
With the update of ansible-lint to version >=6.0.0 a lot of new linters were added that are enabled by default. In order to comply with the linter rules we're applying changes to the role. With that we also update the metadata to reflect the current state. Change-Id: I8c316dd62ac22ccd9578bb0199ab8f25c0104f9a
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Validate Certificates when downloading hatop. May be set to "no" when proxy server
|
|
# is intercepting the certificates.
|
|
haproxy_hatop_download_validate_certs: yes
|
|
|
|
# Set the package install state for distribution packages
|
|
# Options are 'present' and 'latest'
|
|
haproxy_package_state: "latest"
|
|
|
|
## Haproxy Configuration
|
|
haproxy_rise: 3
|
|
haproxy_fall: 3
|
|
haproxy_interval: 12000
|
|
|
|
## Haproxy Stats
|
|
haproxy_stats_enabled: False
|
|
haproxy_stats_bind_address: 127.0.0.1
|
|
haproxy_stats_port: 1936
|
|
haproxy_stats_ssl: "{{ haproxy_ssl }}"
|
|
haproxy_username: admin
|
|
haproxy_stats_password: secrete
|
|
haproxy_stats_refresh_interval: 60
|
|
# Prometheus stats are supported from HAProxy v2
|
|
# Stats must be enabled above before this can be used
|
|
haproxy_stats_prometheus_enabled: False
|
|
# Pin stats gathering to one or more processes when using 'nbproc' tuning
|
|
# For permitted options see https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-stats%20bind-process
|
|
# haproxy_stats_process: all
|
|
|
|
# Default haproxy backup nodes to empty list so this doesn't have to be
|
|
# defined for each service.
|
|
haproxy_backup_nodes: []
|
|
|
|
# Configuration lines to write directly into all frontends
|
|
haproxy_frontend_extra_raw: []
|
|
haproxy_frontend_redirect_extra_raw: "{{ haproxy_frontend_extra_raw }}"
|
|
|
|
haproxy_service_configs: []
|
|
# Example:
|
|
# haproxy_service_configs:
|
|
# - haproxy_service_name: haproxy_all
|
|
# haproxy_backend_nodes: "{{ groups['haproxy_all'][0] }}"
|
|
# # haproxy_backup_nodes: "{{ groups['haproxy_all'][1:] }}"
|
|
# haproxy_port: 80
|
|
# haproxy_balance_type: http
|
|
# haproxy_backend_options:
|
|
# - "forwardfor"
|
|
# - "httpchk"
|
|
# - "httplog"
|
|
# haproxy_backend_server_options:
|
|
# - "inter 3000" # a contrived example, there are many server config options possible
|
|
# haproxy_acls:
|
|
# allow_list:
|
|
# rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
|
|
# backend_name: "mybackend"
|
|
# haproxy_frontend_acls:
|
|
# letsencrypt-acl:
|
|
# rule: "path_beg /.well-known/acme-challenge/"
|
|
# backend_name: letsencrypt
|
|
# haproxy_stick_table:
|
|
# - "stick-table type ipv6 size 256k expire 10s store http_err_rate(10s)"
|
|
# - "http-request track-sc0 src"
|
|
# - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } !{ src 172.16.0.0/12 } !{ src 192.168.0.0/16 }"
|
|
# # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
|
|
# - haproxy_service_name: prometheus-metrics
|
|
# haproxy_port: 8404
|
|
# haproxy_bind:
|
|
# - '127.0.0.1'
|
|
# haproxy_allowlist_networks: "{{ haproxy_allowlist_networks }}"
|
|
# haproxy_frontend_only: True
|
|
# haproxy_balance_type: "http"
|
|
# haproxy_frontend_raw:
|
|
# - 'http-request use-service prometheus-exporter if { path /metrics }'
|
|
# haproxy_service_enabled: True
|
|
|
|
# HAProxy maps (unrelated keys are omitted but are required as the previous service example)
|
|
# Example:
|
|
# haproxy_service_configs:
|
|
# - state: present # state 'absent' will remove map entries defined in this service
|
|
# haproxy_service_enabled: true # haproxy_service_enabled 'false' will remove map entries defined in this service
|
|
# haproxy_service_name: "one"
|
|
# haproxy_maps:
|
|
# - 'use_backend %[req.hdr(host),lower,map(/etc/haproxy/route.map)]'
|
|
# haproxy_map_entries:
|
|
# - name: 'route' # this service contributes entries to the map called 'route'
|
|
# order: 10 # prefix the name of the map fragment wih this string to control ordering of the assembled map
|
|
# entries:
|
|
# - compute.example.com nova-api
|
|
# - dashboard.example.com horizon
|
|
# - haproxy_service_name: "two"
|
|
# - haproxy_service_name: "three"
|
|
# haproxy_map_entries:
|
|
# - name: 'route' # this service contributes to the map called 'route'
|
|
# entries:
|
|
# - s3.example.com radosgw
|
|
# - sso.example.com keycloak
|
|
# - name: 'rate' # and also to the map called 'rate'
|
|
# state: present # individual map entries can be removed with state 'absent'
|
|
# entries:
|
|
# - /api/foo 20
|
|
# - /api/bar 40
|
|
#
|
|
# Results:
|
|
#
|
|
# /etc/haproxy/route.map
|
|
# s3.example.com radosgw
|
|
# sso.example.com keycloak
|
|
# compute.example.com nova-api
|
|
# dashboard.example.com horizon
|
|
#
|
|
# /etc/haproxy/rate.map
|
|
# /api/foo 20
|
|
# /api/bar 40
|
|
|
|
galera_monitoring_user: monitoring
|
|
haproxy_bind_on_non_local: False
|
|
|
|
## haproxy SSL
|
|
haproxy_ssl: true
|
|
haproxy_ssl_all_vips: false
|
|
haproxy_ssl_dh_param: 2048
|
|
haproxy_ssl_cert_path: /etc/haproxy/ssl
|
|
haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
|
|
haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
|
|
# TLS v1.2 and below
|
|
haproxy_ssl_cipher_suite_tls12: >-
|
|
{{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
|
|
# TLS v1.3
|
|
haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
|
|
|
|
# haproxy self signed certificate
|
|
|
|
# Storage location for SSL certificate authority
|
|
haproxy_pki_dir: "{{ openstack_pki_dir | default('/etc/pki/haproxy-ca') }}"
|
|
|
|
# Delegated host for operating the certificate authority
|
|
haproxy_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
|
|
|
# Create a certificate authority if one does not already exist
|
|
haproxy_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool }}"
|
|
haproxy_pki_regen_ca: ''
|
|
haproxy_pki_authorities:
|
|
- name: "HAProxyRoot"
|
|
country: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
cn: "HAProxy Root CA"
|
|
provider: selfsigned
|
|
basic_constraints: "CA:TRUE"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
- name: "HAProxyIntermediate"
|
|
country: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
cn: "HAProxy Intermediate CA"
|
|
provider: ownca
|
|
basic_constraints: "CA:TRUE,pathlen:0"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
signed_by: "HAProxyRoot"
|
|
|
|
# Installation details for certificate authorities
|
|
haproxy_pki_install_ca:
|
|
- name: "HAProxyRoot"
|
|
condition: "{{ haproxy_pki_create_ca }}"
|
|
|
|
# HAProxy server certificate
|
|
haproxy_pki_keys_path: "{{ haproxy_pki_dir ~ '/certs/private/' }}"
|
|
haproxy_pki_certs_path: "{{ haproxy_pki_dir ~ '/certs/certs/' }}"
|
|
haproxy_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}"
|
|
haproxy_pki_intermediate_cert_path: >-
|
|
{{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}
|
|
haproxy_pki_regen_cert: ''
|
|
haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}"
|
|
|
|
# Installation details for SSL certificates
|
|
haproxy_pki_install_certificates: "{{ _haproxy_pki_install_certificates }}"
|
|
|
|
# activate letsencrypt option
|
|
haproxy_ssl_letsencrypt_enable: false
|
|
haproxy_ssl_letsencrypt_certbot_binary: 'certbot'
|
|
haproxy_ssl_letsencrypt_certbot_backend_port: 8888
|
|
haproxy_ssl_letsencrypt_pre_hook_timeout: 5
|
|
haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"
|
|
haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
|
|
haproxy_ssl_letsencrypt_email: "example@example.com"
|
|
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
|
|
haproxy_ssl_letsencrypt_setup_extra_params: ""
|
|
haproxy_ssl_letsencrypt_acl:
|
|
letsencrypt-acl:
|
|
rule: "path_beg /.well-known/acme-challenge/"
|
|
backend_name: letsencrypt
|
|
# Use alternative CA that supports ACME, can be a public or private CA
|
|
# haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
|
haproxy_ssl_letsencrypt_domains:
|
|
- "{{ external_lb_vip_address }}"
|
|
|
|
# hatop extra package URL and checksum
|
|
haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/refs/tags/v0.8.2.tar.gz"
|
|
haproxy_hatop_download_checksum: "sha256:7fac1f593f92b939cfce34175b593e43862eee8e25db251d03a910b37721fc5d"
|
|
|
|
# Install hatop
|
|
haproxy_hatop_install: true
|
|
|
|
# The location where the extra packages are downloaded to
|
|
haproxy_hatop_download_path: "/opt/cache/files"
|
|
|
|
## haproxy default
|
|
# Set the number of retries to perform on a server after a connection failure
|
|
haproxy_retries: "3"
|
|
# Set the maximum inactivity time on the client side
|
|
haproxy_client_timeout: "50s"
|
|
# Set the maximum time to wait for a connection attempt to a server to succeed
|
|
haproxy_connect_timeout: "10s"
|
|
# Set the maximum allowed time to wait for a complete HTTP request
|
|
haproxy_http_request_timeout: "5s"
|
|
# Set the maximum inactivity time on the server side
|
|
haproxy_server_timeout: "50s"
|
|
# Set the HTTP keepalive mode to use
|
|
# Disable persistent connections by default because they can cause issues when the server side closes the connection
|
|
# at the same time a request is sent.
|
|
haproxy_keepalive_mode: 'httpclose'
|
|
|
|
|
|
## haproxy tuning params
|
|
haproxy_maxconn: 4096
|
|
|
|
# Parameters below should only be specified if necessary, defaults are programmed in the template
|
|
# haproxy_tuning_params:
|
|
# nbproc: 1
|
|
# tune.bufsize: 384000
|
|
# tune.chksize: 16384
|
|
# tune.comp_maxlevel: 1
|
|
# tune.http_maxhdr: 101
|
|
# tune.maxaccept: 64
|
|
# tune.ssl_cachesize: 20000
|
|
# tune.ssl_lifetime: 300
|
|
haproxy_tuning_params: {}
|
|
|
|
# Add extra VIPs to all services
|
|
extra_lb_vip_addresses: []
|
|
|
|
# Add extra TLS VIPs to all services
|
|
extra_lb_tls_vip_addresses: []
|
|
|
|
# Option to override which address haproxy binds to for external vip.
|
|
haproxy_bind_external_lb_vip_address: "{{ external_lb_vip_address }}"
|
|
|
|
# Option to override which address haproxy binds to for internal vip.
|
|
haproxy_bind_internal_lb_vip_address: "{{ internal_lb_vip_address }}"
|
|
|
|
# Option to define if you need haproxy to bind on specific interface.
|
|
haproxy_bind_external_lb_vip_interface:
|
|
haproxy_bind_internal_lb_vip_interface:
|
|
|
|
# Option to override haproxy frontend binds
|
|
# Example:
|
|
# haproxy_tls_vip_binds:
|
|
# - address: '*'
|
|
# interface: bond0
|
|
# - address: '192.168.0.10'
|
|
|
|
haproxy_tls_vip_binds: "{{ _haproxy_tls_vip_binds }}"
|
|
|
|
# Make the log socket available to the chrooted filesystem
|
|
haproxy_log_socket: "/dev/log"
|
|
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"
|
|
|
|
# Ansible group name which should be used for distrtibuting self signed SSL Certificates
|
|
haproxy_ansible_group_name: haproxy_all
|
|
|
|
## security.txt
|
|
# When security risks in web services are discovered by independent security
|
|
# researchers who understand the severity of the risk, they often lack the
|
|
# channels to disclose them properly. As a result, security issues may be
|
|
# left unreported. security.txt defines a standard to help organizations
|
|
# define the process for security researchers to disclose security
|
|
# vulnerabilities securely. For more information see https://securitytxt.org/
|
|
# This content will be hosted at /security.txt and /.well-known/security.txt
|
|
haproxy_security_txt_dir: "/etc/haproxy"
|
|
haproxy_security_txt_headers: |
|
|
HTTP/1.0 200 OK
|
|
Cache-Control: no-cache
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
haproxy_security_txt_content: ''
|
|
# haproxy_security_txt_content: |
|
|
# # Please see https://securitytxt.org/ for details of the specification of this file
|
|
|
|
# Allows to copy any static file to the destination hosts
|
|
haproxy_static_files_default:
|
|
- dest: "{{ haproxy_security_txt_dir }}/security.txt"
|
|
content: "{{ haproxy_security_txt_headers + '\n' + haproxy_security_txt_content }}"
|
|
condition: "{{ haproxy_security_txt_content is truthy }}"
|
|
haproxy_static_files_extra: []
|
|
haproxy_static_files: "{{ haproxy_static_files_default + haproxy_static_files_extra }}"
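Review bot: `haproxy_hatop_download_validate_certs: yes` and the three `False` values (`haproxy_stats_enabled`, `haproxy_stats_prometheus_enabled`, `haproxy_bind_on_non_local`) still use non-canonical truthy spellings, which ansible-lint >=6 reports under its `yaml[truthy]` rule — the same rule set this change says it is bringing the role in line with; write them as `true` / `false`, e.g. `haproxy_hatop_download_validate_certs: true` and `haproxy_stats_enabled: false`. `haproxy_stats_password: secrete` ships a fixed default credential for the stats endpoint with no comment saying it is a placeholder; if keeping a default is intentional, a comment above it such as `# Placeholder only - override in group_vars/user_variables before deploying` would make the expectation explicit to operators. `haproxy_bind_external_lb_vip_interface:` and `haproxy_bind_internal_lb_vip_interface:` are bare empty values that load as null; writing `null` documents that intent and avoids yamllint's `empty-values` check where it is enabled.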
|