{"id":183,"sha1":"82984b1fbf33e04b88040170f1d96386805faea7","playbook":{"id":3,"items":{"plays":37,"tasks":374,"results":364,"hosts":2,"files":208,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-infrastructure.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:33:24.432723Z","ended":"2025-12-08T13:39:38.483304Z","duration":"00:06:14.050581","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-infrastructure.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2014, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# Validate Certificates when downloading hatop. May be set to \"no\" when proxy server\n# is intercepting the certificates.\nhaproxy_hatop_download_validate_certs: true\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\nhaproxy_package_state: \"latest\"\n\n## Haproxy Configuration\nhaproxy_rise: 3\nhaproxy_fall: 3\nhaproxy_interval: 12000\n\n## Haproxy Stats\nhaproxy_stats_enabled: false\nhaproxy_stats_bind_address: 127.0.0.1\nhaproxy_stats_port: 1936\nhaproxy_stats_ssl: \"{{ haproxy_ssl }}\"\n# haproxy_stats_ssl_cert_path: \"{{ haproxy_ssl_cert_path }}/somecustomstatscert.pem\"\n# haproxy_stats_ssl_client_cert_ca: \"{{ haproxy_ssl_cert_path }}/somecustomrootca.pem\"\nhaproxy_username: admin\nhaproxy_stats_password: secrete\nhaproxy_stats_refresh_interval: 60\n# Prometheus stats are supported from HAProxy v2\n# Stats must be enabled above before this can be used\nhaproxy_stats_prometheus_enabled: false\n\n# Default haproxy backup nodes to empty list so this doesn't have to be\n# defined for each service.\nhaproxy_backup_nodes: []\n\n# Configuration lines to write directly into all frontends\nhaproxy_frontend_extra_raw: []\nhaproxy_frontend_redirect_extra_raw: \"{{ haproxy_frontend_extra_raw }}\"\n\n# Default values for enabling HTTP/2 support\n# Note, that while HTTP/2 will be enabled on frontends that are covered with TLS,\n# backends can be configured to use HTTP/2 regardless of TLS.\nhaproxy_frontend_h2: true\nhaproxy_backend_h2: false\n\nhaproxy_service_configs: []\n# Example:\n# haproxy_service_configs:\n#   - haproxy_service_name: haproxy_all\n#     haproxy_backend_nodes: \"{{ groups['haproxy_all'][0] }}\"\n#     # haproxy_backup_nodes: \"{{ groups['haproxy_all'][1:] }}\"\n#     haproxy_port: 80\n#     haproxy_balance_type: http\n#     haproxy_backend_options:\n#       - \"forwardfor\"\n#       - \"httpchk\"\n#       - \"httplog\"\n#     haproxy_backend_server_options:\n#       - \"inter 3000\"                # a contrived example, there are many server config options possible\n#     haproxy_acls:\n#       allow_list:\n#         rule: \"src 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8\"\n#         backend_name: \"mybackend\"\n#     haproxy_frontend_h2: True\n#     haproxy_backend_h2: False\n#     haproxy_frontend_acls:\n#       letsencrypt-acl:\n#         rule: \"path_beg /.well-known/acme-challenge/\"\n#         backend_name: letsencrypt\n#     haproxy_stick_table:\n#       - \"stick-table  type ipv6  size 256k  expire 10s  store http_err_rate(10s)\"\n#       - \"http-request track-sc0 src\"\n#       - \"http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src 10.0.0.0/8 } !{ src 172.16.0.0/12 } !