{"id":96,"sha1":"b86341d9b856cac6b3eab31c8b3fc5e9207f00d7","playbook":{"id":2,"items":{"plays":18,"tasks":608,"results":2412,"hosts":15,"files":158,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:40:18.992997Z","ended":"2025-12-08T13:50:25.791366Z","duration":"00:10:06.798369","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nhaproxy_bind_on_non_local: \"{{ (groups.haproxy | length) > 1 }}\"\nhaproxy_use_keepalived: \"{{ (groups.haproxy | length) > 1 }}\"\nkeepalived_selinux_compile_rules:\n  - keepalived_ping\n  - keepalived_haproxy_pid_file\n\nhaproxy_ssl_letsencrypt_enable: false\nhaproxy_ssl_letsencrypt_acl:\n  letsencrypt-acl:\n    rule: \"path_beg /.well-known/acme-challenge/\"\n    backend_name: letsencrypt\n\n# Ensure that the package state matches the global setting\nhaproxy_package_state: \"{{ package_state }}\"\n\n# Variables to set security headers used by browsers\nhaproxy_security_headers_max_age: 31536000\n# Set CSP headers to report only for testing\nhaproxy_security_headers_csp_report_only: False\nhaproxy_security_child_src_records:\n  - \"{{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }}\"\n  - \"{{ external_lb_vip_address }}:{{ nova_novncproxy_port }}\"\n  - \"{{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}\"\nhaproxy_security_frame_ancestors_records: []\nhaproxy_security_frame_src_records: \"{{ haproxy_security_child_src_records }}\"\nhaproxy_security_connect_src_records:\n  - \"{{ external_lb_vip_address }}:*\"\n  - \"wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}\"\nhaproxy_security_headers_csp: >\n  http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"\n  default-src 'self';\n  frame-ancestors 'self' {{ haproxy_security_frame_ancestors_records | join(' ') }};\n  form-action 'self';\n  upgrade-insecure-requests;\n  style-src 'self' 'unsafe-inline';\n  script-src 'self' 'unsafe-inline' 'unsafe-eval';\n  child-src 'self' {{ haproxy_security_child_src_records | join(' ') }};\n  frame-src 'self' {{ haproxy_security_frame_src_records | join(' ') }};\n  connect-src 'self' {{ haproxy_security_connect_src_records | join(' ') }};\n  img-src 'self' data:;\n  worker-src blob:;\n  \"\n\n# To disable security headers set to []\nhaproxy_security_headers:\n  - \"http-response set-header Strict-Transport-Security \\\"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\\\"\"\n  - 'http-response set-header X-Content-Type-Options \"nosniff\"'\n  - 'http-response set-header Referrer-Policy \"same-origin\"'\n  - 'http-response set-header Permissions-Policy \"accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()\"'\n\nhaproxy_security_txt_service:\n  haproxy_backend_only: true\n  haproxy_service_name: security_txt\n  haproxy_backend_nodes: []\n  haproxy_balance_type: http\n  haproxy_service_enabled: \"{{ haproxy_security_txt_content is truthy }}\"\n  # https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/\n  haproxy_backend_arguments:\n    - 'errorfile 503 /etc/haproxy/security.txt'\n  haproxy_map_entries:\n    - name: base_regex\n      entries:\n        - '.*/security.txt security_txt-back'\n\n# haproxy 'base' frontend-only service that is used always deployed for port 80 redirect and 443\n# this potentially supports horizon dashboard, security.txt and certbot\n# plus any other user defined custom backend\nhaproxy_base_service:\n  haproxy_service_name: base\n  haproxy_frontend_only: true\n  haproxy_ssl: \"{{ haproxy_ssl }}\"\n  haproxy_ssl_all_vips: true\n  haproxy_port: \"{{ haproxy_ssl | ternary(443,80) }}\"\n  haproxy_redirect_http_port: 80\n  haproxy_balance_type: http\n  haproxy_service_enabled: true\n  haproxy_redirect_scheme: \"{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}\"\n  haproxy_frontend_acls: \"{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}\"\n  haproxy_frontend_raw: >-\n    {{\n      (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary(\n        haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)] + [haproxy_skyline_csp | default('')],\n        [])\n    }}\n  haproxy_maps:\n    - 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'\n  haproxy_map_entries:\n    - name: base_regex\n      entries:\n        - \"#Regular expression map file - this comment is defined in the base frontend config\"\n\n# Handles LetsEncrypt HTTP-01 challenge\nhaproxy_letsencrypt_service:\n  haproxy_service_name: letsencrypt\n  haproxy_backend_nodes: \"{{ groups['haproxy_all'] }}\"\n  backend_rise: 1\n  backend_fall: 5\n  interval: 4000\n  haproxy_bind:\n    - 127.0.0.1\n  haproxy_port: \"{{ haproxy_ssl_letsencrypt_certbot_backend_port }}\"\n  haproxy_balance_type: http\n  haproxy_service_enabled: \"{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}\"\n\n# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'\nhaproxy_ceph_rgw_service:\n  haproxy_service_name: ceph-rgw\n  haproxy_backend_nodes: \"{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}\"\n  haproxy_ssl: \"{{ haproxy_ssl }}\"\n  haproxy_ssl_all_vips: \"{{ haproxy_ssl_all_vips }}\"\n  haproxy_balance_alg: source\n  haproxy_port: \"{{ radosgw_service_port | default(7980) }}\"\n  haproxy_balance_type: http\n  haproxy_backend_httpcheck_options:\n    - send meth HEAD\n    - expect rstatus 200|405\n  # `openstack_service_backend_ssl` is not taken into account if ceph is installed independently.\n  haproxy_backend_ssl: \"{{ ceph_rgw_backend_ssl | default((groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(openstack_service_backend_ssl, False)) }}\"\n  haproxy_backend_ca: \"{{ ceph_rgw_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}\"\n  haproxy_accept_both_protocols: \"{{ ceph_rgw_accept_both_protocols | default(openstack_service_accept_both_protocols) }}\"\n  haproxy_service_enabled: \"{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}\"\n\nhaproxy_default_services:\n  - \"{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}\"\n  - \"{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}\"\n  - \"{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}\"\n  - \"{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}\"\n\n# ensure correct facts are gathered in haproxy play\n# to determine the network gateway to use in keepalived track script\ndeployment_extra_facts_filter:\n  - \"ansible_processor_*\"\n  - ansible_default_ipv4\ndeployment_extra_facts_subset:\n  - '!all'\n  - hardware\n  - network\n","created":"2025-12-08T13:40:46.514774Z","updated":"2025-12-08T13:40:46.514786Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/group_vars/haproxy/haproxy.yml"}