Playbook #3
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-infrastructure.yml
Execution
Date 08 Dec 2025 13:33:24 +0000
Duration 00:06:14.05
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.3
Summary
2 Hosts
374 Tasks
364 Results
37 Plays
208 Files
0 Records
check:False tags:all

File: /home/zuul/src/opendev.org/openstack/openstack-ansible-haproxy_server/vars/main.yml

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
---
# Copyright 2021, City Network International AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

_haproxy_vip_binds: |
  {% set vip_binds = [{'address': haproxy_bind_external_lb_vip_address, 'interface': haproxy_bind_external_lb_vip_interface, 'type': 'external'}] %}
  {% if haproxy_bind_internal_lb_vip_address != haproxy_bind_external_lb_vip_address or
      haproxy_bind_external_lb_vip_interface != haproxy_bind_internal_lb_vip_interface %}
  {%   set _ = vip_binds.append({'address': haproxy_bind_internal_lb_vip_address, 'interface': haproxy_bind_internal_lb_vip_interface, 'type': 'internal'}) %}
  {% endif %}
  {% for vip_address in extra_lb_tls_vip_addresses %}
  {%   set _ = vip_binds.append({'address': vip_address, 'type': 'external'}) %}
  {% endfor %}
  {{ vip_binds }}

_haproxy_pki_certificates: |
  {% set _pki_certs = [] %}
  {% for vip in haproxy_vip_binds %}
  {%   set _vip_interface = vip['interface'] | default('') %}
  {%   set san = ['DNS:' ~ ansible_facts['hostname'], 'DNS:' ~ ansible_facts['fqdn']] %}
  {%   if vip['address'] != '*' %}
  {%     set _ = san.append((vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address']) %}
  {%   endif %}
  {%   if vip['address'] == haproxy_bind_internal_lb_vip_address and not (internal_lb_vip_address | ansible.utils.ipaddr) %}
  {%     set _ = san.append('DNS:' ~ internal_lb_vip_address) %}
  {%   endif %}
  {%   if vip['address'] == haproxy_bind_external_lb_vip_address and not (external_lb_vip_address | ansible.utils.ipaddr) %}
  {%     set _ = san.append('DNS:' ~ external_lb_vip_address) %}
  {%   endif %}
  {%   for record in vip.get('pki_san_records', []) %}
  {%     set _ = san.append((record | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ record) %}
  {%   endfor %}
  {%   set _ = _pki_certs.append(
        {
          'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']),
          'provider': 'ownca',
          'cn': ansible_facts['hostname'],
          'san': san | join(','),
          'signed_by': haproxy_pki_intermediate_cert_name,
        }
      ) %}
  {% endfor %}
  {{ _pki_certs }}

_haproxy_pki_install_certificates: |
  {% set _pki_install = [] %}
  {% for vip in haproxy_vip_binds %}
  {% set _vip_interface = vip['interface'] | default('') %}
  {% set _cert_basename = '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(
      vip['address'] ~ '-' ~ _vip_interface, vip['address'])
  %}
  {% set _ = _pki_install.append(
      {
        'src': haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ '.crt'),
        'dest': haproxy_ssl_temp_path ~ _cert_basename  ~ '.crt',
        'owner': 'root',
        'group': 'haproxy',
        'mode': '0644'
      }
    )
  %}
  {% set _ = _pki_install.append(
      {
        'src': haproxy_user_ssl_key | default(haproxy_pki_keys_path ~ _cert_basename ~ '.key.pem'),
        'dest': haproxy_ssl_temp_path ~ _cert_basename  ~ '.key',
        'owner': 'root',
        'group': 'haproxy',
        'mode': '0640'
      }
    )
  %}
  {# We need to put CA only when it's provided by user or internal CA is used and user certs are not provided #}
  {% if (haproxy_user_ssl_cert is not defined and haproxy_user_ssl_key is not defined) or haproxy_user_ssl_ca_cert is defined %}
  {%   set _ = _pki_install.append(
        {
          'src': haproxy_user_ssl_ca_cert | default(haproxy_pki_intermediate_cert_path),
          'dest': haproxy_ssl_temp_path ~ _cert_basename  ~ '-ca.crt',
          'owner': 'root',
          'group': 'haproxy',
          'mode': '0644'
        })
  %}
  {% endif %}
  {% endfor %}
  {{ _pki_install }}

# In case CSP is enabled, on newer haproxy versions, header size
# fill more than bufsize-maxrewrite, which results in 500
# See: https://github.com/haproxy/haproxy/issues/1597
_haproxy_default_tuning_params:
  tune.maxrewrite: 1280