Don't restrict haproxy tunable options

Instead of hardcoding specific supported tunable options, we
just pass key as an option to haproxy config.

This change might break deployments during upgrades, since format of
values in variable has changed, but appropriate release note was written

We also increase maxrewrite by default, as otherwise usage of CSP leads
to 500 error.

Change-Id: I949960420ed5dbd6d58f0de7dae0ac629a85b7fc
Related-Bug: https://github.com/haproxy/haproxy/issues/1597
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/844815

defaults/main.yml

@@ -210,13 +210,14 @@ haproxy_maxconn: 4096
 # Parameters below should only be specified if necessary, defaults are programmed in the template
 #haproxy_tuning_params:
 #  nbproc: 1
-#  bufsize: 384000
-#  chksize: 16384
-#  comp_maxlevel: 1
-#  http_maxhdr: 101
-#  maxaccept: 64
-#  ssl_cachesize: 20000
-#  ssl_lifetime: 300
+#  tune.bufsize: 384000
+#  tune.chksize: 16384
+#  tune.comp_maxlevel: 1
+#  tune.http_maxhdr: 101
+#  tune.maxaccept: 64
+#  tune.ssl_cachesize: 20000
+#  tune.ssl_lifetime: 300
+haproxy_tuning_params: {}
 
 # Add extra VIPs to all services
 extra_lb_vip_addresses: []

releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml

@@ -0,0 +1,20 @@
+---
+upgrade:
+  - |
+    If you have defined ``haproxy_tuning_params`` in your deployment, make sure
+    that before upgrade all keys are valid haproxy options. For example,
+    instead of ``chksize: 16384`` you should set ``tune.chksize: 16384``.
+    Otherwise invalid config will be generated and haproxy will fail on
+    startup.
+    No upgrade scripts are provided for this change as well as no backwards
+    compatability.
+other:
+  - |
+    Restriction on parameters that can be passed to ``haproxy_tuning_params``
+    has been released. This means, that any tuning parameter can be passed in
+    key/value format.
+fixes:
+  - |
+    By default we increase ``tune.maxrewrite`` as otherwise while using CSP
+    headers, their size could exceed allowed buffer.
+    Also deployers can override this value if needed.

templates/haproxy.cfg.j2

@@ -7,16 +7,9 @@ global
         group haproxy
         daemon
         maxconn {{ haproxy_maxconn }}
-{% if haproxy_tuning_params is defined %}
-        nbproc {{ haproxy_tuning_params.nbproc | default('1') }}
-        tune.bufsize {{ haproxy_tuning_params.bufsize | default('384000') }}
-        tune.chksize {{ haproxy_tuning_params.chksize | default('16384') }}
-        tune.comp.maxlevel {{ haproxy_tuning_params.comp_maxlevel | default('1') }}
-        tune.http.maxhdr {{ haproxy_tuning_params.http_maxhdr | default('101') }}
-        tune.maxaccept {{ haproxy_tuning_params.maxaccept | default('64') }}
-        tune.ssl.cachesize {{ haproxy_tuning_params.ssl_cachesize | default('20000') }}
-        tune.ssl.lifetime {{ haproxy_tuning_params.ssl_lifetime | default('300') }}
-{% endif %}
+{% for key, value in ((_haproxy_default_tuning_params | default({})) | combine(haproxy_tuning_params)).items() %}
+        {{ key }} {{ value }}
+{% endfor %}
         stats socket /var/run/haproxy.stat level admin mode 600
 {% if haproxy_stats_process is defined %}
         stats bind-process {{ haproxy_stats_process }}

vars/main.yml

@@ -76,3 +76,9 @@ _haproxy_pki_install_certificates: |
   {% endif %}
   {% endfor %}
   {{ _pki_install }}
+
+# In case CSP is enabled, on newer haproxy versions, header size
+# fill more than bufsize-maxrewrite, which results in 500
+# See: https://github.com/haproxy/haproxy/issues/1597
+_haproxy_default_tuning_params:
+  tune.maxrewrite: 1280