{ src 192.168.0.0/16 }\"\n#       # https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/\n#   - haproxy_service_name: prometheus-metrics\n#     haproxy_port: 8404\n#     haproxy_bind:\n#       - '127.0.0.1'\n#     haproxy_allowlist_networks: \"{{ haproxy_allowlist_networks }}\"\n#     haproxy_frontend_only: True\n#     haproxy_balance_type: \"http\"\n#     haproxy_frontend_raw:\n#       - 'http-request use-service prometheus-exporter if { path /metrics }'\n#     haproxy_service_enabled: True\n\n# HAProxy maps (unrelated keys are omitted but are required as the previous service example)\n# Example:\n# haproxy_service_configs:\n#   - state: present                         # state 'absent' will remove map entries defined in this service\n#     haproxy_service_enabled: true          # haproxy_service_enabled 'false' will remove map entries defined in this service\n#     haproxy_service_name: \"one\"\n#     haproxy_maps:\n#       - 'use_backend %[req.hdr(host),lower,map(/etc/haproxy/route.map)]'\n#     haproxy_map_entries:\n#       - name: 'route'                      # this service contributes entries to the map called 'route'\n#         order: 10                         # prefix the name of the map fragment wih this string to control ordering of the assembled map\n#         entries:\n#           - compute.example.com nova-api\n#           - dashboard.example.com horizon\n#   - haproxy_service_name: \"two\"\n#   - haproxy_service_name: \"three\"\n#     haproxy_map_entries:\n#       - name: 'route'                     # this service contributes to the map called 'route'\n#         entries:\n#           - s3.example.com radosgw\n#           - sso.example.com keycloak\n#       - name: 'rate'                      # and also to the map called 'rate'\n#         state: present                    # individual map entries can be removed with state 'absent'\n#         entries:\n#           - /api/foo 20\n#           - /api/bar 40\n#\n# Results:\n#\n# /etc/haproxy/route.map\n#    s3.example.com radosgw\n#    sso.example.com keycloak\n#    compute.example.com nova-api\n#    dashboard.example.com horizon\n#\n# /etc/haproxy/rate.map\n#    /api/foo 20\n#    /api/bar 40\n\ngalera_monitoring_user: monitoring\nhaproxy_bind_on_non_local: false\n\n## haproxy SSL\nhaproxy_ssl: true\nhaproxy_ssl_all_vips: false\nhaproxy_ssl_dh_param: 2048\nhaproxy_ssl_cert_path: /etc/haproxy/ssl\nhaproxy_ssl_temp_path: \"{{ haproxy_ssl_cert_path }}\"\nhaproxy_ssl_bind_options: \"ssl-min-ver TLSv1.2 prefer-client-ciphers\"\nhaproxy_ssl_server_options: \"ssl-min-ver TLSv1.2\"\n# TLS v1.2 and below\nhaproxy_ssl_cipher_suite_tls12: >-\n  {{ haproxy_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM')) }}\n# TLS v1.3\nhaproxy_ssl_cipher_suite_tls13: \"{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}\"\n\n# haproxy self signed certificate\n\n# Storage location for SSL certificate authority\nhaproxy_pki_dir: \"{{ openstack_pki_dir | default('/etc/pki/haproxy-ca') }}\"\n\n# Delegated host for operating the certificate authority\nhaproxy_pki_setup_host: \"{{ openstack_pki_setup_host | default('localhost') }}\"\n\n# Create a certificate authority if one does not already exist\nhaproxy_pki_create_ca: \"{{ openstack_pki_authorities is not defined | bool }}\"\nhaproxy_pki_regen_ca: \"\"\nhaproxy_pki_authorities:\n  - name: \"HAProxyRoot\"\n    country: \"GB\"\n    state_or_province_name: \"England\"\n    organization_name: \"Example Corporation\"\n    organizational_unit_name: \"IT Security\"\n    cn: \"HAProxy Root CA\"\n    provider: selfsigned\n    basic_constraints: \"CA:TRUE\"\n    key_usage:\n      - digitalSignature\n      - cRLSign\n      - keyCertSign\n    not_after: \"+3650d\"\n  - name: \"HAProxyIntermediate\"\n    country: \"GB\"\n    state_or_province_name: \"England\"\n    organization_name: \"Example Corporation\"\n    organizational_unit_name: \"IT Security\"\n    cn: \"HAProxy Intermediate CA\"\n    provider: ownca\n    basic_constraints: \"CA:TRUE,pathlen:0\"\n    key_usage:\n      - digitalSignature\n      - cRLSign\n      - keyCertSign\n    not_after: \"+3650d\"\n    signed_by: \"HAProxyRoot\"\n\n# Installation details for certificate authorities\nhaproxy_pki_install_ca:\n  - name: \"HAProxyRoot\"\n    condition: \"{{ haproxy_pki_create_ca }}\"\n\n# HAProxy server certificate\nhaproxy_pki_keys_path: \"{{ haproxy_pki_dir ~ '/certs/private/' }}\"\nhaproxy_pki_certs_path: \"{{ haproxy_pki_dir ~ '/certs/certs/' }}\"\nhaproxy_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default('HAProxyIntermediate') }}\"\nhaproxy_pki_intermediate_cert_path: >-\n  {{ haproxy_pki_dir ~ '/roots/' ~ haproxy_pki_intermediate_cert_name ~ '/certs/' ~ haproxy_pki_intermediate_cert_name ~ '.crt' }}\nhaproxy_pki_regen_cert: \"\"\nhaproxy_pki_certificates: \"{{ _haproxy_pki_certificates }}\"\n\n# SSL certificate creation\nhaproxy_pki_create_certificates: \"{{ haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined }}\"\n\n# Installation details for SSL certificates\nhaproxy_pki_install_certificates: \"{{ _haproxy_pki_install_certificates }}\"\n\n# activate letsencrypt option\nhaproxy_ssl_letsencrypt_enable: false\nhaproxy_ssl_letsencrypt_certbot_binary: \"certbot\"\nhaproxy_ssl_letsencrypt_certbot_backend_port: 8888\nhaproxy_ssl_letsencrypt_pre_hook_timeout: 5\nhaproxy_ssl_letsencrypt_certbot_bind_address: \"{{ management_address | default(ansible_host) }}\"\nhaproxy_ssl_letsencrypt_certbot_challenge: \"http-01\"\nhaproxy_ssl_letsencrypt_email: \"example@example.com\"\nhaproxy_ssl_letsencrypt_config_path: \"/etc/letsencrypt/live\"\nhaproxy_ssl_letsencrypt_setup_extra_params: \"\"\nhaproxy_ssl_letsencrypt_acl:\n  letsencrypt-acl:\n    rule: \"path_beg /.well-known/acme-challenge/\"\n    backend_name: letsencrypt\n# Use alternative CA that supports ACME, can be a public or private CA\n# haproxy_ssl_letsencrypt_certbot_server: \"https://acme-staging-v02.api.letsencrypt.org/directory\"\nhaproxy_ssl_letsencrypt_domains:\n  - \"{{ external_lb_vip_address }}\"\n\n# hatop extra package URL and checksum\nhaproxy_hatop_download_url: \"https://github.com/jhunt/hatop/archive/refs/tags/v0.8.2.tar.gz\"\nhaproxy_hatop_download_checksum: \"sha256:7fac1f593f92b939cfce34175b593e43862eee8e25db251d03a910b37721fc5d\"\n\n# Install hatop\nhaproxy_hatop_install: true\n\n# The location where the extra packages are downloaded to\nhaproxy_hatop_download_path: \"/opt/cache/files\"\n\n## haproxy default\n# Set the number of retries to perform on a server after a connection failure\nhaproxy_retries: \"3\"\n# Set the maximum inactivity time on the client side\nhaproxy_client_timeout: \"50s\"\n# Set the maximum time to wait for a connection attempt to a server to succeed\nhaproxy_connect_timeout: \"10s\"\n# Set the maximum allowed time to wait for a complete HTTP request\nhaproxy_http_request_timeout: \"5s\"\n# Set the maximum inactivity time on the server side\nhaproxy_server_timeout: \"50s\"\n# Set the HTTP keepalive mode to use\n# Disable persistent connections by default because they can cause issues when the server side closes the connection\n# at the same time a request is sent.\nhaproxy_keepalive_mode: \"httpclose\"\n\n## haproxy tuning params\nhaproxy_maxconn: 4096\n\n# Parameters below should only be specified if necessary, defaults are programmed in the template\n# haproxy_tuning_params:\n#   tune.bufsize: 384000\n#   tune.chksize: 16384\n#   tune.comp_maxlevel: 1\n#   tune.http_maxhdr: 101\n#   tune.maxaccept: 64\n#   tune.ssl_cachesize: 20000\n#   tune.ssl_lifetime: 300\nhaproxy_tuning_params: {}\n\n# Add extra VIPs to all services\nextra_lb_vip_addresses: []\n\n# Add extra TLS VIPs to all services\nextra_lb_tls_vip_addresses: []\n\n# Option to override which address haproxy binds to for external vip.