: False
haproxy_octavia_service:
haproxy_service_name: octavia
haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9876
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
haproxy_opendaylight_neutron_service:
haproxy_service_name: opendaylight-neutron
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8180
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
haproxy_opendaylight_websocket_service:
haproxy_service_name: opendaylight-websocket
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8185
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
haproxy_timeout_server: 5000s
haproxy_allowlist_networks: "{{ haproxy_opendaylight_allowlist_networks }}"
haproxy_service_enabled: "{{ (neutron_plugin_type | default('ml2.ovn') == 'ml2.opendaylight') }}"
haproxy_placement_service:
haproxy_service_name: placement
haproxy_backend_nodes: "{{ groups['placement_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8780
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
haproxy_rabbitmq_service:
haproxy_service_name: rabbitmq_mgmt
haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ca: False
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_rabbitmq_management_allowlist_networks }}"
haproxy_service_enabled: "{{ groups['rabbitmq'] is defined and groups['rabbitmq'] | length > 0 }}"
haproxy_repo_service:
haproxy_service_name: repo_all
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8181
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 200"
haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
haproxy_sahara_api_service:
haproxy_service_name: sahara_api
haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8386
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
haproxy_senlin_api_service:
haproxy_service_name: senlin_api
haproxy_backend_nodes: "{{ groups['senlin_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8778
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
haproxy_swift_proxy_service:
haproxy_service_name: swift_proxy
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: 8080
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
haproxy_tacker_service:
haproxy_service_name: tacker
haproxy_backend_nodes: "{{ groups['tacker_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9890
haproxy_balance_type: http
haproxy_backend_options:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
haproxy_trove_service:
haproxy_service_name: trove
haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 8779
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
haproxy_zun_api_service:
haproxy_service_name: zun_api
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 9517
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_zun_console_service:
haproxy_service_name: zun_console
haproxy_backend_nodes: "{{ groups['zun_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_port: 6784
haproxy_balance_type: http
haproxy_timeout_client: 60m
haproxy_timeout_server: 60m
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 405"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_default_services:
- service: "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
- service: "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
- service: "{{ haproxy_adjutant_api_service | combine(haproxy_adjutant_api_service_overrides | default({})) }}"
- service: "{{ haproxy_aodh_api_service | combine(haproxy_aodh_api_service_overrides | default({})) }}"
- service: "{{ haproxy_barbican_service | combine(haproxy_barbican_service_overrides | default({})) }}"
- service: "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
- service: "{{ haproxy_cinder_api_service | combine(haproxy_cinder_api_service_overrides | default({})) }}"
- service: "{{ haproxy_cloudkitty_api_service | combine(haproxy_cloudkitty_api_service_overrides | default({})) }}"
- service: "{{ haproxy_designate_api_service | combine(haproxy_designate_api_service_overrides | default({})) }}"
- service: "{{ haproxy_galera_service | combine(haproxy_galera_service_overrides | default({})) }}"
- service: "{{ haproxy_glance_api_service | combine(haproxy_glance_api_service_overrides | default({})) }}"
- service: "{{ haproxy_gnocchi_service | combine(haproxy_gnocchi_service_overrides | default({})) }}"
- service: "{{ haproxy_heat_api_cfn_service | combine(haproxy_heat_api_cfn_service_overrides | default({})) }}"
- service: "{{ haproxy_heat_api_service | combine(haproxy_heat_api_service_overrides | default({})) }}"
- service: "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
- service: "{{ haproxy_ironic_api_service | combine(haproxy_ironic_api_service_overrides | default({})) }}"
- service: "{{ haproxy_ironic_inspector_service | combine(haproxy_ironic_inspector_service_overrides | default({})) }}"
- service: "{{ haproxy_keystone_service | combine(haproxy_keystone_service_overrides | default({})) }}"
- service: "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
- service: "{{ haproxy_magnum_service | combine(haproxy_magnum_service_overrides | default({})) }}"
- service: "{{ haproxy_manila_service | combine(haproxy_manila_service_overrides | default({})) }}"
- service: "{{ haproxy_masakari_api_service | combine(haproxy_masakari_api_service_overrides | default({})) }}"
- service: "{{ haproxy_mistral_service | combine(haproxy_mistral_service_overrides | default({})) }}"
- service: "{{ haproxy_murano_service | combine(haproxy_murano_service_overrides | default({})) }}"
- service: "{{ haproxy_neutron_server_service | combine(haproxy_neutron_server_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
- service: "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"
- service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}"
- service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"
- service: "{{ haproxy_placement_service | combine(haproxy_placement_service_overrides | default({})) }}"
- service: "{{ haproxy_rabbitmq_service | combine(haproxy_rabbitmq_service_overrides | default({})) }}"
- service: "{{ haproxy_repo_service | combine(haproxy_repo_service_overrides | default({})) }}"
- service: "{{ haproxy_sahara_api_service | combine(haproxy_sahara_api_service_overrides | default({})) }}"
- service: "{{ haproxy_senlin_api_service | combine(haproxy_senlin_api_service_overrides | default({})) }}"
- service: "{{ haproxy_swift_proxy_service | combine(haproxy_swift_proxy_service_overrides | default({})) }}"
- service: "{{ haproxy_tacker_service | combine(haproxy_tacker_service_overrides | default({})) }}"
- service: "{{ haproxy_trove_service | combine(haproxy_trove_service_overrides | default({})) }}"
- service: "{{ haproxy_zun_api_service | combine(haproxy_zun_api_service_overrides | default({})) }}"
- service: "{{ haproxy_zun_console_service | combine(haproxy_zun_console_service_overrides | default({})) }}"
View Git Blame Copy Permalink