Playbook #4
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml
Execution
Date 08 Dec 2025 13:57:07 +0000
Duration 00:24:46.17
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.11
Summary
12 Hosts
1505 Tasks
1497 Results
32 Plays
487 Files
0 Records
check:False tags:all

File: /home/zuul/src/opendev.org/openstack/openstack-ansible-haproxy_server/defaults/main.yml

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Validate Certificates when downloading hatop. May be set to "no" when proxy server
# is intercepting the certificates.
haproxy_hatop_download_validate_certs: true

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
haproxy_package_state: "latest"

## Haproxy Configuration
haproxy_rise: 3
haproxy_fall: 3
haproxy_interval: 12000

## Haproxy Stats
haproxy_stats_enabled: false
haproxy_stats_bind_address: 127.0.0.1
haproxy_stats_port: 1936
haproxy_stats_ssl: "{{ haproxy_ssl }}"
# haproxy_stats_ssl_cert_path: "{{ haproxy_ssl_cert_path }}/somecustomstatscert.pem"
# haproxy_stats_ssl_client_cert_ca: "{{ haproxy_ssl_cert_path }}/somecustomrootca.pem"
haproxy_username: admin
haproxy_stats_password: secrete
haproxy_stats_refresh_interval: 60
# Prometheus stats are supported from HAProxy v2
# Stats must be enabled above before this can be used
haproxy_stats_prometheus_enabled: false

# Default haproxy backup nodes to empty list so this doesn't have to be
# defined for each service.
haproxy_backup_nodes: []

# Configuration lines to write directly into all frontends
haproxy_frontend_extra_raw: []
haproxy_frontend_redirect_extra_raw: "{{ haproxy_frontend_extra_raw }}"

# Default values for enabling HTTP/2 support
# Note, that while HTTP/2 will be enabled on frontends that are covered with TLS,
# backends can be configured to use HTTP/2 regardless of TLS.
haproxy_frontend_h2: true
haproxy_backend_h2: false

haproxy_service_configs: []
# Example:
# haproxy_service_configs:
#   - haproxy_service_name: haproxy_all
#     haproxy_backend_nodes: "{{ groups['haproxy_all'][0] }}"
#     # haproxy_backup_nodes: "{{ groups['haproxy_all'][1:] }}"
#     haproxy_port: 80
#     haproxy_balance_type: http
#     haproxy_backend_options:
#       - "forwardfor"
#       - "httpchk"
#       - "httplog"
#     haproxy_backend_server_options:
#       - "inter 3000"                # a contrived example, there are many server config options possible
#     haproxy_acls:
#       allow_list:
#         rule: "src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
#         backend_name: "mybackend"
#     haproxy_frontend_h2: True
#     haproxy_backend_h2: False
#     haproxy_frontend_acls:
#       letsencrypt-acl:
#         rule: "path_beg /.well-known/acme-challenge/"
#         backend_name: letsencrypt
#     haproxy_stick_table:
#       - "stick-table  type ipv6  size 256k  expire 10s  store http_err_rate(10s)"
#       - "http-request track-sc0 src"
#       - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } !{ src 172.16.0.0/12 } !{ src 192.168.0.0/16 }"
#       # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
#   - haproxy_service_name: prometheus-metrics
#     haproxy_port: 8404
#     haproxy_bind:
#       - '127.0.0.1'
#     haproxy_allowlist_networks: "{{ haproxy_allowlist_networks }}"
#     haproxy_frontend_only: True
#     haproxy_balance_type: "http"
#     haproxy_frontend_raw:
#       - 'http-request use-service prometheus-exporter if { path /metrics }'
#     haproxy_service_enabled: True

# HAProxy maps (unrelated keys are omitted but are required as the previous service example)
# Example:
# haproxy_service_configs:
#   - state: present                         # state 'absent' will remove map entries defined in this service
#     haproxy_service_enabled: true          # haproxy_service_enabled 'false' will remove map entries defined in this service
#     haproxy_service_name: "one"
#     haproxy_maps:
#       - 'use_backend %[req.hdr(host),lower,map(/etc/haproxy/route.map)]'
#     haproxy_map_entries:
#       - name: 'route'                      # this service contributes entries to the map called 'route'
#         order: 10                         # prefix the name of the map fragment wih this string to control ordering of the assembled map
#         entries:
#           - compute.example.com nova-api
#           - dashboard.example.com horizon
#   - haproxy_service_name: "two"
#   - haproxy_service_name: "three"
#     haproxy_map_entries:
#       - name: 'route'                     # this service contributes to the map called 'route'
#         entries:
#           - s3.example.com radosgw
#           - sso.example.com keycloak
#       - name: 'rate'                      # and also to the map called 'rate'
#         state: present                    # individual map entries can be removed with state 'absent'
#         entries:
#           - /api/foo 20
#           - /api/bar 40
#
# Results:
#
# /etc/haproxy/route.map
#    s3.example.com radosgw
#    sso.example.com keycloak
#    compute.example.com nova-api
#    dashboard.example.com horizon
#
# /etc/haproxy/rate.map
#    /api/foo 20
#    /api/bar 40