\nhaproxy_bind_external_lb_vip_address: \"{{ external_lb_vip_address }}\"\n\n# Option to override which address haproxy binds to for internal vip.\nhaproxy_bind_internal_lb_vip_address: \"{{ internal_lb_vip_address }}\"\n\n# Option to define if you need haproxy to bind on specific interface.\nhaproxy_bind_external_lb_vip_interface:\nhaproxy_bind_internal_lb_vip_interface:\n\n# Option to override haproxy frontend binds\n# Example:\n# haproxy_vip_binds:\n#   - address: '*'\n#     interface: bond0\n#     type: external\n#   - address: '192.168.0.10'\n#     pki_san_records:\n#       - internal.cloud\nhaproxy_vip_binds: \"{{ haproxy_tls_vip_binds | default(_haproxy_vip_binds) }}\"\n\n# Make the log socket available to the chrooted filesystem\nhaproxy_log_socket: \"/dev/log\"\nhaproxy_log_mount_point: \"/var/lib/haproxy/dev/log\"\n\n# Ansible group name which should be used for distrtibuting self signed SSL Certificates\nhaproxy_ansible_group_name: haproxy_all\n\n## security.txt\n# When security risks in web services are discovered by independent security\n# researchers who understand the severity of the risk, they often lack the\n# channels to disclose them properly. As a result, security issues may be\n# left unreported. security.txt defines a standard to help organizations\n# define the process for security researchers to disclose security\n# vulnerabilities securely. For more information see https://securitytxt.org/\n# This content will be hosted at /security.txt and /.well-known/security.txt\nhaproxy_security_txt_dir: \"/etc/haproxy\"\nhaproxy_security_txt_headers: |\n  HTTP/1.0 200 OK\n  Cache-Control: no-cache\n  Connection: close\n  Content-Type: text/plain; charset=utf-8\n\nhaproxy_security_txt_content: \"\"\n# haproxy_security_txt_content: |\n#   # Please see https://securitytxt.org/ for details of the specification of this file\n\n# Allows to copy any static file to the destination hosts\nhaproxy_static_files_default:\n  - dest: \"{{ haproxy_security_txt_dir }}/security.txt\"\n    content: \"{{ haproxy_security_txt_headers + '\\n' + haproxy_security_txt_content }}\"\n    condition: \"{{ haproxy_security_txt_content is truthy }}\"\nhaproxy_static_files_extra: []\nhaproxy_static_files: \"{{ haproxy_static_files_default + haproxy_static_files_extra }}\"\n\nhaproxy_sysctl_file: \"{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}\"\n\n# Allows to define custom errorfiles in the format:\n# - code: 504\n#   path: /path/to/504.http\n# You can use haproxy_static_files_extra to add those files.\n# See https://github.com/haproxy/haproxy/tree/master/examples/errorfiles for examples\n#\n# An example combination of haproxy_static_files_extra and haproxy_errorfiles:\n# haproxy_static_files_extra:\n#   - dest: /etc/haproxy/500.http\n#     content: |\n#       HTTP/1.0 500 Internal Server Error\n#       Cache-Control: no-cache\n#       Connection: close\n#       Content-Type: text/html\n#\n#       <html><body><h1>500 Internal Server Error</h1>\n#       This Server Made a Boo Boo\n#       </body></html>\n#   - dest: /etc/haproxy/504.http\n#     content: \"{{ lookup('file', '/etc/openstack_deploy/haproxy/504.http') }}\"\n#\n# haproxy_errorfiles:\n#   - code: 500\n#     path: /etc/haproxy/500.http\n#   - code: 504\n#     path: /etc/haproxy/504.http\n#\nhaproxy_errorfiles: []\n","created":"2025-12-08T13:33:25.908831Z","updated":"2025-12-08T13:33:25.908859Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-haproxy_server/defaults/main.yml"}