galera_monitoring_user: monitoring
haproxy_bind_on_non_local: false

## haproxy SSL
haproxy_ssl: true
haproxy_ssl_all_vips: false
haproxy_ssl_dh_param: 2048
haproxy_ssl_cert_path: /etc/haproxy/ssl
haproxy_ssl_temp_path: "{{ haproxy_ssl_cert_path }}"
haproxy_ssl_bind_options: "ssl-min-ver TLSv1.2 prefer-client-ciphers"
haproxy_ssl_server_options: "ssl-min-ver TLSv1.2"
# TLS v1.2 and below
haproxy_ssl_cipher_suite_tls12: >-
  {{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}
# TLS v1.3
haproxy_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"

# haproxy self signed certificate

# Storage location for SSL certificate authority
haproxy_pki_dir: "{{ openstack_pki_dir | default('/etc/pki/haproxy-ca') }}"

# Delegated host for operating the certificate authority
haproxy_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# Create a certificate authority if one does not already exist
haproxy_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool }}"
haproxy_pki_regen_ca: ""
haproxy_pki_authorities:
  - name: "HAProxyRoot"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "HAProxy Root CA"
    provider: selfsigned
    basic_constraints: "CA:TRUE"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    not_after: "+3650d"
  - name: "HAProxyIntermediate"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "HAProxy Intermediate CA"
    provider: ownca
    basic_constraints: "CA:TRUE,pathlen:0"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    not_after: "+3650d"
    signed_by: "HAProxyRoot"

# Installation details for certificate authorities
haproxy_pki_install_ca:
  - name: "HAProxyRoot"
    condition: "{{ haproxy_pki_create_ca }}"

# HAProxy server certificate
haproxy_pki_keys_path: "{{ haproxy_pki_dir ~ '/certs/private/' }}"
haproxy_pki_certs_path: "{{ haproxy_pki_dir ~ '/certs/certs/' }}"
haproxy_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}"
haproxy_pki_intermediate_cert_path: >-
  {{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}
haproxy_pki_regen_cert: ""
haproxy_pki_certificates: "{{ _haproxy_pki_certificates }}"

# SSL certificate creation
haproxy_pki_create_certificates: "{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}"

# Installation details for SSL certificates
haproxy_pki_install_certificates: "{{ _haproxy_pki_install_certificates }}"

# activate letsencrypt option
haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_certbot_binary: "certbot"
haproxy_ssl_letsencrypt_certbot_backend_port: 8888
haproxy_ssl_letsencrypt_pre_hook_timeout: 5
haproxy_ssl_letsencrypt_certbot_bind_address: "{{ management_address | default(ansible_host) }}"
haproxy_ssl_letsencrypt_certbot_challenge: "http-01"
haproxy_ssl_letsencrypt_email: "example@example.com"
haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
haproxy_ssl_letsencrypt_setup_extra_params: ""
haproxy_ssl_letsencrypt_acl:
  letsencrypt-acl:
    rule: "path_beg /.well-known/acme-challenge/"
    backend_name: letsencrypt
# Use alternative CA that supports ACME, can be a public or private CA
# haproxy_ssl_letsencrypt_certbot_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
haproxy_ssl_letsencrypt_domains:
  - "{{ external_lb_vip_address }}"

# hatop extra package URL and checksum
haproxy_hatop_download_url: "https://github.com/jhunt/hatop/archive/refs/tags/v0.8.2.tar.gz"
haproxy_hatop_download_checksum: "sha256:7fac1f593f92b939cfce34175b593e43862eee8e25db251d03a910b37721fc5d"

# Install hatop
haproxy_hatop_install: true

# The location where the extra packages are downloaded to
haproxy_hatop_download_path: "/opt/cache/files"

## haproxy default
# Set the number of retries to perform on a server after a connection failure
haproxy_retries: "3"
# Set the maximum inactivity time on the client side
haproxy_client_timeout: "50s"
# Set the maximum time to wait for a connection attempt to a server to succeed
haproxy_connect_timeout: "10s"
# Set the maximum allowed time to wait for a complete HTTP request
haproxy_http_request_timeout: "5s"
# Set the maximum inactivity time on the server side
haproxy_server_timeout: "50s"
# Set the HTTP keepalive mode to use
# Disable persistent connections by default because they can cause issues when the server side closes the connection
# at the same time a request is sent.
haproxy_keepalive_mode: "httpclose"

## haproxy tuning params
haproxy_maxconn: 4096

# Parameters below should only be specified if necessary, defaults are programmed in the template
# haproxy_tuning_params:
#   tune.bufsize: 384000
#   tune.chksize: 16384
#   tune.comp_maxlevel: 1
#   tune.http_maxhdr: 101
#   tune.maxaccept: 64
#   tune.ssl_cachesize: 20000
#   tune.ssl_lifetime: 300
haproxy_tuning_params: {}

# Add extra VIPs to all services
extra_lb_vip_addresses: []

# Add extra TLS VIPs to all services
extra_lb_tls_vip_addresses: []

# Option to override which address haproxy binds to for external vip.
haproxy_bind_external_lb_vip_address: "{{ external_lb_vip_address }}"

# Option to override which address haproxy binds to for internal vip.
haproxy_bind_internal_lb_vip_address: "{{ internal_lb_vip_address }}"

# Option to define if you need haproxy to bind on specific interface.
haproxy_bind_external_lb_vip_interface:
haproxy_bind_internal_lb_vip_interface:

# Option to override haproxy frontend binds
# Example:
# haproxy_vip_binds:
#   - address: '*'
#     interface: bond0
#     type: external
#   - address: '192.168.0.10'
#     pki_san_records:
#       - internal.cloud
haproxy_vip_binds: "{{ haproxy_tls_vip_binds | default(_haproxy_vip_binds) }}"

# Make the log socket available to the chrooted filesystem
haproxy_log_socket: "/dev/log"
haproxy_log_mount_point: "/var/lib/haproxy/dev/log"

# Ansible group name which should be used for distrtibuting self signed SSL Certificates
haproxy_ansible_group_name: haproxy_all

## security.txt
# When security risks in web services are discovered by independent security
# researchers who understand the severity of the risk, they often lack the
# channels to disclose them properly. As a result, security issues may be
# left unreported. security.txt defines a standard to help organizations
# define the process for security researchers to disclose security
# vulnerabilities securely. For more information see https://securitytxt.org/
# This content will be hosted at /security.txt and /.well-known/security.txt
haproxy_security_txt_dir: "/etc/haproxy"
haproxy_security_txt_headers: |
  HTTP/1.0 200 OK
  Cache-Control: no-cache
  Connection: close
  Content-Type: text/plain; charset=utf-8

haproxy_security_txt_content: ""
# haproxy_security_txt_content: |
#   # Please see https://securitytxt.org/ for details of the specification of this file

# Allows to copy any static file to the destination hosts
haproxy_static_files_default:
  - dest: "{{ haproxy_security_txt_dir }}/security.txt"
    content: "{{ haproxy_security_txt_headers + '\n' + haproxy_security_txt_content }}"
    condition: "{{ haproxy_security_txt_content is truthy }}"
haproxy_static_files_extra: []
haproxy_static_files: "{{ haproxy_static_files_default + haproxy_static_files_extra }}"

haproxy_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"

# Allows to define custom errorfiles in the format:
# - code: 504
#   path: /path/to/504.http
# You can use haproxy_static_files_extra to add those files.
# See https://github.com/haproxy/haproxy/tree/master/examples/errorfiles for examples
#
# An example combination of haproxy_static_files_extra and haproxy_errorfiles:
# haproxy_static_files_extra:
#   - dest: /etc/haproxy/500.http
#     content: |
#       HTTP/1.0 500 Internal Server Error
#       Cache-Control: no-cache
#       Connection: close
#       Content-Type: text/html
#
#       <html><body><h1>500 Internal Server Error</h1>
#       This Server Made a Boo Boo
#       </body></html>
#   - dest: /etc/haproxy/504.http
#     content: "{{ lookup('file', '/etc/openstack_deploy/haproxy/504.http') }}"
#
# haproxy_errorfiles:
#   - code: 500
#     path: /etc/haproxy/500.http
#   - code: 504
#     path: /etc/haproxy/504.http
#
haproxy_errorfiles: []